MEXELITE '97 PRESENTS "Your first Windoze crack" by YOSHi Introduction. ------------- There is one reocurring thing I see in all cracking tutorials; they are not suitable for the absolute beginner. Either they dont explain what the debugger is doing or they go too fast and skip over sections. With this, I hope to set some people straight on the fundamental issues of cracking Windoze95 programs. By the way if you are somewhat experienced please leave now; you will not learn anything you dont already know. Beginning. ---------- Ok, the first thing you need to do is download the "target", we will use a horribly limited program called "Hot Chilli 2.0". It is a decent program for creating Java applets with a major restriction: you can only use this program 4 times in 9 days and you can't use your applets unless you register the program. So download this, it is on all Tucows sites under "HTML Special Effects". The only other thing you need is Softice. Here I'm using version 3.0, but it makes no difference what version your using. Now load up Softice in your config.sys (by the way, for anyone who cares, "ice" means "in-circut emulator") and run HotChilli. Notice the nag at the beginning? Its hard to miss and very annoying. But look, there is the option to register! So click on that, and enter a name and a code. Now enter Softice (probably control-d) and type "bpx hmemcpy" (What is bpx? Bpx makes Softice break on a call to a Windoze function, such as hmemcpy, messagebox, etc. What is hmemcpy? Hmemcpy means "high memory copy"; it copies data from one place to another, like when it reads your bogus info, so the program can access it there). Now return to HotChilli and press enter, and Softice will pop up. Now type 's 0 l ffffffff "yourregcode"' (What is this "s 0 l ffffffff" garbage? This will make Softice look through the memory to find the string specified in the quotes). Softice will give you an address, and the offset s probably above 8000000, because thats where Windoze keeps its temporary data. So anyway, type "bpm theaddresssofticegivesyou" (What is bpm? Bpm is a breakpoint on a memory range, and Softice will break on all read or writes to or from that address). Now press control-d again to leave Softice (Why???? Because we want to see where our string checked. When we enter, be broke due to hmemcpy. Since that's not what we want, we press control-d again. Now we are in the code of hmemcpy, but we see in our code window at the top: "REP MOVSD". So its moving our string! Press F10 a few times to get past the "REP MOVSB". Now we want to look for our string again, becaude it just got moved. So instead of typing 's 0 l ffffffff "yourregcode"' we can just type "s" and it will repeat the search for you. Softice will give you a new address but this time instead of typing "bpm theaddress" we want to change the first bpm, because Windoze is bound to so something else with that space sometime or another, either during this cracking session or the next, causing unnecessary breaks. So type "bpe 01" (What is Bpe? Bpe edits a previously added breakpoint. Why 01? You could type "bl" (lists all your breakpoints) but we know we've only entered 2 breakpoints, and the first one is numbered "00". Anyway, Softice should show something like "BPMB 0030:80126431 RW". Just change the address to the new one, and press enter. Now press control-d to leave softice, and you break in at the comparison routine. You will see something that looks like this: Mov cx, yourcode Mov dx, goodcode Cmp cx, dx All you have to do now is type one of the following: ed dx d dx ? dx The first will let you modify the value while showing it to you, The second will show you the value, And so will the third. Now type "bd *" (What? Bd * disables all breakpoints) and go back to the program and put in the correct code. MAKING A KEY GENERATOR. ----------------------- Instead of searching for your code, look for your name (and bpm on it). Write down -Everything- that is done to the name to make the code. Now write a program in C that will get a name (name = gets();), build the code from it and then show the user the valid code. Contacting the Author. ---------------------- Look for YOSHi or _YOSHi on EfNet, and while your at it stop by #cracking4newbies, we love to help people out.