________ SWAT MAGAZINE ISSUE TWENTY ONE: SEPTEMBER 1999_________
/ \___________________________________________/ \
/ How To Crack Tutorial One \
/ By Lithium Joe zetnet.admin@england.com \
-----------------------------------------------------------------------
(sorry about the crap email address, new one coming soon)

Program:   AudioTools 2.4
Materials: Hexworkshop
           W32Dasm v8.93 (or any other version probably)

Introduction
~~~~~~~~~~~~
This is my first cracking tutorial and it will mainly focus on the simpler aspects of cracking. The first program I will look at is AudioTools 2.4. Once you start using the program you will soon come across a major restriction: you can only record for 5 minutes or less. That makes the program pretty useless, but you can soon fix that.

Here's What to do
~~~~~~~~~~~~~~~~
1. Go into the AudioTools directory and copy audio.exe to audiocrk.exe. Working on the copy keeps an untouched original to fall back on if you change the wrong byte, and makes cracking the program much simpler.

2. Start AudioTools and try to record something for more than 5 minutes. You will see the message "The unregistered version has a"... Write this down (or remember it), as you will need it later.

3. Fire up W32Dasm and disassemble audio.exe. Once it is disassembled, click on the string references (StrnREF) and look for the string "The unregistered version has a" (the same message as before). Once you have found it, double click on it and you should be at the position of the message in the code. It should look like this (you might have to scroll up a bit):

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A730(C)
|
:0040A750 C6864006000000          mov byte ptr [esi+00000640], 00
:0040A757 8B86DC030000            mov eax, dword ptr [esi+000003DC]
:0040A75D 3986D8030000            cmp dword ptr [esi+000003D8], eax
:0040A763 7E30                    jle 0040A795          <-- This is it
:0040A765 85C0                    test eax, eax
:0040A767 7E2C                    jle 0040A795          <-- This is it
:0040A769 8B16                    mov edx, dword ptr [esi]
:0040A76B 8BCE                    mov ecx, esi
:0040A76D FF521C                  call [edx+1C]
:0040A770 8B8E7C2A0000            mov ecx, dword ptr [esi+00002A7C]
:0040A776 6A00                    push 00000000
:0040A778 8B01                    mov eax, dword ptr [ecx]
:0040A77A FF5018                  call [eax+18]
:0040A77D 6A00                    push 00000000
:0040A77F 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"The unregistered version has a "
                                        ->"limit of five minutes"
|
:0040A781 6878BC4500              push 0045BC78
:0040A786 E8E0060300              call 0043AE6B
:0040A78B C786D803000000000000    mov dword ptr [esi+000003D8], 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040A763(C), :0040A767(C)
|
:0040A795 8B86D8030000            mov eax, dword ptr [esi+000003D8]
:0040A79B 33D2                    xor edx, edx
:0040A79D F7B614010000            div dword ptr [esi+00000114]
:0040A7A3 8D8E44020000            lea ecx, dword ptr [esi+00000244]
:0040A7A9 50                      push eax
...

If you look at lines 0040A763 and 0040A767 you will see that this is where AudioTools is told to jump-if-less-or-equal (jle) to address 0040A795, which is just after the message that we don't want to see. The code compares two values at 0040A75D and tests eax at 0040A765; only if neither jump is taken does it fall through into the code that displays the message. So if we change each jump-if-less-or-equal into a plain jump, the message is always skipped. Both jle and jmp are 2-byte short jumps here (7E xx and EB xx), so only the opcode byte changes and the displacement (30 and 2C) stays the same, which is why nothing else in the file needs to move.

4. Double click on the line 0040A763 (make sure it is highlighted) and look at the offset at the bottom of the screen: it's A763. Do the same for 0040A767 and write down the offset (A767). Note that the addresses in the listing are virtual addresses, while the offset W32Dasm shows at the bottom is the position in the file; it is the file offset you want in the hex editor. In this program the two happen to share their low digits, but that is not something to rely on in general.

5. Open up Hexworkshop (or any other hex editor) and open the file audiocrk.exe. Go to offset A763 and your cursor will be at 7E (jump if less or equal). Change this to EB (jump). Do the same for the other offset and save the file. If the byte at the offset is not 7E, stop: you are probably looking at a different version of the program and the offsets do not apply.

6. Run audiocrk.exe and record something for 5 minutes. Yippee, no more message. The program is now fully working, but there is one more thing still to do: get rid of " - unregistered" in the title bar, because this looks lame.

7. Go back into W32Dasm and look at the string refs. Look for " - unregistered"; once you have found it, double click on it so you are at the position in the code.

8. You should now have something looking like this:

:00402E78 C744241400000000        mov [esp+14], 00000000
:00402E80 E842DC0200              call 00430AC7
:00402E85 8A8658020000            mov al, byte ptr [esi+00000258]
:00402E8B 84C0                    test al, al
:00402E8D 750E                    jne 00402E9D          <-- this is it

* Possible StringData Ref from Data Obj ->" - unregistered"
|
:00402E8F 68E4B74500              push 0045B7E4
:00402E94 8D4C2408                lea ecx, dword ptr [esp+08]
:00402E98 E8F2CB0200              call 0042FA8F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402E8D(C)
|
:00402E9D 8B4C2404                mov ecx, dword ptr [esp+04]
:00402EA1 51                      push ecx
:00402EA2 8B4C241C                mov ecx, dword ptr [esp+1C]

Line 00402E8D tells AudioTools to jump to line 00402E9D if the byte loaded from [esi+258] is not zero (jne), skipping the push of " - unregistered"; when the byte is zero it falls through and the suffix is appended. So if we change this to jump-if-equal (74) or just jump (EB), the " - unregistered" sign will not appear.

9. Write down the offset of line 00402E8D and go back to Hexworkshop. Go to the offset, where your cursor should be at 75, change this to EB and then save the changes (make sure AudioTools is not running, or the save will fail because the file is in use).

10. Start audiocrk.exe, and there you go: YOU have just cracked AudioTools 2.4.

Pascal source code for the crack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Note that this patcher writes to audio.exe directly rather than to the copy, so keep the backup from step 1. It writes $74 (je) rather than $EB at offset $2E8D; as explained in step 8, either byte removes the suffix.

Uses Crt;

Type
  TPatch = Record
    Offset : Longint;   { file offset of the byte to change }
    Value  : Byte;      { new opcode byte to write there }
  End;

Const
  NumPatches = 3;
  Patches : Array[1..NumPatches] of TPatch =
    ((Offset:$A763; Value:$EB),   { jle -> jmp, skips the five-minute message }
     (Offset:$A767; Value:$EB),   { jle -> jmp, second jump to 0040A795 }
     (Offset:$2E8D; Value:$74));  { jne -> je, never pushes " - unregistered" }

Var
  Ch : Char;
  I  : Byte;
  F  : File;

Begin
  Writeln('By : *TheRiZLa*');
  Writeln('');
  Writeln('Program : AudioTools v2.4');
  Writeln('');
  Writeln('Target : Audio.exe');
  Writeln('');
  Writeln('Comment : Make full version');
  Writeln('');
  Writeln('Greets : S*W*A*T');
  Writeln('');
  Writeln('Press any key to Patch');
  Ch := ReadKey;
  ClrScr;
  Writeln('Patching please wait...');
  Writeln('');
  Assign(F, 'audio.exe');
  {$I-} Reset(F, 1); {$I+}      { open as untyped file with 1-byte records }
  If IOResult <> 0 then
  Begin
    Writeln('Error: Could not open file, No changes have been made');
    Halt(1);
  End;
  For I := 1 to NumPatches do
  Begin
    Seek(F, Patches[I].Offset);
    Ch := Chr(Patches[I].Value);
    BlockWrite(F, Ch, 1);
  End;
  Close(F);
  Writeln('AudioTools v2.4 Patched, Enjoy!');
End.

**---** end of code **---**

This Pascal code will make a very small (5k) .exe file that, when run in the AudioTools directory, will patch audio.exe to make it the full version.

In the next tutorial I will be looking at simple general cracking techniques for removing nag screens.

Have Fun,

Lithium Joe
zetnet.admin@england.com
(sorry about the crap email address, new one coming soon)
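The Pascal patcher above writes its three bytes blindly: run it against any other build of the program and it corrupts whatever happens to sit at those offsets. The following is an added example, not code from the tutorial or from AudioTools, showing the same three patches (offsets and opcode bytes taken from the steps above) done the way a practitioner would want: each original byte is checked before it is overwritten, the output goes to a separate file as in step 1, and a mismatch aborts with no changes made. The zero-filled sample image is constructed here as a stand-in for audio.exe; the hypothetical names apply_patches, verify and make_sample_image are this example's own.

```python
"""Offset patcher with original-byte verification for the three short jumps
described in the tutorial (added example, not the tutorial's own code)."""
from dataclasses import dataclass

JLE_REL8 = 0x7E   # jle rel8  (opcode seen at A763 and A767 in the listing)
JNE_REL8 = 0x75   # jne rel8  (opcode seen at 2E8D)
JE_REL8 = 0x74    # je rel8   (the Pascal patcher's choice for 2E8D)
JMP_REL8 = 0xEB   # jmp rel8  (same 2-byte length, so the rel8 displacement is kept)


@dataclass(frozen=True)
class Patch:
    offset: int   # file offset as shown by W32Dasm at the bottom of the screen
    expect: int   # byte that must be there in the unmodified file
    value: int    # byte to write


# Patches from the tutorial. Only the opcode byte changes; the displacement
# byte after it (30, 2C, 0E) is untouched, so no other code has to move.
AUDIOTOOLS_24_PATCHES = (
    Patch(0xA763, JLE_REL8, JMP_REL8),   # jle 0040A795 -> jmp, skips the message
    Patch(0xA767, JLE_REL8, JMP_REL8),   # second jle 0040A795 -> jmp
    Patch(0x2E8D, JNE_REL8, JMP_REL8),   # jne 00402E9D -> jmp, skips " - unregistered"
)


class PatchMismatch(Exception):
    """Raised when a target byte is not what the unmodified file should contain."""


def verify(data: bytes, patches=AUDIOTOOLS_24_PATCHES) -> list:
    """Return a list of problems (empty if every patch site matches)."""
    problems = []
    for p in patches:
        if p.offset >= len(data):
            problems.append(f"offset {p.offset:#x} is beyond end of file ({len(data):#x})")
        elif data[p.offset] != p.expect:
            problems.append(
                f"offset {p.offset:#x}: found {data[p.offset]:02X}, "
                f"expected {p.expect:02X}; wrong version of the program?"
            )
    return problems


def apply_patches(data: bytes, patches=AUDIOTOOLS_24_PATCHES) -> bytes:
    """Return a patched copy of data, or raise PatchMismatch without changing anything."""
    problems = verify(data, patches)
    if problems:
        raise PatchMismatch("; ".join(problems))
    buf = bytearray(data)
    for p in patches:
        buf[p.offset] = p.value
    return bytes(buf)


def patch_file(src: str, dst: str, patches=AUDIOTOOLS_24_PATCHES) -> int:
    """Read src, write the patched image to dst (the copy from step 1), return patch count."""
    with open(src, "rb") as f:
        data = f.read()
    patched = apply_patches(data, patches)
    with open(dst, "wb") as f:
        f.write(patched)
    return len(patches)


def make_sample_image(size: int = 0xB000) -> bytes:
    """Constructed stand-in for audio.exe: zeros, with the listing's jump bytes
    (opcode + displacement) placed at the offsets quoted in the tutorial."""
    buf = bytearray(size)
    buf[0xA763:0xA765] = bytes([0x7E, 0x30])   # :0040A763 7E30  jle 0040A795
    buf[0xA767:0xA769] = bytes([0x7E, 0x2C])   # :0040A767 7E2C  jle 0040A795
    buf[0x2E8D:0x2E8F] = bytes([0x75, 0x0E])   # :00402E8D 750E  jne 00402E9D
    return bytes(buf)


if __name__ == "__main__":
    import sys
    src = sys.argv[1] if len(sys.argv) > 1 else "audio.exe"
    dst = sys.argv[2] if len(sys.argv) > 2 else "audiocrk.exe"
    try:
        print(f"wrote {dst} with {patch_file(src, dst)} patches")
    except (OSError, PatchMismatch) as err:
        print(f"error: {err}")
        sys.exit(1)
```

Run it as `python patcher.py audio.exe audiocrk.exe` from the AudioTools directory; the original is never written to. If you want the je variant the Pascal code uses, change the third entry's value to JE_REL8: either byte works, because the only difference is whether the suffix is skipped always or only when the flag byte is zero, and for a plain jmp the flag is never consulted.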