_CbD_ Tutorial 01: _CbD_ vs. Ultisoft, Inc.

OK, I know the title sounds strange, _CbD_ vs. Ultisoft, Inc., but I decided it was a good title for this tutorial, seeing as I will be attacking five of their programs in it. Let me tell you how this war began. I know you don't care, but I am going to tell you anyway. I was on Windows95.com looking for a good casino game, and what I found was a lot of programs by this Ultisoft, Inc. The bad part is that they were mostly slot games, NO FUN. I also saw that some of them were VB4 programs, so I thought this might be a good place to practice what razzia wrote about VB4 protections. So I downloaded a few of them, unzipped them and checked whether they would let me register. As soon as I started the program a big blue screen popped up asking me to register, which answers that question. Now let's see if the program is any good. Ha ha, this game is awful, but I decided to crack it anyway. So, on to the cracks.

target #1
Name: Cherry Slots
Author: Ultisoft, Inc.
Tools: SoftICE 3.xx
You can get the program at http://www.softsite.com/ulti/95chry44.zip (it is small, about 150k).

I will do this crack in several steps so even the newest of crackers can follow. Before I start I want to thank razzia for his excellent tutorial on VB4. Go get the program and let's crack it.

Step #1: Let's look at the file. In Explorer, right-click it and select QuickView. Scroll down to the Import Table: VB40032.DLL. So this is a VB4 program. That tells us that breakpoints on GetWindowTextA and GetDlgItemTextA won't work for us, so we will have to break on HMEMCPY (the 16-bit KERNEL copy routine that Win95 text reads pass through) to get into the program. Wait, didn't I read a tutorial by razzia about VB4 programs? Yeah, now I remember.
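The QuickView step above is just reading the PE import directory. As an added example (my own code, not the tutorial's and not Ultisoft's), here is a small PE32 import-table walker in Python that does the same check on any 32-bit executable; `build_sample_pe` is a constructed test fixture that fakes the header layout of a VB4 program so the script runs without the real cherry.exe. The DLL names, the load address and the section name are assumptions for the fixture.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # index of the import table in the optional header's DataDirectory


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is not inside any section" % rva)


def _cstring(data, off):
    """Read a NUL-terminated ASCII string at a file offset."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def imported_dlls(data):
    """Return the DLL names listed in a PE32 file's import directory
    (the same list QuickView shows under 'Import Table')."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                           # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    # DataDirectory starts at offset 96 of a PE32 optional header, 8 bytes per entry
    imp_rva, _imp_size = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if imp_rva == 0:
        return []
    off = _rva_to_offset(imp_rva, sections)
    dlls = []
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                           # all-zero descriptor terminates the list
        dlls.append(_cstring(data, _rva_to_offset(name_rva, sections)))
        off += 20
    return dlls


def is_vb4(data):
    """VB4 programs pull in the VB4 runtime (VB40032.DLL for 32-bit, VB40016.DLL for 16-bit)."""
    return any(d.upper().startswith("VB40") for d in imported_dlls(data))


def build_sample_pe(dll_names):
    """Constructed test fixture: a minimal PE32 whose only content is an import
    directory naming the given DLLs. It is not a runnable program."""
    SECT_RVA = SECT_RAW = 0x200
    n = len(dll_names)
    names, name_rvas = bytearray(), []
    for d in dll_names:
        name_rvas.append(SECT_RVA + 20 * (n + 1) + len(names))
        names += d.encode("ascii") + b"\0"
    body = bytearray()
    for rva in name_rvas:
        body += struct.pack("<IIIII", 0, 0, 0, rva, 0)
    body += b"\0" * 20 + names                              # terminator, then the name strings
    body += b"\0" * (-len(body) % 0x200)                    # pad to the file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, SECT_RVA, 20 * (n + 1))
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(body), SECT_RVA, len(body), SECT_RAW,
                       0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + sect
    return bytes(headers + b"\0" * (SECT_RAW - len(headers)) + body)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(["VB40032.DLL", "KERNEL32.DLL"])
    print("imports:", imported_dlls(data))
    print("VB4 program:", is_vb4(data))
```

Run it with a path to an executable to list its imports, or with no arguments to see the fixture. The 16-bit runtime name is included in `is_vb4` because a Win95-era VB4 program can be either flavour, and only the 32-bit one is what the rest of this tutorial breaks into.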
Let's recall what he wrote (if you never read it you should; I will use a lot of his methods here for those who have no idea).

Step #2: Start this little puppy, so run cherry.exe. A big ugly blue screen pops up, and the middle button is REGISTRATION CODE. Click it and the old "enter your registration number" box appears (like you would really buy this game). First let's type in a few numbers to see if it has a preset length for the reg number: 12345678901244567865. Nope, no preset length. Clear that out and enter 7777777 (seven 7's, my favorite) and press REGISTER. We get the old faithful "Registration Failed"; click OK. Our box is gone now; they only give us one chance.

Step #3: Look in the menu and you will see Register. Click it and our box is back. Enter 7777777 again, but DON'T PRESS REGISTER YET. We need to get into SoftICE and set a breakpoint, so press Ctrl-D, and into SoftICE we go. At the prompt type:

BPX HMEMCPY

and press [ENTER]. Now we have a breakpoint on the HMEMCPY function. Press Ctrl-D again and back to Cherry Slots we go. Now press REGISTER and continue to step 4.

Step #4: If you did it right you should be looking at the SoftICE screen; if not, go back and start over from step #1. We are now sitting at the call into HMEMCPY, which is not where we need to be. First disable the breakpoint since we don't need it anymore:

BD 0

Now press F11 (return to caller); SoftICE blinks and pops you right back in. We are now in the function that made the call, which isn't really that important to us either.
What we need to be in is VB40032.DLL, so press F10 (step over) until the text on the line between the code window and the command window reads VB4xxxxxxx. It should look something like this (addresses may differ a bit):

0137:0F730116 CALL EBP
0137:0F730118 MOV [ESP+14], EAX
0137:0F73011C CMP DWORD PTR [ESP+2C], 00
0137:0F730121 JNZ 0F73070C
0137:0F730127 MOV EAX, [ESP+14]
0137:0F73012B POP EBP
0137:0F73012C POP EDI
0137:0F73012D POP ESI

Now we are in the VB4xxxx section of the code. Next we turn to razzia's VB tutorial. razzia has done all the hard work for us and found the VB4 DLL code that compares two strings (in WideChar format!). Here is what it looks like:

:56        push esi
:57        push edi
:8B7C2410  mov edi, [esp + 10]
:8B74240C  mov esi, [esp + 0C]
:8B4C2414  mov ecx, [esp + 14]
:33C0      xor eax, eax
:F366A7    repz cmpsw      ; <-- here the (WideChar) strings at ds:esi
:7405      je 0F79B362     ;     and es:edi get compared
:1BC0      sbb eax, eax
:83D8FF    sbb eax, FFFFFFFF
:5F        pop edi
:5E        pop esi
:C20C00    ret 000C

Now you have enough to crack this program.

Step #5: Now we know the code, let's find it in memory. Search for its opening bytes (only the first 14, since the jump displacement can differ between builds) by typing the following in the command window:

S 0 L FFFFFFFF 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14

and press [ENTER]. You should get something like:

Pattern found at 0030:0F79B348 (0F79B348)

Set a breakpoint on it with BPX 0030:0F79B348 and press F5. We break into SoftICE again, where you should see the code above. Now the question is: does the program have one set serial number that we have to enter, or does it just compare certain letters or numbers of our serial? Let's look at the values here. Display the string at ESI:

D ESI

and you should see the following in the data window (if ESI holds your own 7777777 instead, the other operand is at EDI; the compare is symmetric, so do D EDI):

013F:0044A612 33 00 31 00 36 00 32 00-34 00 37 00 00 00 60 00  3.1.6.2.4.7...`.
What is this? It looks kind of strange, but could this be the serial number? It is 6 digits long, and with the NULs between the characters taken out it reads 316247. Let's see if that's the serial. Do BD 1 to disable our breakpoint, press Ctrl-D and you return to Cherry Slots with the Registration Failed box up. Clear it, go to Register once more, this time enter the code we got from VB4xxxxx, 316247, and press REGISTER. You should get the congratulations message: the game is now registered.

If you want to distribute your cracked game, look in your Cherry Slots directory and you will find a file named cherry.key. That is all you need; pass it around and anyone needs only to put it in their Cherry Slots directory and they are registered too. Although this is easy and takes only a few minutes, I am going to look at making a patch that just gets the nag screens to go away without a correct serial number, as practice. You can use these same steps to crack all of UltiSoft's VB games.

PART 2: The War is Still On, _CbD_ vs. UltiSoft

After looking around their page I found that they also had a few games that were not VB games, so I decided to check them.

target #2
Name: Animated Black Jack
Author: Ultisoft, Inc.
You can get it at http://www.softsite.com/ulti/95anbj11.exe
Tools needed: W32DASM

I downloaded this one, used QuickView, and saw this was not a VB program. I ran the program and noticed it had the same old registration box as the others. So I used SoftICE and set breakpoints on the old GetWindowTextA and GetDlgItemTextA, tried a fake number, and nothing, I didn't pop into SoftICE. Let's try GetWindowText and GetDlgItemText: still nothing, no SoftICE.
So I loaded it into W32DASM and looked at the functions. I saw tons of them; this program uses everything but its own. Several look like we could set breakpoints on and try, but let's look some more. Let's look at the string references (the button should be [Strn Ref]). So many. Let's look for anything dealing with registration. We see "2. In the Registered Version". We could look at that, but what is that funny-looking one right under it? All it says is "508150". That looks odd: it is 6 digits, and we have seen that all of their codes are six digits. No way it can be that easy, can it? Let's check. Start up Black Jack, put 508150 in for a registration number and press [ENTER], expecting it not to work, and boom: "Thank you for Registering". OK, now I have lost all respect for these guys (not that I ever had any). They have to be very careless to hard-code their number that way; instead of sending them the registration fee I think I will send them a Programming for Dummies book. That's it for that one, and all of their other non-VB programs are the same way.

Oh yeah, their installers are flaky and will hang, so just use the task manager (CTRL+ALT+DEL) and End Task on the installer.

This is the list of their programs that I have cracked using these methods:

VB
Cherry Slots        #316247
Dynamite Slots      #884916
Extreme Slots       #196458

Other
Double Wide Slots   #317541
Animated Black Jack #508150

All their other programs are on the site http://www.softsite.com/ulti

I really hope this helped you in some way, if nothing else by showing that sometimes the protection can be this easy.

_CbD_ [ME/C4N'97]
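Both halves of this tutorial come down to scanning memory for bytes: Step #5 searches for razzia's compare routine and then reads the WideChar string at ESI, and Part 2 scans W32DASM's string references for a six-digit literal. As an added example (my own code, not the tutorial's and not Ultisoft's), here is the same work done offline in Python over a constructed 64 KiB image that stands in for process memory; the load address 0F790000, the offsets, and the strings planted in it are assumptions chosen to reproduce the addresses shown above.

```python
import re

# The first 14 bytes of razzia's VB40032.DLL wide-string compare, i.e. the
# bytes the tutorial searches for with "S 0 L FFFFFFFF 56,57,8B,7C,24,10,...".
# The je displacement that follows is left out because it varies between builds.
VB4_CMPSW_SIG = bytes.fromhex("56 57 8B 7C 24 10 8B 74 24 0C 8B 4C 24 14")


def find_signature(image, sig, base=0):
    """Every address where sig occurs in image (image[0] lives at address base).
    This is the SoftICE S command done offline."""
    hits, pos = [], image.find(sig)
    while pos != -1:
        hits.append(base + pos)
        pos = image.find(sig, pos + 1)
    return hits


def read_wide_string(image, addr, base=0, maxchars=64):
    """NUL-terminated UTF-16LE string at addr, which is what the data window
    shows at ds:esi when the breakpoint on the compare routine fires."""
    off = addr - base
    units = []
    for i in range(maxchars):
        unit = bytes(image[off + 2 * i:off + 2 * i + 2])
        if len(unit) < 2 or unit == b"\0\0":
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le", "replace")


def ascii_strings(image, minlen=4):
    """Printable-ASCII runs, the raw material of W32DASM's string-reference list."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, bytes(image))]


def serial_candidates(strings, digits=6):
    """All of Ultisoft's codes were six decimal digits, so a literal of that
    exact shape sitting in the string table is the first thing to try."""
    return [s for s in strings if re.fullmatch(r"\d{%d}" % digits, s)]


BASE = 0x0F790000     # assumed load address for the constructed image below


def build_sample_image():
    """Constructed image standing in for process memory: NOP filler, the
    compare routine at 0F79B348 (as in the tutorial), a wide-char serial,
    and a few ASCII strings like the ones W32DASM listed for Black Jack."""
    img = bytearray(b"\x90" * 0x10000)
    routine = bytes.fromhex(
        "56 57 8B 7C 24 10 8B 74 24 0C 8B 4C 24 14 33 C0 F3 66 A7 74 05 1B C0 83 D8 FF 5F 5E C2 0C 00")
    img[0xB348:0xB348 + len(routine)] = routine
    serial = "316247".encode("utf-16-le") + b"\0\0"
    img[0xA612:0xA612 + len(serial)] = serial
    strings = b"\0".join([b"Registration Failed", b"2. In the Registered Version", b"508150", b""])
    img[0xC000:0xC000 + len(strings)] = strings
    return img


if __name__ == "__main__":
    img = build_sample_image()
    for addr in find_signature(img, VB4_CMPSW_SIG, BASE):
        print("compare routine at %08X" % addr)
    print("wide string at ESI:", read_wide_string(img, BASE + 0xA612, BASE))
    print("six-digit string refs:", serial_candidates(ascii_strings(img)))
```

On a real target you would feed `find_signature` a dump of the VB40032.DLL code section and `ascii_strings` the executable itself; the point of `serial_candidates` is that a hard-coded serial shows up as a string literal before you ever set a breakpoint, which is exactly how Black Jack fell.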