Muad'Dib's Tutorials

"Well, Muad'Dib brings us 4 of his own exploits including his own CrackMe. I should perhaps point out that these examples are simplistic in the extreme :-), but I guess we all had to start somewhere. This tutorial will be the last I will accept or write with ad nauseam basic techniques which most of my readers ought now to be VERY familiar with". However maybe you can find a use for the MASM patcher". "Slightly edited by CrackZ".

Desktop Switch 1.3 - Simple nag removing.
Desktop Themes 1.87 - Simple key generator.
Muad'Dib's CrackMe #1 - Trivial removal of a nag (tsch, tsch and he doesn't even correct the stack :-) ).
Spynet Internet Mail - Simple StringRef cracking with a Win32 ASM patch.

File :- - (5k).

OK...Lets get right into it...I'll assume some cracking knowledge but you should get along fine if you don't have any. First of all, run the program. A standard windows message box comes up. Now, if you know anything about the windows API you'll know that the call is MessageBoxA. Since this is a small program, I'll be using W32Dasm. Disassemble the program and search for the function MessageBoxA. You'll get this code :-

:004012BF PUSH 00000000

* Possible StringData Ref from Data Obj ->"Please register!"

:004012C1 PUSH 0040302D

* Possible StringData Ref from Data Obj ->"I want your money! Please send "
    ->"me $20 to get rid of this screen!"

:004012C6 PUSH 0040303E
:004012CB PUSH 00000000

* Reference To: USER32.MessageBoxA, Ord:01BBh

:004012CD CALL 00401314 <-- CALL IT!.

The part that I commented as "CALL IT!" is the important part. All we have to do is NOP that out...Well...Here's how we do it. 004012CD is the code address. Next to it you'll see E842000000. That's what we need to get rid of. So open up your favourite hex editor and search for that....It's normally smart to search for things around it so I normally do this :-

6A00E842000000 as my search string (the PUSH 0 before it too). Change E842000000 to 909090909090 (a 90 in hex is NOP, meaning no operation). Now run the program again. Poof! No nag!.

Spynet Internet Mail

File :- - (175k)

Spynet Internet Mail is a small e-mail program that can be used to quickly send or get e-mail. I know the programmer, but as soon as he got recognised by software magazines, he became an asshole, so I chose this program to do a tutorial on. This is actually the first program I ever cracked.....ahh sweet revenge. He seems to be a good programmer, but lacks in protecting his software. This program comes down to reversing a single jump. First, load the program in W32Dasm. If you don't have it, go to and download it from the tools section. This is my favourite site by the way :-). Let's get back on track. When you load it, go into the String Data Refs section (ALT + R + S). Search for the string "error: inc...". Wow, it's right there. This promises to be easy. Double click it and you see this :-

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

:00409FB1 PUSH 00000010

* Possible StringData Ref from Data Obj ->"Spynet Internet Mail - application error"

:00409FB3 PUSH 0041C424

* Possible StringData Ref from Data Obj ->"error: incorrect registration "

:00409FB8 PUSH 0041CECC

* Reference To: USER32.MessageBoxA, Ord:01BEh

:00409FBE CALL DWORD PTR [00423810]

Go to the blue highlighted address, 00409F66. You see this :-

:00409F66 JE 00409FB1 (7449)
:00409F68 PUSH 00000030

* Possible StringData Ref from Data Obj ->"Spynet Internet Mail"
:00409F6A PUSH 0041C450

* Possible StringData Ref from Data Obj ->"Thank you for registering Spynet "
->"Internet Mail 1.0!"

:00409F6F PUSH 0041CEF8
:00409F74 PUSH EBP

* Reference To: USER32.MessageBoxA, Ord:01BEh

Wow! This looks EXTREMELY easy :-). Let's go into our HEX editor and change the 7449 to 9090. This will make it go straight to "you registered". You COULD change it to JNE, but then it would only jump if they entered an invalid serial. Test it by running the program and entering any serial...Wow! It works. Now to make a patch. I do everything in Windows 32 Assembly language.

Desktop Switch 1.3

Protection: Every few times you switch virtual desktops, a nag screen comes up.

This can be rather annoying, so let's patch it :-). Open it up in W32Dasm. Look through the SDR items and try to find the dialog string "NOTIFICATION" as that comes up when it is nagging you. It seems to not show up. We know from clicking about (you did do the about box, didn't you? :-) that the one that says "ABOUTDIALOG" is actually the about box. Let's be crazy and try "SWITCH". It seems to have a call to DialogBoxParamA later on! Let's go to the menu Functions/Imports and see about this call. Double click the function DialogBoxParamA and it'll search for you.

Do this numerous times. Notice that it is called in only 2 different places! One of them has the "ABOUTDIALOG" string pushed, so that can't be it. Let's go with the one that says "SWITCH". Note the code in front of the call:

FF15F0A14000 CALL [USER32!DialogBoxParamA]

Search for this in your hex editor. We know that it will be the second call, so search twice. We get the offset 75D. Patch the whole call with NOPs (909090909090). Save it and run DesktopSwitch. You'll notice that it doesn't nag you anymore!

Now you can edit the EXE file with a resource editor to get rid of the "Register" button, or leave it intact.

Desktop Themes v1.87

I'll mainly be focusing on taking apart the algorithm here, so I assume you know how to find it in SoftICE and how to break and such. Pretty easy keygen here, so let's get to it. The first thing you want to break on are standard functions then trace through a bit. Eventually you'll find some code that looks like this :-

:0040570A TEST ECX, ECX ; Test length for 0.
:0040570C JBE 00405726 ; If 0 jump bad.

:0040570E MOVSX EDX, BYTE PTR [EBP+EAX-30] ; Get a letter.
:00405713 MOV EDI, EAX
:00405715 AND EDI, 1 ; Bitwise AND.
:00405718 INC EDI ; Increment.
:00405719 IMUL EDX, EDI ; Multiply.
:0040571C ADD EDX, EAX ; Add to serial.
:0040571E ADD DWORD PTR [EBP-04], EDX ; Store it.
:00405721 INC EAX ; Increment counter.
:00405722 CMP EAX, ECX ; Compare EAX with length.
:00405724 JB 0040570E ; If below continue.

:00405726 XOR DWORD PTR [EBP-04], 82644404 ; Now XOR.
:0040572D JGE 00405737
:0040572F MOV EAX, DWORD PTR [EBP-04] ; EAX = serial.
:00405732 NEG EAX ; NEG it.

That's it! Pretty simple, no?. Now just construct your key generator.

That's all for now!


greenball.gif (835 bytes) Newbies greenball.gif (835 bytes) Return to Main Index

© 1999 Hosted By CrackZ. Muad'Dib 19th December 1999.