 _________ SWAT MAGAZINE ISSUE SIXTEEN: APRIL 1999 __________
/         \___________________________________________/      \
           Cracking
           By Viper
-----------------------------------------------------------------------

Hi Guys,

OK, this is my first article for the Swateam, so it's not very good; credit goes to all the other members who write such good articles! I decided to go for a different topic: cracking. Basically, cracking covers anything from finding a serial number (and thereby obtaining the registered version of a program) to cheating in games.

Basic tools needed:

  Softice 3.x for Windows
  A hex editor (such as Hacker's View)
  Quick View (available on the Windows 95 CD-ROM)

Another useful thing would be a little knowledge of a programming language such as C/C++ or Pascal. A basic knowledge of assembly would also be useful. Here are a few instructions you will need to know:

  MOV  :- moves data from one address/register to another, e.g. MOV AX,DX (moves the contents of the DX register into the AX register)
  CMP  :- compares two operands (registers, memory or immediate values) and sets the flags for the conditional jump that follows (this is usually how a program compares the real serial number with the one typed in by the user)
  JMP  :- same as BASIC's GOTO: simply jumps to an address unconditionally, e.g. JMP 1234 (jumps to address 1234)
  JNZ  :- jumps to an address if the result of the last operation was not zero
  JZ   :- jumps to an address if the result was zero
  JNE  :- jumps to an address if the two operands of the preceding CMP were not equal (it is the same instruction as JNZ, just written this way after a CMP), e.g.
            CMP OurSerial,RealSerial   ; compare our serial to the real one
            JNE                        ; jump if the two serials are not equal, normally to the error message
  PUSH :- moves data onto the stack
  POP  :- moves data off the stack
  CALL :- calls a function at a specific address, e.g. CALL 1234 (calls the function at 1234)
  RET  :- returns to the program at the instruction after the CALL that invoked the function

This is the basic assembly you need to get started.

OK, so why do I need Softice? Well, Softice is a debugging tool: it lets the user step into a program and see what it is doing.

How do I start it up?
Well, you need to put the line

  c:\(directory where softice 3.x is installed)\winice.exe

at the end of your autoexec.bat file if you want to use it all the time, or just type "winice" in your softice directory whilst in DOS. (It is possible to choose whether to load softice or not using batch programming, which I will probably tell you how to do next time, depending on the success of this article.)

Once Windows has booted up with softice loaded, pressing CTRL-D will switch between Windows and Softice. A daunting black screen will appear. It may look complicated, but it's really quite simple. The top window displays the contents of each register, the next one down shows the contents of memory addresses, the next one down shows the instructions being executed, and the bottom one lets you enter commands.

Basic commands used in Softice:

  BPX : sets a breakpoint on execution of something (e.g. on the function behind a window that asks for a serial number)
  BPR : sets a breakpoint on a memory range
  BC  : removes a breakpoint
  S   : searches memory for a string, e.g. S 0 L FFFF "Hello" (searches that range of memory for "Hello")
  D   : displays the contents of a memory range, e.g. D 0:FFFF

Setting a breakpoint makes the program drop into Softice when it executes the thing the breakpoint is set on, so that the user can see what the program is doing. That's all we need to know about commands for now.

So, first we'll try to crack a serial number. The first thing we do is load whatever program we want to crack and find the serial number entry screen. Now jump into Softice by pressing CTRL-D. We need to see what the program does with our serial number, and what it compares it with, to find out the real one. The easiest way is to set a breakpoint on the point of the program where our serial number is read in. So, type this at the command line:

  BPX GetWindowItemTextA RW

This sets a breakpoint on the Windows function used to read in the serial number.
If this is not recognised, you need to go to your softice directory, find the winice.dat file, and edit out the semi-colons in the example symbols section. If all goes well, you should have set the breakpoint. Now return to the program (press CTRL-D again), enter any old serial number, say 123456, and press enter. Softice should appear automatically. (If it does not appear, go into Softice and type "BPX GetDlgItemTextA RW", which is a different function Windows uses for text entry but does the same basic thing as GetWindowItemTextA.)

The instruction that has just been run will be highlighted. This is where the assembly comes in. Basically, you step through the program using F10 and look for places where CMP is used, then display the operand of the CMP with D. The operand can be a memory address or a register: for CMP 1234,AX, typing D AX will show you what AX holds, and that is the correct serial number.

This is only the very basics of cracking, and more advanced programs will use better protection to stop crackers. In the next edition I hope to give a step-by-step guide on cracking WinZip 7.0 and other programs too. This text file should give you a little taster of the basics of cracking, and get you started at least with some basic programs.

By Viper
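The weakness the walkthrough above relies on is that the genuine serial sits in memory as a plain string and is one operand of the CMP, so displaying that operand reads it straight out. The following C program is an added example (not from the article or any product it mentions) showing that pattern beside a check that stores only a hash of the serial. The serial "SWAT-16", the djb2 hash and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample serial for this example; not from any real product. */
static const char REAL_SERIAL[] = "SWAT-16";

/* Weak check: the pattern the article describes. The genuine serial is
 * stored as a plain string and handed straight to strcmp, so the compare
 * loop the compiler emits (CMP/JNE on each byte) has the real serial as
 * one operand, and displaying that operand in a debugger reveals it. */
int weak_check(const char *entered)
{
    return strcmp(entered, REAL_SERIAL) == 0;
}

/* djb2 string hash (Bernstein's well-known algorithm), 32-bit,
 * wrapping arithmetic. Not cryptographic; it is only here to show
 * the principle of comparing a digest instead of the secret itself. */
uint32_t djb2(const char *s)
{
    uint32_t h = 5381u;
    for (; *s != '\0'; s++)
        h = h * 33u + (unsigned char)*s;
    return h;
}

/* Only the hash of the genuine serial is stored (djb2("SWAT-16"),
 * precomputed). The final CMP now has a 32-bit digest as its operand,
 * so displaying that operand in a debugger no longer yields the serial. */
static const uint32_t REAL_SERIAL_HASH = 3365481784u;

int hashed_check(const char *entered)
{
    return djb2(entered) == REAL_SERIAL_HASH;
}

/* Runs both checks on the same inputs so the reader can compare them. */
int main(void)
{
    const char *tries[] = { "123456", "SWAT-16" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-8s weak=%d hashed=%d\n", tries[i],
               weak_check(tries[i]), hashed_check(tries[i]));
    return 0;
}
```

The hashed form only removes the shortcut of reading the serial out of the compare; it still ends in a single CMP/JNE that a debugger can locate, which is why, as the article notes, more advanced programs use better protection than one comparison. A real product would also use a cryptographic hash or signature rather than djb2.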