 GERMAN CRACKING FORCE / PC -

 Cracking - HowTo #3 made for you by JoGy [Laxity]

 I read the tutorial from Yaan!, another cracker from Laxity, and
 thought:  I should show you the differences between cracking with a
 disassembler and a debugger.  So I decided to write this tutorial 
 about cracking Ghosttyper 1.0e with SoftIce. 

 This tutorial won't show you how SoftIce works; but it will show you
 how to crack a shareware program using it. 

 What you will need:

 * SOFTICE v. 3.0 or higher:
 SoftIce is a "must-have" in the scene. Try to get it at
 http://cracking.home.ml.org/ and don't blame me if you can't find
 it or if it's dead-linked!

 * PIECE OF PAPER:
 You'll need it later to write down the right code 8)

 Okay, let's start. Open ghosttyper.exe with the Symbol Loader from
 SoftIce and execute it by clicking on the LOAD button. You will land
 in SoftIce at the beginning of the program, so it's time to configure
 SoftIce a little bit: type 'data' [enter] and then 'r' [enter]. Now one
 part of the SoftIce window shows the CPU registers and another shows
 the offset addresses and what's in them.

 Press [F5] to let the program run again. The Ghosttyper window where
 you should register will open. Click on the 'register' button and
 enter your name and a dummy code (e.g. 98765432). BEFORE you click on
 the OK button, go back into SoftIce by pressing [CTRL] & [d] at the
 same time. Back in ICE you have to set a breakpoint. There are many
 possible breakpoints, but the one I prefer breaks on hmemcpy: this
 bp fires whenever the program calls the hmemcpy procedure (this
 program reads in three values, so it calls hmemcpy three times). Set
 the breakpoint by typing 'bpx hmemcpy' [ENTER] (bpx sets a breakpoint
 on execution).

 Now press [F5] again to switch back to Ghosttyper. Click the OK
 button. Immediately you will be back in ICE due to the breakpoint at
 hmemcpy. Press [F5] two times. Now press [F12] until you are out of
 the 16-bit addresses and in the 32-bit addresses. You will stop at
 0137:00436E92 POP ESI. We are no longer in KERNEL but in the GHOSTTYPER
 CODE, and that's what we want. The prog has read all necessary
 information with hmemcpy. But where are the codes? They have to be
 somewhere... so let's search for the dummy code 98765432! Probably the
 code is at an address beginning with 013F:????????, so let's move to
 those addresses by typing 'd 013F:00000000'. Now let's search with
 's' (for search): type 's 0 l ffffffff '98765432'' and press [ENTER].
 Type as many 'f's as your code is long; each 'f' stands for one
 position in your dummy code.

 After that you will see 'pattern found at 013F:00ADB778'! Now try to
 think (if that is possible)... our dummy code is at the address
 013F:00ADB778. Hmmm...

 What we wanna find is the compare between our dummy code and the
 right code, so all we have to do is set another breakpoint that fires
 when our dummy code is moved, read, deleted or overwritten. For that
 we use 'bpm 013F:00ADB778' [ENTER] (bpm sets a breakpoint on memory
 access). After you have defined this bpm press [F5] and you will be
 back immediately at the address 0137:00402AF1 INC ESI. So something
 happens to our dummy code here; look at what ESI points to by typing
 'd esi' [ENTER]. WOW! Our code is right there at the address in ESI.
 The line above, MOV BL,[ESI], has moved the first number of our code
 into the BL register. Trace further by pressing [F10] and let's try
 to understand what happens to our code: there are many compares, but
 none of them is THE cmp WE are looking for. At the address
 0137:00402B1D ADD EAX,EBX the first numba is moved into the EAX
 register. If you trace further you will notice that we are in a loop
 which moves one codenumba after another into the EAX register using
 ADD EAX,EBX. Press [F10] until you reach 0137:0046301F MOV ESI,EAX
 (before that you should have left two calls by tracing through RET
 instructions). Type '? eax' and you will see our dummy code in the
 EAX register. Now it is moved to the ESI register. Trace one step
 further and type '? esi' and you will see our dummy code in the ESI
 register. Trace two steps further and you are digging gold:
 CMP ESI,EAX. Yeah. That's it. The call before has put the right code
 into EAX. Get its value by typing '? eax' and use your piece of paper
 to write the code down!

 If you wanna know how the code was calculated... have a look into the
 call before. But that's only necessary if you want to code a key
 generator. (Maybe in the next tutorial?)
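 The reason the right code could be read straight out of EAX is
 structural: the program computes the valid code itself and then compares
 it with what was typed, so at the CMP the secret sits in a register. The
 following C block is an added example, not code from this tutorial and
 not Ghosttyper's code. It puts that weak shape next to a one-way check
 that never builds the valid code. Everything in it is constructed: the
 name-based derivation is a toy stand-in, FNV-1a is only a placeholder
 digest, the sample name and codes are made up, and the hardened check is
 shown for a fixed-code scheme. A per-name code would need signature
 verification against an embedded public key to get the same property;
 that is not implemented here.

```c
/* Added example, not code from the tutorial or from Ghosttyper.
 * Shows the structural weakness the tutorial walks into (the program builds
 * the valid code in memory and compares it with the input) next to a
 * one-way check that never materialises the valid code. All names, the
 * derivation formula and the sample inputs are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

/* Digit walk over the entered code. The ADD EAX,EBX loop the tutorial traces
 * looks like this kind of decimal parse (an assumption, not verified).
 * Returns 0 for an empty string or anything that is not all digits. */
uint32_t parse_code(const char *code)
{
    uint32_t v = 0;
    if (*code == '\0')
        return 0;
    for (; *code; ++code) {
        if (*code < '0' || *code > '9')
            return 0;
        v = v * 10u + (uint32_t)(*code - '0');
    }
    return v;
}

/* Constructed toy derivation of the expected code from the user name. The
 * point is not the formula: whatever it is, its result is the secret. */
uint32_t derive_expected_code(const char *name)
{
    uint32_t v = 0;
    for (; *name; ++name)
        v = v * 31u + (unsigned char)*name;
    return v % 100000000u;            /* keep the result below 10^8 */
}

/* WEAK: the valid code is computed, lands in a register, then a CMP follows.
 * A memory breakpoint on the typed code stops on that CMP with the secret
 * in the other operand, which is exactly what the tutorial reads with '? eax'. */
int check_code_weak(const char *name, const char *entered)
{
    uint32_t expected = derive_expected_code(name);   /* secret in the clear */
    return parse_code(entered) == expected;           /* -> CMP ESI,EAX */
}

/* FNV-1a, 32 bit. A placeholder digest for the demo, not a recommendation;
 * a shipped check would use a real cryptographic hash. */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; ++s) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h;
}

/* HARDENED (fixed-code scheme): the binary stores only the digest of the
 * valid code. The typed code is hashed and the digests are compared, so the
 * register at the CMP holds a hash, not a code anyone can write down. For a
 * per-name code the equivalent is verifying a signature over the name with
 * an embedded public key; that is out of scope here. */
int check_code_hardened(const char *entered, uint32_t stored_digest)
{
    return fnv1a32(entered) == stored_digest;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *name  = "JoGy";
    const char *dummy = "98765432";

    printf("weak check, dummy code:    %d\n", check_code_weak(name, dummy));
    printf("weak check, derived code:  %d\n", check_code_weak(name, "2313527"));

    /* In a real build this constant is computed once at release time and only
     * the digest is embedded; the valid code appears here only to show how. */
    uint32_t stored = fnv1a32("12345678");
    printf("hardened check, dummy code: %d\n", check_code_hardened(dummy, stored));
    printf("hardened check, valid code: %d\n", check_code_hardened("12345678", stored));
    return 0;
}
```

 The hardened form only removes the shortcut the tutorial relies on
 (dumping the other operand of the compare). It does nothing about the
 conditional branch that follows the compare, so a real product does not
 hang the whole decision on one check and pairs it with an asymmetric
 scheme where the binary holds only the verifying half.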

 You made it. You ripped a code out of a shareware program using
 SoftIce!
 Did you notice that it's much cheaper to register a ProG this way???
 C'mon....

 If you understood it and you have fun cracking other progs: JOIN
 US...
 JOIN LAXITY - GERMAN CRACKING FORCE!!! Mail us and become a trial
 memba!

 Perhaps I will write some other tutorials (if you want me to!), but
 don't terrorize me by sending too much mail. (A tuti like this needs
 its time to be done!)


 GOOD LUCK by TRYING to CRACK sharewareProGs!
 CU
 JoGy [Laxity]


 Membaz:
 Animalo       founder, cracker          laxity_hq@gmx.net
 SONIC 98      cracker, iNET admin       laxity_s98@gmx.net
 pCsK8R        cracker                   laxity_pc@gmx.net
 Yaan!         cracker                   laxity_yaan@hotmail.com
 JoGy          cracker                   jogy_laxity@hotmail.com
 The Brain     cracker                   the.brain.@gmx.net
 xCrk          cracker                   xcrk@bigfoot.com
 vTeC          cracker                   @
 Swoop         cracker                   @
 Smakkker      cracker                   @
 Twister       cracker                   @
 Tiger of THT  gfxer                     @
 Raptor #1     driver                    @

 Trial Membaz:
 _awe_         gfxer, tester             @

 Greetz:
 APP - GCG - GWA98 - NEXUS98 - UCF2000 - PC98

 Join Laxity:
 Are you a cracker?... Contact laxity and ask him if you can join!
 We also need slaves for our irc, spread, test and help section...

 iNET:
 IRC EFNET:    #laxity98
 German Hq     http://gcf.notrix.de