
Software Serial
			Alternative to Serial # Locating

           			  Tutorial #4
			Alternative to Serial # Locating
        		    Target : Business Cards 32 v 4.18
			Level: New to Intermediate

Motive of Crack:
    Well we all know that sometimes we can't seem to find the right serial number
    when we are cracking a program, so this crack is to help you to better understand
    that there are other ways to register even if you can't find that "GooD" number.
    I will show you that you can simply make the program take any number as a
    "GooD" one. This type of crack can be hard in some cases, but for this example
    I have chosen a fairly simple program for us to use. If you have read my other
    tutorials you should know that I crack in steps to help each of you new crackers
    follow along and hopefully not get lost :-).

About the Crack:
    This crack will have 3 main parts to it, each of them having their own steps for
    you to follow. I hope I have made it easy for you, and if for some reason you
    have trouble with it please feel free to join us on EFNET in #cracking4Newbies
    and ask for help. Please note that we don't mind helping the newest of the
    cracking world to better their skills, as this is what we are here for.


The Target: Business Cards 32 v4.18 
Get it From: http://www.midstream.com 
Protection Type: Serial Number Registration with a 30-day time limit
Requested by:     None 
Tools Needed:     SoftIce, Hiew(or other Hex Editor) 

The Crack 

Part #1
    Ok, let's get the crack started, so go and get the program from midstream
    and install it. Got it installed yet? Well, do it....

Step 1
    Well, let's start this crack by looking at our little program, so load Bcards
    and you will see the nag screen telling us that we are not a registered user
    (not yet anyway) and that you have 30 days to try the program. Well, click to get rid
    of the nag and then click [HELP] [REGISTER]; you will get the little box for you to
    put in your info. Put in the name you want, then the company (if you want), and
    then the serial number.

Step 2
    Now if we wanted to find the "GooD" serial number we would have to use SoftIce
    to find the location where the "GooD" number gets compared to ours, but we don't
    care what the number should be, because we are going to make the program
    take our bogus number (and like it) and then give us registered user status.
    But for us to do this we still have to use SoftIce so we can find where the program
    checks for a valid number, then make it think any number is a good one,
    so let's get into SoftIce and start the work. Press Ctrl-D; this puts you in SI.
    Now we need to break when the program reads our serial number, so
    we will set a BP (BreakPoint) on GetDlgItemTextA (I have already found the right
    function for you), so type BPX GETDLGITEMTEXTA and press enter.
    Now we have the only breakpoint we need for this crack. So get out of SI with
    Ctrl-D.

Step 3
    Now you should be back in Bcards at the registration screen, so press enter
    and you will land back in SI at the GetDlgItemTextA function that was called
    by our program. Well, this is not where we need to be, because our program
    has three different textboxes to read the data from: (1) Name, (2) Company,
    (3) Serial number, and the one we want is the serial number one. So
    let's press F11 to return to the place the function was called from, then press F5
    and let the program continue to run. We will break again at the GetDlgItemTextA
    function; this is where the program gets our company info, which is also not what we
    want, so press F11 to return and then F5. Now we break at the function once more,
    so we press F11 to get to where the function was called from. This is where we
    will start to do the real cracking of the program.

Step 4
    Now that we are in the part of the code that will be checking our serial number
    and deciding if we are a (GooD Guy) or a (Bad Cracker), we will need to do some single
    stepping to see what happens here. So press F10 and watch the lines of code as they
    pass. We will want to stop on the code below.

Your addresses may differ, but the code itself should look the same

:00412C3A    ADD    ESP,04 
:00412C3D    CMP    BX,AX [STOP HERE] <---- compares part of our serial # with parts of the good one 
:00412C40    JNZ    00412C7E <---- if all is good then go ahead and if not the jump 
:00412C42    LEA    EAX, [EBP-0C] so this is one of our points we need to make a change to 


    Ok, we will need to change the JNZ (Jump if Not Zero) to JZ (Jump if Zero), and in doing this,
    if we were to enter a valid serial number the program would not allow it to register, as it
    will then think that it is a bad number. So let's make a note of the address we
    will need to change, and also you should do a D xxxx:00412C40 and then write down
    the value from the data window for later use. Or if you just want to crack your program
    and not make a general crack to distribute, you can make the change in SI like this:

A xxxx:00412C40 [ENTER] <----- Press the Enter Key 
xxxx:00412C40    JZ 00412C7E [ENTER] [ENTER] <---- Press Enter Twice 
    (Note: the xxxx is the first part of the address as you see it on your system; mine is 0137)

    Now this will not modify your program on the disk, only what is running in system memory;
    after you close the program the changes you made will be gone, but if you do all the right
    steps the program will still be registered.
     
Step 5
    Ok, that was one of the 3 changes that will need to be made, because if you scroll down with
    Ctrl-downarrow you will see the following code. After you locate it, press F10 till you get to the
    CMP, then if you wish you can make your changes.

:00412C62    ADD    ESP,04 
:00412C65    CMP    SI,AX [STOP HERE] <---- compares part of our serial # with parts of the good one 
:00412C68    JNZ    00412C7E <---- Notice that the jump is to the same address as before 
:00412C6A    LEA    EAX, [EBP-0C]      so we will need to do the same as we did above 

    Do a D xxxx:00412C68, then write down the value from the data window for this one,
    and again, if you want to, you can make the change from right here in SoftIce:

A xxxx:00412C68 [ENTER] <----- Press the Enter Key 
xxxx:00412C68    JZ 00412C7E [ENTER] [ENTER] <---- Press Enter Twice 

    Now that is the second change; we have one more, then the crack will be done.

Step 6
    Now F10 just a few lines and you will see the code below:
     
:00412C62    ADD    ESP,04 
:00412C65    CMP    EAX, [EBP-0098] [STOP HERE] 
:00412C68    JZ    00412C91     <--- Jump if all the code is good 
:00412C6A    LEA    EAX, [EBP-0C]      
         
    Remember to do a D xxxx:00412C68 and write down the values.
    Now here we will need to change the JZ to a JNZ, and once we have done this we can disable our
    breakpoints and hit F5 or Ctrl-D and let the program continue. As we pop back to the program we
    will see that we are now a registered owner of this program.......


    Ok, we have now cracked this program, and if we want to we can make a general crack
    so everyone can crack their copy. To do this just follow the steps below.

Part 2 

Step 1
    Ok, remember the values I told you to write down? Did you? Well, if not, I have provided them below.

First one was 
    xxxx:00412C40 75 3C 8D 45 F4 50 E8 59 
         ^ ^ ^ ^ ^ ^ ^ ^ <--- Values you will need 

Second one 
    xxxx:00412C68 75 14 8D 45 F4 50 E8 31 
         ^ ^ ^ ^ ^ ^ ^ ^ <--- Values you will need 

Third one 
    xxxx:00412C7C 75 13 8D 45 F4 50 E8 1D 
         ^ ^ ^ ^ ^ ^ ^ ^ <--- Values you will need 

    The following instructions are for users of HIEW only; if you are using a different
    hex editor then you will need to find the commands that do the same procedures.

    Ok, start Hiew by editing the bcards.exe file (make a backup first),
    then do the following:

    1) when Hiew starts press the F4 key to get Hex view
    2) press F7 to search
    3) enter the first string from above (only the ones marked)
    4) press F2 to get the Code view
    5) press F3 to edit the code
    6) press F2 for ASM mode
    7) change the JNZ to a JZ
        (this may show as a JE or a JNE depending on the step you are in, 1, 2 or 3)
    8) press F9 to update
    9) press F10 to exit
     
    Now do the same for each of the three strings; you will need to restart Hiew each time
    to ensure that you are able to get the proper search result
    (note: for the last one make sure you change the JZ to a JNZ).
    After you are done with all three you can then exit Hiew and continue to Part 3.
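From the other side of the fence, the three byte strings listed above are also exactly what a vendor or incident responder would use to tell an intact copy of the binary from a patched one. The script below is an added example, not part of this tutorial: it hashes a binary image, locates each string by its last seven bytes, and reports whether the opcode in front of them is still the 75 (short JNZ) the dump lists or has become 74 (short JZ). The sample images it builds are constructed filler, not the real bcards32.exe, so the offsets are illustrative only.

```python
import hashlib

# x86 short conditional-jump opcodes (one byte, followed by a rel8 displacement).
JNZ_SHORT = 0x75  # JNZ / JNE
JZ_SHORT = 0x74   # JZ / JE
OPCODE_NAMES = {JNZ_SHORT: "JNZ", JZ_SHORT: "JZ"}

# The three 8-byte strings the tutorial tells you to write down: byte 0 is the
# jump opcode, the seven bytes after it are the pattern used to locate it.
SIGNATURES = [
    ("first check",  bytes.fromhex("75 3C 8D 45 F4 50 E8 59")),
    ("second check", bytes.fromhex("75 14 8D 45 F4 50 E8 31")),
    ("third check",  bytes.fromhex("75 13 8D 45 F4 50 E8 1D")),
]

def find_all(image: bytes, tail: bytes) -> list:
    """Return every offset of `tail` in `image` (the jump opcode sits one byte before it)."""
    hits, pos = [], image.find(tail)
    while pos != -1:
        hits.append(pos)
        pos = image.find(tail, pos + 1)
    return hits

def check_image(image: bytes) -> dict:
    """Report, per check, whether the jump opcode still matches the byte the dump lists."""
    report = {"sha256": hashlib.sha256(image).hexdigest(), "checks": {}}
    for label, sig in SIGNATURES:
        expected, tail = sig[0], sig[1:]
        hits = [h for h in find_all(image, tail) if h > 0]
        if len(hits) != 1:  # no match, or several: refuse to guess which one it is
            report["checks"][label] = {"status": "not found" if not hits else "ambiguous"}
            continue
        found = image[hits[0] - 1]
        report["checks"][label] = {
            "offset": hits[0] - 1,
            "opcode": OPCODE_NAMES.get(found, "0x%02X" % found),
            "status": "intact" if found == expected else "patched",
        }
    return report

# Constructed sample image (NOT the real binary): NOP filler, then each signature
# padded with INT3 bytes; `patched=True` flips every jump opcode to JZ.
def build_sample(patched: bool) -> bytes:
    chunks = [b"\x90" * 16]
    for _, sig in SIGNATURES:
        first = bytes([JZ_SHORT if patched else sig[0]])
        chunks.append(first + sig[1:] + b"\xCC" * 8)
    return b"".join(chunks)
```

On a real file, `check_image(open(path, "rb").read())` gives the same report, and the sha256 field is what you would compare against the hash of the shipped release.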

Part 3

    Making a Patch with Gpatch

    Ok, remember I told you to make a backup copy of your file before you used HIEW?
    Well, you should name it like this: Bcards32.bak, and the one you edited should be
    Bcards32.exe (note: you should read the doc that comes with gpatch to fully understand
    how to use it). If you want you can make a txt file named gpatch.txt and put any nfo
    about your patch you want. Now run gpatch like this: gpatch bcards32.exe
    It will make you a patch and name it patch.com; you can now rename it to whatever you
    like and distribute it. Well, that's it for this tut.

    I hope this tutorial has been helpful and showed you another way to crack
    those serial number protections. Well, even if you can't seem to make the crack work
    (don't see why you couldn't) I have included the crack with the tutorial.

Enjoy and Happy Cracking.........