How to crack using w32dasm

Name:             5 or More
Version:          v2.0
Operating System: Windows 95
Cracker:          josephCo [ME'97/C4N]
Level:            Beginner
Where:            http://www.midstream.com
Size:             170,008 bytes
Type:             Name/Serial Number, where the serial number is built in

In this little tute I am going to try to show you how it is possible to get serials from proggies using just the dead-listing approach. The name of this proggie is 5ORMORE. I really don't have a clue as to what it does, but let's crack it anyway! OK, let me say that you will find this tute easier to follow if you print it.

The tools needed for this are:

  W32DASM 8.9 (however, any version should work)

HERE ARE A FEW INSTRUCTIONS YOU WILL NEED TO KNOW

  XOR EAX, EAX              clears eax, i.e. makes eax=0
  CMP BYTE PTR [EAX+X], 31  compares the byte at address eax+X with 31h
  JNE                       jump if not equal
  JE                        jump if equal
  TEST EAX, EAX             does eax=0?

Also note that anything inside [ ] is a memory address: the instruction works on the byte(s) stored at that address, not on the address itself.

I have placed the code at the end so you can see all of it at one time.

First of all we start up w32dasm and load 5ormore.exe into it (this is done by clicking on "Open File to Disassemble"). Now let's look for some reference to the program being registered... we find both "Successfull registration, thank you!" and "Invalid serial number". Please note that if you are not sure how to find these, then click on "Refs", then select "String Data References"; you should see a little list of phrases and words. Now double click on "Successfull registration, thank you!". You can now exit from the string data references list (hit the X at the top right of THAT box).

When you look at the code, you should be on line 4060c3 (if you can't see words, then change the fonts you are using). Now scroll up the screen until you are on line 40608e. This line should be a call... and right above it is "KERNEL32.lstrlenA". This call goes to the API lstrlenA, which calculates the length of something (here, whatever the user typed in). We can't follow that call, because it goes into Windows itself rather than into the program.

Now look at the code here: what do you see? Well... we see 3 different TEST EAX, EAX, and those are used to see if eax=0 or not. I won't go into how or why, but that is what the test does, and below those TEST EAX, EAX are conditional jumps:

  TEST EAX, EAX    is eax=0?
  JE 406XXX        if equal then jump

If you pay special attention, you will notice that all of those jumps skip over our desired destination (thank you for registering). What do we do, you may ask? Well, we need to see where eax is set to zero (this is done by XOR EAX, EAX or MOV EAX, 00000000, and a few other ways also)... You may be asking "How do I find out where it is set?" The answer is "FOLLOW THE CALLS!!!!!!" But which calls do we want to follow? Like I said, all of those conditional jumps SKIP our destination, so we follow the CALLS just before each test.

Now let's THINK for a sec here. Hmmm... "If the first test is bad then we skip all of the others, and since the first one is lstrlenA, which is an API, we can't follow that one... so we need to go to the next one!!" That leads us to line 40609c. When you are on it, go to the top and select "Execute Call" by clicking on the call button. Now we are on line 405eef. What do we see? WOW!!!!!! We see a lot of compares and jne (jump if not equal)... this could be a good place... but what does all of this shit mean?

The first line loads something from memory address esp+04:

  mov eax, dword ptr [esp+04]   <--- although we don't know exactly what, we will say it is our serial
  test eax, eax                 <--- it is tested to see if there is anything inside (does eax=00000000?)
  je 00405F31                   <--- if so, then jump
  cmp byte ptr [eax], 31        <--- does the first byte at [eax] = 31h? Since we are assuming that eax is our
                                     serial number, it is being checked to see if it is 31h. When we convert
                                     31h to ASCII (look it up on your chart) we get the number 1!!!!!!
  jne 00405F31                  <--- if the byte is not equal to 1, the jne goes to line 00405f31, which is a XOR EAX,EAX
  cmp byte ptr [eax+01], 36     <--- byte ptr [eax+1] points to the 2nd byte at [eax]
  jne 00405F31
  cmp byte ptr [eax+02], 31     <--- byte ptr [eax+2] points to the 3rd byte
  jne 00405F31
  cmp byte ptr [eax+03], 33
  jne 00405F31

So if the bytes at memory location eax ------> [eax] were equal to 87654321, the 2nd byte would be a 7, and byte ptr [eax+2] would point to the 3rd byte, which is a 6 in our example. I hope you get the point... So anyway, assuming that all of the compares are correct, [eax] should equal 1613... I have given you the first four numbers; I leave the rest up to you (I have commented them at the end of the tute).

Once you have figured out what all the numbers are, write them down!!! You will need them... hehe. Hmm, now what? Do we try those numbers or look around more? Well, since we can run the program while we have w32dasm running, let's try them!!! Heheheh hahahahha IT WORKS!!!!

If the serial you entered didn't work, we have a little problem: you either looked up the wrong number or wrote them down wrong. If this was another program and the numbers you wrote down didn't work, then we would trace a little farther to see if we could see anything interesting.

REMEMBER: this type of protection isn't used very often, so your chances of finding another program like it are very slim. However, I encourage you to look around for one.

If you have any questions, feel free to stop by #cracking4newbies on IRC (EFnet). This is done by typing /j #cracking4newbies right after you connect to IRC :)

Good Luck, Happy cracking :)
josephCo

-------------------------------------------------------------------------------------------------------------------------

* Reference To: KERNEL32.lstrlenA, Ord:0275h
|
:0040608E FF155C134100   Call dword ptr [0041135C]
:00406094 85C0           test eax, eax                did the user enter any data?
:00406096 747B           je 00406113                  if not, jump to the message box
:00406098 8D45F0         lea eax, dword ptr [ebp-10]
:0040609B 50             push eax
:0040609C E84EFEFFFF     call 00405EEF                WE FOLLOW THIS CALL!!!!!!!!!!
:004060A1 83C404         add esp, 00000004
:004060A4 85C0           test eax, eax                is eax=0? (xor eax,eax)
:004060A6 746B           je 00406113                  if eax=0 then jump
:004060A8 8D45F0         lea eax, dword ptr [ebp-10]
:004060AB 8D4DB0         lea ecx, dword ptr [ebp-50]
:004060AE 50             push eax
:004060AF 51             push ecx
:004060B0 E87FFEFFFF     call 00405F34
:004060B5 83C408         add esp, 00000008
:004060B8 85C0           test eax, eax
:004060BA 7449           je 00406105
:004060BC 6A40           push 00000040

* Possible StringData Ref from Data Obj ->"5-Or-More!"
|
:004060BE 68ACD34000     push 0040D3AC

* Possible StringData Ref from Data Obj ->"Successfull registration, thank "
                                        ->"you!"
|
:004060C3 6864D94000     push 0040D964

--------------------------------------------------------------------------------------------------------------------------

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406084(C), :00406096(C), :004060A6(C)     <---- we don't want these 3 jumps to come here
|
:00406113 6A30           push 00000030

* Possible StringData Ref from Data Obj ->"5-Or-More!"
|
:00406115 68ACD34000     push 0040D3AC

* Possible StringData Ref from Data Obj ->"Invalid serial number"     hmmm, wonder what this is?
|
:0040611A 6834D94000     push 0040D934

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406111(U)
|
:0040611F FF7508         push [ebp+08]

* Reference To: USER32.MessageBoxA, Ord:0188h     this is the message box!!!!!
|
:00406122 FF1538144100   Call dword ptr [00411438]

---------------------------------------------------------------------------------------------------------------------------------

:00405EEF 8B442404       mov eax, dword ptr [esp+04]
:00405EF3 85C0           test eax, eax                did the user enter anything? if not, clear eax
:00405EF5 743A           je 00405F31
:00405EF7 803831         cmp byte ptr [eax], 31       hmmm..... is the first byte at eax = 1?
:00405EFA 7535           jne 00405F31                 if not, clear eax
:00405EFC 80780136       cmp byte ptr [eax+01], 36    is the 2nd byte = 6?
:00405F00 752F           jne 00405F31                 <---- if it isn't, xor eax, eax
:00405F02 80780231       cmp byte ptr [eax+02], 31    is the 3rd byte = 1?
:00405F06 7529           jne 00405F31                 <---- if it isn't, xor eax, eax
:00405F08 80780333       cmp byte ptr [eax+03], 33    is the 4th byte = 3?
:00405F0C 7523           jne 00405F31
:00405F0E 80780435       cmp byte ptr [eax+04], 35    is the 5th byte = 5?
:00405F12 751D           jne 00405F31
:00405F14 80780535       cmp byte ptr [eax+05], 35    is the 6th byte = 5?
:00405F18 7517           jne 00405F31
:00405F1A 80780631       cmp byte ptr [eax+06], 31    is the 7th byte = 1?
:00405F1E 7511           jne 00405F31
:00405F20 80780730       cmp byte ptr [eax+07], 30    is the 8th byte = 0?
:00405F24 750B           jne 00405F31                 ******* we now have [eax] = 16135510 *******
:00405F26 80780800       cmp byte ptr [eax+08], 00    make sure there is nothing else

* Possible Reference to Menu: MenuID_0001
|
:00405F2A B801000000     mov eax, 00000001            <----- eax=1, so it is a good guy!!!!!!
:00405F2F 7402           je 00405F33                  <----- if [eax+8] = 0 from the cmp at 405f26, then jump
:00405F31 33C0           xor eax, eax                 <----- otherwise clear eax (this is bad)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405F2F(C)
|
:00405F33 C3             ret                          return back from the call (to line 4060a1)
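The reason this dead listing gives up the serial so easily is structural: a check built from `cmp byte ptr [eax+N], imm8` / `jne` pairs stores the accepted serial as immediates in the code, so reading the compares is the same as reading the serial. The following is an added example, not code from the tutorial or from 5 or More, that rewrites the routine at 00405EEF in Python (returning 1 or 0 exactly as eax does, including the NULL-pointer test and the trailing-00 check) and places it beside a digest-based variant in which the code carries only a SHA-256 digest and compares in constant time. The serial value and the test inputs are constructed from the listing's immediates; `make_digest` stands in for a build step and is an assumption of this example.

```python
"""Added example (not code from the tutorial or from 5 or More): the serial
check at 00405EEF rewritten in Python, beside a digest-based variant that
does not carry the serial as a literal.  Serial values are constructed."""
import hashlib
import hmac


def check_serial_hardcoded(serial):
    """Mirror of the routine at 00405EEF.  Returns 1 (mov eax,00000001)
    on success and 0 (xor eax,eax) on failure, like the original."""
    if serial is None:                 # test eax,eax / je 00405F31: NULL pointer
        return 0
    # The cmp immediates from 00405EF7..00405F26, in order, including the
    # final 00 that makes sure nothing follows the 8th character.
    expected = b"\x31\x36\x31\x33\x35\x35\x31\x30\x00"
    data = serial.encode("ascii", errors="replace") + b"\x00"   # C string + NUL
    for i, want in enumerate(expected):
        if i >= len(data) or data[i] != want:   # jne 00405F31 -> xor eax,eax
            return 0
    return 1


def make_digest(serial):
    """Build-time step (assumed): the value shipped instead of the serial."""
    return hashlib.sha256(serial.encode("ascii")).hexdigest()


def check_serial_digest(serial, expected_digest):
    """Same accept/reject decision, but the code compares SHA-256 digests in
    constant time: a dead listing shows a 32-byte digest rather than the
    serial, and the byte-by-byte early exit of the cmp/jne chain is gone."""
    if serial is None:
        return 0
    got = hashlib.sha256(serial.encode("ascii", errors="replace")).hexdigest()
    return 1 if hmac.compare_digest(got, expected_digest) else 0


def leaks_literal(func, literal):
    """Does the compiled function carry the literal among its constants?
    This is the Python analogue of reading the immediates out of w32dasm."""
    return any(literal in str(c) for c in func.__code__.co_consts)


if __name__ == "__main__":
    serial = "16135510"                 # constructed from the listing's immediates
    digest = make_digest(serial)
    print("hardcoded:", check_serial_hardcoded(serial), check_serial_hardcoded("1613"))
    print("digest   :", check_serial_digest(serial, digest), check_serial_digest("1613", digest))
    print("serial visible in hardcoded checker:", leaks_literal(check_serial_hardcoded, serial))
    print("serial visible in digest checker   :", leaks_literal(check_serial_digest, serial))
```

The digest form removes the literal and the early exit, which is the specific weakness this tute exploits; it does not by itself stop offline guessing, since an 8-digit numeric serial has only 10^8 candidates to hash against the stored digest, which is why shipped products use signed license keys checked with a public key rather than any stored secret.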