L0phtCrack 2.52 for Win95/NT - Cracking Tutorial by Goatass
BEGINNER (X) - NEWBIE () - INTERMEDIATE () - ADVANCED ()
First off, L0phat Heavy Industries is one of the best
hacking groups out there today along with some others that release
some of the best hacking/security tools. I am a newbie but I will
do my best to teach you how to crack L0phtCrack 2.52 which is the
latest NT password cracking tool.
About this protection:
This is a very simple time trial/serial number protection. An unlock
code gets compared with a pre-assigned serial number. I was very
surprised to find out that such a great hacking group didn't bother
to protect their trademark tool very well. They are selling it for $100.
Ok well lets get going with the crack.
What you will need:
- L0phtCrack 2.52 (http://www.l0pht.com/l0phtcrack/)
- your eyes
This is a memory echo crack which should be very easy for all newbies.
First off, make a backup of l0phtcrack.exe incase you screw something up.
Run the program and you should see a nag screen showing you how many days
you have left (15 days total) and there is also a "Register" button.
Click the "Register" button and you should see a dialog box with a
grayed out box with the pre-assigned serial number and below it there
will be a box for your unlock code. The unlock code is alphnumeric but
that doesn't matter right now. Go ahead and put any number you like, I
used 12345678 for my unlock code.
Now go into SoftIce (CTRL+D) and set a breakpoint on GetWindowTextA
(BPX GetWindowTextA). The approach here is to break right after the
program reads your unlock code and then uses it along with the
pre-assigned serial number to generate and compare the good unlock code.
Now get out of SoftIce (X) and click the OK button. SoftIce breaks,
press F11 to return to the calling function, that read in the
pre-assigned serial number. Now press F5 to read your unlock code,
SoftIce breaks a second time, press F11 again and now you are in the
program's code. Trace through the code until you get to this part:
:406345 MOV EAX, [EBX] <-- if you type D EAX you will see
the code you entered.
:406347 LEA ECX, [ESP+1C] <-- here is the unlock code, D ECX
to see it.
If you dump ECX you will see two 8 digit alphanumeric strings they are
both the correct unlock codes. Why two ? you'll see in a second.
Next we see the program PUSHing EAX and ECX onto the stack then comes
the CALL to compare the codes.
:40634D CALL 00426260 <-- this is where the program compares
your number and the first unlock
code. Since you entered a wrong
code the CALL will return with
EAX=FFFFFFFF (-01), if the code
you entered was correct it would
return with EAX=00000000
:406355 TEST EAX, EAX <-- checks to see what the CALL returned,
if the code is good or not.
:406357 JZ 004063A2 <-- if the CALL returned 00, good code,
jump to "Thank You"
Now the program gives you another try and does the exact same thing as
above with the second code.
:406359 MOV EAX, [EBX] <-- here is your the code you entered
:40635B LEA EDX, [ESP+2C] <-- and here is the second unlock code,
type D EDX to see the 2nd code
:406361 CALL 00426260 <-- here is that same call for comparing
the codes, same as before the
program will return EAX=FFFFFFFF (-01)
I skipped some code here that does the same as above with the TEST and
JZ. Since the code you entered was wrong the program proceeds to the
:406376 CALL 0045666B <-- this is the call to display the nag
Now you can get out of SoftIce and try your new unlock code and you'll
There are a few ways of going about cracking this program, the easiest
would be what I have described above but if you want you can force the
jump at 406357 by changing it from JZ to JMP but why screw with the code
if you don't have to.
Another way is to use the program to create a small KeyGen. By changing
one of the two PUSHes before the CALL to the nag screen at 406361 and
making it display the correct code, PUSH [ESP+1C] or PUSH [ESP+2C].
That's all for this tutorial I hope I helped you better understand the
memory echo concept. This was a very easy crack but keep in mind that
many other programs use the same way for protection.
I just want to say THANK YOU to my mentor zip for getting me started
with cracking. Also great thanks goes out to EDiSON, +ORC, Fravia,
CrackZ, Sandman and all the great people who reverse for knowledge,
keep writing those great tutorials.
I'm out, PEACE !
fy code and debugg programs
that you legaly bought and then for personal use only!!
To ignore this warning is a criminell act and can result in lawful actions!
So please note!
I take no responebility for how you use the information in this essay,
i take NO responebility for what might happen to you or your computer!
You use this information on your own risk!!
What i mean is: Please buy the software!
Essay written by Wiseman ŠTRES2000. All Rights Reserved.