
_CbD_ Tutorial #6

Modifying DLLs to give real reg codes
Target: VoxPhone

Pre Crack notes:

Ok, how many of you have wanted to crack a program and have it give you the real registration code instead of the "Sorry, you entered an invalid code" message? Hmm, thought so, everyone. Ok, well, that is what this tut is all about. This will show you one of many ways to do this. The program we will be working with uses a DLL to check our reg number, so this will also give you a little info on cracking DLLs.

About the Tut.

Target: Vox Phone
Where to get it: www.voxware.com
Protection type: user ID number / key number
Tools needed: SoftICE, W32Dasm, Hiew (hex editor)
Tut requested by: JosephCo & nIabI
Crack requested by: DarkNight

Well, if you have ever read any of my tuts then you are aware of my style of cracking. Step by step is the best way for newbies to follow IMHO, so that is how this tut will flow.

Pre Crack notes

You will need to run the program while you are on the net, then disconnect so you can use the breakpoint we will need. If you try to do this online you will break every time your system gets info from your ISP, but the program will not start if you are not online, so make sure you're online when you start, then log off. Also you will have to click on [Help] > Register, fill out the form and tell it you are going to send your registration in by mail; after that you will be able to enter a registration number.

Step 1:

Ok, let's start by setting the breakpoints we will need in SoftICE. The one we will use first is GetDlgItemTextA, so set that in SI (BPX GETDLGITEMTEXTA), then press Ctrl-D to return to our program. Now let's go back to [Help] > Register and you will see the box asking for a reg code. Enter anything you want, as long as it fills the box or is at least 10 digits long, and then press Unlock.

Step 2:
You should be in SoftICE now at the point where our program called the GetDlgItemTextA function. Press F11 to get back to the code that called this. You should see something like the code below:

0137:00691E8C CALL [USER32!GetDlgItemTextA] <-- Call to get our unlock code
0137:00691E92 MOV ECX,FFFFFFFF
0137:00691E97 SUB EAX,EAX
0137:00691E99 REPNZ SCASB
0137:00691E9B NOT ECX
0137:00691E9D DEC ECX
0137:00691E9E CMP ECX,0A <-- Check to see if code is 10 digits
0137:00691EA1 JZ 00691EE3 <-- Jump if it is
0137:00691EA3 LEA EAX,[ESP+74] <-- set msg for invalid code
0137:00691EA7 PUSH 006AC444
0137:00691EAC PUSH EAX <-- save msg
0137:00691EAD CALL 006A0370
0137:00691EB2 LEA EAX,[ESP+7C]
0137:00691EB6 ADD ESP,08
0137:00691EB9 PUSH 30

Ok, as you can see here the program checks to see if we entered a code that is 10 digits long. If we did, then it will jump to the code below; if not, then it displays an invalid code msg.

0137:00691EE2 RET
0137:00691EE3 MOV EDI,006B3AD0 <-- we land here if code is 10
0137:00691EE8 MOV ECX,FFFFFFFF
0137:00691EED SUB EAX,EAX

Ok, now you will have to press F10 to single-step through the code till you come to the code below.

0137:00691F1E CALL 006936E0 <-- Generate real code here
0137:00691F23 LEA ECX,[ESP+4C] <-- if we do a ED ESP+4C here we get the real code
0137:00691F27 ADD ESP,0C
0137:00691F2A PUSH 006B84B0
0137:00691F2F PUSH ECX <-- Save real code
0137:00691F30 CALL 006AA980 <-- call to compare our code with real code
0137:00691F35 ADD ESP,08

I have skipped some code here; just scroll down and you will see this.

0137:00691F3A MOV EAX,[006B78B4]
0137:00691F3F JNZ 00691F53 <-- jump if code is invalid
0137:00691F41 MOV WORD PTR [EAX+04],0001
0137:00691F47 XOR EAX,EAX
0137:00691F49 POP EDI
0137:00691F4A POP ESI
0137:00691F4B POP EBX
0137:00691F4C ADD ESP,00000130
0137:00691F52 RET
0137:00691F53 LEA ECX,[ESP+74] <-- set up for invalid code msg
0137:00691F57 PUSH 006AC444
0137:00691F5C MOV WORD PTR [EAX+04],0000
0137:00691F62 PUSH ECX
0137:00691F63 CALL 006A0370
0137:00691F68 LEA ECX,[ESP+7C] <-- This is where we will make our change in order to get our real number. (This may not be 7C, as I can't remember; I had changed it before I wrote down the code.)

Ok, damn, that is a lot of code. Well, what is happening here is our program (the Rsagnt32.dll) is getting ready to give us that damn "Sorry you fucked up" message. The program copies the string we will see in the message box right here to ECX, then pushes ECX a few lines down, but we don't want it to push the message, we want it to push our real code, don't we? So we will need to make a few changes here. Remember where I said our real code was?

:00691F23 LEA ECX,[ESP+4C] <-- if we do a ED ESP+4C here we get the real code
:00691F27 ADD ESP,0C

Well, do you think you see what needs to be done? Yeah, change the ESP+7C to ESP+4C, right? Nope, that won't work. If you do that you will only get the last 5 letters of the code, because the code starts before 4C, so we need to do a ED ESP+4C and see what we get. Hmm, well, what we want to see is our code start on the first line of the data window, like below:

:009BEBD4 49505848 544E4A54 00005443 00000004 HXPITJNTCT......
:009BEBE4 00000000 00000000 02EF005C 02EF0004 ................
:009BEBF4 034P3AA0 02EF7E3B 7P1R0500 18078394 0.> .....0....
:009BEC04 00004389 00000000 382780D4 40000000 C........'8...0

Now to do this we will have to play with ESP, so to save you time, I have found that ESP+48 will do the trick. So what we will need to do is change LEA ECX,[ESP+7C] to LEA ECX,[ESP+48]; this will yield us a real code every time in the place of that damn "Sorry you fucked up" message. So now you can do one of 2 things: (1) restart the registration process and when you get to the line with LEA ECX,[ESP+7C] on it, do a ED xxxx:00691F68, then write down what you see in the data window so you can change it, or (2) I will give you the info you will need when you run your hex editor.

You will need 8D4C247C83C408. Do a search for that in your hex editor (use Hiew, it is the best) and replace the 7C with 48, and then save your file (make a backup before you do this though). Now when you run the program you will get a message that tells you that a DLL is corrupted; go on to the next step to fix that.
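Before moving on to the exe, here is a constructed C model (added here; it is not VoxPhone's or Rsagnt32.dll's code) of why the check above is exposed by a single byte, beside a check that is not: the listing's design computes the real code into a stack buffer and compares it, so the real code has to exist in the client's memory, whereas a signature-based design holds only a public key and can verify a code without ever being able to produce one. The generator, the user ids and the toy 12-bit RSA parameters are assumptions for illustration.

```c
/* Constructed illustration, not VoxPhone/Rsagnt32.dll code: the listing's
 * check pattern (generate the real code, then compare) beside a design that
 * holds no real code at all. The generator is hypothetical; RSA is toy-sized. */
#include <stdint.h>
#include <string.h>
#define CODE_LEN 10   /* the CMP ECX,0A length check in the listing */

/* Stand-in for CALL 006936E0: whatever it computes, the client computes it,
 * so its output can be redirected into the message box. */
void generate_code(const char *user_id, char out[CODE_LEN + 1]) {
    uint32_t h = 2166136261u;                        /* FNV-1a of the user id */
    for (const char *p = user_id; *p; p++) { h ^= (unsigned char)*p; h *= 16777619u; }
    for (int i = 0; i < CODE_LEN; i++) { out[i] = 'A' + h % 26; h = h * 1103515245u + 12345u; }
    out[CODE_LEN] = '\0';
}

/* Vulnerable design: the expected code lands in a stack buffer (the ESP+4C
 * area) a few bytes from the error-message buffer (ESP+74), then is compared. */
int check_vulnerable(const char *user_id, const char *entered) {
    char real[CODE_LEN + 1];
    if (strlen(entered) != CODE_LEN) return 0;       /* REPNZ SCASB ... CMP ECX,0A */
    generate_code(user_id, real);                    /* real code is now in memory */
    return strcmp(real, entered) == 0;               /* CALL 006AA980 then JNZ */
}
int roundtrip_vulnerable(const char *user_id) {      /* generate, then check */
    char code[CODE_LEN + 1];
    generate_code(user_id, code);
    return check_vulnerable(user_id, code);
}

/* Hardened design: the reg code is the vendor's signature over the user id.
 * The client holds only (PUB_E, PUB_N), so it can verify a code but never
 * produce one; there is no real code in its memory for a patch to expose. */
#define PUB_N  3233u   /* 61 * 53, toy size: a real product uses a proper scheme */
#define PUB_E  17u
#define PRIV_D 2753u   /* vendor side only; included here so the example runs */
static uint32_t modpow(uint32_t b, uint32_t e, uint32_t m) {
    uint64_t r = 1, x = b % m;
    for (; e; e >>= 1, x = x * x % m) if (e & 1) r = r * x % m;
    return (uint32_t)r;
}
static uint32_t id_digest(const char *user_id) {     /* FNV-1a reduced mod PUB_N */
    uint32_t h = 2166136261u;
    for (const char *p = user_id; *p; p++) { h ^= (unsigned char)*p; h *= 16777619u; }
    return h % PUB_N;
}
uint32_t vendor_issue_code(const char *user_id) { return modpow(id_digest(user_id), PRIV_D, PUB_N); }
int check_hardened(const char *user_id, uint32_t code) {
    return modpow(code, PUB_E, PUB_N) == id_digest(user_id);
}
```

A signature-based check still ends in a conditional jump that can be flipped like the ones in step 3; what it removes is the real code from the client, not the client's last word on the result.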

Step 3:
In the main program file tx32.exe do the following: ok, in Hiew search for 85C0752C50, then edit it in code mode and change the jnz to jz or vice versa. Then there is one more: search for 85C0752E33FF and change its jnz to jz or vice versa. I can't remember if they are jnz or jz, but whatever it is, change it to the opposite. Or you can do a BPX MESSAGEBOXA and find the jumps on your own. (Hint: addresses are :0041CD27 & :0041D267.) Well, that is about it. After you make the changes you can run the program and get your real number from it, then register it. Sorry if this is not as clear as most of my tuts, but I only wrote down the code that I needed while I was cracking and made notes about the rest, so if you have any trouble just find me on EFnet in #cracking4newbies and I will be glad to explain.

Oh yeah, you can't unregister the program after you register it, so make sure you get a good understanding of how it all works before you register the program.

Hope this helps you to better understand DLL cracking and making a msg box show you the real reg codes for your program. _CbD_

Greetz to:
josephCo, nIabI, Mornings, ^pain^, drlan, mp, razzi and
all the rest of #Cracking4newbies
