--------------------------------------------------------------
---------------------------------------------------------------------------
Lesson 1: an approach
---------------------------------------------------------------------------
[Pooldemo.exe]
--------------------------------------
has not been a one way road... strictly speaking it's not even
but most of the time you 'll unearth only various trite
So I'll begin the "hands on" part (-> starting from lesson
defeat this kind of junk too. I'll also explain WHERE you can
maybe you have tried it with mixed success. If you are here to
get aimed in the right direction, to get off to a good start with
the cracking tricks and procedures, then you have come for the
right reason. I can't promise you'll get what you want, but I'll
on the elementary side for you. (If you want to review a few
basics and have no where else pressing to go, then by all means
stay).
* Some intuition
(easy to crack)
crippled on
release you 'll get all the copies that remain unsold for next
them, to use them for ever and ever and/or graciously donate them
on the Web to the poor lamers that have no money and no brain.
too).
schemes that you find in a simple (and short) shareware game will
-I hope- the dos and donts of our art: let's crack together as
time (i.e. "how many times" you use them or "how long" you use
by East Point Software Ltd, (c) Team 17 Software Ltd 1994. This
throughout 1995.
crippled on how long you use it: i.e., you can only play 2
minutes, afterwards a "nag" reminder of where and how you can buy
- start [pooldemo.exe]
vectors)
(you should always check MORE THAN ONCE your findings when
memory areas.
interpret, evaluate.
Sucker user has lost one second more of his precious two minutes.
further on for the exact point where you get the "nag screen" in
think you got it already and you remember anyway that the first
Here you believe that you have already found the way: you
got the counter that charges the reverse clock that triggers the
to "EE" (Yeah, the maximum would be FF... but it's always good
get four times more playtime for your game... more than enough
the trade" section) but you could also work with simpler
debuggers like [debug] or [symdeb] (-> see lesson 2). If you do,
i.e.:
symdeb POOLDEMO.DED
corresponds to the
refill line).
cs:3EEA
-w
Now you run your tampered pooldemo. You think you cracked it, you
Well, for a start you have not been attentive enough! The
search in debug gave you TWO locations, you moron, and not just
the one you just tampered with. Check and you 'll see that the
locations do mirror the first ones and correct them on the fly
if need be.
So you need to modify this too... you act as said above but
-e cs:3EEA+4 EE
before writing back the dead file and then renaming it to exe and
then running it... and loo! Hoow sloow! THERE YOU ARE! Your
that you can now play the stupid game up to 12 minutes real time,
So you begin to play, and the seconds look veeery sloow, and
everything seems OK, but -alas- NO! At screen second 28 you get
the irritating "two minutes are over" nag screen! Obviously you
were dead wrong: the program "knows" the time directly from the
So it's back to cracking, and now you are angry, and forget
the quiet ways of the zen-analyze and begin the heavy cracking
you should reserve -if ever- for really complicated schemes. You
now start to check the hooked vectors (you did your routinely
believe interesting:
vecs c
first hooked vector does it! It's good old interrupt_08: the
timer_clicker!
(Interrupt Service Routine) that the INT_08 points to... and this
to 1EFD:84C6.
One of the actions taken by the INT_08 ISR within the BIOS
every ISR from INT_08 the CPU would fetch the contents of the
address F000:9876 but can contain any trick they could think of).
now?
to
disable the IRQ_0 level timer interrupt, which is controlled by
* prompt $t and hit ENTER a few times, see how the dos_clock
* enter DEBUG.COM
-a
in al,21
or al,1
out 21,al
ret
RETURN
into AL, you set the mask bit in the bit 0 position (which
When you are ready to activate IRQ_0 events again, reenter DEBUG,
run the following and then reset the clock you stopped with DOS
TIME command:
-a
in al,21
and al,fe
out 21,al
ret
RETURN twice
- g 100
-q
will not operate correctly: once you access the diskette drive,
-------------------------------------------------------
address at 20h (or 0a0h), from which the instructions are given.
the EoI command (20h) is written to either port 20h or port 0a0h.
After the EoI follow the usual pushes, then some CALLS then
a call that issues some OUT 40,AL that look like timer refreshing
CALL, one more conditional CALL and then a "mysterious" call FAR
final CALL... then the routine pops all registers and irets away.
find the one that's only called at the awakening of the time
limit protection).
You work, and work, and work... and eventually find nothing
the range DS:0 DS:FFFF you 'll notice that one of them changes
How long will it tick along? Well, we saw above that the "charge"
BINGO!: FOUND!
------------------------------------------------
symdeb pooldemo.ded
- s cs:0 Lffff 81 3E 20 A7 20 1C
- w
- q
-------------------------------------------------
as you will see in the hands on part, there are always MANY ways
have found this protection the other way round: set a trace on
memory range for the program, restricting the trace to the first
can always try the other blocks). Breakpoint at the nag screen,
...
JL 0A99
...
JL 0A99
...
...
JL 0A99
E834FD CALL 0759 <- BINGO! (CALL beggar_off_time_is_up)
... there it is, found the other way round. (But this apparently
and nag screen, therefore the somehow more complicated, but more
are seldom difficult to find (and those that are really worth
understand our zen ways, and do not care at all for a well done
job. That means, among other things, that the hard disk of the
user will be cluttered with files that the main program module
This was in reality no less than the complete beta version of the
You 'll obtain the missing lessons IF AND ONLY IF you mail
not know that YOU discovered. Mostly I'll actually know them
already, but if they are really new you'll be given full credit,
and even if they are not, should I judge that you "rediscovered"
them with your work, or that you actually did good work on them,
welcomed.
E-mail +ORC
+ORC an526164@anon.penet.fi
HOW TO CRACK, by +ORC, A TUTORIAL
---------------------------------------------------------------------------
---------------------------------------------------------------------------
[INDY.EXE]
--------------------------------------
important.
tells you where all the device drivers and TSR are loaded, in
which memory locations the program you are cracking dwells, how
much memory is left and what the next program load point is. The
unfamiliar program. This will help you by ensuring that you don't
DE SOIREE and it's vastly available on the Web). You could also
are now on the Web for free... learn how to use YAHOO and find
them. In emergency cases you could fix some quick crack using
older debuggers won't do. I'll nevertheless ALWAYS give the final
to crack programs.
provided that you are fairly familiar with the protection scheme
used, going in too deep too soon can be a problem when you don't
it. The debugger is your best weapon; you must know all the
possibility.
when you are close to the protection scheme, but too much of it
are appalling) and ask yourself: "What is this going to tell me?"
and "What else will I need to know once the break occurs?". MOST
and most direct?", coz you do not want to waste precious cracking
time.
When devising a set of breakpoints it is wise to consider
how "a trail of bread crumbs" can be left. Not allowing for an
cracking session.
specific cracking.
one function, you must understand what happens within each of the
child functions you must study their children; and so on down the
calling hierarchy tree. Then there is the data. Tracing tentacles
luck.
For each memory variable you are interested in, you must survey
task a lot easier. (Use Sourcer! It's a fairly good tool and
directly from the functions which need them. But when a program
calls from the same location, you know that this is certainly the
case.
Now, what happens sometimes is that the programmers write
calls from the same location but for one or two calls which are
coming out of the section where the morons have "hidden" their
cracking are made from common library functions, all is not lost.
The specific function from which these library calls were made,
order, you should find yourself in the function you need to see.
ASCIIZ IN CODE
message strings from separate files, your search has just been
simplified.
specific message on the screen, you could go into the program and
locate the code that emits this message, and then determine what
console.
know the screen location used, and if that part of video memory
is not used for anything else at the time (a big if), a memory
the address of the message string and then survey the reminder
searching for such things in a listing will make you old before
your time.
for interrupt calls that are followed by data. Sometimes you will
sense. Sometimes you can determine the offset of the next true
cases, you will have to trace through the interrupt call to see
HOOKED VECTORS
the program under a debugger and watch for system calls to INT_21
vector), but in the event that the program reads and writes
utility.
(easy to remember, isn't it?) and there are four bytes per
four times and use the result at the offset (on segment zero).
trigger. But when you isolate the offending instruction, you find
the following:
now all you have to do is to add this value to the offset value
And the other way round? If you have a physical address, say
first of all decide in which segment you want the address... if,
Before starting this section, for those of you that do not know
anything, here is the ARCHIE way you get all the program that do
1) (address) archie@archie.univ-rennes1.fr
I use this french archie, but you can get a worldwide list using
Wait two hours, get your post and ftp the file you wanted (and
YES!, you 'll find also EVERYTHING else for free on the Web).
You could, instead of using archie, also learn how to use YAHOO.
[MEMSCAN.EXE]
code areas, available RAM, etc. I used this great idea to create
[TRACKMEM.COM]
[SCANCODE.COM]
software. The must utility for crackers that do not learn all
scancodes by heart.
[MAP.EXE]
too, coz you get it with the "Nigel" nag screens. They are not
[SPRAY.COM]
should study the program, only 252 bytes long, and will have to
[VEXE.EXE]
useful.
the best one, and comes with source code(!). I'll teach you how
to crack without any of them (you do not need them if you zen-
crack), but they can nevertheless be very useful in some
purposes :=)
[SOURCERING UTILITIES]
fairly good sourcering tool. Version 4.08 has been cracked (it's
Web, so you should easily find it. This said, you should NEVER
use such a brute force approach, unless you are really desperate:
I'll teach you how to crack without sourcering (you don't need
[HEXEDITORS]
Every idiot has written at least one hexeditor, and you can find
programs). If you do use it (as you should) disapt the nag screen
[DEBUGGER]
cracked and/or distributed and are now on the Web for free...
learn how to use ARCHIE and YAHOO in order to find them. Your
debugger is the only tool you 'll REALLY need, believe me. So
choose your weapon wisely and learn how to use backtrace ranges
You should get all the programs mentioned above (all the
programs that EXIST for that matter) for free on the Web. Use
them, but also modify them recklessly! REMEMBER THAT YOU ARE
(GOING TO BE) A CRACKER! The first programs you should crack and
modify are therefore your very tools! So steal the code of the
best tools you find! Snatch the best routines and change them for
you know what I'm talking about, but -unless you are already
for the reasons explained in lesson 1, but you 'll find the SAME
pretty easily. The nag screen asks for data based on the
- disable it.
way", the only one that can really enable you to crack high
protection schemes.
bytes BEFORE and 500 bytes AFTER your position. You'll get some
locations. (In the case of INDY 500 you get 6 such locations).
:compare_loop
2A25 SUB AH,[DI] <-- sub coded data from mask and get
real answer
...
And if the protection scheme had been more far away? And if you
cannot "feel" the right one? And if my grandma had wheels? You'll
learn it, believe me.
------------------------------------------------
symdeb indy.ded
- s (cs+0000):0 Lffff B4 FF 2A 25 47 3A C4 75 1A
- s (cs+1000):0 Lffff B4 FF 2A 25 47 3A C4 75 1A
- w
- q
-------------------------------------------------
WHY WE CRACK
much for money and -as you can see- I am giving away the basis
of what I know for free with this tutorial. The programs we crack
money, he does not deserve anything. It's the mind challenge that
counts, NEVER the profit! (Even if you can make good use of the
personal profit).
information, data that you would like to snoop but that somebody
its awfully egoistic way of life and its dirty "profit" values,
but you'll never be able to crack in the "right" way. You must
coz in order to be emphatic with the code you must be free from
you better take a good look around you... you'll find plenty of
crackle programs in the right way... Hope all this did not sound
too cretin.
HOW TO CRACK, by +ORC, A TUTORIAL
---------------------------------------------------------------------------
---------------------------------------------------------------------------
--------------------------------------
SOME PROBLEMS WITH INTEL's INT
invoked it.
you cannot write MOV AX,x21, and then INT AX; you must
instructions which look harmless and modifying them "on the fly"
language" code. You can find a lot of good, well explained code
for free: viruses are one of the best sources for good "tight and
tricky" assembler code. You can find the source code of almost
all viruses on the web: oddly all the would be hackers seem to
it out and study it: the more you know, the better you crack.
The string instructions are quite powerful (and play a great role
that:
ES:DI
repeated.
aesthetic choice
(or BBS & servers) although inside files that are small enough
That's obviously not a very big protection -per se- coz everybody
to motivate our cracks and -besides- you'll find the same schemes
requires a word that the user can find somewhere inside the
---------------------------------------------------
---------------------------------------------------
schemes used today (January 1996) are directly derived from one
of the 12 primitives.
asking your answer, only the use of CTRL+C will bring you out of
newer schemes let you in for only 3 attempts or even only one,
first of all, to find out where are stored the letters that you
type in. So examine your memory map, find out where the program
search for some words used in the nag_screen and then let's dump
the area where we find them (in UMS that will be at 3E_hook
address + 7656) and loo! You'll see the content of the nag screen
(that's a very old protection scheme indeed). You could now, for
for server and BBS, for that matter) have quite a lot of weak
points. The most obvious one (you 'll find out the other when
you'll high crack) is that they MUST compare the password of the
password, you just need to "hear" the echo of the original one in
the memory locations used for the compare, or, and that's more
correct, to crack the compare mechanism itself so as to make it
where the password is stored (and you 'll find these with your
ES:0F8E (here you 'll see a copy of the password that the
program is asking)
ES:0F5C (here you 'll see a copy of the password that the user
types in)
in extenso).
out of the CMPSB check at the first different char, OR at the end
Well let's now look for the next JZ near (it's a "74" code)
a JZ... now you will always pass, no matter what you write,
------------------------------------------------
symdeb ums.ded
- s (cs+0000):0 Lffff 74 0D 1E B8 C2 3F
(nothing)
- s (cs+1000):0 Lffff 74 0D 1E B8 C2 3F
(nothing)
- s (cs+2000):0 lffff 74 0D 1E B8 C2 3F
- e xxxx:yyyy 75
- e xxxx:yyyy+17 74
- w
- q
-------------------------------------------------
modified them there, but I'm teaching also pupils who may not
have [Soft-ice].
that's good practice! If you do not find your string in the first
sector you must search for it in the next sectors, till you find
it, coz in many programs there may be MORE THAN ONE repetitions
--------------------------------------------------------
--------------------------------------------------------
interesting indeed).
The snap_comparisons of the main memory area -as you type the
What now?
Moskovskaja 'll do) and meditate. Get the memory map of the
compares. Sit down, sip Martini Wodka, relax. You know that the
code for A is x41, for B x42, for C x43 and so on... and in the
snap_compares, that you made between letters, you 'll have only
You 'll soon enough find out that for LIGHTSPEED absolute
-----------------------------------------------------
-----------------------------------------------------
Inspecting the same prints, you 'll find out that absolute
LAST character you typed in. The relative code line is:
and this means that the code of the letter you just typed in will
be now copied in BX=F85A. What else can you do? Time to use a
is the typical "IF the user hits ENTER then" instruction, coz
And now the way is open to the crack. But YOU DO NOT NEED ALL
THIS! Since the password protection schemes are -as I told you-
all more or less the same, I would suggest that you use first of
memory map to see where the program dwells) search the "F3A6"
pgsg:C6F9
pgsg:E5CA
pgsg:E63E
pgsg:EAB0
There you are! Only four... have a short look at each of them:
you 'll see that the second one (pgsg:E5CA) is the "good" one.
password)
at CX=0 or at char_differs
See how easy? They all use the same old tricks the lazy
lowercased.
locations, in order to stop the program "in the snap area" and
Now you can find out the segment:offset used by the snap and only
NOT CX instruction).
Now run the program and breakpoint in: have a dump of the
ES:DI and see the original password. How nice! We have now the
are the password stored? From which locations do they come from?
you to see them. Here the passwords are encoded (albeit in a very
sg:0118 8C 91 9D 95 9B 8D 00 B8 EC 94 9B 8D 8F 8B 9B
sg:0128 94 9B 8D 00 AE EC 9C 9B 8A 9B 86 00 A9 EC 91
This is a typical encoded matrix, with clear 00 fences between
Let's now leave the "hidden" passwords and proceed with our
cracking... let's follow the snap procedure after the REPZ CMPSB
:preserved_AX=0000
5D POP BP
CB RETF
....
0BC0 OR AX,AX
the fly INSIDE [Soft-Ice] and it did work!), the "74" with a
"75" also. And then you would like to change the JNZ instruction
fly", as needs arise, by the program. The code you modify while
"dead" program.
overlay message and the program pops out with instability! You
cannot easily modify the JNZ instruction either, coz the part
after the RETF will be compiled "on the fly" by lightspeed, and
do encrypt it twice... and then you must hack all night long...
very annoying.
Wodka and meditate: loo! The only thing that happens after the
that's what the two SBB instructions do) if the snap went out
with a non-zero flag... i.e. if you did not know the password.
So let's nop the 5 bytes of the two SBB instructions, or, more
elegantly, let's have a INC AX, DEC AX, NOP, INC AX, DEC AX
with the second JNZ either... the program will work as if you got
the previous type of crack -seen for UMS- when you crack computer
accesses: hereby the legitimate user will not have any suspicions
'coz the system will not shut him out... everybody will access:
the good guys and the bad ones... that's nice isn't it?).
------------------------------------------------
symdeb lightspd.ded
- s (cs+0000):0 Lffff 2B F9 F3 A6 74
- s (cs+1000):0 Lffff 2B F9 F3 A6 74
- s (cs+2000):0 lffff 2B F9 F3 A6 74
- w
- q
When you break in, at the nag screen, you are in the middle of
the BIOS procedures, coz the program expects your input (your
password, that is). You 'll quickly find out (MAP MEMORY
breakpoints on memory write you 'll find out that the memory area
xxxx:1180 to xxxx:11C0
where xxxx represents the second of the memory segments where the
procedure):
CODE.
It's already done! Now it's your intuition that should work a
our_memory_area
:funny_procedure
0AC0 OR AL,AL
7405 JZ compare_byte
:compare_byte
C3 RET
MOV 2A and CMP 2A, coz there would be no sense in comparing the
"2A" in order to JNZ to after_ret if you just had the 2A set with
the precedent MOV instruction... but the first JNZ jumps to the
compare WITHOUT putting the "2A" inside. And "2A" is nothing else
explained):
- else ret_ahead_nice_buyer
------------------------------------------------
symdeb general.ded
- s (cs+0000):0 Lffff 8C 11 75 0E
- e xxxx:yyyy+2 EB [SPACE] 09
- w
- q
-------------------------------------------------
And in this way you changed the JNZ to the cmp "*" instruction
HOW TO CRACK, by +ORC, A TUTORIAL
---------------------------------------------------------------------------
---------------------------------------------------------------------------
--------------------------------------
You have seen in the previous lesson that the use of a password
with the password that the user types in. You therefore have many
just to name the more obvious ones. In order to make things more
instructions or jumps in and out protected mode (no match for our
beloved [Soft-Ice]);
using the program. This is the type of password that you'll find,
(they do NOT verify only the three magnetic areas in the magnetic
strip on the card). The lines between ATM's & their hosts are
dedicated line between the ATM and the host; 2) insert your
computer between the ATM and the host; 3) Listen to the "normal"
with a legal card, make some mistakes, take note of the various
codes; 5) When you are ready insert a fraudulent card into the
- the ATM sends a signal to the host, saying "Hey! Can I give
discards it, sends on the "there's no one using the ATM" signal;
- the host gets the "no one using" signal and sends back its
"good, keep watching out if somebody comes by, and for God's sake
don't spit out any money on the street!" signal to the ATM;
away (again), and sends the "Wow! That guy is like TOO rich! Give
- the ATM obediently dispenses cash till the cows come home.
PASSWORDS AS REGISTRATION
you register the shareware program, you are sent a password that
get the "unique key" to unlock the "special protection". It's all
entry.
software. The password query does not usually appear any more at
the password query appears after one or more levels are completed
DONGLE PASSWORDS
myself have only seldom seen them, and do not like at all to
ones on the appropriate web sites, they may even answer you if
- encrypted and/or
themselves):
* password read in
manipulations
routine
searches first the file where the password is stored, then loads
Setup (at the beginning), the protection scheme does not allow
a boot with a floppy and does not allow a setup modify. In these
* open the PC
words "Pw"
* take it away
* PC on
* run the setup with F1 or Del (depending on the BIOS) (the
* PC off
* close the PC
* PC on, cracked (if you want to be nasty you could now use
denying, encryption and locking of the FAT tables, get from the
web, and study, the (very well written) code of a virus called
- using the most recent and best SMC (self modifying code)
tricks
7402 JZ go_ahead_nice_buyer
------------------------------------------------
symdeb top.ded
- s (cs+0000):0 Lffff 8A 84 1C 12 3A 84
- w
- q
-------------------------------------------------
And you changed the MOV AL, [SI+121C] instruction in a MOV AL,
the characters you typed in... no wonder that the ECHO does
are stored: we saw in the first part of our "passwords hands on"
mean? Well, this could mean quite many things... the most
Now you 'll quickly find out that the routine determining
Now, every time this random triggers, you get a different number
The random seed routine, evidently, comes back with the random
seed in AX... what we now need is to zero it: the user will
always have to choose the same plane: "plane 0", and he will have
given the correct answer. Note how elegant all this is: we do not
with the actual choosing of the planes... the random seed may
---------------------------------------------------
----------------------------------------------------
beginning this was a smart idea: "the cracker won't find the
correct password, 'coz it's not there, ah!". We'll now therefore
[POPULOUS.EXE]
stored. Set a breakpoint memory read & write on this area, and
40 INC AX
I don't think that you need much more now... how do you prefer
[BP+0C], AX and three NOPS (=6 bytes) after the IMUL instruction?
---------------------------------------------------
----------------------------------------------------
Now you are almost ready with this course... let's crack a
very useful for our purposes (you'll use it later to crack a lot
But, Hey! Do not forget that you would have never done it without
[MAP.EXE]
Let's now go over to one of the best TOOLS for mapping your
amount of time before asking the user to press a key which varies
the loading of the nag screen. You 'll quickly find the relative
07 POP ES
AC LODSB
...
You could already eliminate the delay and you could already force
the protection... but we crack deep!: let's do the job and track
91 XCHG AX,CX
7307 JAE after RET <- Ha! Not taking the RET!
C3 RET
50 PUSH AX
58 POP AX
AB STOSW
CD16 INT 16
E807F3 CALL go_ahead
are somehow like little snakes moving under a cover: you cannot
easily say what's exactly going on yet, but you could bet that
your LODSB routine call: you find two JUMPS there: a JZ ret, that
leaves a lot of pusha and popa aside, and a JAE after RET, that
does not take the previous ret. If you did smell something here
you are thoroughly right: The first JZ triggers the NIGEL screen
protection, and the second JAE does THE SAME THING (as usual,
find out the LODSW routine; find out the real area; dump that
memory region; find out a search sequence for the "dead" code...
------------------------------------------------
symdeb map.ded
- s (cs+0000):0 Lffff 74 16 50 53 51 52 57
- e xxxx:yyyy EB
- w
- q
-------------------------------------------------
HOW TO CRACK, by +ORC, A TUTORIAL
---------------------------------------------------------------------------
---------------------------------------------------------------------------
--------------------------------------
vector used for the protection. This kind of crack can be used
lesson A.2).
following lines:
-------------------------------------------------------
...
:0146 FA CLI
:0147 0E PUSH CS
:0148 1F POP DS
:014C FB STI
0000 fence
:01A7 B2015887
:01AB B2015887
:01AF B2015887
0000 fence
JNZ ret
JNZ ret
pop all
From now on this loader will work every time that a program
the target program will be modified on the fly and will get, at
The most important thing is the routine that YOU write that
will precede the call to INT_21 (or any other INT) service 25 (or
program. I'll show you another one, this one for [Reach for the
skies] (reach.com):
push all
MOV DS,AX
JNZ 015B
JNZ 015B
CMP Byte Ptr [B6DC],80 <- ditto, now we know where we are
JNZ 015B
MOV DX,CS:[0165]
MOV DS,CS:[0167]
INT 21
POP all
Here you did change the instruction 740F in the instruction EB0F,
DEC AX, NOP, INC AX, DEC AX sequence instead! There are sound
program and trash everything if they find more than -say- three
You can apply this kind of crack, on the same lines, to many
programs that perform self checking of the code and hook the
vectors.
cracking matters too. As the older 5 1/4 inch big black floppy
disks were still used (the 320K/8 tracks or 360K/9 tracks ones,
format the "master" (key) disk in a weird way. Old floppy disk
order to defeat this kind of cracks you need to know two things:
the floppy disk parameter block (FDPB) and the interrupt routines
(very old) copy of VisiCalc master I do, you'll find that sector
myself, but you 'll be able to find many such utilities in public
domain, the oldest one, from 1984 (!) being the seasoned [U-ZAP]
trick).
2 Motor on delay no 25
8 Format byte no F6
9 Head settle time no 0F
is the step rate time for the disk drive head. The right
nybble is the disk head unload time. These values are best
left alone.
1) Offset #1: again, don't fool around with these values. The
left nybble is the disk head load time, and the right
formatting and tells DOS how many sectors there are on each
track.
5) Gap length for diskette reads: this is what you fool around
with if you keep getting CRC errors when you try to read a
or 3.
and the number of sectors per track you can always format with
floppies:
history!) a new floppy disk format has been supported: The IBM
AT (80286 CPU) introduced the so called "high capacity" 5.25 u-
on the media:
table.
not set, AH=0, therefore the weird sector has been read, if
placed into RAM. DMA (Direct memory access) is used by the disk
will occur.
[INT_13, AH=4 Verify disk sectors]
the disk and DOES NOT involve verification of the data on the
stored on the disk. See INT_13, AH=2 registers and error report.
[CRC]
"CD13" in their machine code, but which clearly are checking the
the protection scheme from our nice prying eyes. I'll describe
29h, sector ffh, and then checking for a status code of 10h:
...
...
machine code, you would never have found the protection routine.
have the program change the "10" to "13 (and then back to "10")
Old good [debug.com] has been called the "swiss army knife" of
the disks. The sector count starts with the first sector of track
back to the first side, track 1, and so on, until the end of the
- l 100 0 10 20
drive A, sector 10h for 20h sectors. This allows at times the
retrieval of hidden and/or weird formatted data. If you get an
error, check the memory location for that data. Often times, part
of the data has been transferred before the error occurs, and the
retries.
scheme: on the disk you had only a "stub", called FS.COM with few
-------------------------------------------------------
don't you? Herein you can watch the same snap that happens in
more recent (much more recent) protection schemes (as you'll see
That should be no problem for you any more: you should just
just watch and break on the INT_13 calls), fetch the "weird"
data, tamper the whole crap and have your soup as you like it.
-- CLEVER
-- STILL USED
3, you just type your name and a serial number of your choice in,
say "666666666", break into the program with WINICE, search the
"666666666" and search too, for good measure, your own name, set
a memory read breakpoint where the number dwells and look at the
a key generator which will produce a valid code. This code will
work for any name you typed in only in the "pure maths
they are getting more and more rare in this objectionable world
zest will really be perfect) and watch from your balcony, with
unsullied eyes, your town and the people around you: slaves
produce other cars in order to buy, one day, a new car with a
different colour...
Why don't people look at the stars, love each other, feel
the winds, ban the stinking cars from the places where they live
activity? Why don't they read any poems any more? No poetry any
will soon be forbidden, coz you cannot CONSUME as you read poems,
the only thing they want you to do... you are CULTIVATED to
well placed neutron bombs, the ones that would kill all these
useless zombies and leave noble books and good Wodka untouched.
"look" like and could not care less about anything else than
making bucks and defending intolerant and petty patterns. The slaves
publicity... sorry, at times I forget that you are here for the
You'll obtain the OTHER missing lessons IF AND ONLY IF you
I may not know that YOU discovered. Mostly I'll actually know
them already, but if they are really new you'll be given full
credit, and even if they are not, should I judge that you
"rediscovered" them with your work, or that you actually did good
Your suggestions and criticisms on the whole crap I wrote are also
welcomed.
E-mail +ORC
+ORC an526164@anon.penet.fi
HOW TO CRACK, by +ORC, A TUTORIAL
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Before the next step let's recap what you have learned in
that the good buyer could find on the manual, whereas the bad
cracker could not. (Here you choose -with the mouse- one number
any more to teach you how to find the relevant section of code
(-> see lesson 3). Once you find the protection, this is what you
get:
:protection_loop
...
:C872 55 PUSH BP
...
:C8F7 90 NOP
:C8F8 0E PUSH CS
:C8FC 5B POP BX
:C8FD 5B POP BX
:C8FE 8B5E06 MOV BX,[BP+06]
:C912 5D POP BP
idea?
less than 15 minutes WITHOUT USING THE DEBUGGER! Just look at the
data above and find the right answers feeling them... (you'll
know which ones are the right ones checking with your debugger...
score as many points as you like for each correct answer and sip
a good Martini-Wodka... do you know that the sequence should
One easy way to encrypt data is the XOR method. XOR is a bit
FF XOR A1 = 5E
5E XOR A1 = FF
encrypt_decrypt:
xor_loop:
random, for instance using INT_21, service 2Ch (get current time)
and choosing as encrypt_value the value reported in DL (but
random_value:
mov ah,2Ch
int 21h
cmp dl,0
je random_value
mov encrypt_value,dl
methods), is that the part of the code that calls the encryption
These are the most common protection methods for the small
This small program will XOR the ten bytes at the location pointed
to by SI with the value 44. Providing the ten bytes were XORed
In this very simple case the "key" is the value 44. But there are
several tricks involving keys, the simplest one being the use of
loop.
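The XOR scheme described above, as an added C model that is not code from +ORC's tutorial: one routine both encrypts and decrypts because XOR is its own inverse, the key picker rejects a zero key exactly as the tutorial's random_value loop does (a zero key would leave every byte unchanged), and recover_key shows why a single-byte key is no secret to whoever can see one plaintext byte. The ten-byte buffer, the clock samples and the key value 0x44 (the tutorial's "44", assumed hex) are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* XOR one byte with the key; shown separately so the tutorial's
 * FF XOR A1 = 5E table can be checked directly. */
uint8_t xor_byte(uint8_t value, uint8_t key)
{
    return (uint8_t)(value ^ key);
}

/* XOR every byte of buf[0..len) with key. Symmetric: applying it
 * twice with the same key restores the original, so this is the
 * encryptor and the decryptor at once (the tutorial's xor_loop). */
void xor_crypt(uint8_t *buf, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = xor_byte(buf[i], key);
}

/* Choose a key from successive "clock" readings, skipping 0 just as
 * the tutorial's loop does (cmp dl,0 / je random_value). The samples
 * stand in for DL as returned by INT 21h service 2Ch. */
uint8_t pick_key(const uint8_t *clock_samples, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (clock_samples[i] != 0)
            return clock_samples[i];
    return 0x2C;   /* constructed fallback when every sample was 0 */
}

/* Why this is obfuscation, not secrecy: knowing one plaintext byte
 * and its encrypted counterpart yields the key immediately. */
uint8_t recover_key(uint8_t cipher_byte, uint8_t known_plain_byte)
{
    return xor_byte(cipher_byte, known_plain_byte);
}

/* Constructed DL readings: two zeros (rejected), then 0x44. */
uint8_t pick_key_demo(void)
{
    const uint8_t samples[3] = { 0x00, 0x00, 0x44 };
    return pick_key(samples, 3);
}

/* Round trip over ten constructed bytes, as in the tutorial's loop:
 * encrypt, confirm the bytes changed, confirm the key falls out of a
 * single known byte, decrypt, confirm the original is back. */
int roundtrip_demo(void)
{
    const uint8_t plain[10] = { 'P','R','O','T','E','C','T','E','D','!' };
    uint8_t work[10];
    uint8_t key = pick_key_demo();

    memcpy(work, plain, sizeof work);
    xor_crypt(work, sizeof work, key);              /* encrypt */
    if (memcmp(work, plain, sizeof work) == 0)
        return 0;                                   /* nothing changed */
    if (recover_key(work[0], plain[0]) != key)
        return 0;                                   /* key not recoverable */
    xor_crypt(work, sizeof work, key);              /* decrypt */
    return memcmp(work, plain, sizeof work) == 0;   /* 1 on success */
}

int main(void)
{
    printf("FF XOR A1 = %02X\n", xor_byte(0xFF, 0xA1));
    printf("picked key = %02X, round trip ok = %d\n",
           pick_key_demo(), roundtrip_demo());
    return 0;
}
```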
and CALLS, that DO NOT AFFECT the registers that are used for the
often also alters, on each generation, all the registers that the
decryptor uses, invariably making sure that the JUNK code that
real decryptor! So, with these rules in mind, here is our simple
decryptor again:
CLD ;junk
OR AL,CL ;junk
NOP ;junk
parts:
There are other discrete parts but these three are the ones where
junk code.
time.
(->see lesson B). Besides, you (now) know what may be going on
the road is open and the rest is easy (->see lessons 3-5).
For example, say the encrypted code started at address 10h, the
digit keys the decoding is much easier than for, say, 129 or 250
digit keys. Nevertheless you can crack those huge encryptions too,
PC for a couple of hours, for a 250 bit key, this kind of thing
has been done quite often on the Internet, where you can also find
techniques.
Eurocrypt 1991.
A very good old book you can incorporate in your probes to build
very effective crack programs (not only for BBS accesses :=) is
*the* "pomerance" catalog:
Anyway... make a good search with Lycos, and visit the relevant
two or three (or thirty) years and you'll resume cracking with
interesting for our aims :=) Here are some interesting patents,
which are completely encrypted with both the operation code and
key kernel.
storage.
that runs 24 hours a day only to this aim and yet have only begun
to see the light at the famous other end of the tunnel. It's
hard, but good crackers never resign! We'll see... I publish here
the following only in the hope that somebody else will one day
be able to help...
public file, while the decryption keys for the users are only
digest algorithm.
As a final gift, I'll tell you that PGP relies on MD5 for a
of every word) and a single message block that yield the same
hashcode. The attack takes a few minutes on a PC. From here you
as [Lost soul] sends his stuff, if he ever does. For (parts of)
language.
next to nothing in the second hand bookshops. All the lusers are
Visual Basic, C++ and Delphi. Good new C books are now rare
them, read them, use them for your/our aims. You can find a lot
you need to find the "main" sub-routine inside the asm. With
DOS/4GW programs, search the exe file for "90 90 90 90"; almost
always it'll be at the start of the compiled code. Now search for
an INT_21 executed with 4C in AH, the exec to dos code (if you
cannot "BPINT 21 AH=4C" with your tool, then search for the
int 21]: it's the most direct call, but as you'll have already
learned, there are half a dozen ways to put 4C in AX, try them
A few bytes above the INT_21 service 4C, you'll find the
call to the "main" subroutine: "E8 xx xx". Now place a "CC" byte
a few bytes above the call in the exe and run the exe under a
you'll be thrown back in the debugger coz the "CC" byte acts as
hidden INSIDE a picture (or a *.wav file for that matter). This
media.
bit in each pixel of a picture. It uses that bit to store one bit
when need be, and there we'll intercept them. You'll need to
HOW TO CRACK, by +ORC, A TUTORIAL
---------------------------------------------------------------------------
---------------------------------------------------------------------------
[WINPGP.EXE]
--------------------------------------
--------------------------------------------------------
---------------------------------------------------------
ameliorate them.
situation in DOS, where for years the key "load but don't
Windows] (the last two are GUI, not text debuggers. The use of
in WinDebug().
3.1., all crackers should study it and get the maximum possible
have special code for Standard vs. Enhanced modes, because the
digestible form.
of doing ring transitions that are not allowed with legal 80x86
----------------- DEBUGGERS
to crack a function)
second monitor)
information.
----------------- INSPECTORS
MS-Spy Old
----------------- SNOOPERS
information.
reserved for debuggers. You can put the INT_03 op code in place
In the 80386 and later, you can set a register flag that tells
stepping.
debug it. The SDK's debug API takes care of how the interrupts
programmers -in a few years' time- will not be able any more to
alone the capacity to push forward (and sell) real programs that
you begin serious work and you discover its shortcomings, like
the fact that extended error codes are not documented, and
you must burn precious time testing them. What we definitely need
program enters a loop to run the program. At the top of the loop
tell about the event that suspended the program being debugged.
contains among other things the address that was interrupted and
program's memory.
its place, it's always the same old marmalade. When the
IDE and waits for the cracker to take an action that resumes the
program.
you must understand the format of that file (best thing to do,
they used names that suggest their purpose (nomen est omen).
include entries for .text, .bss, .data and .idata. Inside these
information.
null terminated strings into which the .stab table entries point.
windows, by Geib - I must thank "Q" for the idea to work on this
crack).
13.081B.
...
beggar_off:
IT'S THE SAME OLD SOUP! You do remember lesson 3 and the
protection schemes of the old DOS stupid games of the '80s, don't
you? IT'S THE SAME OLD SOUP! In this "up-to-date" "new" windows
Besides, look at all the mov eax, and eax, moves preceding
in less than three seconds flat. The IMUL instruction creates the
Now you could crack the above code in 101 different ways,
0EAF, that's the same) to the jne 0EAF at 13.0EA8. You just write
a 74 at the place of the 75, like you did for the cracks in
1978... how boring: it's really the same old soup! (But you'll
HOW TO CRACK, by +ORC, A TUTORIAL
---------------------------------------------------------------------------
---------------------------------------------------------------------------
--------------------------------------
---------------------------------------------------------
If you thought that DOS was a mess, please notice that windows
sure: This OS will not last... it's way too messily organised,
neither meat nor fish: neither 16 nor 32... you could call it a "24 bit"
operating system.
this planet. I'll write it this summer and give it away between
find it on the web for free, I use version 1.95, cracked by [The
Lexicon] (do not bother me for Warez, learn how to use the search
engines on the web and fish them out yourself). Learn how to use
soon that you did not want to learn how to use it properly.
TRA = 92
This way you'll always have the hexadecimal notation on, two very
useful watch windows for passwords deprotection and enough buffer
first 8 bytes.
every user name will give a different "access key". This is the
* load WINICE
* hwnd [name_of_the_crackanda_module]
* Run anew
possibilities...
* Reassemble everything.
there are quite a lot of them (see also the crack of Wincat Pro
protection scheme):
JZ ok_it's_a_+_or_a_-
JNZ Jesus_it's_neither_a_minus_nor_a_plus_let's_check_it
:ok_it's_a_+_or_a_-
:Jesus_it's_neither_a_minus_nor_a_plus_let's_check_it
...
even if you did not read all my precedent lessons, you do not
USER!BOZOSLIVEHERE
KERNEL!HMEMCPY
USER!GLOBALGETATOMNAME
tutorial.
The above code is the part of the routine that checks for the
Now sit down, make yourself comfortable and sip a good Martini-
protectionists are! You don't believe me? Try it... you'll get
Yes I know, to find this code is not yet to crack it... but for
you can only learn how to find them and circumvent them. I'll not
program below).
WHERE ARE THE CODES? WHERE ARE THE MODIFIED FILES? WHERE DO THE
Most of the time the protection schemes use their own *.ini files
they even use the "garbage collector" win.ini file. Let's take as
This scares most newbie crackers, since if the copy you have
unless you get the REAL stuff. The youngest among us do not
few lines inside the win.ini file, under the heading [WinZip],
that has already been created with the demo version, before the
I will not help you any further with this... I'll leave it to
substitute for your tries inside WINICE... you'll get it, believe
me):
[WinZip]
name=Azert Qwerty
sn=########
version=5.5
The *important* thing is that this means that you DO NOT NEED
to have a "new registered version" shipped to you in order to
believe. The same applies most of the time... never believe what
newspapers tell you... you can be sure that the only reason they
* INTERNET
to use well the search engines (or if you do build your own...
my spiders are doing most of the work for me... get your robots
the same point you'll have to confront all your life long: HOW
TO THROW AWAY TONS OF JUNK, HOW TO SECLUDE MYRIADS OF USELESS
rule this slaves world, are paradoxically most of the time the
only ones worth studying... somewhere even the real rulers have
around that you can easily find (even on the web). These
all the other media in the world, the ones that are used only
English (poor guy) you could try your luck with the weekly
"Economist"... you'll have to work a lot with it, coz it has been
tailored for the "new riches" of the Thatcher disaster, but you
truth. American newspapers (at least the ones you can get here
in Europe) are absolute shit... one wonders where the hell do the
Spanish newspaper "El Pais" that seems to know about what's going
but has a lot of useful information. See what you can do with all
the Serbians are not so evil at all and that "the Croats" or some
other Yugoslavian shits are the real culprits. This does not mean
at all that the Serbians are good, I warn you, it means only what
direction and believe the few bits of information that do say the
writes that the commies are bad then THERE the commies must not
be so bad at all and, conversely, if everybody in another place
writes that the commies are all good and nice and perfect (like
the Soviet propaganda did) then THERE the commies are surely not
you are, i.e. whose interests are really at stake. There is NEVER
sententiae".
algorithms, and the registration key will be made "ad hoc" and
can register "over your registration" one thousand times, and you
can therefore try for this crack different user_names to see all
protection code.
get a window where you can input your name and your registration
schemes, but it'll teach you a lot for higher cracking, so you
STOSB). Then various routines store and move in memory the usn
...
case mismatch, foreign accents in the name etc.) You just need
light").
memory; double checking the string lengths (and saving all these
register points to the stack you have most of the time fished
a user name, in our babe, for instance, the usn must have at
least 6 chars:
:too_short
2467:00000CAC 40 INC AX
CX,SS:[BX+04], the STOSB and the REPZ MOVSB (as usual in password
You should be enough crack-able :=) by now (if you have read
with these hints, how the working of the protection goes and
matches the name you typed in. Remember that in this kind of
routine that checks for a "-" inside the rn, a very common
protection element.
code in [Wincat Pro] I'll give you another hint, though: if you
different usn than your own name to crack a program you only show
that you are a miserable lamer... no better than the lamers that
that is really software that they have stolen (Yeah: stolen, not
I bomb them as soon as I spot them. YOU ARE (gonna be) A CRACKER!
HOW TO CRACK, by +ORC, A TUTORIAL
---------------------------------------------------------------------------
---------------------------------------------------------------------------
[Winformant][Snap32]
--------------------------------------
[WINFORMANT CRACKING]
This application is -per se- crappy, I doubt you'll ever use
it... but its curious (and pretty rare) "deactivate" mode is
nevertheless very interesting for us: you can "unregister"
Winformant on the fly if you feel the need to.
This feature is pretty useful for scholars that like to
investigate password algorithms with valid and invalid codes
without having to reinstall every time to delete a valid code.
For your cracking exercises choose programs that have
"REVERSIBLE" protections (rare) or that can be re-registered a
billion times (more frequent). Programs that keep the valid
registration on *.ini or special files will also do the job: you
just change a couple of lines to "unregister" them.
The trick of this lesson: [data_constraint], or "password
proximity", is based on the protectionist's need to keep an eye on
the protection "working" when he assembles it. He must "see" the
relationships between USER INPUT NUMBER, USER INPUT TRANSFORMED
and the CORRECT NUMBER ANSWER (in our jargon: the "Bingo"). These
relationships must be constantly checked in order to debug the
protection code. Mostly they will dwell TOGETHER inside a small
stack area, allowing them to be "seen" in the SAME watchwindow.
Most of the time, therefore, the "ECHO" will "materialize"
shortly not very far away from one of the locations of the USER
INPUT. Let's crack:
Let's pinpoint the code, here the relevant window is the first
"Edit" one, for obvious reasons (more on this later).
:bmsg 3710 wm_gettext ;set breakpoint
CTRL+D ;run the babe until you get:
Break Due to BMSG 3710 WM_GETTEXT C=01
Hwnd=3710 wParam=0050 lParam=2C5F629A msg=000D WM_GETTEXT
2C3F:000024BE B82F2C MOV AX,2C2F
So! Now we have "pinpointed" the babe (more on "pinpointing"
later). Let's snoop around a little: look at the stack to fetch
your babe's last call (if it does not show immediately, just keep
pinpointing, for instance on GetWindowText() or do a BPRW
diskomat (very useful), and then try and retry the stack...
should this too fail to work, search for your input in memory (in
the 30:0 L ffffffff selector, as usual) and breakpoint range on
it with ReadWrite, and then stack, stack, stack... until you get
the "real" list of calls coming from your babe's protection.
:stack ; let's see
USER(19) at 073F:124C [?] through 073F:1239
CTL3D(02) at 2C3F:0D53 [?] through 2C3F:0D53
DISKOMAT(01) at 2C97:20B9 [?] through 2C97:20B9
DISKOMAT(01) at 2C97:3D94 [?] through 2C97:3D94
DISKOMAT(01) at 2C97:49E2 [?] through 2C97:4918
DISKOMAT(04) at 2C7F:EA20 [?] through 2C7F:EA20
USER(01) at 04A7:19BE [?] through USER!GETWINDOWTEXT
== CTL3D(02) at 2C3F:24BE [?] through 04A7:3A3C
OK, so the code is in selector 137:(as usual), and you have there
43000 bytes of code from 401000 to 401000+43000; the DATA,
ReadWrite and ReadOnly, are in selector 13F: (as usual).
OK, so, for our cracking purposes, it's Handle 0x350. Most of
the time the "nag" window you want to crack will be the first
one in the hwnd listing (coz it was the last one to appear).
Watch the number in parentheses that follows the Whandle: (1) is
a mother, (2) are "children" windows. At times you'll find under
"Class Name" something like "Edit" (see before the Winformant
cracking)... SNIFF THERE! At times the "Window Procedure" code
location in a list of more than twenty, will be slightly
different for one or two windows... SNIFF THERE!
4) BREAKPOINT MESSAGE WM_GETTEXT (or any other WM_ that you can
think of in order to "pinpoint" the code of our babe).
"Pinpointing" the code is extremely important in windows
cracking... this idiotic OS moves code, data and stack out and
inside the pages all the time... so you'll keep getting on
"INVALID" sections without a correct pinpointing. Good
Pinpointing points are in general:
BMSG xxxx WM_GETTEXT (good for passwords)
BMSG xxxx WM_COMMAND (good for OK buttons)
BPRW *your babe* TW (good for tracking)
u USER!GETWINDOWTEXT (u and then BPX inside the code)
u GETDLGITEM (for the Hwnd of an Item inside a
Dialog Box)
CSIP NOT GDI (if you have too much interference)
u USER!SHOWWINDOW (bpx with counter occurrence to get to
the "right" window)
u GETSYSTEMTIME (for "time-crippled" software)
and many other pinpointing points you'll learn. If you are
really desperate for pinpointing, just do a BMSG xxxx WM_MOVE and
then move the nag window, this will always work. Let's go on:
6) SEARCH THE DATA AREA for your input string (4 Gigabytes from
30:0... remember that DATA are *always* in 30:0 to 30:FFFFFFFF
and CODE is *always* in 28:0 to 28:FFFFFFFF). In most protection
the "registration_number" string must match the "username"
string, which cannot be constrained, in order to allow users to
choose whatever stupid name they fancy. Some protections require
fixed symbols inside the "username" string, though... in these
rare eventualities, just apply to the "username" string what
we'll do here with the "registration_number" string. The point
to remember is: begin always with the protection fumbling your
number, crack only if necessary the protection that fumbles your
name. Let's search now.
OK Now we'll begin to dig out the relevant parts of the code.
Remember that you must breakpoint *every* copy of the string that
protection generates. A typical copy routine, very frequently
used in windows copy protection schemes, dwells inside
KERNEL!HMEMCPY (+0076):
We'll now find out where protection stores the "magic" sum (and
now you'll pop out inside the very own snap32 code, this is the
"real" protection part):
As you can see, the protection is very simple: The "magic" sum
is hidden only two lines before the further manipulations of the
input string. We have found location 137:404384, here, in the
CORRECT way, through bprring of the string that has been
manipulated in the GDI, but actually, we could have found it
quickly just checking superficially what's happening "around" all
manipulations of the input string. Do we really need to follow
all manipulations of our registration_number and eventually also
all manipulation of our username? NO, not at all: we just set a
BPR on the stack location where protection hides the sum [EBP-10]
and we'll see what happens: 90% of these protections just create
two sums, a sum from your username and a sum from your
registration_number... somewhere there will be a compare that
must use this location (or a copy of it... we'll see).
That's it, you have made it! We found the compare between the
"username" magic number (for my "+ORC+ORC" string that's here
0x7C25621B) in AX (we do not need to know how this landed
there... it's irrelevant!) and the "license_number" '12121212'
(whose magic is here 0x00B8F47C) stored in [pointer-10]. How do
we find now the correct INPUT number for +ORC+ORC? Well, it's
easy... the "magic number" must be the same... therefore:
Cracked=Dec(0x7C25621B)
Cracked=2082824731
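The comparison just dissected, as an added C model that is neither the tutorial's code nor Snap32's real routine: a hypothetical magic_sum over the user name is compared against the typed license string parsed as a decimal number, so the "Bingo" is a pure function of data the user already controls and the Dec(0x...) step above is all that separates the two. The seed, the multiply-add and the "+ORC+ORC" test name are constructed for this example; the two numeric conversions checked are the tutorial's own values.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical 32-bit "magic sum" over the user name. The tutorial
 * says the real function is irrelevant to the crack, and this stand-in
 * shows why: it is a fixed, unkeyed function of the name alone. */
uint32_t magic_sum(const char *name)
{
    uint32_t sum = 0x12345678u;                        /* constructed seed */
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        sum = sum * 31u + *p;                          /* plain multiply-add */
    return sum;
}

/* The license side of the compare: the decimal string is simply read
 * as a number, which is why '12121212' shows up as 0x00B8F47C and why
 * Dec(0x7C25621B) is the winning input. Returns 0 for a non-number. */
uint32_t license_value(const char *license)
{
    char *end = NULL;
    unsigned long typed = strtoul(license, &end, 10);
    if (end == license || *end != '\0')
        return 0;
    return (uint32_t)typed;
}

/* The weak check: expected value and user input are computed in the
 * same frame and decided by one compare (the "password proximity" of
 * the previous lesson). Anyone who can read either operand can pass. */
int weak_check(const char *name, const char *license)
{
    uint32_t expected = magic_sum(name);               /* the "Bingo" */
    uint32_t typed    = license_value(license);
    return typed == expected;
}

/* The Dec(0x...) step done in code: writes the decimal form of the
 * value weak_check() expects for this name. */
void expected_license(const char *name, char *out, size_t outlen)
{
    snprintf(out, outlen, "%lu", (unsigned long)magic_sum(name));
}

/* Self-check: the derived decimal passes, an unrelated number fails.
 * Defender's note: no tweak to magic_sum repairs this design, since a
 * check that is a pure function of visible inputs can always be
 * inverted by whoever reads the binary. */
int self_check(void)
{
    char buf[16];
    expected_license("+ORC+ORC", buf, sizeof buf);
    return weak_check("+ORC+ORC", buf) == 1 &&
           weak_check("+ORC+ORC", "12121212") == 0;
}

int main(void)
{
    char buf[16];
    expected_license("+ORC+ORC", buf, sizeof buf);
    printf("'12121212' as a number: 0x%08X\n", license_value("12121212"));
    printf("expected license for +ORC+ORC in this toy: %s (check=%d)\n",
           buf, self_check());
    return 0;
}
```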
That was it. Old Snap32 has been cracked. You could now
prepare a crack in order to distribute this program around
without its simple protection. Good cracked applications should
be given free (i.e. cracked) to all the people that NEED them and
do not have the money to buy them. Don't forget that in this
intolerable society the 0,5% of the citizens own the 56% of the
industrial capital and the 63% of the propaganda machines (data
from US researchers... therefore suspect... the real situation
is probably even worse) effectively conditioning the destiny of
millions of slaves, moronized by television watching. So crack
the applications and give them to the people you care and the
people that need them, but for the others... just EXPLAIN
to everybody how you did it... this is real help: giving knowledge,
not wares. DO NOT use my handle and my codes to crack this
program, get yours, I gave you mine only as a help for this
cracking lesson. I have shown you the way enough... THIEVES, not
crackers, use the codes that others have found. You are (gonna
be) CRACKERS! Remember it, look straight ahead, crack accurately
and keep your tummy in.
1) Choose an archie from this list (I will not explain to you what
an archie is, you should know it... if you do not, be ashamed):
archie.univie.ac.at 131.130.1.23 Austria
archie.belnet.be 193.190.248.18 Belgium
archie.funet.fi 128.214.6.102 Finland
archie.univ-rennes1.fr 129.20.254.2 France
archie.th-darmstadt.de 130.83.22.1 Germany
archie.ac.il 132.65.16.8 Israel
archie.unipi.it 131.114.21.10 Italy
archie.uninett.no 128.39.2.20 Norway
2) Email a message to your archie:
To: archie.univie.ac.at (for instance)
Subject: (nothing on this field)
Body: set search sub (substrings too)
set maxhits 140 (max 140 hits)
set maxhitspm 9 (not the same file all over)
find snap32 (we want this)
3) After a while you'll get (per email) your answer: Here the
answer from the Austrian archie
HOW TO CRACK, by +ORC, A TUTORIAL
---------------------------------------------------------------------------
---------------------------------------------------------------------------
site's internal network and the wild and woolly Internet where
have to deal with the same problem we have: getting OUT through
travel between the server and the client. This provides a way to
the policy of the site, the firewall must make sure that all
cracking attempts
represent the basic forms; most other firewalls employ the same
from one network (the Internet) to the other (the internal net
than communicating directly, the client and the server both talk
A proxy on the bastion host does not just allow free rein
The use of proxy software on the bastion host means that the
platforms, PC, Sun, IBM, DEC, HP...) and a great burden for
to the internal net such that the bastion host is the only
machine that can be reached from the outside. Unlike the dual-
get into.
The bastion host in a screened host firewall is protected
on the bastion host. Further, it may allow that traffic only FROM
SPECIFIC EXTERNAL HOSTS. For example the router may allow Usenet
you can crack not only the bastion host, but also the inner
lot of back doors and bugs, that you'll find in the appropriate
example of how you could crack in this way, read the whole
is good": the bigger the software package, the more chance that
we can find some security related bugs... and all packages are
Delphy!
Finally, remember that the logs are (mostly) not on the bastion
The dual-homed gateway and the screened host are probably the
1) The CERN Web server handles not only HTTP but also the other
protocols that Web clients use and makes the remote connections,
environment variables.
/pub/security/socks.cstc/socks.cstc.4.2.tar.gz
The toolkit contains many useful tools for cracking firewall and
sendmail).
/pub/firewalls/toolkit/fwtk.tar.Z
The popular PC firewall solution is the "PC Socks Pack", for MS-
file.
archie server and "spoof" the firewall into believing that you
are the archie server. You'll need the help of a fellow hacker
you can send packets from port 20, and that in a screened host
/dist/internet_security/berferd.ps
correct zen-cracking: you must *FEEL* that some code (or that
Some suggestions have been given above, but teaching you how
believe you can crack it without knowing anything at all. So, for
your sake, I'll teach you HOW TO LEARN IT, not HOW TO DO IT
above. For text, start with Marcus Ranum's paper "Thinking about
others.
You can find for free on the web quite a lot of early
versions of proxy software. Study it, study it and then study it
small BBS which uses a firewall version you already studied very
do not know anything about the software they use). As soon as you
If you feel ready and everything went well so far, if your zen-
ahead! You will then be able to try your luck on the Cyberspace
and get quickly busted (if you did not follow my admonitions and
jewels... :=)
viewed as a door or window in the walls. Not all these doors have
secure and reliable locks. The more openings are available, the
criteria.
* Terminal type
(firewalled) net will take your claim at face value and send you
will find you out pretty quickly if you do not). The best method
HOW TO CRACK, by +ORC, A TUTORIAL
---------------------------------------------------------------------------
---------------------------------------------------------------------------
[BARCODES]
First of all, let me stress the importance of cracking in
our everyday life. Cracking is not just about software, it's
about information, about all patterns of life. To crack is to
refuse to be controlled and used by others, to crack is to be
free. But you must also be yourself free from petty conventions
in order to crack properly.
You must learn to discern cracking possibilities all around
yourself, and believe me, the development of this ghastly society
brings every day new codes, protections and concealing
mechanisms.
All around us grows a world of codes and secret and not so
secret patterns. Codes that are at times so familiar and common
that we do not even notice them any more... and yet they are
there to fool us, and yet they offer marvellous cracking
possibilities.
Let's take as a striking example BARCODES... those little
lines that you see on any book you buy, on any bottle you get,
on any item around you... do you know how they work? If you do
not you may be excused, but you cannot be excused if you never
had the impulse to understand them... crackers are curious by
nature... heirs of an almost extinct race of researchers that has
nothing in common with the television slaves and the publicity
and trend zombies around us. Crackers should always be capable of
going beyond the obvious, seek knowledge where others do not see
and do not venture.
[BARCODE HISTORY]
Let's begin with a little history. Universal Product Code
(UPC) was adopted for commercial use by the grocery industry in
the USA. Among the advantages were a rapid, accurate and reliable
way of entering stock information into a computer and the
possibility to sack a lot of workers and to make more profit. The
early success led to the development of the European Article
Numbering System (EAN), a symbology similar to UPC, that is
widely used in Europe and in the rest of the World. I'll teach
you to crack this one, since I do not -fortunately- live in the
States. Keep in mind, anyway, that there are different barcode
symbologies, each with its own particular pattern of bars. The
UPC/EAN code used on retail products is an all-numeric code; so
is the Interleaved 2 of 5 Code. Code 39 includes upper case
letters, digits, and a few symbols. Code 128 includes every
printable and unprintable ASCII character code. The newest ones
are 2-D codes. These are special rectangular codes, called
stacked barcodes or matrix codes. They can store considerably
more information than a standard barcode. They require special
readers which cost more than a standard scanner. The practical
limit for a standard barcode depends on a number of factors, but
20 to 25 characters is an approximate maximum. For applications
that need more data, matrix codes are used. For example, the next
time you receive a package from United Parcel Service look for
a small square label with a pattern of dots and a small bullseye
in the centre. This is a MaxiCode label, and it is used by UPS
for automatic destination sorting.
The manufacturer's ID number on the barcode uniquely
identifies products. These numbers are managed by the Uniform
Code Council in Dayton, Ohio for the States and Canada and by the
EAN authority (International Article Numbering Association) in
Bruxelles, for Europe and the rest of the World. The
manufacturer's ID number accounts for some digits of the code,
which leaves other digits to be assigned in any way the producer
wants. He provides retail outlets with a list of his products and
their assigned codes so that they can be entered in the cash
register system. Many codes are NOT on the products and are added
by the supermarkets on the fly, using an internal code schema
that may be non standard. Now it's enough... let's crack.
BARCODES are the only thing an automated cashier needs to see
on a product to calculate its price and automatically catalogue
the sold merchandise... imagine (just imagine it :=) coz it would
be extremely illegal to act in this way) somebody would fasten
an adhesive home-made codebar label directly on top of the
supermarket/mall/retail store label, say on a bottle of Pomerol
(that's a very good but unfortunately very expensive French
wine).
The new label would mean for the cashier something like
"cheap wine from Bordeaux, France, cost so and so, everything
is OK, do not worry"... do you think that anybody would come
to the idea that there is something wrong with the label, with
the bottle or with you? I have been codebaring for years and had
only once a problem, coz my printer was running out of ink and
the scanner in the supermarket could not read it... so what? Act
uninterested, always wear jackets of the utmost quality, Shetland
pullovers and beautiful expensive shoes... (all articles that you
may codebar too, by the way); in this society appearance and look
count much more than substance and knowledge... LET'S USE THIS
TO OUR ADVANTAGE! Nobody will ever come to the idea that you may
actually really know the working of the scheme... coz codebar is
pretty complicated and not exactly exceptionally public. On the
Web there is a lot of information about it, but most of it is
useless; unless you know how to search, most of the time you'll
find only sentences like this one:
"The calculated check digit is the twelfth and final
digit in the U.P.C.code. It is calculated based on a
specific algorithm, and is necessary to ensure that
the number is read or key-entered correctly."
But good +ORC will now explain to you everything you need to crack:
Now watch some labels yourself... see the difference between the
numbers on the left and the numbers on the right? The first "half"
of the barcode is coded using sets A and B, the second "half"
using set C. As if that were not enough, A and B are used inside
the first "half" in a combination that varies and depends on the
value of digit #0, following 10 different patterns:
#0   #1 #2 #3 #4 #5 #6
 0    A  A  A  A  A  A
 1    A  A  B  A  B  B
 2    A  A  B  B  A  B
 3    A  A  B  B  B  A
 4    A  B  A  A  B  B
 5    A  B  B  A  A  B
 6    A  B  B  B  A  A
 7    A  B  A  B  A  B
 8    A  B  A  B  B  A
 9    A  B  B  A  B  A
"Ah! Stupid buyer will never understand why the same values give
different bars! Nothing is as reliable as barcodes!" :=)
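As an added example (mine, not part of +ORC's text), here is the reader's side of the patterns above in Python: recovering the first digit that a left-half A/B parity pattern implies, and checking a scanned 13-digit number against its check digit. The weights 1 and 3 of the standard EAN-13 check digit are not spelled out on this page and are taken from the public standard; the sample number is constructed for the walk-through.

```python
# Added example, not the lesson's code. Parity table copied from the lesson;
# the check-digit weights (1,3,1,3,...) are the standard EAN-13 rule and are
# an assumption not stated on the page.

# Parity of the six left-hand digits, indexed by the implicit first digit (#0).
LEFT_PARITY = {
    0: "AAAAAA", 1: "AABABB", 2: "AABBAB", 3: "AABBBA", 4: "ABAABB",
    5: "ABBAAB", 6: "ABBBAA", 7: "ABABAB", 8: "ABABBA", 9: "ABBABA",
}


def first_digit_from_parity(pattern: str) -> int:
    """Recover the first digit from the A/B pattern a scanner sees on the
    left half; raises ValueError for a pattern that no digit produces."""
    for digit, p in LEFT_PARITY.items():
        if p == pattern.upper():
            return digit
    raise ValueError("no EAN-13 first digit has parity pattern %r" % pattern)


def ean13_check_digit(first12: str) -> int:
    """Standard EAN-13 check digit over the first twelve digits:
    odd positions weigh 1, even positions weigh 3, result = (10 - s) % 10."""
    if len(first12) != 12 or not first12.isdigit():
        raise ValueError("expected twelve decimal digits")
    s = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(first12))
    return (10 - s % 10) % 10


def ean13_is_valid(code: str) -> bool:
    """True when `code` is 13 digits and its last digit is the check digit."""
    return (len(code) == 13 and code.isdigit()
            and ean13_check_digit(code[:12]) == int(code[12]))


def parity_matches_code(code: str, observed_pattern: str) -> bool:
    """Cross-check a read: the parity pattern seen on the left half must agree
    with the code's first digit, otherwise the scan (or the label) is off."""
    return LEFT_PARITY[int(code[0])] == observed_pattern.upper()


if __name__ == "__main__":
    SAMPLE = "5901234123457"   # constructed sample with a correct check digit
    print(ean13_is_valid(SAMPLE), first_digit_from_parity("ABBAAB"))
```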
[INSTANT ACCESS]
The (c) Instant Access routines are a commercial protection
scheme used to "unlock" complete commercial applications that
have been encrypted on CD-ROMs which are distributed (mostly)
through reviews.
This is an ideal cracking target: it's commercial software,
complete, uncrippled and of (relatively) prominent quality, that
you can get in tons for the price of a coke. Obviously this kind
of protection represents an ideal subject for our lessons. This
fairly intricate protection scheme has not yet been cracked by
anybody that I am aware of, anyway not publicly, therefore it's
an ideal candidate for a "strainer" to my university. I'll teach
you here how to crack it in three lessons, C.1, C.2 and C.3. I warn
you... it's a difficult cracking session, and this protection
represents quite an intellectual challenge. But if you are
seriously interested in our trade you will enjoy these lessons
more than anything else.
This cracking is intended as an "assignment" for my +HCU
"cracking university": you'll find inside lessons C.1 and C.2 a
relatively deep "introduction" to Instant Access cracking. This
will teach you a lot anyway, and spare you hours of useless
roaming around, bringing you straight to the cracking point. But
I'll release the third part of this session, with the complete
solution (lesson C.3) on the Web only in October 1996, not a day
before. All the students that would like to apply to the Higher
Cracking University, opening on the web 01/01/1997, should work
in July, August and September (three months is more than enough
time) on this assignment. They should crack completely the
Instant Access scheme and send me their solutions, with a good
documentation of their cracking sessions, before 30/09/1996
(WATCH IT! You can crack this scheme by -at least- three
different paths, be careful and choose the *best* one. WATCH IT!
Some of the information in lessons C.1 and C.2 is slightly
incorrect: check it!).
There are four possibilities:
1) The candidate has not found the crack or his solution is
not documented enough or not viable enough... the candidate
is therefore not (yet) crack-able, he will not be admitted
to the +HCU 1997 courses, better luck in 1998;
2) The cracking solution proposed by the candidate is not as
good as mine (you'll judge for yourself in October) but it
works nevertheless... he'll be admitted to the 1997
courses;
3) The cracking solution of the candidate is more or less
equal to mine, he'll be admitted, personally monitored, and
he'll get all the material he needs to crack on higher
paths;
4) The cracking solution of the candidate is better than mine,
he'll be admitted, get all the material he wishes and asked
to teach us as well as study with us: "homines, dum docent,
discunt".
E-mail +ORC
+ORC an526164@anon.penet.fi
HOW TO CRACK, by +ORC, A TUTORIAL
---------------------------------------------------------------------------
---------------------------------------------------------------------------
[INSTANT ACCESS]
--------------------------------------
[SEE LESSON C.1 for the first part of this cracking session]
Here follow the relevant protection routines for the first
(the "Registration") number_code of Instant Access, with my
comments: you have to investigate the following code a little.
Later, when you crack on your own, try to recognize the
many routines that fiddle with input BEFORE the relevant (real
protection) one. In this case, for instance, a routine checks the
correctness of the numbers of your input:
This_loop_checks_that_numbers_are_numbers:
1B0F:2B00 C45E06 LES BX,[BP+06] ; set/reset pointer
1B0F:2B03 03DF ADD BX,DI
1B0F:2B05 268A07 MOV AL,ES:[BX] ; get number
1B0F:2B08 8846FD MOV [BP-03],AL ; store
1B0F:2B0B 807EFD30 CMP BYTE PTR [BP-03],30
1B0F:2B0F 7C06 JL 2B17 ; less than zero?
1B0F:2B11 807EFD39 CMP BYTE PTR [BP-03],39
1B0F:2B15 7E05 JLE 2B1C ; between 0 & 9?
1B0F:2B17 B80100 MOV AX,0001 ; no, set flag=1
1B0F:2B1A EB02 JMP 2B1E ; keep flag
1B0F:2B1C 33C0 XOR AX,AX ; flag=0
1B0F:2B1E 0BC0 OR AX,AX ; is it zero?
1B0F:2B20 7507 JNZ 2B29 ; flag NO jumps away
1B0F:2B22 8A46FD MOV AL,[BP-03] ; Ok, get number
1B0F:2B25 8842CC MOV [BP+SI-34],AL ; Ok, store number
1B0F:2B28 46 INC SI ; inc storespace
1B0F:2B29 47 INC DI ; inc counter
1B0F:2B2A C45E06 LES BX,[BP+06] ; reset pointer
1B0F:2B2D 03DF ADD BX,DI ; point next number
1B0F:2B2F 26803F00 CMP BYTE PTR ES:[BX],00 ; input end?
1B0F:2B33 75CB JNZ 2B00 ; no:loop next num
check_if_sum_other_9_numbers_=_remainder_of_the_third_number:
:4B79 8CD0 MOV AX,SS ; we'll work inside the stack...
:4B7B 90 NOP
:4B7C 45 INC BP
:4B7D 55 PUSH BP ; save real BP
:4B7E 8BEC MOV BP,SP ; BP = stackpointer
:4B80 1E PUSH DS ; save real Datasegment
:4B81 8ED8 MOV DS,AX ; Datasegment = stacksegment
:4B83 83EC04 SUB SP,+04
:4B86 C45E06 LES BX,[BP+06] ; BX points input_start
:4B89 268A07 MOV AL,ES:[BX] ; load first number
:4B8C 98 CBW ; care only for low
:4B8D C45E06 LES BX,[BP+06] ; reset pointer
:4B90 50 PUSH AX ; save 1st number
:4B91 268A4701 MOV AL,ES:[BX+01] ; load 2nd number
:4B95 98 CBW ; only low
:4B96 8BD0 MOV DX,AX ; 2nd number in DX
:4B98 58 POP AX ; get 1st number
:4B99 03C2 ADD AX,DX ; sum with second
:4B9B C45E06 LES BX,[BP+06] ; reset pointer
:4B9E 50 PUSH AX ; save sum
:4B9F 268A4707 MOV AL,ES:[BX+07] ; load 8th number
:4BA3 98 CBW ; only low
:4BA4 8BD0 MOV DX,AX ; 8th number in DX
:4BA6 58 POP AX ; old sum is back
:4BA7 03C2 ADD AX,DX ; sum 1+2+8
:4BA9 C45E06 LES BX,[BP+06] ; reset pointer
:4BAC 50 PUSH AX ; save sum
:4BAD 268A4703 MOV AL,ES:[BX+03] ; load 4rd number
:4BB1 98 CBW ; only low
:4BB2 8BD0 MOV DX,AX ; #4 in DX
:4BB4 58 POP AX ; sum is back
:4BB5 03C2 ADD AX,DX ; sum 1+2+8+4
:4BB7 C45E06 LES BX,[BP+06] ; reset pointer
:4BBA 50 PUSH AX ; save sum
:4BBB 268A4704 MOV AL,ES:[BX+04] ; load 5th number
:4BBF 98 CBW ; only low
:4BC0 8BD0 MOV DX,AX ; #5 in DX
:4BC2 58 POP AX ; sum is back
:4BC3 03C2 ADD AX,DX ; 1+2+8+4+5
:4BC5 C45E06 LES BX,[BP+06] ; reset pointer
:4BC8 50 PUSH AX ; save sum
:4BC9 268A4705 MOV AL,ES:[BX+05] ; load 6th number
:4BCD 98 CBW ; only low
:4BCE 8BD0 MOV DX,AX ; #6 in DX
:4BD0 58 POP AX ; sum is back
:4BD1 03C2 ADD AX,DX ; 1+2+8+4+5+6
:4BD3 C45E06 LES BX,[BP+06] ; reset pointer
:4BD6 50 PUSH AX ; save sum
:4BD7 268A4706 MOV AL,ES:[BX+06] ; load 7th number
:4BDB 98 CBW ; only low
:4BDC 8BD0 MOV DX,AX ; #7 in DX
:4BDE 58 POP AX ; sum is back
:4BDF 03C2 ADD AX,DX ; 1+2+8+4+5+6+7
:4BE1 C45E06 LES BX,[BP+06] ; reset pointer
:4BE4 50 PUSH AX ; save sum
:4BE5 268A4708 MOV AL,ES:[BX+08] ; load 9th number
:4BE9 98 CBW ; only low
:4BEA 8BD0 MOV DX,AX ; #9 in DX
:4BEC 58 POP AX ; sum is back
:4BED 03C2 ADD AX,DX ; 1+2+8+4+5+6+7+9
:4BEF C45E06 LES BX,[BP+06] ; reset pointer
:4BF2 50 PUSH AX ; save sum
:4BF3 268A4709 MOV AL,ES:[BX+09] ; load 10th #
:4BF7 98 CBW ; only low
:4BF8 8BD0 MOV DX,AX ; #10 in DX
:4BFA 58 POP AX ; sum is back
:4BFB 03C2 ADD AX,DX ; 1+2+8+4+5+6+7+9+10
:4BFD 0550FE ADD AX,FE50 ; clean sum to 0-51
:4C00 BB0A00 MOV BX,000A ; BX holds 10
:4C03 99 CWD ; only AL
:4C04 F7FB IDIV BX ; remainder in DX
:4C06 C45E06 LES BX,[BP+06] ; reset pointer
:4C09 268A4702 MOV AL,ES:[BX+02] ; load now # 3
:4C0D 98 CBW ; only low
:4C0E 05D0FF ADD AX,FFD0 ; clean # 3 to 0-9
:4C11 3BD0 CMP DX,AX ; remainder = pampered #3?
:4C13 7407 JZ 4C1C ; yes, go on good guy
:4C15 33D2 XOR DX,DX ; no! beggar off! Zero DX
:4C17 33C0 XOR AX,AX ; and FLAG_AX = FALSE
:4C19 E91701 JMP 4D33 ; go to EXIT
let's_go_on_if_first_check_passed:
:4C1C C45E06 LES BX,[BP+06] ; reset pointer
:4C1F 268A4701 MOV AL,ES:[BX+01] ; now load #2 anew
:4C23 98 CBW ; only low
:4C24 05D7FF ADD AX,FFD7 ; pamper adding +3
:4C27 A38D5E MOV [5E8D],AX ; save SEC_+3
:4C2A 3D0900 CMP AX,0009 ; was it < 9? (no A-F)
:4C2D 7E05 JLE 4C34 ; ok, no 0xletter
:4C2F 832E8D5E0A SUB WORD PTR [5E8D],+0A ; 0-5 if A-F
:4C34 C45E06 LES BX,[BP+06] ; reset pointer
:4C37 268A07 MOV AL,ES:[BX] ; load 1st input number
:4C3A 98 CBW ; only low
:4C3B 05C9FF ADD AX,FFC9 ; pamper adding +7
:4C3E A38F5E MOV [5E8F],AX ; save it in FIR_+7
:4C41 0BC0 OR AX,AX ; if #1 > 7
:4C43 7D05 JGE 4C4A ; no need to add 0xA
:4C45 83068F5E0A ADD WORD PTR [5E8F],+0A ; FIR_+7 + 0xA
now_we_have_the_sliders_let's_prepare_for_loop:
:4C4A C45E0E LES BX,[BP+0E] ; Set pointer to E
:4C4D 26C747020000 MOV WORD PTR ES:[BX+02],0000 ; 0 flag
:4C53 26C7070000 MOV WORD PTR ES:[BX],0000 ; 0 flag
:4C58 C706975E0900 MOV WORD PTR [5E97],0009 ; counter=9
:4C5E E99500 JMP 4CF6 ; Jmp check_counter
loop_8_times:
:4C61 C45E06 LES BX,[BP+06] ; reset pointer
:4C64 031E975E ADD BX,[5E97] ; add running counter
:4C68 268A07 MOV AL,ES:[BX] ; load # counter+1
:4C6B 98 CBW ; only low
:4C6C 50 PUSH AX ; save 10th number
:4C6D A18D5E MOV AX,[5E8D] ; ld SEC_+3 down_slider
:4C70 BA0A00 MOV DX,000A ; BX holds 0xA
:4C73 F7EA IMUL DX ; SEC_+3 * 0xA
:4C75 03068F5E ADD AX,[5E8F] ; plus FIR_+7 up_slider
:4C79 BAA71E MOV DX,1EA7 ; fixed segment
:4C7C 8BD8 MOV BX,AX ; BX = Lkup_val=(SEC_+3*10+FIR_+7)
:4C7E 8EC2 MOV ES,DX ; ES = 1EA7
:4C80 268A870000 MOV AL,ES:[BX+0000] ; ld 1EA7:[Lkup_val]
:4C85 98 CBW ; only low: KEY_PAR
:4C86 8BD0 MOV DX,AX ; save KEY_PAR in DX
:4C88 58 POP AX ; repops 10th number
:4C89 03C2 ADD AX,DX ; RE_SULT=KEY_PAR+#10
:4C8B 05D0FF ADD AX,FFD0 ; polish RE_SULT
:4C8E 99 CWD ; only low: RE_SULT
:4C8F 8956FC MOV [BP-04],DX ; save here KEY_PAR [9548]
:4C92 8946FA MOV [BP-06],AX ; save here RE_SULT [9546]
:4C95 0BD2 OR DX,DX ; KEY_PAR < 0?
:4C97 7C0F JL 4CA8 ; yes: KEY_PAR < 0
:4C99 7F05 JG 4CA0 ; no: KEY_PAR > 0
:4C9B 3D0900 CMP AX,0009 ; KEY_PAR = 0
:4C9E 7608 JBE 4CA8 ; no pampering if RE_SULT < 9
:4CA0 836EFA0A SUB WORD PTR [BP-06],+0A ; else pamper
:4CA4 835EFC00 SBB WORD PTR [BP-04],+00 ; and SBB [9548]
:4CA8 C45E0E LES BX,[BP+0E] ; reset pointer to E
:4CAB 268B4F02 MOV CX,ES:[BX+02] ; charge CX [958C]
:4CAF 268B1F MOV BX,ES:[BX] ; charge BX slider [958A]
:4CB2 33D2 XOR DX,DX ; clear DX to zero
:4CB4 B80A00 MOV AX,000A ; 10 in AX
:4CB7 9A930D2720 CALL 2027:0D93 ; call following RO_routine
This is the only routine called from our protection, inside the
loop (therefore 8 times), disassembly from WCB. Examining this
code please remember that we entered here with following
configuration: DX=0, AX=0xA, CX=[958C] and BX=[958A]...
1.0D93 56 push si ; save si
1.0D94 96 xchg ax, si ; ax=si, si=0xA
1.0D95 92 xchg ax, dx ; dx=0xA ax=dx
1.0D96 85C0 test ax, ax ; TEST this zero
1.0D98 7402 je 0D9C ; zero only 1st time
1.0D9A F7E3 mul bx ; BX slider! 0/9/5E/3B2...
1.0D9C >E305 jcxz 0DA3 ; cx=0? don't multiply!
1.0D9E 91 xchg ax, cx ; cx !=0? cx = ax & ax = cx
1.0D9F F7E6 mul si ; ax*0xA in ax
1.0DA1 03C1 add ax, cx ; ax= ax*0xA+cx = M_ULT
1.0DA3 >96 xchg ax, si ; ax=0xA; si evtl. holds M_ULT
1.0DA4 F7E3 mul bx ; ax= bx*0xA
1.0DA6 03D6 add dx, si ; dx= dx_add
1.0DA8 5E pop si ; restore si
1.0DA9 CB retf ; back to caller with two
parameters: DX and AX
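As an added illustration (mine, not code from the lesson), here is a Python model of the routine at 2027:0D93 and of the ADD/ADC step the main loop performs after its return, written register half by register half so you can check it against the listing: the routine is a 32-bit multiply built from 16-bit MULs, DX:AX = (CX:BX) * (DX:AX) mod 2^32, and since the loop enters it with DX:AX = 0:0xA it multiplies the slider pair by 10 before RE_SULT is added. The names lmul16, accumulate and slider_value are mine, and RE_SULT is assumed to be already "polished" into 0..9.

```python
# Added example, not the lesson's code: a model of the 0D93 routine and of the
# slider update that follows it. Names are mine; RE_SULT assumed in 0..9.
from typing import Tuple

MASK16 = 0xFFFF


def lmul16(cx: int, bx: int, dx: int, ax: int) -> Tuple[int, int]:
    """Register-for-register model of the routine at 2027:0D93.
    Entered with multiplicand CX:BX and multiplier DX:AX; returns (DX, AX)."""
    si = ax                        # xchg ax,si : si = low word of multiplier
    ax = dx                        # xchg ax,dx : ax = high word of multiplier
    if ax != 0:                    # test ax,ax / je 0D9C
        ax = (ax * bx) & MASK16    # mul bx     : only the low word is kept
    if cx != 0:                    # jcxz 0DA3
        ax, cx = cx, ax            # xchg ax,cx
        ax = (ax * si) & MASK16    # mul si
        ax = (ax + cx) & MASK16    # add ax,cx  : sum of the cross products
    si, ax = ax, si                # xchg ax,si : ax = low multiplier again
    prod = ax * bx                 # mul bx     : full 32-bit low product
    dx, ax = (prod >> 16) & MASK16, prod & MASK16
    dx = (dx + si) & MASK16        # add dx,si  : cross products into high word
    return dx, ax                  # retf with DX:AX = (CX:BX)*(DX:AX) mod 2^32


def accumulate(hi: int, lo: int, re_sult: int) -> Tuple[int, int]:
    """One pass of the main loop after the call: the slider pair
    [958C]:[958A] becomes slider*10 + RE_SULT via ADD AX / ADC DX.
    Assumption: RE_SULT is already polished into 0..9, so its
    sign-extended high word [BP-04] is zero."""
    dx, ax = lmul16(hi, lo, 0, 0x000A)   # the loop enters with DX=0, AX=0xA
    ax += re_sult                        # ADD AX,[BP-06]
    carry = ax >> 16
    dx = (dx + carry) & MASK16           # ADC DX,[BP-04]  ([BP-04] = 0 here)
    return dx, ax & MASK16


def slider_value(hi: int, lo: int) -> int:
    """The 32-bit number the two saved words represent."""
    return (hi << 16) | lo


if __name__ == "__main__":
    # Constructed walk-through: RE_SULT values 9, 4, 6 give the sequence
    # 0 / 9 / 5E / 3B2 that the lesson's comment on 'mul bx' lists.
    hi, lo = 0, 0
    for r in (9, 4, 6):
        hi, lo = accumulate(hi, lo, r)
        print("slider = %#x" % slider_value(hi, lo))
```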
Back_to_main_protection_loop_from_RO_routine:
:4CBC C45E0E LES BX,[BP+0E] ; reset pointer
:4CBF 26895702 MOV ES:[BX+02],DX ; save R_DX par [958C]
:4CC3 268907 MOV ES:[BX],AX ; save R_AX par [958A]
:4CC6 0346FA ADD AX,[BP-06] ; add to AX RE_SULT [9546]
:4CC9 1356FC ADC DX,[BP-04] ; add to DX KEY_PAR [9548]
:4CCC C45E0E LES BX,[BP+0E] ; reset pointer
:4CCF 26895702 MOV ES:[BX+02],DX ; save R_DX+KEY_PAR [958C]
:4CD3 268907 MOV ES:[BX],AX ; save R_AX+RE_SULT [958A]
:4CD6 FF0E8D5E DEC WORD PTR [5E8D] ; down_slide SEC_+3
:4CDA 7D05 JGE 4CE1 ; no need to add
:4CDC 83068D5E0A ADD WORD PTR [5E8D],+0A ; pamper adding 10
:4CE1 FF068F5E INC WORD PTR [5E8F] ; up_slide FIR_+7
:4CE5 A18F5E MOV AX,[5E8F] ; save upslided FIR_+7 in AX
:4CE8 3D0900 CMP AX,0009 ; is it over 9?
:4CEB 7E05 JLE 4CF2 ; no, go on
:4CED 832E8F5E0A SUB WORD PTR [5E8F],+0A ; yes, pamper -10
:4CF2 FF0E975E DEC WORD PTR [5E97] ; decrease loop counter
check_loop_counter:
:4CF6 833E975E03 CMP WORD PTR [5E97],+03 ; counter = 3?
:4CFB 7C03 JL 4D00 ; finish if counter under 3
:4CFD E961FF JMP 4C61 ; not yet, loop_next_count
loop_is_ended:
:4D00 C45E06 LES BX,[BP+06] ; reset pointer to input
:4D03 268A4701 MOV AL,ES:[BX+01] ; load 2nd number (2)
:4D07 98 CBW ; only low
:4D08 05D0FF ADD AX,FFD0 ; clean it
:4D0B BA0A00 MOV DX,000A ; DX = 10
:4D0E F7EA IMUL DX ; AX = SEC_*10 = 14
:4D10 C45E06 LES BX,[BP+06] ; reset pointer
:4D13 50 PUSH AX ; save SEC_*10
:4D14 268A07 MOV AL,ES:[BX] ; load 1st number (1)
:4D17 98 CBW ; only low
:4D18 8BD0 MOV DX,AX ; save in DX
:4D1A 58 POP AX ; get SEC_*10
:4D1B 03C2 ADD AX,DX ; sum SEC_*10+1st number
:4D1D 05D0FF ADD AX,FFD0 ; clean it
:4D20 99 CWD ; only low
:4D21 C45E0A LES BX,[BP+0A] ; get pointer to [9582]
:4D24 26895702 MOV ES:[BX+02],DX ; save 1st (1) in [9584]
:4D28 268907 MOV ES:[BX],AX ; save FINAL_SUM (15) [9582]
:4D2B 33D2 XOR DX,DX ; DX = 0
:4D2D B80100 MOV AX,0001 ; FLAG TRUE !
:4D30 E9E6FE JMP 4C19 ; OK, you_are_a_nice_guy
EXIT:
:4D33 59 POP CX ; pop everything and
:4D34 59 POP CX ; return with flag
:4D35 1F POP DS ; AX=TRUE if RegNum OK
:4D36 5D POP BP ; with 1st # in [9584]
:4D37 4D DEC BP ; with FINAL_SUM in [9582]
:4D38 CB RETF
Now the loop ends, having handled the input numbers from tenth
to third. Protection loads the second number and multiplies it
by 10 (let's call this result SEC_*10), in our case 2*0xA=0x14.
Protection loads the first number and adds it to the
multiplication, in our case 1+0x14=0x15 (FINAL_SUM).
Now everything will be added to FFD0 to "clean" it.
Pointer will now be set to the end of the input number.
DX, zeroed by CWD, will be saved as parameter in [9584] and the
cleaned and pampered sum will be saved in [9582].
FLAG is set to true and this routine is finished! No parameters
are passed and the only interesting thing is what actually
happens in the locations [9582], [9584], [958A] and [958C], i.e.:
FINAL_SUM, 0, slider_sum, odd_dx.
In the next lesson we'll crack everything, but I'll give you
already some hints here, in case you would like to go ahead on
your own: we'll see how the scheme used for the third (the
registration) number shows analogies and differences with the
scheme we have studied (and cracked) here for the first number.
Our 3434-3434-3434-3434-34 input string for the registration
number will be transformed into the magic string
141593384841547431, but this will not work because the "magic"
12th number, "1", will not correspond to the remainder calculated
inside this check through the previous locations of the other
checks.
Here things are more complicated because every little
change in your input string transforms COMPLETELY the "magic"
string... therefore in order to pass the strainer you'll have to
change 3434-3434-3434-3434-34 into (for instance)
7434-3434-3434-3434-96. The "magic" string 219702960974498056
that this registration input gives will go through the protection
strainer. Only then we'll be able to step over and finally crack
the whole protection... it's a pretty complicated one as I said.
Now crack it pupils... you have three months time. On this crack
depends your admission to the Uni, there will be no other
admission test till summer 1997 (it's a hell of a job to prepare
this crap)... work well.
E-mail +ORC
+ORC an526164@anon.penet.fi