+kurt page _ _+kurt page_ _ _ Ӹ _ ũ ̾߱⸦ ߽ϴ. ó Ÿ Ÿ ƴϿ. Ÿ Ż ƴ Դ, װ ƹ ͵ ƴ ó ǵ ó Ÿ ϸ鼭 ư ʾҳ. Ÿ ó , (?) ϸ鼭 . ڿ ƺ ָ鼭 ݾƿ. ƺ Ƽ ε, Ͽư ׷ ׿. ü  Ѿ ʰ ִ ذ ƾ. ũ̶ Ϳ ó ˾ƺ ϴ. 켱, ũ ã ͺͰ ̾ϴ. , ۵ κ Ҵٰ ϴ ͵鵵 Դ ʹ . Ƶ Ӹ ſ ־, ''ʺ ׷ ʾҴ ͵ ϴ. ׷, ũ̶ ŷ ̾ϴ. ׷ ͳ ƴٴϸ鼭 оϴ. ߿ ܿ +ORC (_HOW TO CRACK, by +ORC, A TUTORIAL_) ū Ǿµ. ׷ п  ְ,  α׷ ʰ ȥڼ ũ ְ Ǿ. ó ũ ϸ鼭 Ȩ ϴ. ⿡ ۰, ٸ ũĿ 츮 ű ֽϴ. ۿ, а ִ е ũ ؼ 𸣰 ִٰ ϰ ϴ. ù°  α׷(PicaView32) Ϲȣ ڼϰ 鼭, ũ ʿ  SoftIce Ÿ ⸦ ַ ߽ϴ. ׸, ٸ ũĿ ű ̳ Ʈ ִ ״θ ű ߽ϴ. , 翬 ϴ. ܱ ũĿ , Űϴ. ʺ ߱ ٸ 'Ǹ' ũĿ ű ͵ ʿ ϰԴϴ. ۰ ٸ ũĿ ű ۿ ε ſ. *1999 3 11 +kurt pluskurt@hanimail.com* *_preface_* __ Page 1 W32Dasm ver 7 (demo) Picaview32 ver 1.3 WinRAR95 ver 2.0 AddWeb ver 1.23 HexWorkshop ver 2.53 ũ ù° ̾߱. ũ ʿ 鿡 . PicaView ũ ̾߱ Page 2 Filo ver 1.7, WhoSock ver 1.91, ExIcon ver 1.9a, Horas ver 2.1 AddLink Picaview32 ver1.3 ArjSell32 98 ver 2.32, Visual Basic Crack α׷ ũϱ (NAG Screen) key-gen PicaView ũ (11. Dumb) Flag ̿ ũ(ArjShell) û protection scheme ĺ(1999 :) 98 v2.32 Visual Basic α׷ ũϱ Page 3 Hex Workshop v2.54, ޸(Notepad),ȭ ȣ(Screen saver), ȣȭ(encryption)ڹ ũƮ ۻ ֱ(Netscape), PolyView 3.00 beta 9, Rhino32 Hex Workshop v2.54 3и ũ ޸(Notepad) ۲ ٲٱ(By Mammon_) ȭ ȣ йȣ ũ(By Mammon_) ȣȭ (By Jon) ڹ ũƮ ۻ(JavaScript MessageBox) ֱ ũĿó ϱ(ʺ) ¥ ũ(GetLocalTime) Page 4 Ÿ98 IMF , Window$98 Ϲȣ Ȯ, Netscape Navigator, Disassembly , K.Ƿ, NuMega SoftICE ¥ ũ Window$98 Ϲȣ Ȯ ũ ݽ ٲٱ Disassembly ҽ Ͽ Լ/μ/ ˾Ƴ(By Rhayader, *excerpt from cRACKER's nOTES*) Ÿ Է ũϱ SoftICE ġ ϱ SoftICE KeyGen Page 5 TurboGo for Window$95 v4.01 InstallSHIELD ũ(By NaTzGUL) Sourcer 7.0 ũ flag ̿ ũ InstallSHIELD Script Cracking DOS Interrupt ũ(BPINT) _*index*_ ڷ(tools/links) mail to +kurt ħ ʺ ũĿ FAQ == ˸ == 'ũ'ϴ ϴ , ̹ ġ, Ϲȣ ̸ ¦ δ ƴϿ. ׷ ͵ ã ⿡ ̴ٸ, ٸ ã ſ. (This site contains no crackz/warez/serialz at all. So, if you'd been searching for them, try other pages.) , .. ̷ ϸ ʹ â , ִ '' ؼ ּ(߱ ڸ ϴ ''̶ ǥ ). ϰ Ʈ  '' '' ũϴ ƹ ٰ մϴ. ׷ ũ ް Ǵٸ װ protectionist ٸ . Ǿ Ѵٰ , ׷ â ͱ 𸣰ڰ,   __ α׷ ִٸ װ 񰡸 ִ Ǵٰ մϴ. Ϻδ Micro$oft Internet Explorer ѱ ֽϴ(׸ ׷ Ǵ _ǵ_ ̱). M$-IE е鿡Դ ˼մϴ. 
ۿ ؼ ̷ '__' Ƽ ̿.  '_ȸ_' Ⱦϴ ݾƿ Ȥó M$-IE ƴ ٸ ѱ ̴ 찡 ˷ ֽø ھ. (*CORPORATE MAGAZINES STILL SUCK - _Kurt Cobain_*). (*CORPORATE PROGRAMMERS STILL SUCK - _+kurt_*). _*notice*_ ڷ(tools/links) mail to +kurt ħ ʺ ũĿ FAQ *pluskurt@hanimail.com* 2. About A Girl 2. About A Girl ũ κ +ORC ũĿ ¿ ϴ. ũĿ Ƿ ϴ ̶ о ̶ մϴ. ̸ HOW TO CRACK, by +ORC, A TUTORIAL Դϴ. ̴ϴ. ۿ +ORC ũ δ α׷ ũϴ ϴ ٶ ߽ϴ. ְ, 켱 ϴ. α׷̶ ؼ ũ ִ ƴ, 켱 .. ؾ , ܾ ׿, 켱 (?)ϴ ܼ߱ ִٰ ϸ ذ ̴ϴ. ׸ ׷ ݵ ũ ʾҽϴ. 帧̶ .  ȸ ǰ ʱ ణ , 밳 ϰ Ա , ʱ ٸ ũ ִٴ Ⱑ ˴ϴ. ׷ ϴϱ, +ORCó ⸦ Ǯ ϴ. , 켱 ϳ α׷ ũϸ鼭, ڼϰ Ϸ մϴ. ׷ ϸ, ٸ α׷ ũϴ ʿ մϴ. ؾ . ٷ '' ũϴ ̴ϴ. 츮 ַ W32Dasm ũϴ װԴϴ. ׷ ۿ W32Dasm ũϰڽϴ. βԵ W32Dasm ũϴ ٸ ũĿ Դϴ. ˾Ƴ ƴ϶ ſ. ۽, ̷ ƴ϶ մϴ. , װ ó ϱ װ ϴ ʱ , ̷ ù ۷ ⿡ ̶ մϴ. Frog's print, +Adynts ϴ. װ ⿡ ٽ Ǯ ̾߱ ϴ ̴ϴ. _W32Dasm7 ũϱ_ intro ߵ w32dasm ֽϴ. ٽ ڸ, 1. ϳ ҽ Ͽ ۾ Ƚ Ǿ ִ. 2. ҽ ̴ϴ. ù° , ƹ α׷(ǵ ũⰡ . ð ɸϱ)̳ disassemble . ׸ 'ã(find)' ؼ, mov ܾ ã . ã⸦ ϴ ̴ ̻ ٶ ڰ ̴ϴ. ̰ ù° ̰. ι° ״ disassemble ؼ ҽ ٴ ̴ϴ. 츮 ҽ ҷ 鿩 ƾ ϴµ, ̷ ٸ, ȵǰ. w32dasm Բ ҽ '' ι° Ǵ ſ. 켱 ° ѻ . ù ° ֱ ؼ ° ־ մϴ. ׷ ؼ w32dasm ҽ ڵ带 ؾ մϴ. װ, w32dasm ̿ؼ . ׷ϱ, w32dasm w32dasm disassembleϴ ̴ϴ. disassembleϴ ְ. ߿ ߸ ų, Disassembler->Open File To Disassemble.. α׷( , w32dasm7.exe) ϸ ˴ϴ. disassemble w32dasmȭ鿡 ҽ Դϴ. ҽ ϴ 𸦰̴ϴ. װ ׷, и ̷ տ ̴ ҽ ٴ ̻. ¿ w32dasm Ѵٸ ҽ ϵ Բ ϴ. ȭ鿡 Ӹ ƴ϶ ũ 󿡼 '' ̴ϴ. Ž w32dasm 캸. Ƹ winsys ̴ϴ. ũ 0byte̱. ( Ž , ǥ.. ¿ Դϴ.) Ӽ (hidden). ٷ ̰ 츮 w32dasmȭ ִ w32dasm ҽ Դϴ. w32dasm ϸ ˴ϴ. ׷, ʰ ϸ ι° ִ ̰ڳ׿. w32dasm޴ ߿ Functions->Import ֽϴ. ̰ α׷ ϴ Լ ݴϴ. ߿ DeleteFileA Լ ã ֽϴ. DeleteFileA.. ̰ ϴ Լϱ.. ã(find) ̿ؼ DeleteFileA ãƺ.(ãµ ð ɸϴ. ֳı? w32dasm ̴ϱ. :) 4 ã ֽϴ. ̴ϴ. * Reference To : KERNEL32.DeleteFileA, Ord:0000h | .... Call 0047ABCC call̶ ƾ θ Դϴ. ٸ, BASIC GOSUB~RETURN . ڽϴ. :α׷_ call ȭ__κ . . . :ȭ__κ ȭ ʿ 1 ȭ ʿ 2 ȭ ʿ 3 . . ȭ ʿ 10 θ ư(ret) . . . : α׷_߰_κ call ȭ__κ . . . . ȭ ⺸ ġ ۾ΰ ϴ. ʿϴٰ . ׷ α׷ ߰߰ ȭ ʿ䰡 ̷ Ѵٸ ϰ. ׷ ȭ__κ ̶ κ(ν) ȭ ɾ call ؼ κ ҷ ָ Ǵ ſ. call  ϴ ˰? ٽ ư, call 0047ABCC FileDeleteA Լ θ ˾ҽϴ. ׷  ؾ ұ. 츮 FileDeleteAԼ ҷ DZ ٶ ʽϴ. 켱 ׷ FileDeleteA Լ Ǵ , 0047ABCC . w32dasm 'Go to location' ̿ؼ, 0047ABCC ֽϴ. ֽϴ. 
*Reference To: KERNEL32.DeleteFileA, Ord0000h :0047ABCC FF251CA74900 jmp dword ptr [0049A71C] ̹ jmpԴϴ. dword ptr ߿ ƴմϴ. ִٰ ϰ, dword double word '' Ÿ ִ Դϴ. 0101 0101 0101 0101 ̶ 16ڸ ڰ ִٰ ϸ 츮 װ ̷ 4ڸ ְ, 8ڸ ̴ϴ. 01010101 01010101 ó Դϴ. Ǵ 16ڸ ֱ. dword ptr 32ڸ  ϳ ض.. 켱 ˸ ǰڽϴ. ׸ ߿ jmp Դϴ. jmp jump϶ Դϴ. ״Դϴ. ̴ :0047ABCC ̶ ϴ, 'ּ' Դϴ. BASIC ȣ ־ϴ. , 100 a=1 110 b=2 120 print a+b 130 print a-b 140 goto 150 150 end ̶ basic α׷ ִٰ ϸ 100, 110, 120 :0047ABCCԴϴ. ̷ 'ּ' ʿ Ŷ մϴ. ¶ư jmp dword ptr [0049A71C] 0049a71c Ű ϴ 32ڸ ŭ ּ ϰ, ּҷ jumpϿ Դϴ. ̸ ' б'Դϴ. BASIC α׷ goto 150 ̶ ֽϴ. ׸ ׷ jump ϸ Ƹ DeleteFileA Լ ϴ ʿ ɵ Ŷ ְ. ׷ jump ʵ ؾ . RET ̿ϸ ˴ϴ. RET BASIC returnɰ մϴ. call ؼ . call  κ ʿ κ ִ θٰ ߽ϴ. ׷ ҷ ٽ ִ , , ҷ ư ϴ , ׷ ۾ ϴ ٷ ret(return)Դϴ. ׷ϱ 츮 jump ret ٲٹǷν, DeleteFileA ʰ ٷ call 0047ABCC, ҷ ư ϰԲ ̴ϴ. ˰?.. ׷  ׷ . ڵ带 ٲ . jump dword ptr [0049A71C] ڵ ֵ FF251CA74900 Դϴ. ̰ ret ڵ C3 ٲٸ ǰ. Ȯ ϸ C39090909090 ٲ մϴ. ڵ 90 nop ڵ Դϴ. nop ƹ͵ ʴ Դϴ. 츮 ڸ ߱ ؼ 90 ÿ ٿϴ. ߴ hex editor w32dasm  ff251ca74900 c39090909090 ٲָ ° ִ ̴ϴ. ׷ ù ° . ۾ 'Ƚ' Ǿ ֽϴ. .. ڼ , Ƹ ̷ ֽϴ. w32dasm 츮 'Ƚ' ' ִ' ̿. ׷ Ѿ, ̻ ٴ ڸ ̻ ʵ Ѵ. ̷ ϰ. ׷ٸ Ƚ Ѿ ȵǴ '' ٵ.. ࿡ ũ شٸ, 츮 ù° ̴ϴ. 켱, Ƚ '' κ ãƾ ϰ. ⼭ ܼҸ ϰڽϴ. Ϳ ⸦ Ϸ մϴ. ũμ (register) ֽϴ. ʹ α׷  մϴ. ׷ϱ  ϰ ִٴ ⿡. Ϳ ֽϴ. (general-purpose register) ۿ Ư Ǵ ֽϴ. ڼ  å ̴ϴ. 켱 ʹ, ̸ ֵ Ϲ ó ִ ̴ϴ. AX, BX, CX, DX Ͱ ֽϴ. ̷ ͵ 16Ʈ ̸ ϴ. (386̻ ũμ 32Ʈ ̸ ϴ. ׷ ̸ EAX, EBX, ECX.. ó տ E ٽϴ.) 'Ʈ' κ ˰ ̴ϴ. 2 ڸ Ʈ(bit) մϴ. 2 1010 4Ʈ ̷ ִٰ ְ. ̷ 4Ʈ 16 ڸ Ÿ ִٴ ߰, ̹ ˰ մϴ. 8Ʈ 1Ʈ(byte) մϴ. ׷ϱ 1Ʈ ڸ 16 Ÿ Դϴ. ׸ 2Ʈ 1(word) մϴ. ׷ϱ 1 4 16 ڸ Ÿ Դϴ. 1 16Ʈ Դϴ. ̸ڿ X ٷ 带 Ѵٰ ϴ . , AX 16Ʈ ̰, EAX 32Ʈ , , 2(double word, dword) Դϴ. AX : 1111 0000 1111 0000 |=========||========| Ʈ Ʈ ׸ ֵ ϳ ʹ Ʈ Ǿ ְ, Ʈ, Ʈ  մϴ. AX Ʈ AH, Ʈ AL̶ մϴ. BX BH, BL ǰ. ׷ ٽ ư,  ϸ ' ' κ ã .  ̷ ' ' κ ְ, ''Ű Դϴ. 츦 . :Ⱑ_ó ax 1 cx 4 ax Ű cx 0 ΰ? ٸ ι°_κ ʴٸ Ⱑ_ó (loop) :ι°_κ . . . ߿ loop̶ ֽϴ. ̰ ״ ݺ϶ Դϴ. ݺ Ƚ cx ־ϴ. loop cx 1 մϴ. cx 0 Ǹ loop , ׷ ʴٸ ݺմϴ. , w32dasm cxó ϴ  ִٰ ϴ ſ. 'Ƚ' ̰. Ƚ 90̶ ְ, 츮 1 Ѵٰ մϴ. ׸ Ƚ 75 Ǿ , ̻ ϵ Ѵٸ ù° ڵ带 ְ. ƽð?  ̷  Ű dec(decrement)Դϴ. , w32dasm 'dec Ƚ' ó Դϴ. 
׸ 츮 32bit ǻ͸ ̴ dword(double word)Դϴ. ׷Ƿ dec dec dword ptr Դϴ. ׷ 츮 ҽ Ͽ dec dword ptr ãƾ . dec dword ptr Դϴ. ٷ 'dec Ƚ' ɼ . ã dec dword ptr ã ٴ ϰ ƴ ϴ. ׷ . grep ϸ ǰ. ˱δ dos grep ϱ, ⸦ grep.com ޾Ƽ ϼ. winsys ִ 丮 մϴ. c:\where_winsys_is_located> grep dec.dword.ptr winsys > dec.crk ׷ winsys ִ ߿ dec dword ptr ִ ãƼ dec.crk Ͽ մϴ. 츮 dec.crk  ǰ. ϴ. File WINSYS: :004028D8 FF8D60FFFFFF dec dword ptr [ebp+FFFFFF60] :00403A41 FF8B523C5300 dec dword ptr [ebx+00533C52] :00403A58 FF8B523C5300 dec dword ptr [ebx+00533C52] :00403A6F FF8B523C5300 dec dword ptr [ebx+00533C52] :0040457B FF8D60FFFFFF dec dword ptr [ebp+FFFFFF60] :004206A1 FF8B523C5300 dec dword ptr [ebx+00533C52] :00420832 FF8B523C5300 dec dword ptr [ebx+00533C52] :00420849 FF8B523C5300 dec dword ptr [ebx+00533C52] :00420860 FF8B523C5300 dec dword ptr [ebx+00533C52] :00420BCB FF8B523C5300 dec dword ptr [ebx+00533C52] :004402FF FF0A dec dword ptr [edx] :004417A3 FF8B39275300 dec dword ptr [ebx+00532739] :00441DB3 FF8B39275300 dec dword ptr [ebx+00532739] :004433D1 FF8B39275300 dec dword ptr [ebx+00532739] :00443BEC FF8B39275300 dec dword ptr [ebx+00532739] :00443F77 FF8B39275300 dec dword ptr [ebx+00532739] :0044420D FF8B39275300 dec dword ptr [ebx+00532739] :00444989 FF8B39275300 dec dword ptr [ebx+00532739] :00444AF6 FF8B39275300 dec dword ptr [ebx+00532739] :00446ADD FF8B39275300 dec dword ptr [ebx+00532739] :00446F0A FF8B39275300 dec dword ptr [ebx+00532739] :00447275 FF8B39275300 dec dword ptr [ebx+00532739] :0044740C FF8B39275300 dec dword ptr [ebx+00532739] :004477EE FF8B39275300 dec dword ptr [ebx+00532739] :00448250 FF0E dec dword ptr [esi] :00448263 FF0E dec dword ptr [esi] :00448276 FF0E dec dword ptr [esi] :004523A9 FF8B91EE0100 dec dword ptr [ebx+0001EE91] :004527BF FF8B09BB4500 dec dword ptr [ebx+0045BB09] :004543F7 FF8BE8295300 dec dword ptr [ebx+005329E8] :004543FD FF8BE4295300 dec dword ptr [ebx+005329E4] :004545BF FF8B24295300 dec dword ptr [ebx+00532924] :0045460F FF8BE3274800 dec dword ptr [ebx+004827E3] 
:0045641E FF8BC31D4800 dec dword ptr [ebx+00481DC3] :00456604 FF8BAB244800 dec dword ptr [ebx+004824AB] :004572C6 FF8B39275300 dec dword ptr [ebx+00532739] :004573A3 FF8B39275300 dec dword ptr [ebx+00532739] :0045773A FF09 dec dword ptr [ecx] :00457771 FF08 dec dword ptr [eax] :00457891 FF0A dec dword ptr [edx] :00457B2B FF08 dec dword ptr [eax] :00457B6E FF09 dec dword ptr [ecx] :00458143 FF8B09225300 dec dword ptr [ebx+00532209] :00458154 FF8BC3EE0100 dec dword ptr [ebx+0001EEC3] :00459218 FF8BE4295300 dec dword ptr [ebx+005329E4] :00459645 FF8BAC345300 dec dword ptr [ebx+005334AC] :0046401C FF8B39275300 dec dword ptr [ebx+00532739] :004642C6 FF8BAC345300 dec dword ptr [ebx+005334AC] :00464439 FF8BC3EE0100 dec dword ptr [ebx+0001EEC3] :004648D3 FF8B2A5D1100 dec dword ptr [ebx+00115D2A] :0046B846 FF08 dec dword ptr [eax] :0046B9C7 FF0A dec dword ptr [edx] :0046BD19 FF08 dec dword ptr [eax] :0046BDEE FF08 dec dword ptr [eax] :0046CB4C FF08 dec dword ptr [eax] :0046CB54 FF0A dec dword ptr [edx] :0046CBC5 FF08 dec dword ptr [eax] :0046CBF6 FF08 dec dword ptr [eax] :0046CCF8 FF08 dec dword ptr [eax] :0046CDBC FF08 dec dword ptr [eax] :0046CDC4 FF0A dec dword ptr [edx] :0046CF12 FF08 dec dword ptr [eax] :0046D093 FF08 dec dword ptr [eax] :0046D2C5 FF08 dec dword ptr [eax] :00470675 FF08 dec dword ptr [eax] :00470AA9 FF08 dec dword ptr [eax] :00470BAF FF8BE5215300 dec dword ptr [ebx+005321E5] :00471154 FF08 dec dword ptr [eax] :004713F3 FF08 dec dword ptr [eax] :0047177A FF08 dec dword ptr [eax] :00471BBA FF08 dec dword ptr [eax] :00471E59 FF08 dec dword ptr [eax] :00472517 FF08 dec dword ptr [eax] :00472637 FF8BFDBA4500 dec dword ptr [ebx+0045BAFD] :00472642 FF8BD1215300 dec dword ptr [ebx+005321D1] :00472655 FF8BFDBA4500 dec dword ptr [ebx+0045BAFD] :00474594 FF08 dec dword ptr [eax] :00474A7C FF08 dec dword ptr [eax] :00474F64 FF08 dec dword ptr [eax] :004753BF FF08 dec dword ptr [eax] :00475A47 FF8BC3EE0100 dec dword ptr [ebx+0001EEC3] :00475B03 FF8BC3EE0100 dec 
dword ptr [ebx+0001EEC3] :004761C3 FF08 dec dword ptr [eax] :00476480 FF08 dec dword ptr [eax] :0047677B FF08 dec dword ptr [eax] :00476A34 FF08 dec dword ptr [eax] :00476C82 FF88365D1100 dec dword ptr [eax+00115D36] :00476D18 FF882D275300 dec dword ptr [eax+0053272D] :00476FD8 FF08 dec dword ptr [eax] :004774C0 FF08 dec dword ptr [eax] :004779A8 FF08 dec dword ptr [eax] :00477EB0 FF08 dec dword ptr [eax] :004788B1 FF0A dec dword ptr [edx] :00478A14 FF08 dec dword ptr [eax] :004794C3 FF08 dec dword ptr [eax] :0047972F FF08 dec dword ptr [eax] :0047986D FF08 dec dword ptr [eax] :00479AE8 FF08 dec dword ptr [eax] :0047A07F FF08 dec dword ptr [eax] :0047A0BA FF09 dec dword ptr [ecx] :0047A1C8 FF08 dec dword ptr [eax] :0047A203 FF09 dec dword ptr [ecx] :0047A4A8 FF09 dec dword ptr [ecx] , dec dword ptr [ebx+00532739] ´ٴ ֽϴ. ׷ ebx+00532739 Ű ִ Ű , 'ʱȭ' ϴ ɵ и Դϴ. ã . ʱȭ ϴ  Ű ִ Դϴ. ׷ ϴ movԴϴ. mov move,  ű մϴ. 쿡 mov dword ptr . ڼ ڸ " mov dword ptr [ebx+00532739], ʱⰪ " ɾ Դϴ. winsys  ã mov dword ptr [ebx+00532739] ã . :0043F7F0 C7837C33530001000000 mov dword ptr [ebx+0053337C], 00000001 :0043F7FA C783392753002C010000 mov dword ptr [ebx+00532739], 0000012C κ ã ֽϴ. winsys ϴ. Դϴ. ̰ 츮 ã 'ʱȭ' κ̶ ְ. ֳϸ ʱȭ κ Ÿ ̴ϱ. w32dasm Urbanik Ƚ ʱⰪ 0000012C ־ϴ. ׷ 츮 ξ 000FFFFF ʱⰪ ָ, ι° Դϴ. ڵ带 ٲμ ֽϴ. C783392753002C010000 ̶ ڵ带 캸.  ٲ 츮 ϴ ٲ ִ ϱ. ⼭ . ߴ mov ɾ ڽϴ. mov cx,3039 cx Ϳ 3039 Ű ݴϴ. ̿ ϴ ڵ BA3930Դϴ. ڵ带 캸. BA 39 30Դϴ. ڸ 39 30. ٷ κ 3039 Ÿ κԴϴ. 3039 39 30 ó Ÿϴ. ̷ ñ. 3930 3039 Ʈ ݴԴϴ. ̹ տ ֵ Ʈ Ʈ ˴ϴ. 3039 Ʈ 39̰, Ʈ 30Դϴ. ޸𸮿 ּ Ʈ(39) ϰ, ּ Ʈ(30) ϴ ſ 翬 Դϴ. ׷ 3039 3930ó Ÿ Դϴ. ׷ C783392753002C010000 . C78339275300 2C 01 00 00. 0000012C 000FFFFF ٲ ֱ ؼ ڵ 2C 01 00 00 FF FF 0F 00 ٲ ָ ǰ. ̷ ؼ ι° ׵ dz׿. _w32dasm7.exe ũ_ 1.ff251ca74900 c39090909090 ٲ ݴϴ. 2.C783392753002C010000 C78339275300FFFF0F00 ٲ ݴϴ. ̷ ؼ w32dasm ֽϴ. ٽ , ݱ ˾Ƴ ƴմϴ. Adynts frog's print а ⿡ ű Ϳ Ұմϴ. ۿ ACDSystem ACDSee PicaView ũϰڽϴ.( ֽϴ.) ˾Ƴ Դϴ. ε ˾Ƴ ٸ ũĿ ˾ Ȯ ڽϴ. 
------------------------------------------------------------------------------- _̴ _: ٽ Ľϴ. ι° , ʱⰪ ִ ߸Ǿ ־ϴ. (˷ֽ ϴ. : ) Page 1 3. The Man Who Sold The World 3. The Man Who Sold The World ̹ ۿ PicaView32 ⸦ ϰڽϴ. ߾. ũ ó ſ ũ  а Ǿٱ. ٷ PicaView ũϴ ''ϴ. ó а, ϴ. ϰ ִ , ׷ ؾ ϴ . ƹ͵ ϴ. Ӹ ͵ ǰ. ڸ, ó ϴ Ϳ ؼ ó ƹ͵ 𸣴 翬 ʰھ? ׷ ڼ մϴ. ɷ Ǵ ̿. , о Ͻ ٸ Դϴ. Ȯ ϼ̴ մϴ. Ǹ ũ ̾ϴ. , ⿡ ũ ƹ͵ 𸣴 е ϱ, ׷ ϱ ٴ ϸ鼭 ϴ Ϸ մϴ. key generator(KeyGen)̶ θ, Ϲȣ α׷ Դϴ. picaview32.dll disassembleؼ ҽ мؼ, picaview ' ̸(name)' ' ȣ(registration code)' , 츮 ̸ Էϸ ȣ ϴ α׷ Դϴ. ̷ о Ͻ ٸ ſ մϴ. ϴ Ǻб(conditional jump) ġ ϴ.(̰ 𸣼ŵ ˴ϴ.) ׷ ̾߱⸦ ؼ ũ ʿ  api Լ ̾߱ϰ ǰ װ ߿ ũ ̶ մϴ. , ̷ Ϲȣ α׷(keygen) ƴմϴ. ־ , picaview(ACDSee Դϴ.) ܼ ļ Ϲȣ ֱ Դϴ. ׷ ̷ ʺ ۷ε ϴٰ ϰ ڽϴ. ̹ , ̷ Ȩ picaview ־ϴ. ó ϼϱ⵵ , Ȩ ݰ Ǿ, ׳ ϵ ũ ִ ʽϴ. ( ̼ ǻ Ƿ ᱹ ϵ ũ ؾ߸ ߱ .) ̿ ޸ Ҵ ͵ ־ ׸ ʰ. . :) մϴ. Ƹ ׿. ڼϰ ϰڽϴ. :) _PicaView32 (ver 1.3) ũϱ(SoftIce̿)_ PicaView32 ̴ ٵ ˰ ̴ϴ. acdsystem ׸ α׷Դϴ. ȸ翡 ACDSee32 ˰ ̴ϴ. acdsee picaview ȸ ǰ̴ϱ Ϲȣ ڵ嵵 ϴ. picaview acdsee web(www.acdsystems.com) ̴ϴ. ϱ ؼ picaview.dll w32dasm disassemble ߽ϴ.(̷ disassemble  ʰ ſ ŷӴٰ , 츮 ̷ ֽϴ. ƽô 輼? :) ׷ ʾƵ ˴ϴ. softice ̿ؼ ҽ ϱ. sice ̿ؼ ũϰ ִٰ ϰ ̾߱⸦ ϰڽϴ. ׷ϱ sice 츦 ּ. Ž⿡ ׸ Ͽ 콺 ͸ ư ޴ ɴϴ. picaview ޴ Register PicaView32... Ʒ ׸ ɴϴ. Register..޴ ϸ ڰ ɴϴ. ̸ Ϲȣ ִ Դϴ. ̸ pluskurt , Ϲȣ 1234 ڽϴ. е ˴ϴ. ׸ OKư . ߴ ó Ϲȣ Ʋٴ ۻڰ ɴϴ. CtrlŰ DŰ siceȭ . ( siceȭ  CtrlŰ DŰ ٴ ʰڽϴ.) , ׷ ⿡ sice ⸦ ϰڽϴ. siceȭ ȭ ȭ ణ ٸ ֽϴ. sice ƹ͵ 𸣰 ִٰ Ѵٰ ϱ ȭ ϴ 𸥴ٰ ϰڽϴ. ȭ ؼ winice.dat ణ ٲϴ. INIT="lines 60;color f a 4f 1f e;wd 22;wc 22;wr;code on;X;" init="x;" ٲϴ. Ƹ init=κп ׳ INIT="X;" Ǿ Դϴ. κ ó ٲ ָ sice ȭ Դϴ. sice , ׷ ϴ . lines ٲִ ̱, color ȭ ణ ٲ ſ. wd â(data window) Ÿ ϴ Դϴ. wd 22ó 22 Բ ༭ â ũ⸦ ߽ϴ. wc ڵ â(code window), wr â(register window) Ȱȭ Ű Դϴ. ׸ code ڵ带 siceȭ鿡 Ÿ ƴ մϴ. code on̴ϱ ڵ带 Ÿ. ׸ x sice Դϴ. ׷ϱ sice ȭ鿡 , ȭ鿡  ߴ ó Ctrl+D , x ص ˴ϴ. ̷ init=ο ɵ sice óϰ մϴ. ״ sice ʱȭ . siceȭ â(window) еǾ ֽϴ. ࿡ ߴٸ ȭ鿡 â (register window) â (data window) ڵ â (code window) (command line window) еǾ ſ. softice Ŵ ʾƼ  𸣰 Դϴٿ. ׷, softice ޴ о, ִ ̷ ʺ ʾƵ ȴٰ ϳ׿. softice Ŵ ֽϴ. ȳ ũⰡ Ǵ ƿ. ް µ. pdfİ txt ־ ɷ մϴ. 
о ʾƼ . ٽ siceȭ ư. ִ â ״ ¸ ִ âԴϴ. Ϳ ؼ ۿ ߾. ߴ EAX, EBX, ECX, EDX ̰, ͵鵵 ſ. ͵鿡 ϰڽϴ. ׸ ȭ ʿ ÷(flag) ͵ Դϴ. ÷ ʹ ƯϰԵ 0 1, ϴ. ÷ Ϳ ϱ . б ٴ 忡 100 ޸⸦ ? '' '' ֽϴ. ȣ ϰ ߼ غϰ ִٰ '' 'ø' ٱ ϴ . , 100 ö󰡱 ﷷŸ .. :) ư ÷ ʹ ٷ '' ̴ϴ. ö , 1 0 Ѵٰ . EAXͿ 11̶ ְ, EBXͿ 11̶ Ǿ ִٰ սô. ׷ ͸ ٸ 0 Դϴ. ÷(zero flag) ˴ϴ. ÷װ ''ȴٴ ÷ 1 ȴٴ Դϴ. siceȭ鿡 o d i s z a p c, ̷ 8 ÷ Ͱ ǥ ˴ϴ. z ٷ ÷ Դϴ. ÷װ ũ Դϴ. ֳϸ ó Ϲȣ Էϴ α׷ ִٰ . 츮 Ϲȣ '¥' Ϲȣ ϰ ٸ ÷װ ǰ, ʴٸ ˴ϴ. ÷װ Ǹ  ( ̰.. :) бϰ, ʾҴٸ ٸ б ϰų ƴϸ б ʰų ϴ α׷ ϴ. ̷ Ǻб(conditional jump) ̿ߴٰ . ׷ϱ 츮 Ϲȣ , ÷׸ , Ǵ ؼ 츮 ϴ б ֵ ְ. ̴ ũ ϳԴϴ. ⼭ r(Register)ɿ ˾ƺ. r debug.com(debug.exe) softice ִ r []> ؼ, ٲ ֽϴ. EIP ٲٰ , sice r eip ָ, Ŀ â EIP=00001234 ġϰ ǰ, ű⼭ 츮 ڸ Ἥ eip ٲ ִ ̴ϴ. ÷ 0 1, ϳ ϱ, Ŀ Ű Ȱȭ/Ȱȭ(toggle) Դϴ. , ÷װ Ǿ ¿ r fl z (register flag zero) ÷װ Ǵ Դϴ. ٸ ͵ ٲ ֽϴ. r fl a r fl só ̿. â . ̰ ״ ޸𸮿 ִ ͵ ǥմϴ. â ִ δ d ֽϴ. d eax Ѵٸ eax ִ â Ÿϴ. d ''̶ ϸ '' شϴ κ Ͱ â ǥõ Դϴ. ڵ â ڽϴ. ڵ â ٷ ҽ Ͽ ִ Ÿϴ. 츮 ַ ڵ â ũ ϰ ˴ϴ. ۿ ô ҽ ڵ â Ÿ ̴ϴ. ׸ IP ֽϴ. IP(Instruction Pointer) ip(EIP)Ϳ ˴ϴ. ̸ ֵ, Ǵ ּҸ Ÿ Դϴ. 00001234 ּ ʶ ip 00001234 ̰, ڵ â 00001234ּҿ ִ ɿ ִ Ⱑ ġ ̴ϴ. ǻ ̰ ' ' θڽϴ. 쿡 Ÿϴ. е Ʊ ߴ ʱȭ ߴٸ Ÿ ⸦ ̴ϴ. Ʒ ٷ Ű Դϴ. ִ siceδ '_._' ֽϴ. ħǥ(.) ϸ ڵ â Ⱑ ִ ǥմϴ. ذ ? ׷ CtrlŰ Page Up/Page DownŰ . ڵ â Ѱ ̴ϴ. ̷ Ctrl+PageUp/PageDownŰ ̿ؼ ڵ â 캸 Ⱑ ִ ֽϴ. ħǥ Ⱑ ִ ڵ â Ÿ ȴٴ ⿡. â ̷ ֽϴ. â AltŰ PageUp/PageDownŰ ̿ؼ ֽϴ. . Ⱑ 츮 Դϴ. Help ϸ ٿ Ÿ⵵ . Alt+c ٰ ڵ â ̸ Ŀ Դٰ ϰ ֽϴ. ߵ, Alt+d Ŀ ٰ â ̸ Ű ٴմϴ. Ŀ ٿ ShiftŰ Ű ̿ؼ ٽ ֽϴ. siceȭ鿡 ϰ, sice ɾ ˾ƺڽϴ. sice̶ , debug.com(debug.exe) ɰ . ٸ sice 뼺ְ ϰ, dz ɾ ֽϴ. ⼭ ⺻ ɸ ڽϴ.(Ʊ ߵ, sice Ŵ о ߽ϴ. :) 켱 t(Trace)Դϴ. ܰ ڵ մϴ. ù° ۿ , Ÿ ̿ؼ, 츮 α׷ ܰ ִٰ ߽ϴ. , t ϳ ϴ . ̷ ϳ ɾ ip ɾ Ű.(, Ⱑ Ʒ ٷ Ű ٴ ) siceȭ鿡 t . Ⱑ Ʒ ̴ Ͱ eip ȭ Ȯ ̴ϴ. ̷ t ̿ؼ ϳ ϴ Ƹ tracing̶ ϳ ϴ. 츮δ Ʈΰ? ( Ʈ̶̽ ʰ Ʈ̶ ϴ 𸣰ڽϴ.) ƹư, ̷ t ſ Ŷ ְ. ׷ sice Ű t ְ մϴ. ٷ F8Ű t ִ ŰԴϴ. (̰ winice.dat ĥ ֽϴ. ã .) ׷ϱ tracing̶ Ʈ̶ ʰ, F8 ǥ Դϴ. p(Proceed) ֽϴ. ̰  tɰ ϴٰ ֽϴ. ϳ ɾ մϴ. ٸ и ֽϴ. ڽϴ. :α׷__κ . . . . :α׷_߰_κ call ȭ_ a ȭ____ b . . . :ȭ_ ȭ___ʿ_1 c ȭ___ʿ_2 d . . ȭ___ʿ_10 e ư(ret) f :α׷_ , α׷ ִٰ . ׸ ip ؼ ʿ ĺ ҽϴ. a ʶ . t aɾ մϴ. t cɾ մϴ. ֳϸ call ؼ ȭ_ κ ҷ ־ κ پ Ѿ Դϴ. ٽ t d, ׸ ؼ t ϸ f b մϴ. 
, tδ a -> c -> d -> -> e -> f -> b sice ȭ Ⱑ Ű ٴ Դϴ. ׷ٸ p . a ʶ ϰ, p c ƴ b ġմϴ. , call ҷ κ ''Ǿ . ׷ϱ, ȭ  ɾ ʿ , ȭ ǰ ִٴ ͸ ˰ p ϸ ǰ. p ٸ, call κ ϱ ̴ϴ. pɰ t ̸ ̴ϴ. sice F10Ű p ϴ ŰԴϴ. ˾ p retԴϴ. p ̹ ˰ ְ, ret ڿ پϴ. ret ؼ ̹ ⸦ ֽϴ. ̷ . α׷ c ִٰ ô. ׷ϱ t ű ̰. ׷ c ϱ ڵ κ̶ ؼ ٷ κ , κ θ κ ư ʹٰ ô. ׷ϱ, b ٽ ư ʹٰ Դϴ. ׷ ϴ t ְ װͺٴ p ret ϴ. p ret ret ϶ Դϴ. f ret ϱ, ű ret ϰ b Ⱑ ġ Դϴ. p ret Ŷ մϴ. sice F12 p ret մϴ. g @ss:esp . ̰ p ret ణ մϴ. ɿ ڼ ʰڽϴ. ڼϰ Ϸ ؾ ϱ Դϴ. stack Դϴ. ׷ p ret g @ss:esp Ŵ.. ϸ ˴ϴ. ణ ⸦ ڸ, call κ ip Ű ٰ սô. ׷ ֿ ϴٰ ret ٽ call θ ip ư մϴ. '' , ּ(return address) ˰ ־ ϰ. ʿ (stack)̶ ̴ϴ. Ϳ ˴ϴ. SP(Stack Pointer) SS(Stack Segment) ٷ Դϴ. g(go till) 'ּ' Բ Ἥ ּұ ϶ Դϴ. ׷ϱ g @ss:esp ' ּ' ϶ ̰. ? ⼭ stack ڼ ʰڽϴ. ȸ ְ. picaview ⸦ ʹ ϰ ־ϱ ư. g @ss:esp ϴ Ű F11Դϴ. , ٽ picaview ư. 츮 ̸ Ϲȣ ְ Ctrl+d siceȭ Խϴ. ׷ ̹ . ٷ ߴ(breakpoint) Ϸ ϴ ̴ϴ. ߴ(, Ƕ ߴ̶ ϰڽϴ) Ʊ gɰ 谡 ֽϴ. g ϰ '' ̶ ߽ϴ. ٷ ̷ 'ߴ ' ִ ߴ ϴ ̶ ˴ϴ. sice ߴ ϴ  ֽϴ. bpx Ϸ մϴ. bpx GetDlgItemTextA մϴ. ׸ sice α׷ ϴٰ, α׷ GetDlgItemTextA Լ ϸ sice α׷ ߰ κ ڵ â ְ ˴ϴ. ϰ ִ ذ ֽϴ. GetDlgItemTextAԼ ϴ , sice  Ѵٴ .. ̿. 켱 bpx GetDlgItemTextA siceȭ鿡 (ҹڸ ʿ ϴ) Ctrl+d sice ȭ . , ߴ ִ ̾߱ ϰڽϴ. bl, bd, bc, be װԴϴ. bl(list breakpoint) ߴ ִ Դϴ. ׷ϱ bpx GetDlgItemTextA bl , ٿ sice ó ߴ Ǿ ִٴ Ÿ ݴϴ. bd(disable breakpoint) ߴ ̴ Դϴ. ߴ ϰ ʹٸ, bd ɰ ߴ ȣ ָ ˴ϴ. GetDlgItemTextA ߴ ȣ 0̴ϱ, bd 0 ߴ ֽϴ. Ǿ Ȯϱ ؼ bl . Ʊʹ ٸ ߰ Դϴ. bc(clear breakpoint) ߴ ƿ ̴ϴ. bd ߴ be(enable breakpoint) ٽ , ߴ ״ ̴ϴ. be ɵ bd ó ߴ ȣ Բ ϴ. ׷, ü 츮 GetDlgItemTextA Լ ߴ ϴ . GetDlgItemTextA Լ ̸ ֵ(Get Dialog Item of Text ΰ? :), ȭ (dialogbox) ̳ ޾Ƶ̴ մϴ. , Լ ߴٸ ̳ ְ, ߴٸ 0 ݴϴ. 츮 (̰͵ ȭ) ̸ Ϲȣ ־ϴ. ̰͵ ޾Ƶ̱ ؼ picaview getdlgitemtext Լ Դϴ. (Լ̸ ڿ A 32bitԼ մϴ) ̷ ȭڿ Ϲȣ ޾ ̴ α׷ getdlgitemtext Լ Դϴ. , GetWindowText Լ ̴ Դϴ. getwindowtextԼ մϴ. â(window) â ǥٿ ִ ޾ƵԴϴ. â ޾ ֽϴ. 츮 getdlgitemtexta Լ ߴ ߴ ˰. ׸ ϳ ִ ֽϴ. picaview getdlgitemtext Լ Ŷ Դϴ. ϳ '̸' ޾Ƶ̱ ؼ ̰, ٸ ϳ 'Ϲȣ' ޾ ̱ ̾ ̴ϴ. , ڿ ִ OKư ô.(׳ ͸ ĵ ˴ϴ) ׷ Ʊʹ ޸ Ϲȣ Ʋٴ ڰ ʰ siceȭ Ÿϴ. Ƹ Ʒ ڵ â Ÿ Դϴ. USER32!GetDlgItemTextA 0137:BFF61657 BC96 MOV CL, 96 0137:BFF61659 55 PUSH EBP . . . 0137:BFF6167E C21000 RET 0100 . . 
-----------------USER32!.text+0654-------------------- USER32!GetDlgItemTextA Դϴ. picaview getdlgitemtextaԼ ߱ sice 츮 ⿡ Դϴ. Ctrl+d sice . ˴ϱ? sice ϴ. ٽ Ctrl+d sice ֽϴ. Ʊ , picaview getdlgitemtextaԼ ϰ ֳ ϴ. ׷ϱ, sice 츮 װ Ű. sice ȭ Ϲȣ Ʋȴٰ ϴ ڰ ֽϴ. Ȯ ư ڸ ְ, ٽ ѹ OKư ô. ٽ siceȭ Դϴ. ̹ F11 ô. ׷ sice 츮 picaview ڵ尡 ִ ϴ. ֽϴ. sice ó 츮 picaview ڵ尡 ִ ƴմϴ. USER32!.text+0654 ִ κ ֵ װ user32.dll ڵ尡 ִ Դϴ. 츮 κ θ(call) picaview ڵԴϴ. ׷Ƿ F11(G @SS:ESP) picaview ڵ ̴ϴ. picaviewڵ Ʒ ̴ϴ. :10005FBE FFD6 call esi ;call getdlgitemtexta :10005FC0 8D4C2464 lea ecx, [esp + 64] ;Ϲȣ ޾Ƶ :10005FC4 68C9000000 push 000000C9 :10005FC9 51 push ecx :10005FCA 68C9000000 push 000000C9 :10005FCF 57 push edi :10005FD0 FFD6 call esi ; picaview disassembleؼ ҽ Ϻθ ̹Ƿ, siceȭ Ȱ Դϴ. ״ ˾ƺ ſ. F11Ű picaviewڵ call esiƷ 밡 ġ Դϴ. , call esi call getdlgitemtexta Դϴ. call ؼ 'Ϲȣ' ޾ƵԴϴ. F10 ܰ . ´ call esi ٽ ѹ user32ڵ Դϴ. ׷ F11 picaviewڵ ƿɴϴ.( F10(p) ret ǰ, F12 Դϴ.) call esi ؼ '̸' ޾Ƶ鿩 ſ. d esp+64 . â 츮 Ϲȣ Ÿ ſ. 1234. d esp+20 غ 츮 ̸ â Ÿ ̴ϴ. pluskurtԴϴ. ߿ test al, al/je 10006008 ǹ̸ ˾ƺ. mov al, [esp+20] ɿ '̸' alͿ Űٴ . (Ͻ. ax ah Ʈ, al̶ Ʈ ִٴ .) ׸ test al, al al 0 ƴ ȮѴٰ ˴ϴ. , 츮 ̸ ִ  ̰ ־ Ȯϰ ִ ̴ϴ. ̸ ƹ͵ ʾҴٸ 翬 ȵǰ.(picaviewԴ Դϴٿ) je Խϴ. je jump equal, ٸ б϶ Դϴ. б . տ test al, al ؼ al 0̶ zero flag ǰ, ׷ Ǹ je ɿ ؼ б(JUMP) Դϴ. 츮 , ̸ ־ ⼭ б ʽϴ(NO JUMP). ⼭ . r fl z . sice ȭ鿡 NO JUMP JUMP ٲ ̴ϴ. ٽ ѹ r fl z NO JUMP ˴ϴ. ׷ ؼ κ . :̸_о_̱ :10005FE2 0FBE16 movsx byte ptr edx, [esi] ;̸ ھ о :10005FE5 52 push edx :10005FE6 E81D210600 call 10068108 ;빮ڷ ٲ :10005FEB 83C404 add esp, 00000004 :10005FEE 3C41 cmp al, 41 ;'A' :10005FF0 7C04 jl 10005FF6 ; :10005FF2 3C5A cmp al, 5A ;'Z' :10005FF4 7E04 jle 10005FFA ;'A'~'Z', ĺΰ? :10005FF6 3C20 cmp al, 20 ;ƴϸ ĭΰ? :10005FF8 7506 jne 10006000 ; ƴѰ? :10005FFA 8A06 mov al , [esi] ; :10005FFC 884500 mov [ebp+00], al ;ҷ ̸ ڸ :10005FFF 45 inc ebp ; :10006000 8A4601 mov al , [esi+01] ; ڸ :10006003 46 inc esi ;о ࿡ :10006004 84C0 test al , al ;̸ о :10006006 75DA jne 10005FE2 ;ʾҴٸ ̷ ڵ带 ó е ణ ϱ ̴ϴ. Ӹ ߴ°ɿ. 
movsx byte ptr edx, [esi] Ʊ esi ̸ Ű ִٴ ˾ҽϴ. movsx ߿ ۿ ȸ ֽϴ. ڼ ϱ ϰ, 켱 ⼭, 츮 ̸ ھ о ̰ ִٰ ϸ ˴ϴ. call 10068108 ̰ ϴ κ θ callϱ. к ڸ 츮 ̸ о 빮ڷ ٲְ ִ κ ȣϴ callԴϴ. ִٰ ٽ ڼ . cmp al, 41 al 빮ڷ ٲ ̸ ֽϴ. al 41 ''ϰ ִ ̴ϴ. cmp compare, ϴ Դϴ. 41 ٷ asciiڵ A شϴ Դϴ. ׷ϱ 빮ڷ ٲ ̸ A ϰ ִ ̴ϴ. jl 10005FF6 cmp al, 5A jle 10005FFA jl jump if less, ؼ 񱳵 ۴ٸ б϶ Դϴ. cmp al, 5A al 5A(asciiڵ Z شմϴ) ϶ ̰, jle jump if less or equal, ų б϶ ǰڽϴ. , 빮ڷ ٲ ̸ ĺ Ȯϰ ִ ڵ尡 ǰ. al A ũ Z Դϴ. pluskurt ù p 빮ڷ ٲ P, ̰ ĺ̴ϱ jle 10005FFA бϰ. cmp al, 20 jne 1000600 ڵ尡 ϴ ̴ϴ. 빮ڷ ٲ ̸ ĺ ƴ ⿡ Ǵµ, Ȯϴ ڵԴϴ. 20 asciiڵ忡 (SPace)̴ϱ. 鵵 ƴ϶ 100600 бմϴ. mov al, [esi] mov [ebp+00], al inc ebp 빮ڷ ٲ ̸ ĺ̳ ⿡ ɴϴ. inc ebp (increment)׽ϴ. mov al, [esi+01] inc esi test al, al jne 10005FE2 inc esi esi ŵϴ. ׷ ̸ '' ڸ ޾Ƶ غ ϴ Դϴ. 캼 ̸ ḭ̆ų ĺ 쿡 ebp Ų Ŀ ̰ , ٸ 쿡 ebp Ű ʰ ȴٴ ſ. ࿡ ̸ pluskurt ʰ, +kurt ٸ, + ĺ 鵵 ƴϱ ebp Ű ʰ ٷ ̰ . ˰? test al, al/jne 10005FE2 ̸ о 鿴 Ȯϰ ׷ ʴٸ ٽ :̸_о̱ ư κ ݺϰ մϴ. ؼ ڵ带 . :10006008 8D4C2464 lea ecx, [esp + 64] :1000600C 8D542420 lea edx, [esp + 20] :10006010 51 push ecx :10006011 52 push edx :10006012 C6450000 mov [ebp+00], 00 :10006016 E835020000 call 10006250 :1000601B 83C408 add esp, 00000008 :1000601E 83FB01 cmp ebx, 00000001 :10006021 7539 jne 1000605C :10006023 8D442464 lea eax, [esp + 64] :10006027 8D4C2420 lea ecx, [esp + 20] :1000602B 50 push eax :1000602C 51 push ecx :1000602D E83EF6FFFF call 10005670 ; ? ũ ó д ̶ ذ ȵ ϴ. ڼ Ѵٰ ߴµ,  𸣰ڽϴ. ̹ '' غ. ù° ȭǥ ִ ޿ ܰ躰 .( F10 p ̶ ƽ?) ׸ ߴ մϴ. ִ ߴ ϴ. 콺 call 1005670̶ ִ κп Ŭ ϸ ٲ ߴ ˴ϴ. ũ ϴٺ ϴ. ߿ call̰ ƴ Դϴٿ. , ó ׷ . ù° ȭǥ ִ call ߿ callԴϴ. ׷ . t call  κ ȣϰ ִ ڼ , ° ȭǥ ִ б(jle) . sice JUMP ̴ϴ. r fl z zero flag ؼ NO JUMP ٲ㺸. ׸ siceȭ ͺô. (Ctrl+d ų F5 ˴ϴ. F5 xԴϴ.) Ʊʹ ٸ ڰ ɴϴ. ༭ ٴ Դϴ. ׷ 츮 ũ ɱ? ٽ ѹ picaview ׷ ʴٴ ֽϴ. ( ڵ带 ٲٰ Դϴ.) call 10005680 add esp, 00000008 test eax, eax jle 10006077 츮 ٲ б jle eax бϴ ̾ϴ. eax 0̾ jle б⸦ ߴ ̾µ 츮 r fl z б⸦ ʰ ٲ . , ׷ б⸦ ٲٱ⸸ Ѵٰ ũ Ǵ ƴմϴ. ׷, ̷ Ƿ call 1005680̶ call ſ ߿ call̶ ֽϴ. call eax ؼ, Ǵ ϴ б⸦ ϴϱ Դϴ. ׷ϱ call ȣϴ κ ڼ ʿ䰡 ְ.(̷  call test eax, eax ͼ call ˻ϰ, ٷ бⰡ α׷ Դϴ. б⸦ ִ ͸ε ũ 찡 ϴ.) 
ۿ ٽ ڽϴ. ð ɾƼ ϱ, ʹ 鱺. ------------------------------------------------------------------------------- ̴ test eax, eax/jle 10006077 κп JUMP NO JUMP ߸ Ǿ ־ϴ. piranha@jean.ssm.samsung.co.krԲ ˷ ּż ƽϴ. ϴ. Page 1 4. The Unforgiven 4. The Unforgiven ۿ øڽϴ. 켱 ⿡ ٸ ũĿ Ű ýϴ. 뵵 ׷ ƴմϴ. (beginners ߱) ٿ غ, ׳ ״ 츮 ٲٱ⸸ ߽ϴ. ۵ ̶ ۵ մϴ. Ȥ 𸣴 κ , picaview а ٽ о ֽϴ. д տ ۰ Ǵ κ Դϴ. , տ picaview ũ Ϲȣ ̸ 踦 캸, ̸ Էϸ Ϲȣ ϴ α׷(keygenerator) ߽ϴ. ũĿ ٸ ߽ϴ. ٸ ְ, ũĿ ִ ̶ մϴ. ۾̴ Little-John̶ ϴ ũĿԴϴ. ------------------------------------------------------------------------------- winrar 95 ver.2.0: the guts of a simple protection Written by Little-John Micro$oft ûϰ ġū α׷̳  ø ϰ ִ. 95 ׵ OS ġų, RAM ũ ý ڿ ȿ ø ʴ Ȳ, 츮  ؾ ұ? ̴. ũ ϴ ũⰡ ū ϳ ̴. ִ Ʈ ִ. ( ) ϳ, Ǿ Ǹ Pkzip ִ, Winzip 6.x̴. װͿ ߰, ٸ ãٰ Ǹ GUI 32bit ⸦ ãƳ´. Eugene Roshal WinRAR 95 v2.0 ٷ װ̴. ʿ :(SoftIce) Hex Editor γ(brain) ϴ ٸ ̿ص ȴ. Winrar ϴ , ¥ ϴ ' ڵ(Authenticity Code)'̴. ƴ Ϳ ִ. , , , , , , ... ƾ.. ư , (Ϳ :) ڰ ̷ ߴ : " ִ ̶ϴ". , ũ, ٸ ̿ ģ... ׸ ص, Eugene ׷ ȭ ʾҴ. ϵ " ƴ" WinRAR95 ̴. Ǭ ʰ, Ӹ ʿ䵵 , warez ӿ Ϻϰ ϵ ־. ׷ ũϴ Ѵ. Soft-Ice ũ.. ... ڵ带 ϱ ߴ. WinRAR95 ϰ, Option޴ Registration Ѵ. "Enter your regstration (AV) text" ִ ̸(Ǵ :) ִ´. , Johnny . ׸ ڵ带 ִ ϴ ִ´.( 123321 Ѵ.) Soft-Ice (Ctrl-D ), GetDlgItemTexta ߴ Ͼ . ̸ ޸𸮿 ȴ. ó ؾ Ƹ ޸𸮿 ߴ ϰ ̸  ȭ ֳ 캸 Դ. ڵ带 캸. ǥ ũϷ װ Ѵ. ؼ, g , ٸ USER32!GetDlgItemTextA Լ ̴. ׷ ̹ ʿ . ؼ ڵ带 ̷ ڵ带 ִ. :004226CC 8D8554FFFFFF LEA EAX,[EBP+FFFFFF54] :004226D2 50 PUSH EAX :004226D3 8D459C LEA EAX,[EBP-64] :004226D6 50 PUSH EAX :004226D7 E84D66FFFF CALL 00418D29 ; ̷ο call :004226DC 83C408 ADD ESP,08 ;(stack) ġ :004226DF 85C0 TEST EAX,EAX ;Ϲȣ ³? :004226E1 752F JNZ 00422712 ;¾/Ʋ :004226E3 6A30 PUSH 30 :004226E5 6A1A PUSH 1A "Ϲȣ ½ϴ. ּż ϴ" ִ ڸ ʹٸ :004226E1 752F JNZ 00422712 ;¾/Ʋ :004226E1 742F JZ 00422712 ;¾/Ʋ ġ ȴ. δ ġ ʴ. ࿡ Option->General ޴ ؼ Authenticity Code ٸ, "Ϲ մϴ" ϴ ۻڸ ̴. "CALL 00418D29"  WinRAR  ൿϳ ƾ ϴ ̴. ó Call ִ, ׸ 츮 ִ. ϳ ̸ Ϲȣ ̿  谡 ִ ˾Ƽ ùٸ Ϲȣ ˾Ƴ ̴.(̰ ô ̴. ʿϴٰ ϴ°?) ٸ ϳ  ̸ ´ ȣ ̴.(ª Ǹ ̴. Ѵ. û 鿡 ֱ KeyGenerator ʿ ʴ.) ° ϱ ٶ.... .. ƿ. ׷ ϰڴٴ ϴ. 
:) winrar 츮 Ϲȣ ´ Ʋ ϴ ˱ ؼ Ʊ call(CALL 00418D29) ãư Ѵ. տ ڵ , ڵ尡 ̴: :00418F7D 8D8574FFFFFF LEA EAX,[EBP+FFFFFF74] ;̸/Ϲȣ call :00418F83 50 PUSH EAX ; :00418F84 FF35706D4400 PUSH DWORD PTR [00446D70] ;̸/Ϲȣ call :00418F8A E871240100 CALL 0041B400 ; Call Ű ƿ :00418F8F 83C40C ADD ESP,0C ; ġ :00418F92 85C0 TEST EAX,EAX :00418F94 0F94C0 SETZ AL :00418F97 83E001 AND EAX,01 ;if EAX EAX=0 => :00418F9A A348074400 MOV [00440748],EAX ; =>Ͼ :00418F9F FF3528074400 PUSH DWORD PTR [00440728] :00418FA5 E8BA830100 CALL 00431364 :00418FAA 59 POP ECX :00418FAB 33C0 XOR EAX,EAX :00418FAD A328074400 MOV [00440728],EAX :00418FB2 A148074400 MOV EAX,[00440748] ;EAX=1 => WINRAR95 ϵ :00418FB7 5F POP EDI ;EAX=0 => WINRAR95 ȵ :00418FB8 5E POP ESI :00418FB9 5B POP EBX :00418FBA 8BE5 MOV ESP,EBP :00418FBC 5D POP EBP :00418FBD C3 RET RET Ʒ ڵ . :004226DC 83C408 ADD ESP,08 ; ġ :004226DF 85C0 TEST EAX,EAX ;EAX=1ΰ? ƴ - ׷ :004226E1 752F JNZ 00422712 ; ´ - ׷ ȶ ũĿ ڵ, call ൿѴ. EAX=0̸ ߸ Ϲȣ , EAX=1̸ Ϲȣ ̴. EAX 1 ǰԲ ȴ. ? . :00418F8F 83C40C ADD ESP,0C :00418F92 85C0 TEST EAX,EAX :00418F94 0F94C0 SETZ AL :00418F97 83E001 AND EAX,01 :00418F9A A348074400 MOV [00440748],EAX 츮 ڵ带 ٲٸ ȴ. :00418F8F 83C40C ADD ESP,0C :00418F92 33C0 XOR EAX,EAX ; EAX 0 . :00418F94 B800010000 MOV EAX,1 ;EAX=1 =>ϵ :00418F97 90 NOP :00418F9A A348074400 MOV [00440748],EAX EAX ׻ 1̴.  ̸ Ϲȣ ִ ׻ ϵȴ. α׷ Ϲȣ ־ٰ ϴ´. α׷ ְ ȴ. Ciao a tutti By Little-John ------------------------------------------------------------------------------- , ٸ ũĿ ű Ͱ  ٸ ̰ ִ , ϴٸ ̴ϴ. Page 1 5. Lithium 5. Lithium ٽ picaview ̾߱Դϴ. the unforgiven ó ܱ ũĿ ׳ 츮 ű⸸ ϴ . ̷ ٴ Դϴ. the man who sold the world 'ǽɽ' call(call 115670) ãƳ ߾ϴ. ǽɽ call eax ϵǾٴ ۻڸ , ƴϸ Ϲȣ Ʋȴٴ ڸ ȴٰ ߽ϴ. ̹ ǽɽ call ȣϴ κ . :10005670 56 push esi :10005671 8B742408 mov esi, [esp + 08] :10005675 56 push esi :10005676 FF15F8600710 Call [KERNEL32!lstrlen] ;̸ ̸ Ѵ :1000567C 83F805 cmp eax, 00000005 ;5 ̻ΰ? 
:1000567F 7D04 jge 10005685 ;׷ٸ б :10005681 33C0 xor eax, eax ;ƴ϶ eax 0 :10005683 5E pop esi :10005684 C3 ret ;ret ǽɽ call κ θ ֽϴ. κ ̸ '' ϴ κ̶ ֽϴ. ٷ Call [KERNEL32!lstrlen] ϰ . (, lstrlenԼ ũ̶ Ͱ е װ  ϴ ˰ մϴ. 𸣴 е ְ. ڸ, lstrlenԼ ̸ ϴ ԼԴϴ. ̸ Ʈ (ANSI version), character(Unicode version) ݴϴ( (null terminated string) ʽϴ)) cmp eax, 5 jge 10005685 ׸ ̰ 5 ū Ȯմϴ. , 츮 ̸ 5ڰ Ѵ Ȯϴ . pluskurtϱ 8ڸ ־. ׷ϱ Դϴ. ࿡ 5 ̻ ʾҴٸ ڵ մϴ. xor eax, eax pop esi ret xor eax, eax eax 0 ϴ. ۿ õ eax 0 Ǹ Ϲȣ Ʋٴ ڰ ˴ϴ. ׷ ȵ. ׸ ϰڽϴ. xor eax, eax eax 0 ɱ.(the unforgiven ̷ ־.) xor XOR ϴ Դϴ. , OR, AND, NOT ? ߿ XOR(eXcluded OR)̶ ͵ ̴ϴ. A B XOR A XOR B 0 0 0 0 1 1 1 0 1 1 1 0 XOR մϴ. ׷ϱ, ٸ 1 ְ, 0 ݴϴ. ׷ xor eax, eax eax ϴϱ 翬 0 ְ ǰ eax ˴ϴ. eax 0 Ǵ . ذ ǰ? eax 0 sub eax, eax ְ. sub(Subtract) ״ Դϴ. eax=eax-eax ϴϱ 翬 eax 0 . ̷  0 ʿ䰡 xor eax, eax Ѵٰ ϳ׿. ׷ ϴ ó ӵ ٰ մϴ. , the unforgiven ó  ̸/Ϲȣ Ű Ἥ ũ ְ, 츮 װͺٴ keygen ִ ̴ϱ, 5ڸ Ѱ Ἥ jge 10005685 бϵ . :10005685 682D224900 push 0049222D ;49222D.. μ :1000568A 56 push esi ;esi-->pluskurt :1000568B E820AD0000 call 100103B0 , ⿡ call ֽϴ. 츮 call ϴ ˾ ؼ call ȣ κ 캸ƾ ұ? , ׷ ϸ Ȯ ̴ϴ. װ ſ ϰ ð ɸ ǰ. ׷ ̷ keygen ʽϴ. , call ȣϴ κ ڼ , call 캸 call  ϴ ֽϴ. 켱 ù° call ڽϴ. push esi call 100103B0 mov esi, eax push ɾ Խϴ. push ణ . ƸƮ 信 ־.  ̶̼ ü ̾µ, ־ϴ. ģ ϰ ̾ ص ű⼭ ִ ٰ̾ ˴ϴ. Ͻô е鵵 е̾. ̽, ĵ ϰ ⵵ ϰ.. ׷ ̾. п , ϰ Ǿϴ. : ) ̽ ϴ ̾. ͼ ϰ ִ ģ .. ̾. ģ, ƸƮؼ ε ٰ ߴµ, ٳԳ 𸣰ڱ. .. Ͽư, ׷ ? ׷ ð ֽϴ. ø  մԵ ư. push '' 谡 ֽϴ. '' Ͷ ϰ, ò̸ ޸𸮶 . ø ϴ ũ μ : ) ٷ ̷ ø ò̿ ϴ push ̴ϴ. ͸ ޸𸮿 ϴ . մ ؼ ø ϴ popԴϴ. ޸𸮿 Ǿ ִ ͸ . push esi esi ޸𸮿 ϴ Դϴ. ͵ ? ׷ ̷ ƸƮ ϱ ϸ鼭 ÿ . ̰ ð 谡 ִ Դϴ. LIFO(Last In First Out)̶ Ҹ Դϴ. 츮 ϸ () ɱ. ø ϼ, մ ø ߿ . ذ ǰ? (ò) ͸ ϰ, ͵ Դϴ. push ʹ ߿ pop˴ϴ. push esi, push eax ߴٸ pop eax, pop esi ͸ ִ . ׷ push esi ÿ esi ߽ϴ. ⼭ esi pluskurt, ־ ̸Դϴ.(d esi Ȯ ֽϴ.) ̰ call 100103B0 ҷ ̴ϴ. call eax ˴ϴ. mov esi, eax eax esi Ű . eax siceȭ â Ȯ . pluskurt , eax 104C5DE5Դϴ. ߿. sice ? 104C5DE5(Ǵ ? eax ɵ Դϴ.) . ? 16 10 ٲ ִ Դϴ. 104C5DE5 10 273440229Դϴ. ٷ pluskurt "¥" Ϲȣ. ? call ̷ϴ. esi ִ '̸' ޾ 鿩 'Ϲȣ' . eax , ٽ esi Űϴ. ϰ ˾Ƴ Ϲȣ ־ picaview ֽϴ. 
װ͵ ũ.(ED!SON̶ ũĿ ¿ ̷ Ǿϴ. , ۵ о ʰ ⿡, ̸ pluskurt Ϲȣ 273440229 Է ְ. װ ũ ƴ. ̸ ְ ݱ ϴٰ siceȭ鿡 ̴ '' Ϲȣ ϴ ũԴϴ. ⿡ pluskurt Ϲȣ ̾߱⸦ ϱ ؼԴϴ.) Ϲȣ α׷ ̱ call ȣϴ κ ڼ ϰ. ׷ Ʒ ִ ° call  ϴ 캸.( ġ ִ ̶ ̹ ְ Դϴٿ) mov eax, [esp+14] push eax call 10068043 add esp, C xor ecx, ecx cmp esi, eax sete cl mov eax, ecx pop esi ret ó mov eax, [esp+14] Խϴ. [esp+14] Ű ִ Ϲȣ Դϴ. 1234. ̰ eax ű pushմϴ. ° call 1234 ְڱ. ڸ ° call 1234 picaview ˾ ִ Ϲȣ ٲ㼭, ù ° call ¥ Ϲȣ غ ϴ ̴ϴ.  е picaview ˾ ִ Ϲȣ ٲ۴ٴ ذ ٵ. ̷ ſ. 1234 "" ƴմϴ. Ʊ ù ° call picaview Ϲȣ 16 104C5DE5 ""ϴ. 1234 ״ ڿ Դϴ. ° call 1234 ڿ 16 ٲٴ ̴ϴ. ° call eax 4D2 ̴ϴ. 16 4D2 10 ٲٸ 1234, õ ̹ 簡 Ǵ ſ. ׷ϱ μ picaview 4D2(1234) 104C5DE5 ִ Ű. ذ ǰ? ι° call ϴ ذ Ǽ ˴ϴ. ׷ 츮 call ι° call ƴ϶ ù ° call̰. picaview ̸ Ϲȣ ߿, ڿ 1234  ٲٳ ϴ ϴ. ׸ ɵ 캸. ° call , 츮 Ϲȣ(4D2) ¥ Ϲȣ(104C5DE5) ϴ Դϴ. xor ecx, ecx ϴ е ſ. cmp esi, eax ϴ ˰ڱ. , ° call eax(4D2) ù ° call ִ esi(104C5DE5) ϴ . cmp ؼ ÷׸ Ѵٰ ߾. ( , ״ ÷״ ̴ϴ.) sete cl̶ ο ֽϴ. SETE(SET if Equal)  (condition) ϳ Ʈ(byte) 01 (set) ϴ (Set on Condition) ϳԴϴ. ÷װ Ǿ̰, Ǿٸ cl͸ 01 . տ Դ cmp esi, eax ؼ (Ϲȣ) ٸ ÷װ Ǿ ̰, ׷ٸ sete cl ؼ cl 01 (set) Դϴ. ׷ Ǹ mov eax, ecx ؼ eax 1 װ retǾ Ҵ test eax, eax / jle κп NO JUMP Դϴ. ̰ 'ϵǾ' ڸ Ÿ ϴ . ˰? ׷ ġ ̶ ⼭ ũϴ ãƳ ſ. ã ̳? keygen ʰ picaview ׳ ũϴ ̿. ׷ ֽϴ. ϳ α׷ ũϴ 󸶵 ϱ. ⼭ ݹ ã ִ sete ̿ Դϴ. , . picaview 츮 Ϲȣ ¥ Ϲȣ ؼ cl͸ 01 ϴ. ʴٸ 00 . ٽ eax ȴٴ , ٷ ߴ ݾƿ. ٷ eax 00 Ǵ 01 ǴĿ Ǵ ĸ ϴ ̴ϴ. .. 츮 Ϲȣ Ϲȣ clʹ 01 ˴ϴ. 00 . ׷ ݴ شٸ  ɱ? ̳ ϸ. 츮 Ϲȣ Ϲȣ ϶ clͰ 00 ǰ, ׷ 쿡 clͰ 01 Ǵ ſ. ׷ 츮 ƹ ȣ( Ϲȣ ƴ ȣ) ־ picaview 츮 Ű. ׷? ׷ ϸ ˴ϴ. ϰ. sete 츮 Ϲȣ ¥ Ϲȣ ؼ '' cl 01 ̶ . ׷ setne(Set If Not Equal, setnz) Ѵٸ... , 츮 Ϲȣ ¥ Ϲȣ ؼ ' ' cl 01 . sete cl ڵ 0F94C1̾ϴ. setne cl ڵ 0F95C1Դϴ.  ˾ҳİ? ̾߱⿡ б je(jump if equal, jz) ڵ 74Դϴ. jne(jump if not equal, jnz) ڵ 75Դϴ(쿡 ̵ ڵ ٲ ֽϴ). ٷ 74 75 ٲٴ ũ ̰, ݱ Ǵ ũ Դϴ. . 츮 Ϸ ϴ ݾƿ? ׷ϱ sete ڵ 94 ϱ, Ƹ setne ڵ忡 95 ʰڳ ϰ ִ ſ. ׷ Ȯ ֽϴ. ٷ a(Assemble) ̿ϴ ̴ϴ. sice a ָ ip ְ ݴϴ. ׷ϱ е siceȭ鿡 Ⱑ sete cl ġ a . ׷ ٿ Է ְ Ǵ ֽϴ. ű⼭ setne cl̶ ϴ. ׷ sice Էϱ ٸϴ. ̻ Է ׳ ͸ ġ a ¸ մϴ. ׸ Ⱑ ִ ڵ尡 0F94C1 0F95C1 ٲ ֽϴ. setnz cl̶ ٲ ̿. (equal̶ Ͱ zero ٲ㰡 ִٴ ̹ ƽ? sice zero ϴ.) 
׷ ġ Ŀ sice . 'ϵǾϴ'ϴ ۻڰ ٸ ̴ϴ. ̷ ϵ 'Ͻ' Դϴ. 츮 aδ (޸ 󿡼) picaview ڵ带 ٲִ ƿ ٲ ƴϱ Դϴ. ƿ ٲٷ hex editor picaview  ٲ .(hex editor ڵ带 ٲٴ ƽ. about a girl w32dasm ũ ߾) ׷ hex editor ٲ 'Ͻ' ƴ϶ Ǵ ſ. . ̰͵ ϳ ũ ǰ? ݱ picaview ũϴ ˾ҽϴ. ϳ ¥ Ϲȣ siceȭ鿡(ù° call eax) ڿ ִ ̾. ٸ ϳ ̷ sete cl setne cl ٲٴ . ¶ư 츮 ⼭ ׸ , ǥ keygen ؼ . , ù ° call ȣϴ κ ڼ ҽϴ. ݱ , 츮 ϴ Ϲȣ α׷ Ǵ ƴմϴ. ߿. picaview, 츮 ̸  Ϲȣ ״ϱ. . ݱ picaview '̸' ڰ ҽϴ. ڰ ̶ ٷ ̸ '' 5 ̻̾ Ѵٴ . ⿡ '' ĺ 鸸 ϴ. +pluskurt pluskurt picaview 忡 ̰ 8ڷ ̴ ̴ϴ. '+' ĺ ƴϰ 鵵 ƴ 'Ư'̱ ̸ ̸ , . ݱ Cα׷ ڽϴ. for (i=0; (c=getchar()) != '\n' ; ++i){ name[i]=toupper(c); /*빮ڷ ħ*/ if (isalpha(c)) /*ĺ̶ */ ++length; /* ̸ ԽŴ*/ else if (isspace(c)) /*鵵 */ ++length; /* ̸ ԽŴ*/ else /* 쿡*/ --i; /*о */ } name[i]='\0'; if (length30) /*̰ 30ڰ 30° ʹ*/ name[30]='\0'; /**/ .. ֽϴ. б C , ù  ķ Ƿ̴ϱ ̿.(.. ѽ. ׶ б ׷ Ⱦ߳ ȸ˴ϴ. θԲ ˼ϱ. ϱ 鿩 ϸ б ̴ּµ, ׷ ̿.) ׳ ȥ ɽ Cå 鼭 󼭿. ? ׸ ̸ ִ ̸ ƹԳ ֵ Ǿ ִ ƴմϴ. picaview ڿ ̸ ڳ ޾Ƶ̴ . 30 Դϴ. ̸ 30 Ѱ , ׷ Ȯ ϱ ؼ Ʒ 뵵 Խ׽ϴ. ̹ . picaview ȣ ڵ带 ڽϴ. ׷ϱ ù ° call ȣϴ κ . Page 1 6. Until It Sleeps 5. Until It Sleeps ι° ܱ ũĿ űϴ. ۵ ʺڸ ̴ ϱ⿡ Ư ϴ. 漳 ణ ʿ κе Ƽ 漳 ϰڽϴ. 켱 츮 ű鼭 ܾ ε, protection scheme̶ ܾ ״ Űϴ. 츮 ٲ ã ؼԴϴ. protection scheme ˾Ƴ ' ' ͵ ũ̶ ְ. protection scheme . 켱 ̸ Ϲȣ Էؾ ϴ paper protection scheme ֽϴ.  . ȿⰣ ξ Ⱓ ϵ ϴ best before protection scheme ֽϴ. ̿ ణ Ⱓ ƴ϶, ߴ α׷ Դϴ. , 20 ̻ Ǹ ȴٴ ϴ. ̷ ͵ Cinderella protection scheme̶ . ٸ ְ, ַ Դϴ. ̷ ⸦ ϸ , protection scheme ˰? , ۿ Nop ̾߱⸦ ϰڽϴ. w32dasm ũ Ⱑ Ǿ. ߿ nop ƹ ǹ̾ ̰, ڵδ 90̶ ߽ϴ. w32dasm ũ ff251ca74900̶ ڵ带 3c9090909090 ٲپ ־. 3c ret ڵ̰, 90 ä ־ϴ. ̷ ϴ 'nopѴ'(nopping) ǥմϴ. ̰ 츮 ʾƼ ׳ ״ ϴ. ׷ +ORC ¿ ̷ 90 ؼ ʴٰ ߽ϴ. ũĿ ̷ nopping ϱ , protectionist( ܾ ƽð? : ) α׷ , 90 ̻ ؼ ݺǸ װ ˾ ϰų, ƴϸ α׷ ̷ а(?)ϵ ڵ带 Ѵٴ ̴ϴ. ׷ϱ  ڵ带 ַ 90 ؼ ʴٴ . ׷ +ORC . Ʒ ۿ Ͱ inc ax, dec ax, inc ax, dec ax.. þ Դϴ. inc ax ڵ 40, dec ax ڵ 48Դϴ. inc ax ax ״ٰ dec ax ٽ Ű ᱹ ƹ͵ ̵. ׷ϱ 9090ٴ 4048 nopϴ Ǵ ̴ϴ. inc bx, dec bx . ------------------------------------------------------------------------------- ʺ û protection (1997)! ȣȭ Ϲȣ : ʺڸ ̾߱ by Tristan +HCU л а, +ORC Ǹ 츮 ְ , ڵ鿡 λ縦 帳ϴ. ϱ ϰڽϴ. ũ ۿ ʾҽϴ. 
ó ũ õ ۵ ߰, ̹ ũ ϴ Ϳ Ұ. Ⱓ Ŀ μ ũ ְ Ǿϴ. ׵ protection scheme Խϴ. ׷, '' α׷鿡 Ⱑ ׾ ũ õ е鿡 ⸦ ְ ϴ. , ü ũ ذ ˴ϴ. ʺڵ鿡 ְ ְ, ϱ protection scheme鿡 ϴ. ϰ "ʺ , . ã protection scheme ũϸ и ҷ ſ." ̴ϴ. 谡 ֽϴ. " ٺ protection " ĺ ã ϴ. û : ϱ ŭ û protection scheme 츮 ũ α׷ cyberspace hq. Add Web 1.23Դϴ. www.download.com̳ α׷ http://www.cyberspacehq.com/home.htm ٿ ֽϴ. Ǵ ˻ ˰ ִٸ, ٸ ̳ ֽ ã ְ. 켱 ũ . ׷ Add Web ִٴ ֽϴ. ù° ν縸 ϸ . Դϴ. , Ȩ 10 search engine ִ ϴ Դϴ. 355 search engine Ȩ Ͻִ Դϴ. (, . ʿ search engine ʰ ̰, ͵). ϴ ' (gold registered version)'Դϴ. " report header footer ĥ ִ ϸ, e-mail reports ִ ɵ մϴ." Add Web Ͽ ؼ ٿϴ. ܿ . ȣ ־ ϴ. ƾƾ.. Ʈ . α׷ Դϴ : =========================== $49.00 $89.00 89 ޷? ̷ α׷ ʹ α. Win95 ׷Ա Ŷ մϴ( 찡 󸶳 װ ϸ ׷ ݵ ƴ Դϴ) ̷ ̴ϴ: .. ̷ α׷̶ и protection scheme ְ. ũ . ù° : addweb.exe(732,160 bytes ũԴϴ) w32dasm 8.9 ϴ. ׸ (+ORC ڵ ) "now registered" "sorry this was a bad reg. number" ã. ׸ ̷ ִ κ ãҽϴ. ̷ ִ ã: "AW21-JH8WFHB-84EWFW8" "AW23-JH843H8-8426298" "AW98-2J882DB-JW01192" "AWD8-362HF83-8EHE532" "AWE1-F373736-UJU8376" "AWGD-WDWD824-4962345" "AWGE-DWE837A-FE97438" ... and a lot more ... ̰͵ ̴ ϱ? ״ ޽δ ʴ . ׷ ? ȣȭ Ϲȣ ƴұ. ۽, ׷ٸ ׷ ȣȭ Ǿ? ׷ٸ Ȥ....? Ƴ, ! ׷ ︮! Ȥ ü Ϲȣϱ? Ǫ .. ׷. ( ) ׷ Ϲȣ ־ . ۻڰ Ƣñ ϸ鼭 Դϴ. ׷, ϴ. ̷ ִ ۻڰ ſ. '49(Ǵ 89) ޷ ּż ϴ'... ȣȭ ü Ϲȣ ̴ϴ. ! Ǫ.. "ũ" ϴ 2е ɸ ʾҽϴ. Ӹ ʾҰ. , ũ ƴմϴ. ̹ ߵ ϱ. '' ''. About ڸ ϱ, '' ϵǾ ִ. ׷ ̹ Ϲȣ ٽ ѹ ýϴ. . о . ̰ ݸ غ ִ Ŷϴ. Ϲȣ ! ˾Ƴ³? ƹ о ʰ, ñ⸦ ٶϴ. ʹ ϴ. Ģ ֽϴ. - Ϲȣ AW մϴ.(̷, Ȥ AddWeb Ÿ ϴ ǰ? : ) - AW G մϴ.(G Gold ϰ. ..) - G ʴ ٸ Ϲȣ '' Դϴ. , ϰ ѹ ٽ . ʿ ʹ ? ι° : ̹ Ϲȣ ̿ؾ߸ ϴ . α׷Ӱ û ʾҴٸ ũ . Wdasm ٽ ؼ Ϲȣ ãư. ׷ ڵ尡 Դϴ. * Referenced by a Jump at Address:045A459(C) | :045A495 8B831C050000 mov eax, dword ptr [ebx+0000051C] * StringData Ref from Code Obj ->"AW25-7JREG7C-3H1EG54" "AWGM-MCC77WA-G55WGS5" Ʒ ݺմϴ. :045A505 66BA0A00 mov dx, 000A :045A509 66B86200 mov ax, 0062 :045A50D E826C4FAFF call 00406938 :045A512 DD9B14050000 fstp qword ptr [ebx+514] :045A518 9B wait :045A519 C783280500000B000000 mov dword ptr [ebx+528], B :045A523 C7832C050000CE070000 mov dword ptr [ebx+52C], 7CE ߴ ũ . ֽϴ. 
켱 ǰ ϳ ؾ մϴ. ̶ :0045A4A5 ִ jne, ̶ :0045A4F1 ִ jne ľ մϴ. ֽϴ. б⸦ Nop ƴϸ б ٲ ؾ մϴ. nop ̶ 753A 9090 ٲ ϰ. ٲ ַ 753A 743A(75="jne" 74="je") ٲ ϰ. (ι° ֽϴ: ࿡ Ϲȣ ִ´ٸ бⰡ б⸦ ϰ ǰ :-) ܼ 90 nopϴ (+ORC 츮 ) protectionist '̳' ɸ ֽϴ. (, ̷ û α׷Ӱ α׷ ũϴ 쿡 ׷ . 츮 ׷ '̳' ̷ ִٰ ϰ ⸦ ) ũĿ鿡 '̳' ־ 90 ̿ nop ϸ 츮 ϵũ ͸ ڻ쳻 ٰ (, Ʈ ͸ ڻ쳾 ֽϴ. ׷ ǻ ̷ ְ). ׷ ؼ ' nop' ֽϴ. 2Ʈ nop inc ax 40 1000000 dec ax 48 1001000 - - ~ - - inc bx 43 1000011 dec bx 4B 1001011 - - ~ - - inc cx 41 1000001 dec cx 44 1000100 - - ~ - - inc dx 42 1000010 dec dx 4A 1001010 FEC0 inc al , FEC8 dec al 4Ʈ nop ֽϴ. ڵ带 ϸ '' ڵ嵵 ũ ֽϴ. װ ׳ α׷ ũϴ Ͱ . Ʈ: ࿡ ٽ Ѵٸ Win95 regedit  AddWeb ã. 丮 Init RegNum̶ Ű ã ֽϴ. װ ϸ ٽ ˴ϴ. ¥ Ʈ: Ư¡ ϳ, ⿡ ũ ƹ͵ 𸣰 ־ ũ ִٴ ̴ϴ. ũ 켼. װ () ϴ ͺ ϴ. ¥ ¥ : ϰ ִٸ Ʒ ּ: to(point)tristan(at)usa(point)net Winimage ũϰ ֽϴ.( ̰ ũϰ ִ ֳ? ּ!) ׸   ֽñ ٶϴ. Ͼ ŵ. ׷ϱ Ͼ ص ǰ. Tristan. All rights released. -------Tristan---------------- ------------------------------------------------------------------------------- Page 1 7. Yellow Submarine 7. Yellow Submarine ̹ picaview , ٽ ܱ ũĿ űϴ. picaview ҰԿ. ̹ HexWorkshop(ver 2.53) ũϴ Դϴ. , ٸ ũ . ũϴ ̰, ִ Դϴ. ȸ hexworkshop ũߴ ؼ ̾߱ϰڽϴ. ʺ̰, ũ ζ, ֽϴ. ҽ м ڼ Ǿ ʱ ε. ׷ е ׳ . ۵ , ٽ ذ ȵǾ κ , ظ ſ. ------------------------------------------------------------------------------- How to register HexWorkshop v2.52 (32bit) - by Heres - [Courier New 8Ʈ ̿ؾ Դϴ.] ̸ ãƳ ⺻ ϴ, ҽ ̿ ̴. ũ ִ 丮 HEXWORKS.REG(ũ 0 byte) ִ. ڸ ãư. * Possible StringData Ref from Data Obj ->"HEXWORKS.REG" ;ƿ, ֱ. 
|
:0043B10C BAC05B4800 mov edx, 00485BC0
:0043B111 83E103 and ecx, 00000003
:0043B114 F3 repz
:0043B115 A4 movsb
:0043B116 8D7C240C lea edi, [esp 0C]
:0043B11A B9FFFFFFFF mov ecx, FFFFFFFF
:0043B11F 2BC0 sub eax, eax
:0043B121 F2 repnz
:0043B122 AE scasb
:0043B123 4F dec edi
:0043B124 8B02 mov eax, [edx]
:0043B126 8B4A04 mov ecx, [edx]
:0043B129 8B5A08 mov ebx, [edx]
:0043B12C 6A00 push 00000000
:0043B12E 8907 mov [edi], eax
:0043B130 8A420C mov al , [edx]
:0043B133 894F04 mov [edi], ecx
:0043B136 8D4C2410 lea ecx, [esp 10]
:0043B13A 895F08 mov [edi], ebx
:0043B13D 51 push ecx
:0043B13E 88470C mov [edi], al

* Reference To: KERNEL32._lopen, Ord:0262h ;
|
:0043B141 FF15C85A4900 Call dword ptr [00495AC8]
:0043B147 83F8FF cmp eax, FFFFFFFF
:0043B14A 8BF0 mov esi, eax
:0043B14C 0F84D7000000 je 0043B229
:0043B152 8B9C2418010000 mov ebx, [esp 00000118]
:0043B159 68D2000000 push 000000D2 ;ũⰡ 210 bytes̻̾ Ѵ
:0043B15E 53 push ebx ;Ͽ о ...
:0043B15F 56 push esi

* Reference To: KERNEL32._lread, Ord:0263h ;Ͽ о .
|
:0043B160 FF15CC5A4900 Call dword ptr [00495ACC]
:0043B166 8BF8 mov edi, eax
:0043B168 56 push esi

* Reference To: KERNEL32._lclose, Ord:025Fh ; .
|
:0043B169 FF15D05A4900 Call dword ptr [00495AD0]
:0043B16F 81FFD2000000 cmp edi, 000000D2 ;ũⰡ 210bytes¾?
:0043B175 752A jne 0043B1A1
:0043B177 81ECD4000000 sub esp, 000000D4
:0043B17D 8BF3 mov esi, ebx
:0043B17F 8BFC mov edi, esp
:0043B181 B934000000 mov ecx, 00000034
:0043B186 F3 repz
:0043B187 A5 movsd
:0043B188 66A5 movsw
:0043B18A E861020000 call 0043B3F0 ;Ϲȣ
:0043B18F 81C4D4000000 add esp, 000000D4
:0043B195 3B83CE000000 cmp eax, [ebx000000CE] ;ȣ! Ϲȣ!
:0043B19B 0F8418010000 je 0043B2B9 ;ϵǾٸ б * Referenced by a Jump at Address:0043B175(C) | :0043B1A1 66C7030000 mov word ptr [ebx], 0000 :0043B1A6 BFD05B4800 mov edi, 00485BD0 :0043B1AB B9FFFFFFFF mov ecx, FFFFFFFF :0043B1B0 2BC0 sub eax, eax :0043B1B2 F2 repnz :0043B1B3 AE scasb :0043B1B4 F7D1 not ecx :0043B1B6 2BF9 sub edi, ecx :0043B1B8 8BC1 mov eax, ecx :0043B1BA C1E902 shr ecx, 02 :0043B1BD 8BF7 mov esi, edi :0043B1BF 8D7B02 lea edi, [ebx] :0043B1C2 F3 repz :0043B1C3 A5 movsd :0043B1C4 8BC8 mov ecx, eax :0043B1C6 83E103 and ecx, 00000003 :0043B1C9 F3 repz :0043B1CA A4 movsb * Possible StringData Ref from Data Obj ->"Unregistered" ; +ORC ã ߴ | :0043B1CB BFD45B4800 mov edi, 00485BD4 , hexworkshop ִ 丮 ũⰡ 210 bytes ̻  HEXWORKS.REG ̸ . ( ) Ʒ ִ. ߿Ѱ ũ̴ϱ 켱 ׳ . xx0000000000 Heres xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ٸ 0Dh, 0Ah ִ´.(׳ ȴ.) α׷ ũϴ ִ. 1. ڵ带 ġ 켱 HWORKS32.EXE Ѵ.( ڸ HWORKS32.ORI) OFFSET: -- 0003A59B 0F8418010000 je 0043B2B9 ;ϵǾ б OFFSET: -ũ- 0003A59B E919010000 jmp 0043B2B9 ; б 0003A5A0 90 nop ; :-o 2. Softice ̿ؼ Ϲȣ ˾Ƴ Softice hexworkshop  ߴ Ѵ. bpx cs:43B195 F5 Ų... ׷ Ϲȣ Ÿ ̴. :0043B195 3B83CE000000 cmp eax, [ebx+000000CE] ; ȣ! Ϲȣ! .. ̷ӱ... EAX HEXWORKS.REGϿ Ųٷ ؼ ̴. Ʊ 4 byte ƴ. 78h, 78h, 0Dh, 0Ah 36h, E8h, 0Fh, C8h HWORKS32.EXE ٲ۴. .. İ ũ ´. ð ִٸ, Ϲȣ  Ϲȣ α׷ ̴. ˸:  ̼ߴٸ ֱ ٶ. Ǹ +ORC ¸ ũ Ż̴. Heres, 1997 7 3. (c) Heres 1997. All rights reserved ------------------------------------------------------------------------------- Page 1 8. Come As You Are 8. Come As You Are ٽ PicaView Դϴ. ۿ κ Ϲȣ κ , call ҽϴ. ̹ ۿ Ϲȣ κ ڼ ϰڽϴ. к ڸ Ϲȣ κ ũ κ ֽϴ. κ ģ ణ ļ Ϲȣ ϼϰ Ǵ . ̹ ۿ Ƹ ù ° κи ĥ ϴ. ׷ κ ѹ . ˾ƺ ٷ call 100103B0 Ϲȣ ȣϴ ̾ϴ. ׷ 100103B0 . 
:100103B0 81ECA8000000 sub esp, 000000A8 :100103B6 55 push ebp :100103B7 8BAC24B0000000 mov ebp, [esp + 000000B0] ;pluskurt ebp ű :100103BE 56 push esi :100103BF 57 push edi :100103C0 8BFD mov edi, ebp ;pluskurt edi ű :100103C2 83C9FF or ecx, FFFFFFFF ;ecx Ʈ 1 :100103C5 33C0 xor eax, eax ;eax 0 :100103C7 33F6 xor esi, esi ;esi 0 :100103C9 F2 repnz ;⼭ ʹ :100103CA AE scasb ;pluskurt :100103CB F7D1 not ecx ; :100103CD 49 dec ecx ;Դϴ. :100103CE 8974240C mov [esp + 0C], esi :100103D2 6683F901 cmp cx, 0001 ; 1 ū :100103D6 0F8299010000 jb 10010575 ;Ȯ :100103DC 6683F950 cmp cx, 0050 ; 80 :100103E0 0F878F010000 ja 10010575 ;Ȯ :100103E6 8B8424BC000000 mov eax, [esp + 000000BC] ;49222D :100103ED 53 push ebx ; :100103EE 3BC6 cmp eax, esi ;49222D 1 :100103F0 0F85C4000000 jne 100104BA ;翬 ʽϴ. :100103F6 8BF9 mov edi, ecx :100103F8 33D2 xor edx, edx :100103FA 81E7FFFF0000 and edi, 0000FFFF :10010400 7E11 jle 10010413 :10010402 33C0 xor eax, eax , ̸(pluskurt) Ϲȣ ٽ ̸ ̸ Ȯϴ ϴ. ĺ 鸸 ٽ ̸ ̸ ϴ.(̸ ִ !@#$% 'Ư'ڵ ) mov ebp, [esp+B0] esp+B0 Ű ִ pluskurt ebp ű, mov edi, ebp pluskurt edi űϴ. edi ű ֽϴ.(scasb) or ecx, -01 xor eax, eax xor esi, esi repnz scasb not ecx dec ecx pluskurt Դϴ. w32dasm ҽ Ͽ or ecx, ffffffff Ǿ siceȭ鿡 or ecx, -01̶ ſ. Դϴ.(ñϽ е  о . ffffffff -01 ſ.) ۿ repnz scasb siceȭ鿡 ٿ Ÿ, ҽ Ͽ ٸ ٿ Ÿϴ. ϴ. 켱 or ecx, -01 ecx ffffffff ˴ϴ. ̷ ϴ Ʈ ϱ ؼ or ϴ ſ. . A or B AorB 0 0 0 0 1 1 1 0 1 1 1 1 ƽð or ൿմϴ. , ϳ 1̸ 1 ſ. ׷ٸ, CX Ʈ 1 ʹٸ  ϸ ɱ. or cx, 00ff ̷ ϸ ɰ̴ϴ. ff Ʈ ǥϸ 11111111 ˴ϴ. cx 1010 1010 1010 1010̶ , cx 1010 1010 1010 1010 OR |00ff 0000 0000 1111 1111 ---------------------------- 1010 1010 1111 1111 |========| ֵ Ʈ 1 Ǿϴ. ׷ or ecx, ffffffff ecx Ʈ 1 ذ ſ. , ̹ ִ xor ̿ؼ eax esi 0 ϴ. repnz scasb ó . 켱 scasb(SCAn String by Byte) ˾ƺ. ״ ڵ о Դϴ. ڼ ڸ ALͷ ڸ о 鿩 es:di ִ 񱳸 ϴ . ׷ ݺ cpu ŭ di Ű鼭, ÷׸ Ǵ մϴ. ⼭ pluskurt(es:edi) ڸ о 鿩 0(eax) մϴ. ٵ ƽð ڵ(strings) ޸𸮿 , , 0(null character) ֽϴ. ׷ϱ pluskurt ޸𸮿 p l u s k u r t 70 6c 75 73 6b 75 72 74 00 ̷ Ǿ ִ . sice ȭε Ȯ ̴ϴ. scasb pluskurt 0 ϴ ɱ. repnz ϸ ֽϴ. 
repnz(REPeat while Not Zero) scasb ΰ մϴ. , pluskurt о ٰ 0 . 0 pluskurt а null character̴ϱ, ᱹ repnz scasb pluskurt ݺ϶ . ְ , ̳׿. ϰھ? ƹư ̷ repnz scasb pluskurt о , ڸ ecx ϳ մϴ. ó ecx ffffffff ⿡ . , repnz scasb ġ ecx fffffff6 ˴ϴ. ׸ not ecx Ʈ ٲٰ(notƽ?), dec ecx ϳ ҽŰ ecx 8, pluskurt ̰ ˴ϴ. ̷ pluskurt ̸ ˾ ſ. ̷ ecx(cx) մϴ. cmp cx, 1 jb 10010575 cmp cx, 50 ja 10010575 ̸ ̰ 1̻ 80 ƴϸ б϶ Դϴ. бϴ (10010575) ʴ ƴ϶ ְ? mov eax, [esp+BC] push ebx cmp eax, esi jne 100104ba esp+BC Ű ִ 49222D Ϲȣ Դϴ. ׷ϱ 켱 ϰ ־ . eax esi մϴ. esi Ʊ 0 ̰, eax 49222DԴϴ. 翬 . Ϲȣ .. Ư Ϲȣ üǴ ڵ бϴ , Ȯ 𸣰ڽϴ. ⼭ ̷ ȵǴ 񱳸 ؼ б⸦ ϴ ̿. ƽô ּ. ¶ư ⼭ б 'ùٸ' б̴ϱ ׳ ؿ. Ϲȣ бմϴ. :100104BA 8BD9 mov ebx, ecx ;ebx ű :100104BC 33FF xor edi, edi ;edi 0 :100104BE 81E3FFFF0000 and ebx, 0000FFFF ;ebx 常 :100104C4 7E2C jle 100104F2 :ù°_κ_ :100104C6 0FBE0C2E movsx byte ptr ecx, [esi + ebp] ;̸ ڸ :100104CA 51 push ecx ;ϳ ϳ ҷ 鿩 :100104CB E8387C0500 call 10068108 ;빮ڷ ٲ :100104D0 0FAF8424C4000000 imul eax, [esp + 000000C4] ;eax*=49222D :100104D8 03C7 add eax, edi ;eax+=edi :100104DA 83C404 add esp, 00000004 :100104DD 25FFFF0000 and eax, 0000FFFF ;eax 常 :100104E2 99 cdq :100104E3 F7FB idiv ebx ;eax:edx=eax:edx/ebx :100104E5 47 inc edi ; :100104E6 6689547418 mov [esp + 2*esi + 18], dx ;'' ۼ :100104EB 0FBFF7 movsx word ptr esi, edi ; ڸ о :100104EE 3BF3 cmp esi, ebx ; ǰ? :100104F0 7CD4 jl 100104C6 ;ƴϸ ݺ pluskurt ̸ Ϲȣ ϴ κԴϴ. κ , picaview  ̸ Ϲȣ ⸦ . Ƹ..  å . å ̷ ־ϴ. ð л鿡 ɰ ٿ κб 縦 ν߸ ʰ ¿ Ѵٸ, л ʹ  ̴. , ʶƮ ̶ ˷ ְ Ѵٸ л ְ ̴. , а ִ е л, ǹ Ϸ ϴ ƴϱ. ׳ ׷ . ڸ, pluskurt ̸ ҷ 鿩 빮ڷ ٲߴϴ. ׷ϱ, pLuSkUrT plusKURT picaview ޾ ̴ .(PLUSKURT) 빮 asciiڵ ణ մϴ. ׸ װ '' '' ϴ. κ ù ° κ̱. '' ϳ ϳ о ٽ  Ĩϴ. ׷ ؼ ϳ 'ȣ' ϴ. ȣ ȣ , ̸ , ̸  ؼ ο ȣ ϴ. 0̸ ̹ 'غ' ȣ մϴ. ׷ ؼ ȣ ٽ  , ٷ 'Ϲȣ' Ǵ ſ. ׷ٴ ⱸ, ù κ ڵ带 ڼ . mov ebx, ecx xor edi, edi and ebx, FFFF jle 100104f2 ecx Ǿ ִ ebx մϴ. edi 0 ϴ. ̸ ڸ ϳ ϳ ޾ 鿩 ٰ . edi ڰ ° ΰ Դϴ. ebx 尪 մϴ. or ϴ ŭ Ʈ ִٰ ߴ , andδ ϴ κ Ʈ ְ ݴϴ. . bx : 1010 1010 1010 1010 AND | 0000 0000 1111 1111 ========================= 0000 0000 1010 1010 and bx, FF bx Ʈ Ƶΰ Ʈ 0 ſ. ׷ Ʈ ְ Ǵ . ǰ? 
ebx '' Ǿ ֽϴ. ׷ ū ƴ , ¶ư ߽ϴ. ٽ ѹ 0 Ȯմϴ. movsx byte ptr ecx, [esi+ebp] push ecx call 10068108 esi Ʊ 0 Ǿ־. ebp pluskurt 'Ű' ֽϴ. [esi+ebp] esi 0 p, esi 1 l, 2 u..̷ ǰ. ̷ ̸ ڸ ù ھ ɴϴ. װ ecx Ű , call 10068108 ؼ 빮ڷ ٲ ˴ϴ. Ȯ ڸ 빮 asciiڵ ̰, . ⼭ call 10068108 θ ִ κб 鿩 ʰڽϴ. κп  빮ڷ ٲٴ ñϽ е . imul eax, [esp+C4] add eax, edi add esp, 4 and eax, FFFF 빮 asciiڵ ణ մϴ. imul̶ Գ׿. ϼ̰ mul(multiplication), ϱ⸦ ϴ Դϴ. (Ӹ ƴϰ) ȣ ִ ȣ ֽϴ. ׷ϱ ϱ⵵ ȣ ִ ȣ , ־ . imul ȣ ִ , mul ȣ Դϴ. ׸, siceȭ鿡 Ȯ ֵ esp+C4 49222DԴϴ. ⼭ ó imul eax, [esp+C4] δ eax*49222D ؼ eax մϴ. addԴϴ. ״ ϴ Դϴ. eax+edi eax . add esp, 4 , 츮μ Ű ʾƵ Ǵ ſ. ..̶ Ͱ Ǿ ִ ǵ. ׷ ⼭ ʰڽϴ.  ̾߱Ⱑ ƴϴϱ. and eax, FFFF ٽ ѹ մϴ. cdq idiv ebx inc edi mov [esp+2*esi+18], dx movsx word ptr esi, edi cmp esi, ebx jl ù°_κ_ ҽϴ. cdq Խϴ. ̰, ׷ϱ غ ۾ ϴ ɾε. Ʒ idiv, ϱ ؼ غ ϴ ſ. Ʊ ߵ ȣ ִ Ŀ ޶ Դϴ. idivó ȣ ִ ϱ ؼ, cdq eax͸ ȣ ִ ִ ſ. ̰  movsx ɰ ִ ǵ. ߵ, Ȩ . picaview ũϴ ⸦ ߾µ, ̷ cdq, movsx Ϳ ؼ ⸦ ߾. ׷, ߿ ϱ ׷ ʾƵ 󱸿. ߿ ȸ ϱ ϱ. 켱, ϱ غ ۾̶ ˰ ϴ. idiv ebxԴϴ. edx eax ִ ebx( ) , eax ϰ, edx մϴ. mov [esp+2*esi+18], dx ֵ picaview մϴ. '' ִ Դϴ. ϰ , esi  ϴ 캸 '' ִ ϰ ִٴ . movsx word ptr esi, edi Ʊ inc edi edi ׽ϴ. edi esi Ű ϰ ֽϴ. ׸ ebx .(cmp esi, ebx) ebx ִ ? ̿ϴ. ׷ϱ κ pluskurt, ڸ ó ߳ Ȯ ϴ . jl(Jump if Less) esi ebx ۴ٸ, ó ʾҴٸ, ٽ ݺϴ ſ. ù° κԴϴ. ٽ ϸ, ڸ ϳϳ оͼ 빮ڷ ٲٰ, ascii ణ 峭 ģ '' ϴ .  pluskurt ù° p  ġ . 켱 빮ڷ ٲϴ. P asciiڵ 50( ε 16 մϴ)Դϴ. 49222D մϴ. 16DAAE10Դϴ. ⿡ edi, ڸ( °) մϴ. p ù° ̴ϱ 0(1 ƴմϴ. 0 մϴ.) 0 Ծ 16DAAE10Դϴ. ׸ 常 մϴ. AE10 ǰ. ebx, ̷ ϴ. pluskurt 8̴ϱ, AE10/8Դϴ. '' ֽϴ. 0̱. ׷ l . L asciiڵ 4CԴϴ.(.. ascii ڵ ǥ ? ׷ ڷǿ . ƴϸ siceȭ鿡 ? 'L' ˾Ƴ ֱ. :) 49222D . 15B6255C. ⿡ 1 ؾ . u pluskurt '1'° ڴϱ. 15B6255D. 255D ؼ 8 5 Ͽ ֽϴ. u. ̷ ؼ, ̸ ڸ ó ݺմϴ. '' '' ϵ˴ϴ. '' ״ ߿մϴ. ׷ κ C ٽ . for (i=0; ilength; ++i){ lst[i]=(int)(((name[i]*0x49222d+i))%length); } ? 켱 ۿ ̶ ̾ϴ. length ߾. ״ ⿡ ſ. ׸ lst array '' . ª ׿. Ȩ , κп ũⰡ 20k Ʈ Ѿ . 򿡴 ϴ ׿. ڼϰ ʾƼ ׷. movsx cdq, idiv 뵵 , . ׷ ۿ, κ ؼ ڽϴ. Page 2 9. Eight Days A Week 9. Eight Days A week ִ Դϴ. protectionist ûϰ ̶ +ORC ٽ Ǵ Դϴ. α׷ ϳ ũ ܹ ũϴ ϰ ִ Դϴ. ֵ ũ ʽϴ. б⸦ ٲٴ . , hwnd task, bmsg , BPR ο(?) 
ߴ ϴ ɾ ͼġ ʺе鿡Դ ణ ذ Ǵ κ ־. +ORC ¿ . ׷ 켱 ϰ о ׿.(siceȭ鿡 task hwnd [+task name] ͸ε ׷ ϴ ͵ ſ.) ƴϸ +ORC ã ø, ׷ ϴ ̴ϴ. ⼭ ̴ ڵ , picaview ۿ ͵ ϸ, keygen ŭ ͵ ƴϿ.( keygen . :) ۿ ó, ũϴ α׷ '' ' ȸ' ߿ Ұ . , ؼ α Ÿ鼭 ִ picaview ص ׷. ȸ ǰ ACDSee protection ֱ , picaview keygen Ϲȣ ACDSee ִ . ׷, ACDSee(ver 2.4) ٸ Ϲȣ ִ. ο ã ٴϸ鼭 ٿ ʴµ, ߵ ϵ带 ϰ ޾ . keygen(picaview 켭 ) Ϸ ߴ Ǵ. ϱ, ACDSystem Ϲȣ ٲ . ʹ ũĿ ACDSee picaview ũϱ. 츸 ص ũ ȵǼ ED!SON ¿ϴ. ʺ ̾µ, ̾. ACDSee  . ( ACDSee ο (2.4) ũϴ ۵ øڽϴ. , Ƽ.. ũ ʾҰŵ. : ) ------------------------------------------------------------------------------- Ʈ ȸ縦 ġ! Part 1 _by Plushmm [PC'97]_ 97 8 8 α׷ӵ ̴... ؼ, ϰ ϵ ϰ, ׵ α׷ ؾ Ҿ ֱ ̴.(, ׵ ؾ ִٸ ̴ :-) α׷ ϴ ð ̴. ⼭ '' α׷ӵ ϰ ִ ƴϴ. 鿡, ULEAD ū ȸ糪 Micro$oft ȸ protection 󸶳 ûϰ ͵ ̴. ȸ α׷ ߿  ̵ ϳ ũ ϸ, ͵鿡 ũ ̹ ̴. ̷  ִ ̴. ȸ簡 α׷ ߿ ϳ ũ ؼ θ ũ ִٴ ̴. ⺻ . 1) ϴ α׷ ȸ Ʈ ã . 2) װ ٿ ޾Ƽ.. ũѴ.. Ƹ, ũϴ ɸ ð 5 ̴... ¼ 3ð ɸ ̴.. * ũϴ ̶ ð Ǵ ƴ ̴...* 3) ũ ߴٸ, ȸ翡 ٸ ǰ ũ ִ. ֳ.. ׵ ̴ϱ. ... ܼҸ ׸ϰ ù° α׷ ũ ... Basta Computing, LLC http://www.basta.com ȸ α׷ ̵ . ߿ ˷ Filo, Winsock, ExIcon ֽϴ. 켱 _Filo v1.7_ . ϸ α׷ 󸶳 ִ ˷ִ ڰ ϴ. REGISTER ϸ '' ĭ ɴϴ. ƹ ڳ ְ register մϴ. .. ׷ '߸ ' ڸ ٰ . Disassemleؼ ҽ , ϵǾٰ ִ κ 𿡼 ã ٴ ֽϴ. ҽ ֵ, Call Jump ϰ ִٴ ͵ . ... ׷ٸ SoftIce ؾ. ڷ ȣ 12121212 34343434 ְ SoftIce մϴ. _task_ .. task name Filo _hwnd_ Filo ( ĭ, edit box) handle ؼ _bmsg_ ̿ؼ ű⿡ wm_gettext ߴ մϴ. ;+ORC . :) α׷ ƿͼ OKư ϴ. SoftIce . F5 ϴ.... ̷ ؼ α׷ Edit Box( ĭ) ִ о ϴ . _s 30:0 lffffffff "12121212" _ Ϲȣ Ǿ ִ ã ſ. _BPR_ ߴ մϴ. ٽ α׷ ϰ մϴ. ׷ Softice ٽ ߴ . , α׷, Է Ϲȣ  "1212121234343434" ٴ ̴ϴ. κп _BPR_ ߴ ϰ ٽ α׷ ϰ մϴ. ׷ Ϲȣ ϴ κ 򰡿 softice Դϴ. Ʒ . 
* Referenced by a Jump at Address:00407901(C)
|
:004078E9 8A0431 mov al, byte ptr [ecx + esi]
:004078EC 3C30 cmp al, 30 ;"0"
:004078EE 0F8CC4000000 jl 004079B8 ;ڰ ƴϱ
:004078F4 3C39 cmp al, 39 ;"9"
:004078F6 0F8FBC000000 jg 004079B8 ;ڰ ƴϱ
:004078FC 8BC1 mov eax, ecx
:004078FE 49 dec ecx
:004078FF 85C0 test eax, eax
:00407901 75E6 jne 004078E9
:00407903 0FBE5E0F movsx ebx, byte ptr [esi+0F]
:00407907 83EB30 sub ebx, 00000030
:0040790A 8D4301 lea eax, dword ptr [ebx+01]
:0040790D 83F80F cmp eax, 0000000F
:00407910 7C03 jl 00407915
:00407912 83E80F sub eax, 0000000F

* Referenced by a Jump at Address:00407910(C)
|
:00407915 40 inc eax
:00407916 83F80F cmp eax, 0000000F
:00407919 7C03 jl 0040791E
:0040791B 83E80F sub eax, 0000000F

* Referenced by a Jump at Address:00407919(C)
|
:0040791E 8BC8 mov ecx, eax
:00407920 83C003 add eax, 00000003
:00407923 83F80F cmp eax, 0000000F
:00407926 7C03 jl 0040792B
:00407928 83E80F sub eax, 0000000F

* Referenced by a Jump at Address:00407926(C)
:0040792B 0FBE3C31 movsx edi, byte ptr [ecx + esi]
:0040792F 8BC8 mov ecx, eax
:00407931 83C003 add eax, 00000003
:00407934 83EF30 sub edi, 00000030
:00407937 83F80F cmp eax, 0000000F
:0040793A 7C03 jl 0040793F
:0040793C 83E80F sub eax, 0000000F

* Referenced by a Jump at Address:0040793A(C)
|
:0040793F 8BD0 mov edx, eax
:00407941 83C003 add eax, 00000003
:00407944 83F80F cmp eax, 0000000F
:00407947 7C03 jl 0040794C
:00407949 83E80F sub eax, 0000000F

* Referenced by a Jump at Address:00407947(C)
|
:0040794C 0FBE0C31 movsx ecx, byte ptr [ecx + esi] ; ࿡
:00407950 0FBE1432 movsx edx, byte ptr [edx + esi] ;̷ ڵ带 ٸ
:00407954 8D0C89 lea ecx, dword ptr [ecx + 4*ecx];ݵ
:00407957 8D0C4A lea ecx, dword ptr [edx + 2*ecx];ǽ մϴ.
:0040795A 0FBE1430 movsx edx, byte ptr [eax + esi] ;̷ ڵ
:0040795E 8D0C89 lea ecx, dword ptr [ecx + 4*ecx];Ϲȣ
:00407961 8D844A30EBFFFF lea eax, dword ptr [edx + 2*ecx - 000014D0];̴ϱ
:00407968 83F803 cmp eax, 00000003 ; ڵ尡 ;eax 3 ̴ϴ.
:0040796B 754B jne 004079B8 ; б
:0040796D 33C0 xor eax, eax
:0040796F B90F000000 mov ecx, 0000000F

* Referenced by a Jump at Address:00407982(C)
|
:00407974 0FBE1431 movsx edx, byte ptr [ecx + esi] ;ణ
:00407978 0FAFD1 imul edx, ecx
:0040797B 03C2 add eax, edx
:0040797D 8BD1 mov edx, ecx
:0040797F 49 dec ecx
:00407980 85D2 test edx, edx
:00407982 75F0 jne 00407974
:00407984 8D4B0E lea ecx, dword ptr [ebx+0E]
:00407987 83F90F cmp ecx, 0000000F
:0040798A 7C03 jl 0040798F
:0040798C 83E90F sub ecx, 0000000F

* Referenced by a Jump at Address:0040798A(C)
|
:0040798F 0FBE1431 movsx edx, byte ptr [ecx + esi]
:00407993 0FAFD1 imul edx, ecx
:00407996 2BC2 sub eax, edx
:00407998 49 dec ecx
:00407999 7903 jns 0040799E
:0040799B 83C10F add ecx, 0000000F

* Referenced by a Jump at Address:00407999(C)
|
:0040799E 8A1C31 mov bl, byte ptr [ecx + esi] ; ۿ
:004079A1 0FBED3 movsx edx, bl ; Ͱ
:004079A4 0FAFCA imul ecx, edx ;"" ڵ尡
:004079A7 2BC1 sub eax, ecx ;ǰ
:004079A9 B90A000000 mov ecx, 0000000A
:004079AE 99 cdq
:004079AF F7F9 idiv ecx
:004079B1 80C230 add dl, 30
:004079B4 3AD3 cmp dl, bl ;ι° մϴ
:004079B6 7406 je 004079BE ; б

* Referenced by a Jump at Addresses:004078C9(C), :004078DE(C), :004078EE(C), :004078F6(C), :0040796B(C)
|
:004079B8 33C0 xor eax, eax
:004079BA 5F pop edi
:004079BB 5E pop esi
:004079BC 5B pop ebx
:004079BD C3 ret

ڵ带 , keygenerator ̴ϴ. keygen ƴϱ ׳ ġ ϱ .

:0040796B 754B jne 004079B8 ; б

4840 ٲپ б ʰ մϴ.

:004079B6 7406 je 004079BE ; б

EB06 ٲپ бϵ մϴ. .. ̰ _Filo v1.7_ ũ ϴ. ̹ _WhoSock v1.91_ .

...
...Filo ڵ尡 ֿ ...
...

* Referenced by a Jump at Address:00406737(C)
|
:0040673C 0FBE0C31 movsx ecx, byte ptr [ecx+esi]
:00406740 0FBE1432 movsx edx, byte ptr [edx+esi]
:00406744 8D0C89 lea ecx, dword ptr [ecx+4*ecx]
:00406747 8D0C4A lea ecx, dword ptr [edx+2*ecx]
:0040674A 0FBE1430 movsx edx, byte ptr [eax+esi]
:0040674E 8D0C89 lea ecx, dword ptr [ecx+4*ecx]
:00406751 8D844A30EBFFFF lea eax, dword ptr [edx+2*ecx-000014D0]
:00406758 83F809 cmp eax, 00000009 ;񱳵Ǵ ణ ٸ!
:0040675B 754B jne 004067A8 ;Ȱ бϴ !
:0040675D 33C0 xor eax, eax
:0040675F B90F000000 mov ecx, 0000000F

* Referenced by a Jump at Address:00406772(C)
|
:00406764 0FBE1431 movsx edx, byte ptr [ecx+esi]
:00406768 0FAFD1 imul edx, ecx
:0040676B 03C2 add eax, edx
:0040676D 8BD1 mov edx, ecx
:0040676F 49 dec ecx
:00406770 85D2 test edx, edx
:00406772 75F0 jne 00406764
:00406774 8D4B0E lea ecx, dword ptr [ebx+0E]
:00406777 83F90F cmp ecx, 0000000F
:0040677A 7C03 jl 0040677F
:0040677C 83E90F sub ecx, 0000000F

* Referenced by a Jump at Address:0040677A(C)
|
:0040677F 0FBE1431 movsx edx, byte ptr [ecx+esi]
:00406783 0FAFD1 imul edx, ecx
:00406786 2BC2 sub eax, edx
:00406788 49 dec ecx
:00406789 7903 jns 0040678E
:0040678B 83C10F add ecx, 0000000F

* Referenced by a Jump at Address:00406789(C)
|
:0040678E 8A1C31 mov bl, byte ptr [ecx+esi]
:00406791 0FBED3 movsx edx, bl
:00406794 0FAFCA imul ecx, edx
:00406797 2BC1 sub eax, ecx
:00406799 B90A000000 mov ecx, 0000000A
:0040679E 99 cdq
:0040679F F7F9 idiv ecx
:004067A1 80C230 add dl, 30
:004067A4 3AD3 cmp dl, bl ; ι°
:004067A6 7406 je 004067AE ;Ȱ б!!!

̷̷.. ̹ _ExIcon v1.9a_ ..

...
...Filo Ȱ ڵ...
...

* Referenced by a Jump at Address:0040AC77(C)
|
:0040AC7C 0FBE0C31 movsx ecx, byte ptr [ecx+esi]
:0040AC80 0FBE1432 movsx edx, byte ptr [edx+esi]
:0040AC84 0FBE0430 movsx eax, byte ptr [eax+esi]
:0040AC88 8D0C89 lea ecx, dword ptr [ecx+4*ecx]
:0040AC8B 8D0C4A lea ecx, dword ptr [edx+2*ecx]
:0040AC8E 8D1489 lea edx, dword ptr [ecx+4*ecx]
:0040AC91 8D8C5030EBFFFF lea ecx, dword ptr [eax+2*edx-000014D0]
:0040AC98 83F902 cmp ecx, 00000002 ;񱳵Ǵ ణ ٸ !
:0040AC9B 754B jne 0040ACE8 ;Ȱ б!!
:0040AC9D 33C0 xor eax, eax
:0040AC9F B90F000000 mov ecx, 0000000F

* Referenced by a Jump at Address:0040ACB2(C)
|
:0040ACA4 0FBE1431 movsx edx, byte ptr [ecx+esi]
:0040ACA8 0FAFD1 imul edx, ecx
:0040ACAB 03C2 add eax, edx
:0040ACAD 8BD1 mov edx, ecx
:0040ACAF 49 dec ecx
:0040ACB0 85D2 test edx, edx
:0040ACB2 75F0 jne 0040ACA4
:0040ACB4 8D4B0E lea ecx, dword ptr [ebx+0E]
:0040ACB7 83F90F cmp ecx, 0000000F
:0040ACBA 7C03 jl 0040ACBF
:0040ACBC 83E90F sub ecx, 0000000F

* Referenced by a Jump at Address:0040ACBA(C)
|
:0040ACBF 0FBE1431 movsx edx, byte ptr [ecx+esi]
:0040ACC3 0FAFD1 imul edx, ecx
:0040ACC6 2BC2 sub eax, edx
:0040ACC8 49 dec ecx
:0040ACC9 7903 jns 0040ACCE
:0040ACCB 83C10F add ecx, 0000000F

* Referenced by a Jump at Address:0040ACC9(C)
|
:0040ACCE 8A1C31 mov bl, byte ptr [ecx+esi]
:0040ACD1 0FBED3 movsx edx, bl
:0040ACD4 0FAFCA imul ecx, edx
:0040ACD7 2BC1 sub eax, ecx
:0040ACD9 B90A000000 mov ecx, 0000000A
:0040ACDE 99 cdq
:0040ACDF F7F9 idiv ecx
:0040ACE1 80C230 add dl, 30
:0040ACE4 3AD3 cmp dl, bl ;Ȱ !!
:0040ACE6 7406 je 0040ACEE ;Ȱ б!!

_Horas v2.1_ . .. ̸ϸ Ϸ . ٸ α׷鵵 ߴ Ƽ Ȯ ʾҽϴ. , ȸ ǰ 4 ߴٸ (Ȯ ؼ 8 ֽϴ) protection . ·ư, ȸ ǰ θ ũ ִ ġ Ʒ ϴ... ! Plushmm [PC'97]

done := False;
location := $FF; {Skip the initial codes}
Repeat
  if thefile(location) = $75 and thefile(location+1) = $4B then
    if thefile(location+$4B) = $74 and thefile(location+4C) = $06 then
    begin
      Patch_File
      done := True;
    end;
  location := location+1;
Until done or limit_reached;

(c) Plushmm 1997. All rights reserved
-------------------------------------------------------------------------------

ű , ó ݸ űٰ, ߿ ٲ ȳ׿. 븻 ϴ. ģ , ݸ ʾƿ. Ͽư ̻ ̶ , . : ) Page 2 10. Year Of The Boomerang 10. Year Of The Boomerang ű鼭 ε. picaview ũϴ о е鿡 帳ϴ. ⼭ ׷, picaview siceȭ鿡 ' ' Ϲȣ ˾ ־. ׷ ؼ  Ϲȣ Ƽ Ͻ е, а ũ , ؾ . ׷ 𸣴 е Ƽ մϴ. ⸦ ߾ ߴ , ߳׿. ƹư, ⿡ Ʈ ǵ帮 ˴ϴ. ۾ ǥ '' '' մϴ. ɾ Էϴ regedit ͸ Ʈ Ⱑ ɴϴ. ʿ ̴ ͵ ߿ HKEY_LOCAL_MACHINE̶ , ٽ ACDSystems , , PicaView, ׸ LicenseŰ ֽϴ. .. picaview ° ֵ DZ, ƴϸ LicenseŰ ൵ ˴ϴ. Ʈ ũ Դϴ.( iniϵ Դϴ. winzip ũ Դϴ.
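The 2-byte NOP table in Tristan's tutorial (inc/dec register pairs used instead of 90 90) and the 75 4B / 74 06 byte pattern in Plushmm's scanner both describe artefacts a patched executable carries. The following is an added example, written for this page and not code from the page or from any of the quoted authors, that uses those same facts for a tamper check rather than a patch: it flags NOP runs and cancelling inc/dec pairs in a code image and compares a SHA-256 against a known-good value. The sample images are constructed from the cmp/jne/xor/mov bytes of the Filo listing above and from the ff25 / 3c9090909090 example earlier in the text; the opcode used for dec cx is 0x49 (0x44, as the table above prints it, encodes inc sp).

```python
import hashlib

# Cancelling inc/dec pairs, the "2-byte NOP" idiom from the table above.
# Opcodes are Intel's one-byte encodings in 32-bit code: 0x40+reg = inc, 0x48+reg = dec.
# The page's table prints dec cx as 44, but 0x44 is inc sp; dec cx is 0x49.
TWO_BYTE_NOPS = {
    bytes([0x40, 0x48]): "inc ax/dec ax",
    bytes([0x48, 0x40]): "dec ax/inc ax",
    bytes([0x43, 0x4B]): "inc bx/dec bx",
    bytes([0x4B, 0x43]): "dec bx/inc bx",
    bytes([0x41, 0x49]): "inc cx/dec cx",
    bytes([0x49, 0x41]): "dec cx/inc cx",
    bytes([0x42, 0x4A]): "inc dx/dec dx",
    bytes([0x4A, 0x42]): "dec dx/inc dx",
    bytes([0xFE, 0xC0, 0xFE, 0xC8]): "inc al/dec al",   # the 4-byte form from the table
}


def find_nop_runs(code, min_run=2):
    """Return [(offset, length)] for every run of at least min_run 0x90 bytes."""
    runs = []
    i = 0
    while i < len(code):
        if code[i] == 0x90:
            j = i
            while j < len(code) and code[j] == 0x90:
                j += 1
            if j - i >= min_run:
                runs.append((i, j - i))
            i = j
        else:
            i += 1
    return runs


def find_two_byte_nops(code):
    """Return [(offset, description)] for every cancelling inc/dec pair, sorted by offset.
    This is a heuristic: such pairs can occur in legitimate code, so a hit is a lead,
    not proof of tampering."""
    hits = []
    for pattern, name in TWO_BYTE_NOPS.items():
        start = 0
        while True:
            pos = code.find(pattern, start)
            if pos < 0:
                break
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def scan_image(code, known_good_sha256=None):
    """Combine the heuristics with the authoritative check: a hash of the image
    against a pristine copy. Only the hash says for certain whether the file changed."""
    report = {
        "nop_runs": find_nop_runs(code),
        "two_byte_nops": find_two_byte_nops(code),
        "hash_matches": None,
    }
    if known_good_sha256 is not None:
        report["hash_matches"] = hashlib.sha256(code).hexdigest() == known_good_sha256
    return report


# Constructed samples (not taken from any real binary): the cmp eax,3 / jne / xor eax,eax /
# mov ecx,0F bytes of the Filo listing, then the same bytes with the jne replaced by the
# two substitutions the tutorials describe (48 40 and 90 90).
ORIGINAL = bytes.fromhex("83F803" "754B" "33C0" "B90F000000")
PATCHED_INCDEC = bytes.fromhex("83F803" "4840" "33C0" "B90F000000")
PATCHED_NOP = bytes.fromhex("83F803" "9090" "33C0" "B90F000000")
GOOD_HASH = hashlib.sha256(ORIGINAL).hexdigest()   # the "known good" value for the sample

if __name__ == "__main__":
    for label, image in (("original", ORIGINAL), ("inc/dec patch", PATCHED_INCDEC),
                         ("nop patch", PATCHED_NOP)):
        print(label, scan_image(image, GOOD_HASH))
```

The hash comparison is the control that actually decides; the pattern heuristics are there to point an analyst at where a mismatching image was changed.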
+ORC ¿ Ծ. WritePrivateProfileString̶ Լ 캸 ִ Լ ߾.) ׸, ۵ ִ Ұ Դϴ. ̷ ..ϴ . ۿ keygen 'ο' Դϴٿ. ݱ ۰ , 뵵 ʽϴ. ſ. ------------------------------------------------------------------------------- AddLink KeyGenerator _- ۻڸ keygen ٲ!-_ Written by Jon ȳϼ. α׷ ũߴ. ΰ α׷ Firas El-Hasan ͵̴. װ α׷ ִ Window$ ƿƼ̴. , ŸԵ α׷ ΰ , ** ڰ . ׷ α׷ Ұ ð ۿ ɸ ʾ ϸ ¥ ƴ . α׷ . SysDate - ýۿ Ͽ ִ α׷̴. StartClean - ϰ . SysLaunch - α׷ ϰ ִ, '' ޴ lite ̴. QuickDesk - ALT+TABŰ ۾ ǥٿ Ŭ ϸ â ǥ÷ ش. HotCorners - ȭ 콺 ͸ ȭ ȣⰡ ǵ ش.(ȣ..ѱ) DirectNet - ͳ ü(ISP) ȭ ɾ, ϴ ͳ α׷ ϰ ش.( ֳ?) AddLink - ư α׷ Ŭϸ ޴ ߰ ش. ׸, DOS-Explore DialMSN (MSN? !!!) ִ. װ͵ freeware̱ , ũ ʿ䰡 . :-) ũ Ϸ Ѵ. 1. SoftIce ̿ϴ "Hear the echo". 2. SoftIce/HIEW ̿ؼ α׷ key-gen . α׷ ִ AddLink ؼ ̴. , StartClean α׷̴. Qapla ̹ α׷ ũϴ ¸ .( ̴) ٸ α׷ ִ  ϰڴ. , ٸ α׷ ٸ ִٸ, װͿ ؼ ϰڴ. _ʿ :_ SoftIce 3.22 for Win95/NT(ƹ ̶ ) HIEW 5.66(Ǵ ִ hex editor ƹ ̳) _URL/FTP_ α׷ Ȩ ٿ ִ. http://users.aol.com/felhasan/ _History_ 𸥴( ׳ ¼ٰ ˰ ͵̶)... ñ , Ȩ ̴. ׷ AddLink(ƴϸ, α׷ ߿ ũϰ ƹų) ν. ƹ Ͽ ư Ŭϰ Send To--> Start ޴ ؼ AddLink Ѵ. α׷ ϴ '' Ѵٴ ˷ ִ, ** ڰ ̴. SoftIce ϰ(_Ctrl+D_) _BPX Lstrcmp_ ׸ F5 SoftIce ´.. Register ޴ Ѵ.. ̸ ִ´. ( _-=[JON!]=-_̶ ) Ϲȣ ִ´. _1212121212_ (Copyright +ORC) Ű .. ׷ SoftIce _Lstrcmp_ ̴. _BC *_ Էؼ ߴ . _F11_ ҷ ư. ణ ȭ ÷ ڵ带 ̴. _ CALL 00401BB0 ; Ϲȣ . LEA EAX,[ESP+18] ;츮 Ϲȣ EAX Ѵ. ADD ESP,08 PUSH EAX ;츮 Ϲȣ PUSH. PUSH 004051C8 ; Ϲȣ PUSH. CALL [Kernel32!lstrcmp] ;ڸ Ѵ. TEST EAX,EAX ; Ǿ? JNZ 00401BA5 ; Ǿٸ, ۻ ! _ ¥ Ϲȣ ؼ, 츮 Ϲȣ PUSHߴ κп ߴ Ѵ. ̷ Ϸ ׳ Ŭϱ⸸ ϸ ȴ.(࿡ 콺 ϴ Ȳ̶, BPX XXXX:YYYYYYYY ߴ Ѵ. XXXX:YYYYYYYY ޸ ̴ּ.) , SoftIce ͼ ٽ ѹ ̸ Ϲȣ . Okư ٽ ѹ SoftIceȭ Ÿ ̴. _BD *_ ߴ Ѵ( Ŀ ٽ ̴). ׸ _D 004051C8_ . ׷ _-=[JON!]=-_ Ϲȣ _14621-136061-2316-6752_ ̴. ⼭ ׸ ΰ? key-gen ǰ? ٽ keygen Ϸ, ؾ ̴. Ʈ Ű(_HKEY_CURRENT_USER\SOFTWARE\ADDLINK_) ؼ ִ. Ǿ. ٽ α׷ ؼ, SoftIce . ׸ _BE *_ ߴ ٽ Ѵ. ƹ ̸ Ϲȣ ְ, Ok . Ϲȣ PUSHǴ , SoftIceȭ ٽ ̴. ߴ . _BC *_ , PUSHԼ 16 ڵ带 ޾ :_ 68C8514000 _ 68C8514000 PUSH 004051C8 ;¥ Ϲȣ PUSH ڵ尡 , F10 . _ PUSH 00 PUSH 00 PUSH 004051B4 ;"Incorrect code!" 
PUSH PUSH ESI CALL [USER32!MessageBoxA] ; ڸ MOV EAX,00000001 ;EAX 1 (ϵ ) _ _E XXXX:YYYYYYYY_̶ Ѵ. XXXX:YYYYYYYY _PUSH 004051B4_ ִ ̴ּ. Ʊ ξ 16 ڵ(_68c851400_) ִ´. _F5_ SoftIce ´. ׷ ̴°? Է ̸ Ϲȣ ִ ** ۻڰ ִ!!!_ ?_ ũ ϱ ؼ: _ HIEW ADDLINK.EXE _ F7_ : 6A006A0068B451400056_ ^^ ãƼ _ 6A006A0068C851400056_ ٲ۴. _ (_F9_) (_F10_), key-generator ̴! 6A006A0068B451400056 ;߸ Ϲȣ pushϴ ڵ尡 6A006A0068C851400056 ;¥ Ϲȣ pushϴ ڵ ٲ ̴ տ α׷ (ణ ʿϰ) ִ. ٸ, QuickDesk SysLaunch . ̰, Ϲȣ ޸𸮿 Ǵ * * ٸ ͷ ̴. :-( ϸ Ϲȣ ̴. 츮 ͵. 1. Lstrcmp ڵ带 ϴ δٸ, ڵ带 ã ׸Ա̴. ̹ Ǿ ϱ ̴. 2. "Ϲȣ ƲȾ" ڰ Ÿ ¥ Ϲȣ , κ 쿡 츮, 츮 '' key-gen ִ. 3. α׷ӵ α׷ ϳ ̶̻, ٸ protection scheme ̴. 4. SoftIce debugger̴! 5. ũ ̴! Ʒ е鿡 ٴ մϴ. +ORC, The +HCU, Fravia+, +Gthorne, (+)ũĿ Ǹ ũ ׷, spam ѷ óġ , ׸ а ִ ſ! ׷ Ϸ Ǽ! :-) By Jon, 1998 2 9 ߽: ۿ ؼ ǰ(Ḭ̄ ̰) е ּ. jon101514(at)cyberjunkie(point)com ------------------------------------------------------------------------------- Page 2 11. Dumb 11. Dumb ȳϼ. picaview dz׿. ʾ. ٻ ô ϴ.. : ) 󵵿 ִ ٳ ־, ű⸦ ٳԾ. ε ټ ð̳ ɸ. ޿.. Դٰ ϴ 10ð ɷ.. £ ʾҴµ, ű⿡ . ߸ ãƼ 鼭 . ϱ .. ׷ ƴϰ. ˰ڽϱ. ƹư, ۿ Ϲȣ ù ° κ ҽϴ. ̸ ھ ҷ 鿩 빮ڷ ٲ ణ ļ '' Ҿ. 캼 ι° '' ̿մϴ. ι° ù ° ٴ ణ , ׷ ſ. ϱ. : ) ׷ ô ڵ ٷ ڵ带 캸. :100104F2 33FF xor edi, edi ;edi 0 :100104F4 3BDF cmp ebx, edi ;ڼ(ebx) 0 :100104F6 897C2414 mov [esp + 14], edi ;[esp+14] 0 Ȯ κ ״, κԴϴ. ̸ ־, ٽ Ȯϰ ֽϴ. edi 0 ٴ Ͱ [esp+14] 0 ʱȭ ״ٴ ξ մϴ. :Ϲȣ__ι°_ :100104FC 33F6 xor esi, esi ;esi 0 :100104FE 668B747C18 mov si, [esp + 2*edi + 18] ;'' '' ϳ :10010503 0FBE142E movsx byte ptr edx, [esi + ebp] ;, ''° :10010507 52 push edx ; ڸ :10010508 E8FB7B0500 call 10068108 ;빮ڷ ٲ۴ :1001050D 8BD0 mov edx, eax :1001050F 8BCE mov ecx, esi ;Ͽ ''->ecx :10010511 D3E2 shl edx, cl ;̸ Ʈ ű->edx :10010513 83C404 add esp, 00000004 :10010516 47 inc edi ;edi :10010517 8B742410 mov esi, [esp + 10] ;pre_code esi :1001051B 0FAFD7 imul edx, edi ;edx=edx*edi :1001051E 0FAF9424C0000000 imul edx, [esp + 000000C0] ;edx=edx*49222D :10010526 0BD0 or edx, eax ;edx|eax :10010528 8B442414 mov eax, [esp + 14] ;eax ׳ ٿ ذ ? ׷ е鵵 ð. ڼ ڽϴ. 
xor esi, esi mov si, [esp+2*edi+18] movsx byte ptr edx, [esi+ebp] 켱 esi 0 ʱȭ , '' о 鿩 si մϴ. ڵ带 ˰, edi κ ݺ (inc edi)մϴ. ׷ϱ '' ù ° ʷ о ְ. '' . ׷ о '' si ǰ ٽ [esi+ebp] ֵ ̸ ڸ ҷ ˴ϴ. ebp ̸ ù ° ڸ 'Ű' ֽϴ. , movsx byte ptr edx, [esi+ebp] ̸ ' ' ° ڸ ҷ Դϴ. ذ Ǽ? ޸ 𿣰 pluskurt ̸ Ǿ װ, 'Ű(pointing)' ִ ebp. , pluskurt Ǵ , p Ű ְ. ׷ 0+ebp , p ̰, 1+ebp l, 2+ebp u..̷ ǰ. esi ϳ Ѽ ̸ ھ ҷ ִ Ŷ . ׷ picaview ̸ ó ϳϳ ҷ ƴ϶, ' (esi)' ° ڸ ҷ ´ٴ ſ. ù° 0̾, ι° 5ٴ come as you are 鼭 ˾ . ׷ϱ ó 0+ebp, p ҷ ̰, κ ٽ 5+ebp u ҷ . push edx call 빮ڷ_ġ mov edx, eax ׷ ̸ ' ' ° ڸ ҷ ͼ, 빮ڷ ٲߴϴ. call 10068108 call? ׷ 빮ڷ ٲ ٽ, edx Ű ϴ. mov ecx, esi shl edx, cl ' ' esi ecx űϴ. ׸ shl Խϴ. shl(SHift Left) Ʈ 󸶸ŭ ̵Ű Դϴ.  ax 0000 1111 0101 1010̶ ְ shl ax, 3̶ ϸ ax 0000 1111 0101 1010 | shl ax, 03 | ax 0111 1010 1101 0000 ̷ ax 3Ʈ Ű ȴٴ . ̷ 3Ʈ Űܰٸ ax 2 3 . ׷ shl ̵(arithmetic shift) Ѵϴ. ׷ϱ picaview 쿡 빮ڷ ٲ ̸( asciiڵ ϴ)ٰ 2 ' ' ǰ. add esp, 4 inc edi mov esi, [esp+10] edi Ѽ , ' ' ҷ غ մϴ. esp+10 ִٰ ٽ , 츮 ִ '(pre_code ǻ ̸ ٿϴ)' Դϴ. Ʊ 0 ʱȭ Ǿ. imul edx, edi imul edx, [esp+c0] Ա. ݱ ִ edx, edi մϴ. edi ' °' ΰ ϴ ִµ, ϱ 1 ְ. ٽ . picaview ó ڵ带 ϰ ִٸ 'ù°' 0 ϰ ̴ϴ. 'ù°' edi 0̱ װ. ° picaview κ ڵ带 ϰ ִٸ 'ι°' 5 ϰ ̰, edi 1 . ׷ edi 'ī' ϰ ֽϴ. ׸ imul edx, edi ɿ edi 'ī' 1 ū ִٴ ؾ մϴ. , κ ڵ带 picaview ó ϰ ִٰ ص imul edx, edi edi 0 ƴ϶ 1. ٷ inc edi Ǿ Դϴ. imul edx, [esp+c0]̳׿. esp+c0 Ű ִ ٸ ƴ 49222DԴϴ. ϳ? ¶ư ˾ ٽ imul edx, edi ------ edx Դϴ. or edx, eax mov eax, [esp+14] add esi, edx inc eax movsx word ptr edi, eax cmp edi, ebx mov [esp+10], esi mov [esp+14], eax jl Ϲȣ__ι°_ edx eax ORմϴ. OR? OR ˰, edx ݱ ̰, eax Ʊ 빮ڷ ٲ ascii ڵ ֽϴ. ణ 򰥸 ִ κε, ƴմϴ. esp+14 Ķ eax  踦 ΰ ֳ ϴ ͸ ſ. Ʊ Ʊ edi 0 , ٽ 0 [esp+14] Ű Ͻ. ׷ϱ [esp+14] 0 ʱȭ Ǿֽϴ. 0 eax Ű, (inc eax), edi Ű, ٽ [esp+14] Ű ϴ. ᱹ κ, 'Ϲȣ__ι°_' ߳, ̸ ִ (pluskurt) ó߳ ϴ Ȯϴ Դϴ. ٽ . ſ(ebx ̸ ϰ ?). ׸ ̿ add esi, edx mov [esp+10], esi ֽϴ. . ? edx ݱ Դϴ. ̰Ͱ esi ؼ esi ٽ ϰ ֱ. ׷... ϼ? Ʊ mov esi, [esp+10]̶ ־. ׸ esp+10 pre_code ̸ ٿٰ ߱. ׷ϱ . edx esi ؼ esi ֽϴ. [esp+10](pre_code)̶ ˴ϴ. ׸ ٽ Ϲȣ__ι°_ mov esi, [esp+10]̶ , ٷ ߾ pre_code esi Ű ˴ϴ. 
add esi, edx edx Ǿ esi(pre_code) ؼ, ο pre_code ſ. pre_code ٽ ױ. ˰? C ǥڸ pre_code+=(¼ ¼) ó ǰ. jl, cmp edi, ebx бϴ , ̸ ڸ ó߳ Ȯϴ ̶ ƽ ̴ϴ. ̷ ؼ ι° Ҵ . ذ Ǽ̴ 𸣰ڱ. ι° κ C ֽϴ. ̰Ͱ 鼭 ٽ ذ ſ. pre_code=0; for (i=0; ilength; ++i){ pre_code+=((long)(name[lst[i]]*pow(2,lst[i])*(i+1)*0x49222d)|name[lst[i]]); } pre_code ߱, lst come as you are '' Դϴ. ׸ shl 䳻 ؼ pow()Լ ϴ. (left shift) ᵵ ǰ( ִٴ ˱ picaview ũϰ keygen ŵ. ߾. ȥ Cå ' ִ' C ζ. ִ ˾.. Ƽ ٲ ʾҽϴ. ݾƿ. : ) ׸ length ó length( )Դϴ. κ . κ 'ι°' pre_code , , 0 ణ ٷ ¥ 'Ϲȣ' κԴϴ(pre_code ű⿡ ־ : ). κ մϴ. :1001053E 8BC6 mov eax, esi ;pre_code eax ű :10010540 85C0 test eax, eax ;eax 0 ? :10010542 7D08 jge 1001054C ;ƴ϶ ? :10010544 F7D8 neg eax ;0 ۴ٸ ȣ ٲٱ :10010546 89442410 mov [esp + 10], eax ; :1001054A 85C0 test eax, eax ;ٽ ѹ Ȯ :eax_0̴ :1001054C 750C jne 1001055A ;0̾? :1001054E C7442410DC6F2400 mov [esp + 10], 00246FDC ;׷ pre_code 246FDC :10010556 8B442410 mov eax, [esp + 10] ;ٲ۴ :eax_0_ũ :1001055A 99 cdq :1001055B B900CA9A3B mov ecx, 3B9ACA00 :10010560 F7F9 idiv ecx ;ecx:eax / ebx :10010562 89542410 mov [esp + 10], edx ; :10010566 8B442410 mov eax, [esp + 10] ;eax ű :1001056A 5B pop ebx :1001056B 5F pop edi :1001056C 5E pop esi :1001056D 5D pop ebp :1001056E 81C4A8000000 add esp, 000000A8 :10010574 C3 ret ʾƵ ٵ ſ. pre_code esi Ǿ ֽϴ. װ eax ű ȣ մϴ. ׷ 0 ۴ٸ neg(NEGate), ȣ ٲݴϴ. 0̶ ̹ 'غ' 246FDC pre_code ϴ. 0 ũٸ pre_code 3B9ACA00  eax ű ſ. ٷ eax '¥' Ϲȣ Ǵ . ׷ κ C ڽϴ. code=0; if (pre_code0) pre_code=-pre_code; if (pre_code==0) pre_code=0x246fdc; code=pre_code%0x3b9aca00; code Ϲȣ ǰ. ׷, ļ ϰ picaview keygen Ѳ ڽϴ. #include #include #include #define MAX 80 int main(void) { char c, name[MAX]; int i, length=0, lst[MAX], lst_str; long pre_code, code; printf("\nPicaView32 ver 1.3 KeyGenerator .. Cracked By +kurt\n"); printf("Name: "); for (i=0; (c=getchar()) != '\n' ; ++i){ name[i]=toupper(c); if (isalpha(c)) ++length; else if (isspace(c)) ++length; else --i; } name[i]='\0'; if (length30) name[30]='\0'; for (i=0; i , ó C α׷ ſ. ̰ picaview ⸦ ġڽϴ. Ʋ , Ʋ , ۿ  ̶ ǰ ø ˷ ּ. 
׸, keygen Ϲȣ ACDSee ֽϴ. ֱ (v 2.4) . ֱ ũ߽ϴ. ȸ Ǹ ڽϴ. Page 2 12. Revolver 12. Revolver , ۾ ̵ ªϴ. ª ȿ ʺ ؼ ڼ Ʈ ʾҽϴ. bc, bpm, hmemcpy  ϴ ׿ ģ Դϴ. , 캸 Ǵ ҽ κп ׷ , ̰ ſ. ݱ ۵ о е̶ װ͵ ״ϱ. ۿ 'Flag' ϴ ϴ Դϴ. , (save) ؼ  ڰ ʿմϴ. , ؾ ϴ . ׷, α׷ 'ڰ'  ƴ. ٷ 'Flag' ƴ ſ. ⿡ al մϴ. , al 0 Ǿ , ̰, al 1 Ǿ ִ . ̷ flag 'ڰ' Ǵϴ α׷ ִ Դϴ. ٸ ڸ ̷ ְ.  α׷ 30 ۿ Ѵٰ մϴ. ׷ 30 ѵ .. ɴϴ. ׷ ý ð踦 ĥ Ҵٰ . ׸ ٽ ϱ, ٰ ſ. , ׷ α׷ 츮 ð踦  ˾ ? Ƹ ̷ ̴ϴ. 30  flag մϴ. , 30 ʾҴٸ 0 ִ κ ֽϴ. 30 1 ϴ . ׷ ٽ ð踦 30 DZ Ƶ, α׷ flag 30 ̹ ٴ ְ. ̷ α׷ ũϷ flag Ǿִ ã , ð ׻ 0 Ǵ Ű.(+ORC ¿ Դϴ. : ) ƹư, ̷ flag ⸦ ̾߱ Դϴ(⼭ ϴ flag flag register ϴ ƴ϶ ˰ : ). ------------------------------------------------------------------------------- ARJSHELL DISABLED SAVE FUNCTION by Rundus (20 September 1997) 켱 ʹ Ϳ ؼ 帳ϴ. KISS(Keep It Simple Stupid) Ģ Ű ϰ ְŵ. 츮 ũ α׷ Arjshell version 1.2 http://www.windows95.com ̳ http://www.filez.com(arjsh12.zip) ã ֽϴ. α׷ α׷ arj.exe ִ α׷Դϴ. (save)ɰ dos-batch ٰ ֽϴ. project ִ ɵ ϴ. Arjsh32.exe Wdasm  String Function References ã κ ã ֽϴ. "Sorry, saving projects is possible in registered version only" "Sorry, saving Dos-batch is possible in registered version only" "Sorry, loading projects is possible in registered version only" "You are a registered user of Arjshell" κп Ŭϸ Ʒ ִ ڵ带 ã ϴ. |:0042F693(C) | :0042F702 E87D450000 call 00433C84 : call մϴ. :0042F707 A2D3774300 mov byte ptr [004377D3], al ;Flag ( ÷) :0042F70C 803DD377430000 cmp byte ptr [004377D3], 00 ; / ? 
:0042F713 747F je 0042F794 ; ̸ б :0042F715 8D55FC lea edx, dword ptr [ebp-04] :0042F718 8B83B4010000 mov eax, dword ptr [ebx+000001B4] :0042F71E E8492CFEFF call 0041236C :0042F723 8B45FC mov eax, dword ptr [ebp-04] :0042F726 50 push eax :0042F727 33C9 xor ecx, ecx * StringData Ref from Code Obj ->"ArjShell\UserName" | :0042F729 BA0CF84200 mov edx, 0042F80C :0042F72E B800000080 mov eax, 80000000 :0042F733 E810BCFFFF call 0042B348 :0042F738 8D55FC lea edx, dword ptr [ebp-04] :0042F73B 8B83B8010000 mov eax, dword ptr [ebx+000001B8] :0042F741 E8262CFEFF call 0041236C :0042F746 8B45FC mov eax, dword ptr [ebp-04] :0042F749 50 push eax :0042F74A 33C9 xor ecx, ecx * StringData Ref from Code Obj ->"ArjShell\UserID" | :0042F74C BA28F84200 mov edx, 0042F828 :0042F751 B800000080 mov eax, 80000000 :0042F756 E8EDBBFFFF call 0042B348 :0042F75B B8D0764300 mov eax, 004376D0 * StringData Ref from Code Obj ->"You are a registered User of ArjShell " ->"now !" | :0042F760 BA40F84200 mov edx, 0042F840 :0042F765 E89E65FDFF call 00405D08 :0042F76A 6A40 push 00000040 * Reference To: user32.MessageBeep, Ord:0000h | :0042F76C E83F56FDFF Call 00404DB0 :0042F771 6A40 push 00000040 * StringData Ref from Code Obj ->"Registering successful" ã ֽϴ. :00431F02 803DD377430000 cmp byte ptr [004377D3], 00 :00431F09 751D jne 00431F28 * StringData Ref from Code Obj ->"Sorry, saving DOS-Files is possible " ->"in the" | :00431F0B 6848214300 push 00432148 * StringData Ref from Code Obj ->"Warning" ã ֽϴ. :00432EF2 803DD377430000 cmp byte ptr [004377D3], 00 :00432EF9 751D jne 00432F18 * StringData Ref from Code Obj ->"Sorry, loading Projects is possible " ->"in the" | :00432EFB 6804364300 push 00433604 * Possible StringData Ref from Code Obj ->"Warning" ã ֽϴ. 
* Referenced by a Jump at Address:004322C2(C) | :00432338 803DD377430000 cmp byte ptr [004377D3], 00 :0043233F 751D jne 0043235E * StringData Ref from Code Obj ->"Sorry, saving Projects is possible " ->"in the" | :00432341 68EC2A4300 push 00432AEC * StringData Ref from Code Obj ->"Warning" , ֵ [004377D3] Ǿ ִ ϴ. ׸ AL ִ װ ϴ Դϴ. ׷ call 00433C84 ȣϴ κ ϰ. .. κ̰ ٸ call ֱ. ׷ softice ̿ . :0042F702 E87D450000 call 00433C84 ; Call ſ :0042F707 A2D3774300 mov byte ptr [004377D3], al :0042F70C 803DD377430000 cmp byte ptr [004377D3], 00 (1) Arjshell32.exe ϰ Preference޴ Register մϴ. (2) ̸ Ϲȣ ƹ ̳ ֽϴ. (3) Ctrl+D softiceȭ ϴ. (4) :bpx hmemcpy ;츮 ϴ ɿ ߴ մϴ. (5) :bpm 004377D3 ;޸ ߴ մϴ. (6) F5 ϴ. ׷ Ʒ κп ֽϴ. ׸Ʈ Ͱ ٸ ֽϴ. ſ.(????:0042F707) 014F:0042F702 call 00433C84 014F:0042F707 mov byte ptr [004377D3], al 014F:0042F70C cmp byte ptr [004377D3], 00 (7) :bc * ;ߴ ϴ. (8) :bpx 014F:042F702 ; callκп ߴ մϴ. (9) F5Ű softice մϴ. (10) ٽ softiceȭ Ÿϴ. F8Ű call ȣϴ κ ϴ. (11) Ʒ κ F10 ϴ.( 35 ϴ) :00433CF2 E931F3FCFF jmp 00403028 :00433CF7 EBEB jmp 00433CE4 :00433CF9 8BC3 mov eax, ebx :00433CFB 5F pop edi :00433CFC 5E pop esi :00433CFD 5B pop ebx :00433CFE 8BE5 mov esp, ebp :00433D00 5D pop ebp :00433D01 C3 ret ڵ â 7ٷ ϴ. :wc 7 00433CF9 eax 0 ˴ϴ. κ ٲ ϰ. ׷ 츮 2Ʈ ۿ ϱ mov eax, 0001(B801000000) ϴ. mov al, 01(B001) մϴ. ڵ忡 ʿϽ е http://www.expage.com/page/w32dasm ãư . Arjshell32.exe hex editor  κ ٲ ֱ⸸ ϸ ˴ϴ. (save)ɰ (load) ֽϴ. ϱ ư Ǿ ˴ϴ. 30 α׷ ְ, ̸ Ÿ ϱ ̰ ɰ . softice ebx 00000000 00000001 ٲ Ҵ, HKEY-LOCAL-MACHINE\Software\Classes\Arjshell ̸ Ϲȣ Ű . Ƹ α׷ Ǿ ʾҳ κ ؼ Ȯϰ ֳ ϴ. Registerư κ ߿ ڽϴ. ٲٴ 𸣴 ؼ 帮. (1) mov eax, ebx F10 ϴ. (2) :r ebx ; ٲٶ Դϴ. (3) 00000000 00000001 ٲߴϴ. (4) Esc ϴ. Ƹ ٸ ũĿ, ãƳ ã ְ. Դϴ. п Ǿٸ ڱ. cheers Rundus (c) Rundus 1997 All rights reversed ------------------------------------------------------------------------------- Page 2 13. Something In The Way 13. Something In The Way ȳϼ. ̹ ۿ ̾߱ ' 98 v2.32'Դϴ. α׷ ϴ ̴ 𸨴ϴ. PC Խǿ ִ α׷̶ ϴ , ׷ Ͱ ̶. 켱, α׷ ˰  в ± Դϴ. α׷ ũϴ (?) ϼ. 
The readme describes the program as a 7-day evaluation copy that must be registered for continued use: a product number is generated when the program is installed, you send it in with the fee, and a serial matching that product number is returned. That is the scheme we want to look at.

_Cracking '98 v2.32_

Run the program and open the registration dialog. It shows the product number (295324 on my machine; reinstalling does not change it) and a field for the serial. Enter 1234 and press OK: a message box says the serial is wrong, check it and enter it again.

Where to break? GetDlgItemTextA and GetWindowTextA do not catch anything in a Visual Basic program, so use

bpx hmemcpy

which breaks when the string we typed ("1234") is copied in memory. Go back to the program, press OK, and SoftICE pops up. Press F11, then F12 eighteen times, to reach this code:

CALL 004040B8                     ; reads the serial we typed
MOV EAX,[00486144]                ; reads the real serial
MOV DWORD PTR [EBP-6C], 00008008
MOV [EBP-64], EAX
LEA EAX, [EBP-3C]
PUSH EAX
LEA EAX, [EBP-6C]
PUSH EAX
CALL 004040E8
MOV SI, AX
LEA EAX, [EBP-3C]
PUSH EAX
LEA EAX, [EBP-2C]
PUSH EAX
PUSH 02
CALL 0040405E
ADD ESP, 0C
CMP SI, DI
JZ 0044CC31                       ; serial wrong -> jump
CMP [00486BEC], EDI
JNZ 0044CAAD

Now clear the hmemcpy breakpoint and set one on CALL 004040B8 instead (double-clicking a line in the code window toggles a breakpoint there). Leave SoftICE, press OK again, and it stops on call 004040b8. Step with F10 down to `mov dword ptr [ebp-6c], 8008`: the first call has read our "1234", and `mov eax,[00486144]` has loaded the pointer to the real serial. Type `d eax` and the data window shows:

2.C.7.8.D.D.8.0. ..c...e.t.\.0.0. 0.1..... $... ............. .. ... .......
.... .......3J....... 4.......2.9.5.3. 2.4...o.t.......

At the bottom you can see 295324, the product number, and at the top 2C78DD80: the real serial. Why the dots between the characters? Visual Basic stores strings as 16-bit characters, so every character is followed by a 00 byte; this is called the wide format. So either enter 2C78DD80 as the serial, or stay at JZ 0044CC31, type `r fl z` to flip the zero flag (NO JUMP), and let the program run on: it then writes the serial itself into the registry at HKEY_CURRENT_USER\Software\VB and VBA Program Settings\...98\Setup\RegCode, so there is no need to patch the conditional jump in the file. If you want to patch anyway, change the JZ 0044CC31 bytes 0F849B010000 to 0F859B010000 (JNZ).

To sum up: a Visual Basic program is cracked by finding, inside the VB runtime DLL, the code that compares the string we typed with the stored serial. Once you know this you do not need to search the net for serialz; you can "register" the programs yourself.

-------------------------------------------------------------------------------
Page 2 14. Imagine

This is a short piece by +Sync on cracking a Visual Basic program, about the same wide format that came up in Something In The Way. There we found the real serial directly; if you want to find where our own serial sits in memory instead, use the SoftICE search command. If you typed 1234 as the serial:

:s 30:0000 l ffffffff '1234'

searches selector 30 (the data selector, not a code selector) from offset 0 for a length of ffffffff bytes for the string '1234'. Once you know the address where the serial is kept, set a bpm breakpoint on it and you will stop at the code that reads it. (Do not choose a serial like 1234 that may occur elsewhere; something unusual is easier to find.) You do not need to know that a program is Visual Basic for this to work.

-------------------------------------------------------------------------------
How to Crack SSS Convertable by Scientific Solutions Software
by +Sync
May 12, 1997
http://members.aol.com/sss5000/

This program is a unit converter, and one of the first shareware programs I cracked. I downloaded it looking for something small, expecting to have to disassemble it and trace the serial routine; it turned out not to need even that, which makes it a good first lesson.

Install and run the program. Help -> Register brings up a box asking for the password, with the text 'Enter the password to unlock below:'. Open convertable.exe in a hex editor and scroll through it: among the strings you find 'VB40032.DLL', so it is a VB program. That tells us:

1. The programmer did not write the real work himself.
2. The program is slow.
3. Tracing it with Winice would be painful.
4. Strings are stored in wide format.

The fourth point matters. VB 4.0 stores strings as 16-bit characters, with a 00 byte after each one. Searching the file for 'Enter the password' as plain ASCII finds nothing. Searching for it in wide format:

Hex: 45 00 6E 00 74 00 65 00 72 00 20 00 74 00 68 00 65
text: E . n . t . e . r . . t . h . e

finds it at 7DBA. Right after it, also in wide format, is the string 'Garbonzo', at 7E56. That is the password, stored in plain text next to the prompt. Run the program again, enter Garbonzo, and it is registered.

What did we learn?

1. Obviously, the password.
2. Without knowing that VB 4 uses wide format we would have searched for the string and found nothing.
3. The only tool needed was a hex editor; Winice with a breakpoint on the password would also have worked, but why trace a program when you can read its password off the disk?

A short, simple crack with a bit of luck in it, but beginners have to start somewhere. Thanks to the crackers who wrote the essays I learned from; cracking is a fine hobby.

Note: I have not looked at the company's other programs. They probably use the same lousy protection scheme.

+Sync

-------------------------------------------------------------------------------
Page 2 15. Heart-Shaped Box

This time the target is Hex Workshop v2.54. Heres has already described cracking it; I am revisiting it because the approach here is a bit "dumb", in the sense of not stepping into every call, just recognising the shape of the check. The classic shape is:

CALL check_serial
TEST EAX, EAX
J(N)Z somewhere

Most protections that compare a serial look like this, and there are two ways to deal with them: change the J(N)Z after the test, or go into the call and make it return the value we want. For the latter, `xor eax, eax / inc eax` (33C0 / 40) sets eax to 1; other encodings worth knowing are `mov eax, 0` = B800000000, `mov ax, 0` = 66B80000 and `mov al, 0` = B000. Hex Workshop writes HEXWORKS.REG once it accepts a registration, so there is no need to patch the executable at all; it is enough to change the result on the fly in SoftICE, as Heres also did.

_Cracking Hex Workshop v2.54_

Run Hex Workshop and choose Help -> About Hex Workshop... -> Register. Unusually, the dialog asks only for a serial, with no name, so either a fixed serial is compared with ours or one tied to some product number; in any case it is not a name/serial pair like PicaView. Enter 1234: the message says the serial is wrong.

Where to break? GetWindowTextA works here (GetDlgItemTextA would too): this function reads the text of the edit control and returns its length in eax. Set

bpx GetWindowTextA

leave SoftICE, press Register again, and SoftICE stops. F11 takes you back into Hex Workshop:

:00454485 FF15541D4900   Call [USER32!GetWindowTextA]
:0045448B 6AFF           push FFFFFFFF                       ; eax = 4
:0045448D 8B4D10         mov ecx, [ebp+10]
:00454490 E8EB82FFFF     call 0044C780
:00454495 EB0B           jmp 004544A2                        ; ecx -> "1234"
:00454497 8B4510         mov eax, [ebp+10]
:0045449A FF30           push dword ptr [eax]
:0045449C 56             push esi
:0045449D E8C3EAFFFF     call 00452F65
:004544A2 5F             pop edi
:004544A3 5E             pop esi
:004544A4 5D             pop ebp
:004544A5 C20C00         ret 000C

After GetWindowTextA, eax is 4: the length of "1234". You can confirm this in the SoftICE register window.
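The search described in Imagine and in +Sync's tutorial above is the same problem in memory and on disk: the text you are looking for may be stored as plain 8-bit characters or, in a Visual Basic 4 binary, in wide format with a 00 byte after every character, and a plain search misses the second form. The script below is an added example, not +Sync's code or any part of the original page; it searches a byte string both ways, prints the hex pattern to paste into a hex editor, and extracts the wide strings from a binary the way `strings` does for ASCII. The sample binary is constructed inline to resemble the convertable.exe layout (prompt followed by the password), not copied from the real file.

```python
"""Search a binary for a string in ASCII and in VB's 16-bit wide format
(UTF-16LE), and list the wide strings it contains. Added example."""


def wide(text: str) -> bytes:
    """Wide format as VB 4 stores it: each character followed by a 00 byte."""
    return text.encode("utf-16-le")


def hex_pattern(needle: bytes) -> str:
    """The byte pattern as you would type it into a hex editor's search box."""
    return " ".join(f"{b:02X}" for b in needle)


def find_all(blob: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in blob."""
    hits, pos = [], blob.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(needle, pos + 1)
    return hits


def search_string(blob: bytes, text: str) -> dict:
    """Offsets of text stored as ASCII and as wide format."""
    return {"ascii": find_all(blob, text.encode("ascii")),
            "wide": find_all(blob, wide(text))}


def wide_strings(blob: bytes, min_len: int = 6) -> list:
    """(offset, text) for each run of at least min_len printable wide characters.
    This is how a password sitting next to its prompt shows up in a VB binary."""
    out, i, n = [], 0, len(blob)
    while i + 1 < n:
        if 0x20 <= blob[i] < 0x7F and blob[i + 1] == 0:
            start = i
            while i + 1 < n and 0x20 <= blob[i] < 0x7F and blob[i + 1] == 0:
                i += 2
            if (i - start) // 2 >= min_len:
                out.append((start, blob[start:i].decode("utf-16-le")))
        else:
            i += 1  # not aligned on a wide char here; try the next byte
    return out


# Constructed sample: an ASCII DLL name, then a wide prompt and a wide password.
SAMPLE = (b"\x00" * 0x40
          + b"VB40032.DLL\x00"
          + b"\x90" * 0x20
          + wide("Enter the password to unlock below:") + b"\x00\x00"
          + b"\xCC" * 0x10
          + wide("Garbonzo") + b"\x00\x00")


def password_after_prompt(blob: bytes, prompt: str) -> str:
    """The first wide string that follows the prompt, or '' if none."""
    hits = search_string(blob, prompt)["wide"]
    if not hits:
        return ""
    later = [s for off, s in wide_strings(blob) if off > hits[0]]
    return later[0] if later else ""
```

On the constructed sample `search_string(SAMPLE, "Enter the password")` finds nothing as ASCII and one hit in wide format, `hex_pattern(wide("Enter the"))` reproduces the 45 00 6E 00 74 00 ... line from the tutorial, and `password_after_prompt` returns the wide string stored right after the prompt.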
What does call 44C780 do? We do not step into it with F8 (remember, "dumb" cracking). At the jmp 4544A2 after it, `d ecx` shows 1234 in the data window, so the call has copied our serial somewhere. The routine then returns. Press F12 (P RET) repeatedly to climb out:

:00409AC6 E88BA90400     call 00454456
:00409ACB 6A08           push 00000008                       ; the length 8 turns up later

:0044B17A C745E801000000 mov [ebp-18], 00000001              ; not ours either; F12 again

:00409C41 E8E6140400     call 0044B12C
:00409C46 8B8DFCFEFFFF   mov ecx, [ebp+FFFFFEFC]             ; we return here
:00409C4C 83C15C         add ecx, 0000005C
:00409C4F E82C80FFFF     call 00401C80
:00409C54 50             push eax
:00409C55 8D45DC         lea eax, [ebp-24]
:00409C58 50             push eax
:00409C59 E8E2F30200     call 00439040
:00409C5E 83C408         add esp, 00000008
:00409C61 6874D84700     push 0047D874
:00409C66 8D45DC         lea eax, [ebp-24]
:00409C69 50             push eax
:00409C6A E8810B0300     call 0043A7F0
:00409C6F 83C408         add esp, 00000008
:00409C72 85C0           test eax, eax                       ; first TEST
(then, further down: call 004373C0 ... je 00409D18)

Here we are. Several calls, and the first `test eax, eax` right after call 0043A7F0. Two locals matter: `d` shows that [ebp-24] points to our '1234', and [ebp-14] must end up nonzero. CALL 0043A7F0 returns FFFFFFFF, so the `test eax, eax / je 00409C8E` after it does not jump; if it did, [ebp-14] would stay 0 and `cmp [ebp-14], 00 / je 00409D18` would take the bad branch. CALL 004373C0 returns 0 for our serial, and `mov [ebp-14], eax` stores that 0, so the same `je 00409D18` jumps and we get the "wrong serial" box. Looking at it, call 004373c0 returns 0 whenever the serial is not 8 characters long, and only checks the digits when it is.

So the jump to avoid is `je 00409D18`. Either type `r fl z` there to flip the zero flag, or change AL (`r al`) to a nonzero value before it is stored into [ebp-14]. The program then accepts the registration and writes HEXWORKS.REG, and from then on it starts as registered. There is no need to keygen the routine as we did for PicaView, because the program keeps its own proof of registration in that file. Cracking Hex Workshop this way took under three minutes, which says more about the protection than about us.

-------------------------------------------------------------------------------
Page 3 16. Nothing Else Matters

Hello. This time I am carrying a piece by a cracker called Mammon_. The target is Notepad. Cracking Notepad sounds odd, but cracking is not only about finding serials: it is about making a program do what you want. Mammon_ wrote two short pieces,
one on changing Netscape's buttons and this one on changing the default font of Notepad, which is a program everyone has, so it makes a good exercise. It is a small crack, but beginners should read it for the method.

Notes on terms: I write Notepad for Notepad.exe; pen, brush and font are left in English as the Win32 API uses them; "prototype" is a C term (the declaration of a function); and "disassemble" is the usual word.

-------------------------------------------------------------------------------
_Project One_

*The Target*

Notepad, the text editor that ships with Windows, a small (34K) program that does a few things well: it is fast, it shows a system font. One thing about it is annoying, the font, so that is what we will change.

-------------------------------------------------------------------------------
*The Job*

First, load Notepad.exe into a 32-bit disassembler. w32DASM will do (the demo is enough) and is what I use here. We do not need to read the whole listing, only the part that concerns the font, so we go straight to it. Notepad uses a system font; fonts, like pens, brushes and device contexts, are handled by GDI32.DLL (GDI handles pens, brushes, fonts and device contexts; USER handles windows, menus, icons, controls, timers, task management, messaging, the clipboard and the network; KERNEL handles memory management, dynamic linking, task scheduling and program loading). In W32DASM, Functions -> Imports lists the GDI functions the program uses:

GDI32.AbortDoc
GDI32.CreateDCA
GDI32.CreateFontA
GDI32.DeleteDC
GDI32.DeleteObject
GDI32.EndDoc
GDI32.EndPage
GDI32.GetDeviceCaps
GDI32.GetStockObject
GDI32.GetTextCharset
....

CreateFontA looks promising. Here is the code around its call:

-----ASM Excerpt 1----------------------------------------------------------------------
* Menu: MenuID_0001, Item: "Save"
* String Resource ID=00001: "Cannot open the %% file. Make sure a disk is in the drive y"
|
:004037B2 6A01           push 00000001
:004037B4 53             push ebx
* GDI32.SetBkMode, Ord:010Dh
|
:004037B5 FF15C0724000   Call dword ptr [004072C0]
:004037BB 8D8558FFFFFF   lea eax, dword ptr [ebp+FFFFFF58]
* GDI32.GetTextMetricsA, Ord:00CDh
|
:004037C1 8B35BC724000   mov esi, dword ptr [004072BC]
:004037C7 50             push eax
:004037C8 53             push ebx
:004037C9 FFD6           call esi
* Menu: MenuID_0001, Item: "Page Setup..."
* Dialog: DialogID_000E, CONTROL_ID:0020, ":"
* String Resource ID=00032: "%%"
|
:004037CB 6A20           push 00000020
:004037CD 8D4590         lea eax, dword ptr [ebp-70]
:004037D0 50             push eax
* String Resource ID=00057: "Courier New"
|
:004037D1 6A39           push 00000039
:004037D3 FF3570514000   push dword ptr [00405170]
* USER32.LoadStringA, Ord:0168h
|
:004037D9 FF15B0734000   Call dword ptr [004073B0]
:004037DF 8D4D90         lea ecx, dword ptr [ebp-70]
:004037E2 51             push ecx
:004037E3 6A31           push 00000031
:004037E5 6A00           push 00000000
* Menu: MenuID_0001, Item: "Page Setup..."
* Dialog: DialogID_000E, CONTROL_ID:0020, ":"
* String Resource ID=00032: "%%"
|
:004037E7 6A20           push 00000020
:004037E9 6A00           push 00000000
:004037EB FF75F8         push [ebp-08]
:004037EE 6A00           push 00000000
:004037F0 6A00           push 00000000
:004037F2 6A00           push 00000000
:004037F4 FFB574FFFFFF   push dword ptr [ebp+FFFFFF74]
:004037FA 6A00           push 00000000
:004037FC 6A00           push 00000000
:004037FE 6A00           push 00000000
:00403800 FFB558FFFFFF   push dword ptr [ebp+FFFFFF58]
* Reference To: GDI32.CreateFontA, Ord:002Bh
------------------------------------------------------------End of ASM Excerpt 1------------

The references show that CreateFontA is called as part of the Save/Print dialog: Notepad does not print in the system font but in Courier New. This code runs when the dialog is used, not when the program starts, so it is not what we are after, which is the default font Notepad displays with. That leaves GetStockObject. The Win32 API reference says: "The GetStockObject function retrieves a handle to one of the predefined stock pens, brushes, fonts, or palettes." That is exactly what we want. Here is where it is called.
-----ASM Excerpt 2---------------------------------------------------------------------
:004027A0 688C614000     push 0040618C
* Data Obj ->"Edit"
|
:004027A5 6890614000     push 00406190
:004027AA 6800020000     push 00000200
:004027AF FFD7           call edi
:004027B1 A304604000     mov dword ptr [00406004], eax
:004027B6 3BC3           cmp eax, ebx
:004027B8 0F8401030000   je 00402ABF
* String Resource ID=00016: "Cannot find "%%""
|
:004027BE 6A10           push 00000010
* GDI32.GetStockObject, Ord:00BCh
|
:004027C0 FF1594724000   Call dword ptr [00407294]
:004027C6 6A00           push 00000000
------------------------------------------------------------End of ASM Excerpt 2------------

In a disassembly of an API call, the parameters the function needs are pushed onto the stack just before the call; the API function pops them and returns its result in (E)AX (sometimes with DX). Which parameters these are is given by the function's prototype. For GetStockObject it is:

HGDIOBJ GetStockObject(
    int fnObject    // type of stock object
);

and fnObject is one of: BLACK_BRUSH, DKGRAY_BRUSH, GRAY_BRUSH, HOLLOW_BRUSH, LTGRAY_BRUSH, NULL_BRUSH, WHITE_BRUSH, BLACK_PEN, NULL_PEN, WHITE_PEN, ANSI_FIXED_FONT, ANSI_VAR_FONT, DEVICE_DEFAULT_FONT, OEM_FIXED_FONT, SYSTEM_FONT, SYSTEM_FIXED_FONT, DEFAULT_PALETTE.

GetStockObject takes one parameter, so the `push 00000010` just before the call is fnObject. Which stock object is 10? The names are defined in WinGDI.h in the Include directory of any C/C++ compiler; searching it for SYSTEM_FONT finds:

/* Stock Logical Objects */
#define WHITE_BRUSH         0
#define LTGRAY_BRUSH        1
#define GRAY_BRUSH          2
#define DKGRAY_BRUSH        3
#define BLACK_BRUSH         4
#define NULL_BRUSH          5
#define HOLLOW_BRUSH        NULL_BRUSH
#define WHITE_PEN           6
#define BLACK_PEN           7
#define NULL_PEN            8
#define OEM_FIXED_FONT      10
#define ANSI_FIXED_FONT     11
#define ANSI_VAR_FONT       12
#define SYSTEM_FONT         13
#define DEVICE_DEFAULT_FONT 14
#define DEFAULT_PALETTE     15
#define SYSTEM_FIXED_FONT   16
#if(WINVER >= 0x0400)
#define DEFAULT_GUI_FONT    17

The pushed value is hexadecimal 10h, which is 16 decimal: SYSTEM_FIXED_FONT. So in notepad.exe we have, in effect:
:004027BE 6A10             fnObject = SYSTEM_FIXED_FONT;
:004027C0 FF1594724000     HGDIOBJ GetStockObject( fnObject );

or simply

:004027BE 6A10FF1594724000 HGDIOBJ GetStockObject( SYSTEM_FIXED_FONT );

I wanted Courier 10, which is ANSI_FIXED_FONT, hexadecimal 0B. So the 6A10 at :004027BE has to become 6A0B. Open notepad.exe in a hex editor, search for the bytes just before the call, 3BC30F84010300006A10 (cmp eax,ebx / je / push 10), change 6A10 to 6A0B and save. Notepad now starts with the new font; the crack is done.

-------------------------------------------------------------------------------
For Korean text it is nicer to put 6A11 (DEFAULT_GUI_FONT) instead; 6A11 gives the GUI font with Hangul glyphs. Mammon_'s second piece follows.

-------------------------------------------------------------------------------
Page 3 17. Battery

This is the second half of the Mammon_ piece from Nothing Else Matters, "Exercise 2". It assumes SoftICE, which has already been introduced. This time the target is the Windows screen saver password: if you have forgotten it, the way out is to get past the check rather than to recover the password. (There are other uses, which I leave to you.) The translation notes from the original, about how "encrypt" is rendered, do not matter in English.

-------------------------------------------------------------------------------
*Exercise 2: Regaining Lost Access*

Suppose you have locked yourself out of a system and have to get back in without the password-protected data being lost. In most cases you would run a dictionary attack on the password (or whatever is available). Here the attacker has a screen saver with a password in front of him, has no way to recover the password, and only needs to get past it. Soft-Ice handles this kind of situation well.

First, if it is not already set up, use the Windows 95 Display control panel to install a screen saver with password checking. When the screen saver is up, move the mouse and the login box asks for the password. Then:

1) Type any password, press _Ctrl-D_ and set a breakpoint on hmemcpy (_bpx hmemcpy_); hmemcpy is the kernel function that moves strings between buffers in memory, so it fires when the typed password is moved from the dialog to wherever it is checked. Press _Ctrl-D_ again to return to the screen saver and click OK. Soft-Ice pops up and tells us we are in KERNEL!LOGERROR 0123.

2) Press _F12_ (about ten times) until Kernel.Alloc is behind us, and watch where we land. The code we want is in PASSWORD!.text, i.e. in password.cpl in the windows\system directory, which appears in front of us. Password.cpl is a 37,376-byte Control Panel extension; our .scr uses the Passwords control panel applet to do its work. Password.cpl exports these functions:

0000 00001151 CPlApplet
0001 00003f3b PPChangePassword
0002 00003eb9 PPGetPasswordStatus
0003 00004006 VerifyScreenSavePwd

and, like every other program, imports others, among them from MPR.dll:

0015 PwdSetPasswordStatusA
004e WNetVerifyPasswordA
0011 PwdChangePasswordA
0013 PwdGetPasswordStatusA
003f WNetGetUserA

These are worth keeping in mind, but a full reverse of the library is not needed for what we want.
3) The code we land in looks like this:

0137:7C45428F CALL [7C4582BC]
0137:7C454295 TEST EDI, EDI
0137:7C454297 JNZ 7C4542B1
0137:7C454299 LEA EAX, [EBP-04]
0137:7C45429C LEA ECX, [EBP-14]
0137:7C45429F PUSH EAX
0137:7C4542A0 PUSH ECX
0137:7C4542A1 CALL 7C454536
0137:7C4542A6 TEST EAX, EAX
0137:7C4542A8 JZ 7C4542DE
0137:7C4542AA MOV EAX,00000001
0137:7C4542AF JMP 7C454322

The password-checking routine never puts an unencrypted copy of the password in memory. The password the user types is run through the same encryption (hash) as the stored one, and the two encrypted forms are compared (which is the safer way, and the usual one). So from this code we cannot learn the *real* password; but since we only want to get *past* it, we only need to take care of the CMP: a "flag flip".

If you eyeball the code a little, you'll notice that there are two classes of jumps: one that dumps you in the 7C4542xx range (the JNZ at 7C454297 and the JZ at 7C4542A8), and the one that dumps you in the 7C4543xx range (the JMP at 7C4542AF). Two checks are done (one on whether a password is set at all, the other on whether it is correct; it does not matter which is which). When both checks are passed, EAX is set to 00000001 (boolean "true") and the code jumps to 7C454322, the end of the routine, without taking either conditional jump. If the password is wrong, the first conditional jump is not taken but the second one is, and it leads to the "wrong password" message box.

4) So: press _F10_ at JNZ 7C4542B1 and flip the zero flag (_r fl z_). _F10_ again until JZ 7C4542DE, flip the zero flag once more, then _CTRL-D_ back to the screen saver... and the screen saver goes away. Remember to clear the hmemcpy breakpoint afterwards.

In short, Soft-Ice beats the screen saver's password protection; in short, this needs Soft-Ice installed on the machine you are breaking into. If you can't, you would work with patched .scr and .cpl files and a program to install them, put on a CD-ROM with an autorun.inf, hoping the target machine has "autoplay" switched on....

-------------------------------------------------------------------------------
That was Mammon_'s second piece.

Page 3 18. Walk!

This time I am carrying Jon's piece on encryption. Encryption is one of the largest and most mathematical areas that touch on cracking, and beginners generally stay away from it; Jon is not an encryption cracker either, but this is a good introduction. First some terms:

brute force attack
 + trying every possible key in turn.
 + in general, trying to decrypt with each key in turn until the right one is found.
 + a dictionary attack tries words from a list instead of all keys; both are cryptanalytic attacks.

encrypting / decrypting
 + encrypting turns readable data into unreadable data; decrypting reverses it.

algorithm
 + the method by which the encryption is done.

round
 + one pass of the algorithm over the data; algorithms repeat their round a number of times.
 + DES, for example, uses 16 rounds; more rounds mean more work.

hash
 + a fixed-size value computed from data of any size.
 + a small change in the input changes the hash; so the hash of the data serves as a check value stored with it.
 + when the data is read back, its hash is computed again and compared with the stored one; if they differ, the data has been altered, and the program refuses it.

key
 + encryption "locks" the data, and the key is what lets you open it again.
 + it is what lets a known algorithm turn plaintext that anyone could read into ciphertext.
 + a particular key turns a particular plaintext into a particular ciphertext.
 + if we know the key we can turn the ciphertext back into readable plaintext.
 + with a different key you get different, still unreadable, output.

crack / reverse engineer
 + Jon uses "reverse engineer" rather than "crack"; here both are rendered as crack, but read "crack" in this piece as reverse engineering.

-------------------------------------------------------------------------------
Encryption, a short tutorial
How to reverse engineer encrypted files
by Jon (12 October 1997)

Encryption. Copyright by Jon. With additions and corrections by Joe Peschel. [September 28th, 1997.]

Contents:
1. Why encrypt
2. How encryption programs work
3. Decrypting
4. Cracking encryption (and finding the key)
5. The best known algorithms
6. Encryption programs

[1. Why encrypt.]

Encryption protects files on a computer with a password so that only the owner can read them. You can think of an encryption key as a "digital key". Everyone using a computer needs to protect something, so everyone needs a key. You close your door and lock it, and so you should encrypt data that you do not want others to read. Encrypted data is useless to anyone without the key. Data you would want to keep private includes company documents, personal letters, program source code, and, on the internet, XXX images (you would not want someone to find c:\download\xxx\pamela.jpg on your machine, would you?). So encryption is a good thing, and for people whose business is secrecy it is essential. Encryption can also be used as part of a program's protection scheme; I will not cover that here. If you are interested, read the +HCU students' essays and +ORC's lessons on the subject.

[2. How encryption programs work.]

A typical encryption program uses one of the known algorithms (see section 5) to encrypt files. Some programs can use several algorithms; you choose. The process is: you select a file to encrypt and the program asks for a password. In most programs the password is run through a hash function. If a program does not hash the password, the key is as weak as the password is short. Section 6 discusses the programs.

Good programs work in CBC (Cipher Block Chaining) mode, which makes the ciphertext harder to attack. Blowfish programs, for instance, use a 64-bit Initialization Vector with CBC, so that the same file encrypted twice with the same algorithm and password produces different ciphertext. In CBC each block of data is chained with the one before it, which makes decryption without the key harder. Programs that use ECB (Electronic Code Book) mode are open to known-plaintext attacks. When a file is encrypted, the encrypted data is written to a new file; some programs add their own header or signature (so that decrypting with the wrong program is refused), others just write the data. Some programs also "archive" several files into one encrypted file, and most compress the data before encrypting it, which makes it smaller and harder to attack. Finally, PGP uses a public key system, which is a different matter.

[3. Decrypting.]

Decrypting is the reverse of encrypting. Before decrypting, the program checks the signature of the file (most encryption programs have one), so that it knows the file was made by it. If you try to decrypt with a different algorithm or program you just get garbage.

[4. Cracking encryption (finding the key).]

Some algorithms have been cracked. Examples: MS Word 2-7, Excel, WordPerfect 7, the Windows 3.x and 95 screen saver passwords (see the essays by Fravia and Lonely Hawk), PKZIP (Peter Conrad's program, using the Biham/Kocher known-plaintext attack), CryptEdit, and Crypt-o-Text (see Casimir's essay on Fravia's page). When an algorithm is cracked (and most of those programs were badly designed), finding the password takes little time; the PKZIP known-plaintext attack takes a bit longer. Those are not exactly cracking programs but password recovery programs. Most encryption algorithms, however, are not cracked, and you have to use other means:

1. Brute force. You write a program, or take one from the internet, that tries keys.
If the algorithm's key size is too large, this can take thousands of years on one computer. Thousands of computers on the internet have cracked 48-bit RC5 and 56-bit DES this way (see the RSA Data Security Secret Key Challenge at http://www.rsa.com/rsalabs/97challenge/). On a single computer you are better off trying an ASCII wordlist.

2. Guessing. Many people use their name (or its reverse, or a variation), their ID number, or the name of their pet as the password.

3. Using the password from somewhere else: a screen saver or MS Word/Excel password that was cracked may be the same password used for the encryption.

4. Social engineering, made famous by Mitnick.

5. Keyboard loggers that record the keystrokes. Note that some people keep a long 56-character password of random characters in a file and paste it into the encryption program with CTRL+V, so a keyboard logger sees nothing; if you find such a file on the computer, you are in (and if you find a keylogger on your own machine, you will know what is coming).

[5. The best known algorithms.]

Blowfish
Blowfish is one of the best known and one of the fastest: on a P200 under Window$ 95 it does 5.2 MB/s (faster under WinNT, a true 32-bit OS). It is also one of the strongest: the key size goes up to 448 bits (56 bytes), so a brute-force attack is hopeless. It encrypts in 16 rounds; some programs offer 32 rounds, which is slower and no more secure. Blowfish was designed by Bruce Schneier and published in Doctor Dobb's Journal, April 1994. No attack on it is known.

Cobra
Cobra is a newer algorithm, similar to Blowfish, with a 128-byte key and 24 rounds, and can replace Blowfish. It was designed by Christian Schneider and published in April 1996 in sci.crypt.research.

DES
The oldest and best known algorithm (which does not mean the best). DES (Data Encryption Standard) dates from 1974, when the NSA and IBM developed it as a standard encryption algorithm for the government. At first there were suspicions about what the NSA had put into it. From 1976 to 1997 it was the standard for encrypting federal non-classified documents. Everyone has used it, and it is still widely used, but it is not secure anymore: the key is only 7 bytes (56 bits), which computers can now test in reasonable time (cracking a 56-bit DES key took months with thousands of computers, but the US government can certainly crack DES by itself). Stronger variants exist: Triple DES (TDES) with a 21-byte key, which is slow, and NewDES.

GOST
The Russian counterpart of the American DES; little is known about it. The key is 32 bytes and it uses 32 rounds. It is much slower than Blowfish.

IDEA
A good algorithm with a 128-bit (16-byte) key, considered one of the strongest. IDEA was designed in Zurich by Xuejia Lai and James Massey.

RC4
From RSA; the source was never published, so the algorithm was a secret until someone posted it anonymously to the Cypherpunks list and to sci.crypt. It is used in RSADSI's BSAFE Toolkit (with source), and is described in Bruce Schneier's Applied Cryptography, 2nd edition. Some programs implement a pseudo-RC4 (not the official RSA version). Designed by Ronald Rivest.

SAFER
SAFER, by James Massey (one of the IDEA designers), stands for Secure and Fast Encryption Routine. It exists with different key sizes; SAFER SK-128 uses a 128-bit key. (According to Bruce Schneier, the designer of Blowfish, "the NSA may have had a hand in it"; it was commissioned by CYLINK.) Bruce Schneier also says that SAFER has resisted all known cryptanalytic attacks so far.

[6. Encryption programs.]

Here I introduce the better encryption programs on the market. The ones I use are Blowfish Advanced 95 8.2f and Kremlin 1.21.

Blowfish Advanced 95 is a strong program. It offers five algorithms: Blowfish, Blowfish32 (Blowfish with 32 rounds), GOST, Triple-DES and Cobra, and uses Blowfish with the full 448-bit key.
It can be downloaded from http://www-hze.fht-esslingen.de/~tis5maha/software.html, and the registration file is at http://www.chez.com/jon101514/pc_bfa2f.zip.

Kremlin 1.21 is a good program too, with a handy drag-and-drop interface. It offers eight algorithms: ASCII, Blowfish, DES, IDEA, NewDES, SAFER, Pseudo-RC4 (a variant of RC4) and Vigenere. Its maximum key size is 160 bits, so it is not as strong as Blowfish Advanced 95, and it works in ECB mode only (not good). Download it from http://www.mach5.com. If you have read this far and care about the algorithms, register it with 9797708151 (works on 1.1, 1.2 and 1.21).

There are many free and shareware encryption programs; look at http://www.tucows.com/, http://www.shareware.com/ or http://www.mysharewarepage.com/, or search with Yahoo. Some encryption programs are a joke, and some are sold at a price that does not match what they do, so check what a program really does before you trust it (some of the better programs come from Russia, Germany, the Netherlands, Scandinavia and Switzerland).

Links: the better links (some already mentioned):
http://www.counterpane.com/blowfish.html - Blowfish home page, with Blowfish source.
http://www-hze.fht-esslingen.de/~tis5maha/software.html - Blowfish Advanced 95.
http://www.mach5.com/ - Kremlin (and other encryption programs).
http://www.chez.com/jon101514/pc_bfa2f.zip - Blowfish Advanced 95 registration.
http://www.tucows.com/, http://www.shareware.com/, http://www.mysharewarepage.com/ - free and shareware programs, most of them American.
http://hack.box.sk/ - hacking programs (crackers, password recovery, hacking tools).
http://ourworld.compuserve.com/homepages/c_schneider/ - Cobra.
http://www.cs.auckland.ac.nz/~pgut001/links.html - Peter Gutmann's page, with many encryption links.
http://www.sni.net/~mpj/crypto.htm - crypto page with good links and programs.
http://members.aol.com/jpeschel/index.htm - Joe Peschel's page, with programs and encryption essays.
Newsgroups: sci.crypt - the encryption group; sci.crypt.research - the research group, where new algorithms are announced.

Thanks to Joe Peschel for his additions and corrections; he writes better than I do. :-)

(c) Jon 1997. All rights reversed

-------------------------------------------------------------------------------
Page 3 19. In Dreams

Hello. This one is a bit different: it is about using a computer, not about serials. Some web sites throw a JavaScript message box in your face when you open them; everyone has seen those, for example "this site does not allow ...". The page carried by +YOSHi below stops Netscape from showing them; more exactly, it makes Netscape behave as if you had pressed the OK button every time. One detail needs explaining first. In the steps below `inc eax` is replaced by `inc ax`, and the reason is size: the opcode of `inc eax` is 40, one byte, while `inc ax` is 6640, two bytes; the 66 prefix (the operand-size prefix) adds a byte. After `xor eax, eax` sets eax to 0, `inc ax` leaves eax at 00000001, so the effect is the same.

A message box has an OK and a Cancel button, and the box disappears when either is pressed. How does Netscape know which one we pressed? There is a function that returns eax = 1 if OK was pressed and eax = 0 for Cancel, and Netscape checks that return value.
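The points in sections 2 and 4 of Jon's tutorial above (the password is hashed into the key, ECB leaks repeated blocks where CBC with an IV does not, and a program that checks its own file signature hands a dictionary attacker a cheap test for each candidate) can be shown with a small self-contained script. This is an added example and not Jon's code or any real product: the 8-byte Feistel cipher, the TOYCRYPT signature and the word list are constructed for the demonstration, and the cipher is deliberately a toy, not something to protect data with.

```python
"""Toy illustration of Jon's tutorial: hashed password -> key, ECB vs CBC,
signature check, dictionary attack. Constructed example; not a secure cipher."""
import hashlib
import os

BLOCK = 8
MAGIC = b"TOYCRYPT"  # constructed file signature, exactly one block long


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key: bytes, rounds: int = 16) -> list:
    """Round keys derived from the key; each round gets a different 4-byte value."""
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(rounds)]


def _feistel(block: bytes, subkeys: list) -> bytes:
    """Balanced Feistel network on an 8-byte block; decryption is the same
    function run with the round keys in reverse order."""
    left, right = block[:4], block[4:]
    for sk in subkeys:
        left, right = right, _xor(left, hashlib.sha256(sk + right).digest()[:4])
    return right + left


def block_encrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _subkeys(key))


def block_decrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _subkeys(key)[::-1])


def key_from_password(password: str) -> bytes:
    """Section 2: the password is hashed and the hash becomes the key."""
    return hashlib.sha256(password.encode()).digest()[:16]


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def encrypt(password: str, plaintext: bytes, mode: str = "CBC", iv: bytes = None) -> bytes:
    """Signature + plaintext, padded, in ECB or CBC (CBC output starts with the IV)."""
    key = key_from_password(password)
    data = _pad(MAGIC + plaintext)
    iv = iv if iv is not None else os.urandom(BLOCK)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        p = data[i:i + BLOCK]
        c = block_encrypt(key, _xor(p, prev) if mode == "CBC" else p)
        out.append(c)
        prev = c
    return (iv if mode == "CBC" else b"") + b"".join(out)


def decrypt(password: str, blob: bytes, mode: str = "CBC"):
    """Section 3: decrypt, then refuse the result unless the signature matches."""
    key = key_from_password(password)
    iv, body = (blob[:BLOCK], blob[BLOCK:]) if mode == "CBC" else (b"", blob)
    out, prev = [], iv
    for i in range(0, len(body), BLOCK):
        c = body[i:i + BLOCK]
        p = block_decrypt(key, c)
        out.append(_xor(p, prev) if mode == "CBC" else p)
        prev = c
    data = _unpad(b"".join(out))
    return data[len(MAGIC):] if data.startswith(MAGIC) else None


def distinct_blocks(blob: bytes, mode: str = "CBC") -> int:
    """ECB maps equal plaintext blocks to equal ciphertext blocks; CBC does not."""
    body = blob[BLOCK:] if mode == "CBC" else blob
    return len({body[i:i + BLOCK] for i in range(0, len(body), BLOCK)})


def dictionary_attack(blob: bytes, wordlist: list, mode: str = "CBC"):
    """Section 4: try each candidate password; decrypting only the first block
    and testing it against the signature is enough to reject a wrong one."""
    if mode == "CBC":
        iv, first = blob[:BLOCK], blob[BLOCK:2 * BLOCK]
    else:
        iv, first = b"", blob[:BLOCK]
    for word in wordlist:
        p = block_decrypt(key_from_password(word), first)
        if (_xor(p, iv) if mode == "CBC" else p) == MAGIC:
            return word
    return None


WORDLIST = ["password", "letmein", "qwerty", "Garbonzo", "123456"]  # constructed
```

Run `dictionary_attack(encrypt("Garbonzo", b"secret report"), WORDLIST)` and the weak password comes back after at most five trial decryptions of a single block; a program that hashes the password does not help here, because the attacker hashes each candidate the same way. The mode matters separately: `distinct_blocks` on a plaintext of repeated blocks gives a handful of distinct ciphertext blocks in ECB and a different block every time in CBC.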
If we find where that function is called and replace the call with code that sets eax to 1, the message boxes stop appearing. That is what +YOSHi does below; I have added a little explanation.

-------------------------------------------------------------------------------
Killing those Javascript Messageboxes
by +YOSHi

First, why would anyone want to kill JavaScript message boxes at all? Well, have you ever tried refusing cookies? Then you know: the boxes keep popping up, and you spend your time clicking them away. Netscape shows them with the MessageBoxA function, which makes the whole thing easy.

a. Start Netscape (SoftIce should already be loaded). Go to a page with a JavaScript MessageBox, fravia+'s page for instance.
b. In SoftIce, Bpx messageboxa.
c. Reload the page in Netscape.
d. SoftIce pops up inside messageboxa. We must now find the code that calls it.
e. P RET and look at the code you land in; the important part is right at the beginning. Just after the p ret you will see something like:

mov ebx, [eax + 4c]
call display
add esp, 08

f. Set a breakpoint just before the call and reload in Netscape.
g. SoftIce pops up again. F10 to the call and assemble over it:

xor eax, eax
xor eax, eax
inc ax

It has to be inc ax, not inc eax; the prefix makes inc ax one byte longer, so the three instructions exactly fill the space of the call. F5 back to SoftIce... and the message boxes are gone! The page behaves as if you had pressed OK every time. This is not a real patch: it lives in memory only, since we have not changed the file. Patching the file itself I leave to you :)

+YOSHi yoshi@ij.net
*EoF*
Enjoy
(c) +YOSHi, 1997. All rights reversed.

-------------------------------------------------------------------------------
Page 3 20. In My Life

This piece goes back to basics. Those of you who have followed the earlier pieces already know most of it, but it answers a question beginners often ask: "I patched the conditional jump and the program said it was registered, but when I restarted it, it was unregistered again". No comment from me is needed.

-------------------------------------------------------------------------------
Thinking Like a Cracker
A lesson for beginners
Written by The_RudeBoy_[PC]

This essay is for beginners. I have had questions from beginners who cracked a program, got the registered message, and found the program unregistered again the next time they ran it. The answer is to think like a programmer, and that is what this lesson is about.

Tools:
W32Dasm 8.9 (or whatever disassembler you use)
Hex Workshop (or whatever hex editor you use)
PolyView 3.00 beta 9, from http://www.polybytes.com/betafiles/pvbeta.exe

Before cracking PolyView 3.00 beta 9 you need to understand how a programmer thinks. When a job has to be done more than once, a programmer writes it once as a function and calls the function from everywhere the job is needed. Most programmers check the name/serial pair in more than one place: when you enter it, and every time the program starts. So they write a function that checks the serial, and call it from wherever the check is needed. If you crack that function, the whole program is cracked; if you crack only one of the places that call it, the program checks again somewhere else and finds you out. That is exactly the case with PolyView 3.00 beta 9.

Run the program; you will find a "Registration" menu with "License Information" under it, where you enter a name and a serial. Enter anything and press "OK". If the serial is not a number you get "Please enter a positive integer"; otherwise you get "Registration Unsuccessful". Load PolyView.exe into W32Dasm, open the string references and find "Registration Unsuccessful". Next to it you will also see "Registration successful".
Double-click "Registration Unsuccessful" and you land here:

* Referenced by a Jump at Address:004400C9(C)
|
* Possible Reference to String Resource ID=00141: "Unregistered"
|
:0044016C 688D000000     push 0000008D
:00440171 8BCF           mov ecx, edi
:00440173 E8D9070600     call 004A0951
:00440178 53             push ebx
:00440179 53             push ebx
* Possible StringData Ref from Data Obj ->"Registration unsuccessful. please "
                                        ->"verify that you have entered the "
                                        ->"information exactly as shown on "
                                        ->"your registration letter."
|
:0044017A 684C364F00     push 004F364C
:0044017F 899E70010000   mov dword ptr [esi+00000170], ebx
:00440185 E8D88A0600     call 004A8C62

The first thing to notice is that this code is reached by a jump from 004400C9. Go there and you find:

:004400B7 50             push eax
:004400B8 51             push ecx
:004400B9 898670010000   mov dword ptr [esi+00000170], eax
:004400BF E8DCF0FEFF     call 0042F1A0                       ; check_serial()
:004400C4 83C408         add esp, 00000008
:004400C7 85C0           test eax, eax                       ; the TEST
:004400C9 0F849D000000   je 0044016C                         ; the bad-guy jump

If you simply NOP the je 0044016c, the program accepts any serial and says it is registered, but when you run it again it says "Unregistered". Remember what was said about programmers writing one function and calling it wherever they need it? That is what this program does: call 0042F1A0 is the call to the check function. Go to 0042F1A0 in W32dasm and you see:

* Referenced by a CALL at Addresses:
|:0040423B , :004046B8 , :004055FA , :0042DDBE , :0042DE36
|:004395C4 , :0043CE1A , :0043D6B0 , :0043E35A , :00440025
|:004400BF , :004419BC , :0044234D , :00452FF9 , :004531CB
|:004B9033
|
:0042F1A0 64A100000000   mov eax, dword ptr fs:[00000000]

All those addresses call check_serial() to confirm that the program is registered. So what do we do? Look at the call site again: the bad-guy jump is taken when eax is 0. The important point about cracking this program is that eax must be nonzero when the function returns. So replace the first instruction of the function, `mov eax, dword ptr fs:[00000000]`, with

push 00000001
pop eax
ret

(bytes 6A0158C3). The function now returns eax = 1 to every caller, and the program is registered, whatever name and serial you entered. This lesson only covered the name/serial check; there are other protection schemes, with real checks and nag screens, that call a function in the same way.

-------------------------------------------------------------------------------
That was The_RudeBoy_[PC]'s piece.

Page 3 21. Por Una Cabeza

-------------------------------------------------------------------------------
What Time Does the Library Open?
Written by Sojourner

The target is the Rhino beta at ftp://ftp.mcneel.com/pub/rhino/rhino32.exe (the "newest" version is at ftp://ftp.mcneel.com/pub/1.00/demo). It ships with models and a 3DS Max plug-in; it is a NURBS 3D modeller, and not a toy, so I kept it instead of a 1.00 demo that would be crippled: the full version costs $795, and the beta is the full program with a time bomb. The beta expired in October 1998 with a "time protection" that could have been beaten by just setting the PC clock back... but that is not cracking, so I went after the code. This is my first essay, so bear with me.

On 31 December 1997 I read Tristan's essay, which says "beginners, write essays", and then more than 30 essays by other +HCU students, and I realised they all said the same thing: "If you can crack this, you can crack anything. It is all in the code!" Time passed, and I was not going to keep setting my clock back to run the program, so I cracked it.

Notes: WDASM89 needs about 200 MB of free disk to disassemble this program, and time: rhino_main.exe is the file we disassemble, and the listing is about 80 MB and takes 20-30 minutes, so start WDASM89, go make coffee, and save the listing afterwards. Win32 API documentation is also needed, or a book on Win95/98/NT programming.

Tools: WDASM89, UltraEdit, Soft-Ice 3.2, and Rhino.
History: the third full version of the beta.
Essay: to crack this program you need to know only two things about it. It is time limited, and it was produced in two stages.

Note: I assume the program has been installed and runs at a valid date. Let's go. :-)

1. Set the clock back and run Rhino (a valid date is between the first of September and the middle of October 1998). The program runs. Do some work in it and save, so that you have a file to test the crack with.

2. Set the clock forward to the middle of December 1998 and run Rhino again. A message box says "This beta version has expired" and the program exits (Exit Process). Remember that message.

3. Disassemble with WDASM89. In the "Import Functions" look for Kernel32.GetLocalTime. Why? Because the program compares the date it gets with a date built into the code: 1998 (07CEh) and 11 (000Bh). Look at the code below: if the date is earlier, the program runs; if not, you get the message. Alternatively you could search for the string "This beta version of Rhino has expired" and work back from it. This protection is lousy, but not all are this easy.

* Reference To: KERNEL32.GetLocalTime, Ord:00F5h
|
:00488AE9 FF15088D8C00   Call dword ptr [008C8D08]
:00488AEF 66817C2404CE07 cmp word ptr [esp+04], 07CE

Two comparisons are made here against the system date, which is stored in the SYSTEMTIME structure as 16-bit words: the first jumps out if the year is not 1998, the second if the month is 11 or later; the Win32 API reference describes GetLocalTime. Below, at 00488B00, is the good path: eax = 0 and ret. Otherwise 00488B0E displays the expired message:

:00488B00 33C0           xor eax, eax
:00488B02 5B             pop ebx
:00488B03 83C410         add esp, 00000010
:00488B06 C3             ret
:00488B07 6A00           push 00000000
* Possible StringData Ref from Data Obj ->"Beta copy expired"
|
:00488B09 6810C67F00     push 007FC610
* Possible StringData Ref from Data Obj ->"This beta version of Rhino has "
                                        ->"expired."
|
:00488B0E 68E8C47F00     push 007FC4E8
:00488B13 6A00           push 00000000

What we need to change is

:00488AF6 7508           jne 00488B0E

so that the jump to the message is never taken. Now the program runs whatever the clock says. Yes!
. . . no it doesn't! After patching in WDASM89 I ran the program with several different dates. It seemed to work, so I patched the file with a hex editor and set the clock to 2010. The program started and showed its splash screen... and then nothing. What? Didn't we just fix it? I moved the clock a bit closer and the program ran again. So what was going on? We had patched the check we found! Then, with the clock a little too far ahead, I noticed that pressing a certain button brought up a "history" window, and realised that GetLocalTime was used in more than one place. I set breakpoints in WDASM at every GetLocalTime reference, and found nothing. I looked for a function that checked the date when the button was pressed, and got nowhere. Clearly some time-related check was still being done.

So I turned to SoftIce 3.2 and set a breakpoint on GetLocalTime (BPX GetLocalTime). Ctrl-D back to the program and SoftIce pops up at the place we already "fixed" (it shows the bytes we patched with the hex editor, as it should). Ctrl-D again and the program runs; now press the button that caused trouble. SoftIce breaks on GetLocalTime again, and after F12 and a few F10 the code below appears. The listing is from WDASM89; SoftIce shows the same. Notice the call to "FreeLibrary" just above, and then at 0041785E the compare with [ebp+FFFFFF6C]. What is in there? SoftIce tells you. And just below, at 0041786A, there is a second compare. Look:

* Reference To: KERNEL32.FreeLibrary, Ord:0098h
|
:00417832 FF15A88C8C00   Call dword ptr [008C8CA8]
:00417838 8B857CFFFFFF   mov eax, dword ptr [ebp+FFFFFF7C]
:0041783E 25FFFF0000     and eax, 0000FFFF
:00417843 898578FFFFFF   mov dword ptr [ebp+FFFFFF78], eax
:00417849 33C0           xor eax, eax
:0041784B 668B857EFFFFFF mov ax, word ptr [ebp+FFFFFF7E]
:00417852 898564FFFFFF   mov dword ptr [ebp+FFFFFF64], eax
:00417858 8B8578FFFFFF   mov eax, dword ptr [ebp+FFFFFF78]
:0041785E 39856CFFFFFF   cmp dword ptr [ebp+FFFFFF6C], eax
[here eax holds the year from GetLocalTime, and [ebp+FFFFFF6C] holds 07CE (1998)]
:00417864 0F8516000000   jne 00417880
:0041786A 8B8564FFFFFF   mov eax, dword ptr [ebp+FFFFFF64]
:00417870 3945F8         cmp dword ptr [ebp-08], eax
[here eax holds the month from GetLocalTime, and [ebp-08] holds 000B (11)]
:00417873 0F8E07000000   jle 00417880
:00417879 33C0           xor eax, eax
:0041787B E925000000     jmp 004178A5

As you can see below, both jumps go to 00417880, which is the bad path that shuts the program down. What we want is for neither jump ever to be taken, whatever the date, so that the program falls through to the `xor eax, eax / jmp 004178A5` (the good path). So replace the six bytes at 00417864 (the jne) and the six bytes at 00417873 (the jle) with NOPs. The program now runs with the clock set anywhere from 1980 to 2095. Patch it with a hex editor and run Rhino!
* Referenced by a Jump at Addresses:
|
:00417880 C70508488C0000000000 mov dword ptr [008C4808], 00000000
:0041788A E8514F0300     call 0044C7E0
:0041788F A1844F8C00     mov eax, dword ptr [008C4F84]
:00417894 50             push eax
* Reference To: USER32.DestroyWindow, Ord:008Ah
|
:00417895 FF1544918C00   Call dword ptr [008C9144]
:0041789B B801000000     mov eax, 00000001
:004178A0 E900000000     jmp 004178A5
* Referenced by a Jump at Addresses:
|:004177FD(U), :0041781F(U), :0041787B(U), :004178A0(U)
|
:004178A5 5F             pop edi
:004178A6 5E             pop esi
:004178A7 5B             pop ebx
:004178A8 C9             leave
:004178A9 C3             ret

The lesson is that you have to know what to look for. It took me, a beginner, a few hours to work out. The "zen" that +orc talks about helps, but it is not magic; without the knowledge, zen takes a long time. Whether this crack is any use to experienced crackers I don't know; we beginners need the knowledge (and, no, we don't get it for free). So read, and crack, and write. Crackers and protectors both, keep it up!

Request: what about a program that calls a function in another dll? Any essays on handling functions, windows and messages are welcome. Thanks! :-)

-------------------------------------------------------------------------------
That was Sojourner's piece.

Page 3 22. Love Buzz

This time I want to talk about a Korean program with a calendar, the IMF edition; it was the only thing in the PC file library whose name I recognised. Its protection is a little different from the others so far: it is not a trial counted from installation, but a fixed date range. The IMF edition runs free until 30 April (1999); after that it expires, and there is a patch that extends it. When you run the program, the calendar appears in the lower part of the window, so you can see at a glance whether it is alive.

Since the program is limited to 30 April, what happens after that? The date on my computer is 23 April, 7:33, so it still runs; set the clock to 23 May and run it, and a message box says the period has expired, please download the IMF patch and install it. If you keep running it without the patch, a nag box appears ten seconds after start, and keeps reappearing. Set the clock back to April and the program runs without complaint. So the program is checking the date, and the function that reads the system date is GetSystemTime. Run the program, drop into sice, set

bpx GetSystemtime

and restart the program; SoftICE pops up. F11, then F12, and you are in the program's own code:

:004160F0 E8EFDC0500     Call 00473DE4
:004160F5 8B08           mov ecx, dword ptr [eax]
:004160F7 890D98134B00   mov dword ptr [004B1398], ecx
:004160FD 8D4C240C       lea ecx, dword ptr [esp+0C]
:00416101 E822DB0500     Call 00473C28
:00416106 8D54240C       lea edx, dword ptr [esp+0C]
:0041610A C784249000000000000000 mov dword ptr [esp+00000090], 00000000
:00416115 52             push edx
:00416116 E8C5FD0300     call 00455EE0
:0041611B 83C404         add esp, 00000004
:0041611E 8D44240C       lea eax, dword ptr [esp+0C]
:00416122 8D4C2410       lea ecx, dword ptr [esp+10]

This is not the part we want, so press F12 (P RET) once more.
:0041630F E8BCFDFFFF call 004160D0 ;GetSystemtime :00416314 85C0 test eax, eax ;(ret ) :00416316 740D je 00416325 :00416318 E893FFFFFF call 004162B0 ; ̴ κ 츮 ϴ. ι° ̴ б jne 004163E4 б⸦ ϸ(JUMP) ۻڰ Ÿ ʰ, б⸦ (NO JUMP) call 00473AA8 ؼ ۻڰ Ÿϴ. . ð踦 5 Ҵٸ jne 004163E4 NO JUMP ̰, ð谡 4 ־ٸ JUMP ؼ ۻڴ Ÿ ſ. ׷ ⼭ ٷ ũ ? ׷ϱ, ¥ jne 004163E4 б⸦ ϵ ڵ带 ٲ ٸ . κ ڵ 0F85BF000000 E9C0000000 90(JMP 004163E4/nop) ٲٴ ſ. ׷ ϸ ۻڴ ſ. ¥  Դϴٿ. ó ̷ ϱ ũ ˾Ҿ. ׷ α׷ ϱ, ٸ ۻڰ ٽ . ٸ ¥ Ȯϰ ġ ۻڸ ϴ κ ־ ſ. ׷ϱ, α׷ κи ģ. 'ٺ' ũ ؾ ϰ? (, ۻڸ Ÿ ٸ ãư Ǻб⸦ ٲִ ᵵ ſ. , ׷ κ ã ٴϴ ͵ . : ) 츮 ٲ ־ б jne 004163E4, ٷ ִ call 004162B0 (eax) ؼ б ΰ Ǵ ſϴ. ׷ call 004162B0 ãư . :004162B0 51 push ecx :004162B1 8B0D90134B00 mov ecx, dword ptr [004B1390] :004162B7 8BC4 mov eax, esp :004162B9 8908 mov dword ptr [eax], ecx :004162BB B998134B00 mov ecx, 004B1398 :004162C0 E89B0B0000 call 00416E60 ;4/30 °? :004162C5 85C0 test eax, eax :004162C7 751F jne 004162E8 :004162C9 8B1594134B00 mov edx, dword ptr [004B1394] :004162CF 51 push ecx :004162D0 8BC4 mov eax, esp :004162D2 B998134B00 mov ecx, 004B1398 :004162D7 8910 mov dword ptr [eax], edx :004162D9 E8720B0000 call 00416E50 ;3/23 °? :004162DE 85C0 test eax, eax :004162E0 7506 jne 004162E8 :004162E2 B801000000 mov eax, 00000001 ; flag :004162E7 C3 ret :004162E8 33C0 xor eax, eax ; flag :004162EA C3 ret call 004162B0 θ ִ κ ϴ. ⸸ ص  ִ ֽϴ. 'flag' ̿ ̿. call(call 00416E60, call 00416E50) ְ Ǻб(jne 004162E8) ֽϴ. ǺбⰡ бϴ Դϴ. xor eax, eax. ࿡ б ʾҴٸ mov eax, 00000001 ؼ eax 1̶ flag մϴ. ƽð? Ƹ call ¥ Ȯϴ call ſ. ׷ ¥ ¥ٸ б ̴ϴ. ׷ eax 1̶ ְ ret˴ϴ. ¥ ʴٸ eax 0 ְ ret˴ϴ. Ʊ ô call 004162B0/test eax, eax/jne 004163E4 eax 1 бմϴ. ҵ б⸦ ϸ ۻڸ ʰ DZ.  ؾ ƽð? ¥ Ǿ eax 1 ָ Ǵϱ, xor eax, eax ٲ . ٲ ִ ڵ尡 2Ʈ 33C0Դϴ. ׷ϱ B001, mov al, 1 ٲָ ˴ϴ. ̷ Ȯϴ ⱸ, ΰ call 츮 '¥' Ȯϴ κ ȣϰ ִ ϱ? Ƹ ׷ ſ. ù κп ҵ κ GetSystemtimeԼ ٷ κ̴ϱ. ׷ ãư . 
:00416E50 8B09 mov ecx, dword ptr [ecx] ;time(NULL) :00416E52 8B542404 mov edx, dword ptr [esp+04] ;3/23/0:00 :00416E56 33C0 xor eax, eax :00416E58 3BCA cmp ecx, edx :00416E5A 0F9CC0 setl al :00416E5D C20400 ret 0004 :00416E60 8B09 mov ecx, dword ptr [ecx] ;time(NULL) :00416E62 8B542404 mov edx, dword ptr [esp+04] ;4/29/23:59 :00416E66 33C0 xor eax, eax :00416E68 3BCA cmp ecx, edx :00416E6A 0F9FC0 setg al :00416E6D C20400 ret 0004 ι° call call 00416E50 θ ִ 00416E50κ . (.. ۿ ٿ ִ ϳε, sice IP(instruction pointer) Ű ִ ִ ⸦ մϴ : ) 00416E66 xor eax, eax :? ecx ɰ :? edx . ý ð 99 4 25 0:54:33 ֽϴ. ecx edx 10 924969724 922114800Դϴ. ׸ cmp ecx, edx/setl al ؼ 񱳵˴ϴ. picaview 𿡼ΰ setzɿ ̾߱⸦ ִ ɷ մϴ. setl ̶ ? Ƹ SET if Less ǹ ſ. cmp ecx, edx ecx edx ؼ ecx edx '۴ٸ' al (1)մϴ. ׸ ret˴ϴ. ׷ ü 924969724 922114800 񱳸 ϴ ɱ? ΰ ϸ û ̰ŵ. ׷ ó µ. C time()̶ Լ ־. time(NULL) 1970 1 1 ý ð ʰ ϴ ŵϴ.( 1970 1 1 ͳ ϸ, UNIX ̶ ׷ٰ ϴ, ? : ) ׷ Ȯ þ. 922114800 3600*24*365 ϱ 19 . 1970 + 19 = 1999 ݾƿ. ϸ ecx ý ð ð ̱, edx 1999 3 23 0 00 ð Դϴ.( κ ణ ̻ؿ. sice Ȯ ̷ 3 23 0 00ʱ 922114800̾µ, time(NULL) Ἥ α׷ ˾ ϱ 3 22 10 00ʱ 922114800̴. α׷ֿ ؼ 𸣴ϱ, 쿡 time(NULL) ϴ Լ  ۵ϴ 𸨴ϴ. ̷ ̰ ƽô ּ : ) ׷ϱ α׷, 3 23ϱ ð edx ý ð谡 Ű ð ð ecx ϰ ִ ſ. ٽ ϸ, ý ð 99 3 23 Ȯϰ ִ . ׷ 3 23 ʾҴٸ(ecx 2 ޸ POP , ޸ ESP -> 1 esi edi 2 ޸ , eax = 2 esi = push esi edi = push edi ÿ ª ̾߱⸦ ߱⸦ ٶ. _Լ ˾Ƴ_ W32DASM̳ IDA Pro disassembler Լ ãƳ, disassembler Լ ϴ 찡 ִ. Ϳ ؼ Լ ׷ ̴. Ϸ Լ  ٲٴ ˾ƾ ʿ䰡 ִ. _CALLɰ RET_ ؼ call α׷ ٸ κ ѱ ̴. ġ _jmp_ _j*condition*_ ó ̴. ƿ ׳ Ѱ б ɰ ٸ call return ϸ鼭 ѱ. ׷ ȣ(called) κ _ret_ Ǹ α׷ ȣ (caller) ٽ ư ȴ. ̷ Ƿ, call δ ǵư ʿ (return information) ϰ ޷ȴٴ ִ. ȣ κ TSS(task state segment) task gate ƴ϶ ϴ. ȣ κ ȣ κ ּҸ ϴ Ἥ ٽ ư ִ. _call_ ȣ κ бϱ (E)IP ؼ ׷ ִ ̴. Ƹ е ̹ ˰ ְ, (E)IP CPU ؾ Ű ִ. ܼ (E)IP ٲٴ ͸ε α׷ Ǵ ٲ ִ ̴. call ÿ _push_ؼ Ѵ. (E)IP ϱ , ÿ push call κ (E)IP̴. 32Ʈ α׷ call ٰŸ ȣ(near call)̴. ׸Ʈ(intrasegment) ̵ ʿ ִ 16Ʈ α׷ Ÿ ȣ(far call) ʿ䰡 ִ. Ÿ ȣ⿡ CS:(E)IP Ǿ Ѵ. CSͰ push , (E)IPͰ ÿ pushȴ. ȣ κ , _ret_ (E)IP( CS, Ÿ ȣ⿡) _pop_ؼ (E)IP( CS) Ű ´. call ̴ ϴ. ҷ κп , ̴ : _ call * address*_ call ּ . 
 call edi call [ebx+0dh] װ̴. ù° , call ִ, edi ִ ãƺ ȴ. ̷ ּҰ Windows API ̴ּ. ι° , Ÿ ϴ ִ. ߴ , ebx ˾ . Ǵ ãƳ ֵ ̴. Fravia+ ̹ call relocation Ǹ . о . IDA Pro ̿ϸ call relocation table Search in Core ̿ؼ ã Ŷ ̴. û ּҸ ϴ C++α׷ ּҰ κ Ű ִ ˾Ƴ Ұϴ. W32DASM IDA Pro ̴. Բ ִ Ÿ ̿ϸ ׷ ּҸ ã Ա̴. call Լ Ǵ Ѵٸ, ret Լ κ ų ̶ 翬ϴ. ⺻ ret (E)IP( CS, Ÿ ȣ⿡) ؼ ȣ κ ư. call ( ȣ κ) , _ret_ _retn_(near return), _retf_(far return), _iret_(involving task switching) ִ. ret ν Ѱ ȿ n̳ f ޷ ʰ Ÿ. IDA Pro disassembler α׷ ϰ ҽ disassembleѴ. ׷ ν Ѱ ȿ ret ִ´. ׷ ϸ ret ν (ٰŸ Ÿ) ̴. ret ּ(return address) pop , 󸶸ŭ Ʈ ϴ ϴ Ķ͸ ִ. Ʒ ڵ带 ٸ: _ν proc near ... ... pop edi pop esi add esp, 10h pop bp ret 8 _ν endp _ν ÿ push popߴٰ Ѵٸ, ȣ κ ´ Ʒ ̴: ... ; esp xxxxxxxx Ŵ push 32bit_ ; esp 32bit_ Ŵ push _ٸ_32bit_ ; esp _ٸ_32bit_ Ŵ call _ν inc edi ; ret ; ׸ esp xxxxxxxx Ŵ ... Լ ϴ 򰥸 ִ. compiler optimizer Ȱȭ ¶, Լ ȣ ư ִ ִ. Լ ٸ Լ ۵ȴ. ret ִٰ ϴ ret Լ 𿡼 ˾Ƴ ִ. disassembler Լ Ȯϰ ǥ شٸ, ̰ ̴. ׷ , 츮 Լ ۺκ(prologue) ã ޾߸ ̴. _Լ ۺκа κ(Function Prologue and Epilogue)_ Ϸ ؼ Լ ۺκ Ʒ ̴: + (E)BP ÿ + (E)SP( ) (E)BP ͷ ű + Ѽ ڸ + Լ ͸ ÿ Ÿڸ Ʒ ̴(32bit): push ebp ;ȣϴ EBP frame mov ebp, esp ;ο EBP sub esp, xxxx ;xxxx Ʈ push esi ;ȣϴ push edi ... C/C++α׷ ȣ Լ ͸ ؾ Ѵ: (E)SI, (E)DI, (E)BP, (E)SP, CS, DS, SS. , ȣ Լ ͸ ٲ ̴. ࿡ ȣ Լ ̷ ͸ Ѵٸ(ESI EDI ̴ ̴), װ ÿ ؾ ̴. ׷ ȣ Լ ִ: (E)AX, (E)BX, (E)CX, (E)DX, ES. ̰͵ ʿ ִ. Ϸ Լ ۺκп ̷ ۾ ̴. _ENTER LEAVE_ 80286 ̻ μ Ư ߰ Ǿ. ƾ ȣ stack frame ʿ ޾ ؼ ٷ ENTER LEAVE̴. 80286̻ code generation Ȱȭ ¶, Ϸ ̷ ̴. Ʒ : enter xxxx, 0h ;xxxx Ʈ push esi push edi ... ENTER ɿ 0h level number̴. level 0 _enter_ Ʒ ļ stack frame : push ebp mov ebp, esp sub esp, xxxx level 0̶ ENTER θ(parent's) (E)BP ϰ, level (E)BP (E)BP Ѵ. ̷ , α׷ level ϴ ϰ ش. Լ level Ϸ Ѵٸ, Ʒ ڵ带 ̴: mov esi, [ebp-4] ;ֻ level (E)BP ; level (E)BP [ebp-8] mov eax, ss:[esi-8] ;ֻ level ù° ;ù° 32Ʈ ̸ ; [ebp-C] level 0 ̻󿡼 α׷ ENTER . Clarion α׷ ܴ. ֵ, level 0̻󿡼 ENTER stack frame ʿϴ. LEAVE ܼ (E)BP (E)SP Ѽ, ÿ stack frame ֹ. push ȣ Լ ư Ѵٴ ߿ϴ. ׷ ret ߸ (E)IP popϰ ̴. ̷ Լ κ Լ ùκа ´. ̹ Լ ùκп ߴ Ųٷ ϴ ̴. Ҵ Ѵٸ ڵ Ʒ ̴: .... 
pop edi pop esi add esp, xxxx pop ebp ret Ǵ LEAVE ̿ؼ: .... pop edi pop esi leave ret ó ִ. ڵ ݽ . δ Ϻκ ִ. ࿡ α׷ ʿ ʴ ̶ Ϸ stack frame ̴. 32Ʈ α׷ ʿ ebp stack frame ʾƵ ȴ. 32Ʈ ּ Ŀ Ϸ μ ּҸ ESP ִ. α׷ ɼ ִ ̴. ׷ ݱ 츮 ߴ ͵ ִ. ׾߸ α׷ ̴. _MFC message maps macro ؼ ȣǴ Լ_ ҽ ̿ ũ ó Դ κ ִ. α׷ MFC ̿ϰ ְ Ϸ(Watchcom Symantec ) װ ϰ ִ. ׷ κ ˾ƾ Ѵ. Ѵٸ κ ִ. ϴ κ ˾ ִ. .rdata κ Ű ִ hex editor ̿ ְ IDA Pro Search in Core ̿ ִ. message maps ˰ ִٸ ̴. װͿ ⼭ ʰڴ. MFC α׷Ӱ ƴ϶ George Shephered Scot Wingo Visual C++ Developer Journal Ǹ о ̴. ⼭ ٷ message maps AFX_MSGMAP_ENTRY̴. ȴ: struct AFX_MSGMAP_ENTRY { UINT nMessage; UINT nCode; UINT nID; UINT nLastID; UINT nSig; AFX_PMSG pfn; }; ù° ʵ ý ޽̴. ޽ Ǵ SDK װͰ . 츮 ɸ´ ߿ ޽ WM_COMMAND̴. װ 0111h ǰ 츮 ޴ ư Ŭ 찡 ޽̴. ι° ʵ WM_NOTIFYڵ带 Ÿ. ° ʵ ù° control ID̰ ׹° ʵ control ID̴. ϰ ġǾ ִ ¶( ư (radio button group)̳ ޴(cascading menu) ), ù° nID ġϰ nLastID ġѴ. ټ° ʵ ޽ ó Լ (signature)̴. ׸ ʵ ޽ ó Լ ̴. ̷ ˸ Ư ư̳ ޴ Լ ã ִ. disassemble ȭϷ ڿ ù° ̴. Visual C++'s resource editor ؼ ׷ ۾ Ѵ. ϴ κ ڿ ãƳ װ ID ˾Ƴ. ״ MFC α׷ ϳ disassembleؾ Ѵ.  MFC α׷̶ .   Լ α׷ (save) ޴ ٷ ̴ ˰ ʹٰ . resource eidtor Ҵ (Save) ޴ ID 57603̾. IDA Pro .rdataκ (View , Segment .rdata Ѵ). IDA "Search for Text in Core..." ̿Ѵ(Alt+B). ã "Ʒ" õǾ ִ Ȯϱ ٶ. ׷ ʴٸ Ҹ TABŰ ̿ؼ ã ٲ ش. ã ڿ 57603 decimal Ŭ OK . IDA Ʒ ϰ ̴ ̴: .... 0045C738 db 3 Ŀ ġ dword decimal ٲش. "o" "h" ̴(o dword ٲش, h װ dword decimal ٽ ٲش. ƴ DZ ȴ. . :). ׷ 57603̶ ̴. ׷ ʴٸ ã⸦ . ׷ Դٸ Ŀ ִ ó ִ 鵵 ٲ㺻. ׷ Ʒ ϰ ̴: .... 0045C730 dd 111h 0045C734 dd 0 0045C738 dd 57603 0045C73C dd 57603 0045C740 dd 0Ch 0045C744 dd offset loc_423280 .... 423280 κ ޽ ٷ Լ ã ̴. ̰ ƴϴ. ID ٸ class鿡 DZ .rdata ׸Ʈ ã⸦ ؾ Ѵ. ID ̴ ã Ʈ 캸Ƽ ˾Ƴ ̴. ߴ ó ٲ ָ ȴ. ȭ ȿ ư ã ִٸ ȭ ȿ ִ ٸ ư鵵 ִ. ޴ ã ִ. α׷ CView class ִٸ Ȱ ID Ÿ ִ ִٴ ̴. ͼ ̴. ؼ ̷ ϴ FRMSPY EXE2DPR 𸣰ڴ. ˰ ִ ̴. debugger ̿ϴ ٵ ̴. SoftICE stack ̿ؼ ã ̴. ׷ Ȯ ġ ã ؼ Ѵ. MFC ؼ ʺ. ׷ϱ ٸ ˰ ִٸ ֱ ٶ. ׷ ¿ ̴. _Լ Return _ Լ return ؼ . 32Ʈ α׷ Լ EAX return Ѵ. 16Ʈ α׷ 16Ʈ AX ϰ 32Ʈ DX:AX  Ѵ. α׷ ٸ Լ return  ִ. , Լ boolean Լ ij ÷ (CF) ϰ Ѵٴ ̴. 쿡 JC JNC ã ִ. 
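The AFX_MSGMAP_ENTRY layout above can be checked mechanically instead of toggling the display type in IDA. The following Python script is an added example; it is not part of the original page, of Rhayader's text, or of MFC itself. It unpacks a constructed little-endian byte string that stands in for a slice of .rdata holding message-map entries: the first entry mirrors the dump above (WM_COMMAND = 111h, nCode 0, ID 57603, nSig 0Ch, handler 00423280), while the second entry and the zero-filled terminating entry are made up for the example. It then looks up the handler for a control ID, honoring the nID..nLastID ranges used for radio-button groups and menu ranges.

```python
import struct

# 32-bit MFC AFX_MSGMAP_ENTRY: six 32-bit little-endian fields,
# nMessage, nCode, nID, nLastID, nSig, pfn -> 24 bytes per entry.
ENTRY_FMT = "<6I"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 24

WM_COMMAND = 0x111
CN_COMMAND = 0  # nCode used by ON_COMMAND / ON_COMMAND_RANGE entries

# Constructed sample of an .rdata message map (not a real binary).
# Entry 1 mirrors the IDA dump discussed above; entry 2 is a made-up
# ID range; the zero-filled entry is how MFC terminates a map.
SAMPLE_RDATA = (
    struct.pack(ENTRY_FMT, WM_COMMAND, CN_COMMAND, 57603, 57603, 0x0C, 0x423280)
    + struct.pack(ENTRY_FMT, WM_COMMAND, CN_COMMAND, 57600, 57602, 0x0C, 0x4233F0)
    + struct.pack(ENTRY_FMT, 0, 0, 0, 0, 0, 0)
)


def parse_message_map(data, offset=0):
    """Unpack AFX_MSGMAP_ENTRY records starting at offset until the
    zero-filled terminator (or the end of the buffer) is reached."""
    entries = []
    while offset + ENTRY_SIZE <= len(data):
        entry = struct.unpack_from(ENTRY_FMT, data, offset)
        if not any(entry):          # all fields zero: end of the map
            break
        entries.append(entry)
        offset += ENTRY_SIZE
    return entries


def find_command_handler(entries, control_id):
    """Return the pfn (handler address) for a WM_COMMAND carrying control_id,
    matching single IDs and nID..nLastID ranges; None when no entry matches."""
    for n_message, n_code, n_id, n_last_id, _n_sig, pfn in entries:
        if n_message == WM_COMMAND and n_code == CN_COMMAND and n_id <= control_id <= n_last_id:
            return pfn
    return None


if __name__ == "__main__":
    entries = parse_message_map(SAMPLE_RDATA)
    for e in entries:
        print("msg=%#x code=%d id=%d..%d sig=%#x handler=%#x" % e)
    print("handler for ID 57603: %#x" % find_command_handler(entries, 57603))
```

In a real session the byte string would come from reading the file at the .rdata offset the text search returned; the struct size and field order are the only things the script relies on, so the same parser works for any entry found that way.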
_Լ μ(Function Arguments)_ Լ μ  ˾ Ŀ ϱ Լ ȣϴ ̴ ӵ(calling convention) ؼ ʿ䰡 ִ. fastcall calling convention 찡 ƴ϶ Ϸ ȣ Լ μ ÿ Ѵ. Լ ȣ ӿ ؼ ˾ Լ μ ִ ˾ ̴. Լ ȣ   μ Լ Ѱ Լ  ؼ Ѵ. Ʒ ǥ Լ ȣ Ϻθ . _Լ ȣ _ _μ ѱ_ _ _ _Լ ̸ Ÿ(C only) _ __ __pascal ʿ . ȣ Լ ڽ μ ÿ ּ 16Ʈ Լ ̴ Լ κп __cdecl (C Calling Convention) ʿ ȣϴ Լ ÿ μ Լ ̸ տ . : _Foo CRT(C runtime library) . __stdcall ʿ ȣ Լ ڽ μ ÿ Լ ̸տ . Լ ̸ ڿ [@+(μ Ʈ 10 )] : _Foo@10 Win32 ̴ Լ κп __fastcall ó ΰ DWORD μ ECX EDX, ʿ ȣ Լ ڽ μ ÿ Լ ̸ տ @ . Լ ̸ ڿ [@+(μ Ʈ 10 )] :@Foo@10 ͸ ̿ϴ Ưϱ CPU . Borland Ϸ ̴ ⺻ Լ ȣ (Delphi ) thiscall this pointer ECX, μ ʿ ȣϴ Լ ÿ μ . C++ ڵ忡 ڵ naked ʿ ȣϴ Լ ÿ μ VxD . ˸: ǥ MSJ John Robbins ۿ Դ. "Penguin guy" Ǽ ʴ , Ϸ Ȯ ô. C++ Ϸ Ȯϰ ʹٸ C++ name mangling ϱ ؼ extern "C" ̿ϱ ٶ. Ϸ(MSVC 4.2) ִ Լ ȣ ɿ ΰ ִ. Pascal Լ ̴. pascal Լ ̸  ˰ ʹٸ ϱ ٶ. 츮 ´ ߿ κи ¤ Ѿ ̴:_μ ѱ_ _ _ װ̴. Դٰ κе "츮 " ݳ. : ) _μ ѱ_ κ α׷ Լ ȣ μ  ÿ pushǴ ش. μ _ʿ _ pushȴٸ, Լ Ǿ : _Լ (0x1000, 0x2000, 0x3000); Ÿ ̴: push 1000h push 2000h push 3000h call _Լ ... , μ _ _ pushȴٸ, ̴: push 3000h push 2000h push 1000h call _Լ ... μ _͸ ̿ؼ Ѱٸ_(: fastcall style): push 3000h mov edx, 2000h mov ecx, 1000h call _Լ ... push ϳϳ ؼ ̶ ϸ ȵȴ. Win32 α׷ heap ޸𸮸 ġϷ Ѵٰ . ׷ Ϸ HeapAlloc Լ ̴. ٸ heap ſ μ heap ʹٰ . ̴: LPVOID lpMem = HeapAlloc(GetProcessHeap(), 0, 1024); ׸ disassembly ҽ Ͽ Ÿ ̴: push 400h ;HeapAlloc μ push 0 ;HeapAlloc μ call ds:GetProcessHeap ;GetProcessHeap μ ʴ´. ; Լ push ;Ű澲 ʴ´ push eax ;GetProcessHeapԼ ;޸ HANDLE push call ds:HeapAlloc ; HeapAlloc μ óϱ Լ ȣ mov [ebp-20], eax ; LPVOID ͸ ... _ _ ؼ . retɿ ؼ μ pushDZ (E)SP ǵ ޴ ٰ ߴ ϰ ִ°? ؼ װ ̴. (E)SP ϴİ ̴. ȣ Լ Ѵٸ, Ʒ κ Լ κп ̴( Լ 32Ʈ Լ̸, 32Ʈ μ ´.): ... ;32Ʈ ڵ̴ pop edi pop esi add esp, 20h ret 0Ch ; , 12 Ʈ pop. ȣϴ Լ ϴ Ѵٸ, ȣϴ κ Ʒ ̴: ... ;32Ʈ ڵ̴ push 3000h push 2000h push 1000h call _Լ add esp, 0Ch ; , 12Ʈ pop. call add esp, xxxx Ŷ ϸ ȵȴ. ȣǴ Լ ϳ ΰ μۿ Ϸ ʿ Ϳ popų ֱ ̴. ó: ... ;32Ʈ ڵ̴ push 1000h ;μ ϳ call _Լ pop edx ; , 4Ʈ ;edx ʿ ־ mov edx, [ebp-20] ;ٸ edx غ Ŵ ... 츮 Լ 󸶳 μ ϰ ֳ ˾ ֵ ش(push ϳ ϳ ؼ ʴ ٴ ϶). 32Ʈ Լ 10h ÿ popߴٸ Լ 4 μ ϰ ִ ̴. Ѹ Win32 APIԼ μ 32Ʈ ̴. 
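The rule above (whoever cleans the stack tells you the convention, and the cleanup size tells you how many dword arguments there were) is easy to apply by hand but also easy to automate. The following Python script is an added example, not code from the original page or from Rhayader's text. It reads two constructed W32Dasm-style listings (addresses, opcode bytes and operands are made up for the example): a callee that ends in `ret 000C`, and a caller that pushes three dwords and then executes `add esp, 0000000C`. From these it reports the convention and argument count, and it also names every `[ebp+disp]` reference using the standard EBP frame layout after `push ebp / mov ebp, esp` (saved EBP at `[ebp+0]`, return EIP at `[ebp+4]`, first argument at `[ebp+8]`, locals below). For `__fastcall`/`thiscall` the register arguments are invisible on the stack, so the count is only a lower bound there.

```python
import re

# One line of a W32Dasm-style text listing: ":addr bytes mnemonic operands".
LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\w+)(?:\s+(.*))?$")
EBP_REF_RE = re.compile(r"\[ebp([+-])([0-9A-Fa-f]+)\]", re.IGNORECASE)

# Constructed callee: EBP frame, reads two stack arguments, pops 0Ch bytes
# itself on return -> stdcall-style with three dword arguments.
CALLEE_STDCALL = """
:00401000 55       push ebp
:00401001 8BEC     mov ebp, esp
:00401003 83EC10   sub esp, 00000010
:00401006 56       push esi
:00401007 8B4508   mov eax, dword ptr [ebp+08]
:0040100A 03450C   add eax, dword ptr [ebp+0C]
:0040100D 8945FC   mov dword ptr [ebp-04], eax
:00401010 5E       pop esi
:00401011 8BE5     mov esp, ebp
:00401013 5D       pop ebp
:00401014 C20C00   ret 000C
"""

# Constructed caller of a cdecl-style function: three pushes, the call, and
# the caller discarding the arguments with add esp, 0Ch.
CALLER_CDECL = """
:00402000 6800300000 push 00003000
:00402005 6800200000 push 00002000
:0040200A 6800100000 push 00001000
:0040200F E8ECF0FFFF call 00401100
:00402014 83C40C     add esp, 0000000C
:00402017 8BF0       mov esi, eax
"""


def parse_listing(text):
    """Return [(address, mnemonic, operands)] for every listing line that parses."""
    out = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((int(m.group(1), 16), m.group(3).lower(), (m.group(4) or "").strip()))
    return out


def callee_cleanup(instrs):
    """Bytes the callee pops itself: the immediate of 'ret N' (0 for a plain ret)."""
    for _addr, mnem, ops in instrs:
        if mnem in ("ret", "retn") and ops:
            return int(ops, 16)
    return 0


def caller_cleanup(instrs, call_addr):
    """Bytes the caller discards immediately after the call at call_addr:
    'add esp, N' or a run of pops into scratch registers (4 bytes each)."""
    freed, after = 0, False
    for addr, mnem, ops in instrs:
        if addr == call_addr and mnem == "call":
            after = True
            continue
        if not after:
            continue
        if mnem == "add" and ops.lower().startswith("esp,"):
            freed += int(ops.split(",")[1], 16)
        elif mnem == "pop":
            freed += 4
        else:
            break          # cleanup ends at the first unrelated instruction
    return freed


def infer_convention(callee_bytes, caller_bytes):
    """Name the convention from who cleans the stack and count dword arguments.
    Register-passing conventions (fastcall, thiscall) hide some arguments."""
    if callee_bytes and not caller_bytes:
        return "stdcall", callee_bytes // 4
    if caller_bytes and not callee_bytes:
        return "cdecl", caller_bytes // 4
    if not callee_bytes and not caller_bytes:
        return "unknown (no stack arguments, or register-passed)", 0
    return "inconsistent (stack cleaned by both sides?)", 0


def name_frame_slot(sign, disp):
    """Meaning of [ebp+disp] in a function that set up push ebp / mov ebp, esp."""
    if sign == "-":
        return "local at -%#x" % disp
    if disp == 0:
        return "saved EBP"
    if disp == 4:
        return "return EIP"
    return "arg%d" % ((disp - 8) // 4 + 1)


def annotate_frame(instrs):
    """Return {operand text: meaning} for every ebp-relative reference."""
    names = {}
    for _addr, _mnem, ops in instrs:
        for m in EBP_REF_RE.finditer(ops):
            names[m.group(0)] = name_frame_slot(m.group(1), int(m.group(2), 16))
    return names


if __name__ == "__main__":
    callee = parse_listing(CALLEE_STDCALL)
    print("callee:", infer_convention(callee_cleanup(callee), 0), annotate_frame(callee))
    caller = parse_listing(CALLER_CDECL)
    print("caller:", infer_convention(0, caller_cleanup(caller, 0x40200F)))
```

The two halves are kept separate on purpose: the callee's `ret N` can be judged from the function alone, while cdecl cleanup is only visible at the call site, so an analyst has to look in both places before deciding how many arguments a function really takes.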
ǥ κ C Լ ȣ Ӹ ȣ Լ Ѵٴ ̴. C α׷ Լ μ ִٴ ϳ ̴. printfԼ . ȣǴ Լ μ  ̸ Ƿ Լ ȿ ̴. ȣϴ κ ؾ ϴ ̴. ̰ Ϻ Win32 API stdcall Լ ȣ , C Լ ȣ ̴. wsprintf Լ ϴ α׷ ̴. α׷ disassemble Լ μ ִ ˰ ʹٸ, 켱 ؾ Լ  Լ ȣ ִ ϴ ˾Ƴ ̴. Լ  Լ ȣ ִ ˾ ̴. ̹ ѹ ڴ(Ƹ push 1000h ܿ ̴ :). Win32 ȭ ν: LRESULT CALLBACK AboutProc(HWND hDlg, UNIT msg, WPARAM wParam, LPARAM lParam) Լ Լ óκ (, move ebp, esp ), Ʒ ̴. _ _ _ּ_ __ lParam [EBP+14h] ȣϴ κп push wParam [EBP+10h] ȣϴ κп push msg [EBP+0Ch] ȣϴ κп push hDlg [EBP+08h] ȣϴ κп push return EIP [EBP+04h] CALL ɿ push Previous EBP [EBP+00h] Լ ó κп push [EBP+08h] ּҸ ڵ尡 Լ ڵ ȿ ִٸ, κ hDlg ϰ ִٴ ִ. [EBP+08h] [hDlg] ٲ ִ. [EBP+0Ch] [msg] ٲ ִ. ⼭ ߿ (׸ ؾ ): _Լ (E)BP stack frame Ѵٸ_ _Լ μ (E)BPκ ¿ ִ_ ̴. ̰ 16Ʈ ڵ忡 ̴. 16Ʈ ڵ忡 μ 16Ʈ ṵ̃, Ÿ ȣ CS ÿ pushȴ. CS pushǰ([BP+04h]), IP pushȴ([BP+02h]). μ( ̴) ˾ , Win32 α׷ ˰ ִٸ ô̳ ȴ.  α׷Ӱ handle ִ. ࿡ ִ Լ ȣϰ ִ κ Win32 GetParent()Լ ȣߴٰ . 츮 ִ Լ ȣ κп شٸ Լ hwndParent ʴ´. CreatFile()Լ ؼ ޴ handle Ͽ handle ִ´. ũ ϱ disassemble ϰ ְ, Լ ȣ κ ȭڸ ϱ ؼ hwndParent Ѱٸ װ  ̰ ִ Ű澲 ʾƵ ȴ. ̿ ̷ μ Բ ȣǴ Լ ʾƵ ش. ʹ Լ ٸ ٲ ִ. ̷ disassembly Ÿ ʴ´.  32Ʈ 32Ʈ ̴. װ ڿ structure ̴. ׷ ̸ Ǹ ؾѴ. ׷ ƴ ִ. 32Ʈ α׷ Ϸ [ESP+20h]ó ESP μ ּ ϱ⵵ Ѵ. ̷ ٸ ̸ ؾ Ѵ. ÿ  pushǰų pop ESP ٲ ̴. [ESP+20h] Ǿ ִ ڿ ߿ Լ ΰ DWORD ÿ pushѴٸ [ESP+28h] ٲ ֱ ̴. 츮Դ ེԵ IDA Pro disassembler ִ. IDA Pro disassembler ȿ μ ̸ ٲ ִ. ׸ EBP̰ ESP̰ IDA Pro ǹٸ ̸ ٲ ̴. _ ˾Ƴ_ _ _ Լ ÿ ȴ. Ϸ ͸ ̿ؼ ϴ 쵵 ִ. ׷ Ư Ͱ Ư ɿ ̱ (MOVSD EDI ϰ, īͰ ʿ ɿ ECX ϰ, IDIVɿ EAX ó), Լ Ǵ ؼ ϴ ͸ ϴ 幰. ߿ _Լ (E)BP stack frame _ (E)BP ¿ ġѴ_ ̴. Լ μ ּ ESP ߴٸ ּ ESP Ѵٴ ̴. Լ ESP , μ ESP ¿ ġѴ. 캼 Լ Լ ȣ ٸ . ٸ naked Լ ȣ ε, α׷Ӱ Լ ̴. ˾ μ ˾ ó ƴϴ. μ push ؼ װ 16Ʈ 32Ʈ ־. ˾ ؼ Ư  ̴ Ѵ. ޺κп  ؼ ̴. Լ ŭ Ʈ ̴ ִ. 츮 sub esp, xxxx ɾ Լ ùκп Ҵٸ, xxxx ٷ Լ ʿ ϴ Ʈ ̴. _ü (Global Variables)_ Լ ̴ ü ϴ . ü EBP ESP ּ ϴ. Ҵٸ: mov eax, [00421EB0] 츮 Լ ü ִ ִ. ׷ ϴ ϴ . Լ װ  ϴ ˾ƾ Ѵ. disassembler װ ٲپ (ü ּҰ Ǿ disassembler ãƳ ɿ ), ׻ ƴϴ. disassembler Ÿ ̴. 츮 Ӹ ̴. : ) 16Ʈ α׷ ü ̸ ٲ ؾ Ѵ. ׸Ʈ(DS Ǵ ES) Ű ִ 켱 Ȯؾ Ѵ. _ ˾Ƴ_ ̹ Win32 API  Լ μ ϴ ߴ. Ȱ ϴ δ. Լ ִ ϰ , Win32API ãƾ Ѵ. Win32 API ̴ ̸ ٲ ִ ͸ ҽ ξ ִ. ڵ带 : ... 
push offset 00423440 lea edx, [ebp-5BOh] push edx push offset 0041EC2C push offset 0041EC34 call ds:WritePrivateProfileStringA ... API 򸻿 , WritePrivateProfileStringԼ ȴ: BOOL WritePrivateProfileString( LPCTSTR lpAppName, // pointer to section name LPCTSTR lpKeyName, // pointer to key name LPCTSTR lpString, // pointer to string to add LPCTSTR lpFileName // pointer to initialization filename ); 00423440 .INI ̸ ã ִٴ ȴ. ׸ [EBP-5B0h] key ڿ̴. 0041EC2C 0041EC34 szKey szSection ٲ ִ. μ ˾Ƴ ִٸ ޴ (return value) ˾Ƴ ִ. Ʒ : ... call ds:_hread mov [ebp-40h], eax ... API 򸻿, _hread о Ʈ شٴ ִ. ̹ ٴ, return value eax ȴ. [EBP-40h] о Ʈ dword ̴. Ƹ װ dwRead ̸ ĥ ̴. ӽ δ. ׸ α׷ װ ٸ ִ. ̸ ٲ α׷  ̴ ׻ Ȯؾ Ѵ. װ ؼ  Ư ̰ ִٸ Ƹ ̴. 򿡴 IDA Pro disassembler ̷ ͵ ر ÷ȴ. Win32 API ִ ġ ƴ϶ FLIRT , IDA Pro 츮 Լ CRT(C runtime library), MFC classes, Delphi function, Borland's VCL function ش. ࿡ Delphi α׷ Ѵٸ, Peter Sawatzki ٿε Delphi FLIRT library ٿ ִ. α׷ ˷ API ʴ´ٸ ˾Ƴ ̴. ˾Ƴ boolean ̴. Ʒ ڵ带 ٸ: ... move eax, [ebp-40h] test eax, eax jz 41453D_ּ ... [EBP-40h] Ƹ BOOL ã ̴. ˾ ִ ϳ for īͰ ִ. C for Ʒ δ: for (i=0; i Ʒ ڵ带 ڼ ٶ. [EBP-164h]  ̴ : ... mov dword ptr _[ebp-164h]_, 0 ;[ebp-164h] ʱȭ jmp short 41453D_ּ ;41453D_ּ 41452E_ּ: mov ecx, _[ebp-164h]_ ; ѹ [EBP-164h] inc ecx ; mov _[ebp-164h]_, ecx ; 41453D_ּ: cmp dword ptr _[ebp-164h]_, 400h;[ebp-16] > 1624 ? jnb short 414567_ּ ;ũٸ б ... ;ٸ ... ;̿ϴ ڵ ... ; ϱ jmp short 41452E_ּ ;ǵư 414567_ּ: ...  Ǵ ˰ڴ°? ´ [EBP-164h] ī̴. C α׷Ӱ ƴ϶ ִ ̴. C α׷Ӵ ī͸ ʴ´. ࿡ ҽ Ͽ for ã ´ٸ κ ٸ Լ for ī͸ ٽ ̴. α׷Ӱ for ϳ array ű ̴. Ʒ ڵ κп ű ̴: mov eax, [ebp-164h] mov edx, ds:00423194[eax*4] ڵ忡, [EBP-164h] ds:00423194h ִ array ǵ ü ϰ ִ. array 32Ʈ ̴. װ īͰ 4Ʈ([eax*4]) ϴ ̴. array CHAR(1 Ʈ)̾ٸ ڵ ̴: mov eax, [ebp-164h] mov edx, ds:00423194[eax] array װ ű ڵ尡 ó ̴. DWORD array disassemble ̴: mov eax, [ebp-164h] mov edx, [ebp+eax*4-40h] ڵ忡 [EBP-40h] ϴ DWORD array ã ̴. ̴. Ϸ ڵ带 ִ. ˾Ƴ ⿡ . ϴ Ȯ ̴. Disassembling Ȯϰ ˾Ƴ . Լ ˾Ƴ Ȯϰ Ŷ ϸ ȵȴ. Ÿ ̿ϴ ٴ ҽ ̿ϴ Ѵ. disassembly 츮 ִ û̶ ϸ ȴ. ſ ʸ ִ ؼ 3MB α׷ disassembleϷ ٷ Ѵٸ ȵ ̴. disassembleϳ, ؼ Ѵ. 
Ÿ ̿ ũ ߿ Լ ȥ ɼ ũ. ߴ ޴޸ ٴ Լ 캻. װ GetLastError ȣϴ call ( ׷ ϴ°? ;) ------------------------------------------------------------------------------- Rhayader ű ̶ ٽ ϴ. Page 4 26. All Apologies 26. All Apologies ̹ α׷ K.Ƿ()̶ α׷Դϴ. ø ϳ  ƴ ȭȣ Ҿ ڹް α׷ ϴ. ̷ α׷ ִٴ ˰ , 쿬 Ź 翡 ϴ. ο Ʈ ̾ ϴ 簡 Ǹ ־ϴ. о߿ 2000 KǷ, Ͼ , ѱ98 ־ϴ. ϴ PC ڷǿ ϱ KǷ() ִ. ڷǿ Ұ ۿ ̶ ִ 50 Ǿ ְ ٰ ߽ϴ. ޿..  ũؾ ? ϵ κ ſ. ׸ Ȯ 50 Ѱ Ϸ Ѵٸ ϽŰ ʰ. 츮 κ ãƼ 50 Ѿ ϽŰ ָ ǰ? ׷ Ȥ ̷ Ͻô 𸣰ڽϴ. α׷ ü 50 Ÿ ó ֵ ϳ..ϴ ̿. ׷ϱ ܼ ϵ Ȯϴ ƴ϶ ƿ 50 ̻ Ÿ ó ƴұ. ׷ ? Ƹ +ORC ¸ о ż α׷Ӱ  ˰ е̶ ̷ ̶ ˰ ſ : ) 6, 740, 640 Ʈ Ŵ ũ ٿ ޾ҽϴ. ׸ ġ ϴϱ ִ. ߿ K.Ƿ 1, 924, 608 Ʈ ũ(k_his.exe)Դϴ. 켱 50 ̻ Ͻ . ׷ α׷  ϴ ϴϱ. 50 ̻ ô 52° ۻڰ Ƣ Խϴ. ۻڸ ϱ MessageBoxϴ. ǥ ִ. ׷ Sice Bpx MessageBoxA ߴ , ٽ ѹ 52° Ͻ . ϽŰ '' ư Sice ȭ ϴ. F11 MessageBoxA ȣ ã * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0044C7B5(C) ; | :0044D1F1 68FF000000 push 000000FF :0044D1F6 6830655300 push 00536530 * Possible Reference to String Resource ID=17431: " X? ; ڿ ڿ | ; Ⱥ ˰? :0044D1FB 6817440000 push 00004417 :0044D200 A144565300 mov eax, dword ptr [00535644] :0044D205 50 push eax * Reference To: USER32.LoadStringA, Ord:0177h | :0044D206 FF150C8B5300 Call dword ptr [00538B0C] :0044D20C 6A10 push 00000010 * Possible StringData Ref from Data Obj ->"50" ;50..̶ ڱ | :0044D20E 68CC5F5200 push 00525FCC :0044D213 6830655300 push 00536530 :0044D218 8B4508 mov eax, dword ptr [ebp+08] :0044D21B 50 push eax * Reference To: USER32.MessageBoxA, Ord:0188h | :0044D21C FF15108B5300 Call dword ptr [00538B10] ; ִ ڵ W32DASM disassemble Ϳ Ϻθ Ű Դϴ. κ ȣ Sice ãư ƴ Ƽ W32DASM disassemble߽ϴ. ֵ ۻڸ ȣ 0044C7B5Դϴ. б(Conditional Jump) Ա. ã ô. :0044C7AE E893180600 call 004AE046 ;50 ̻ΰ Ȯ :0044C7B3 85C0 test eax, eax ;50 Ѿ? :0044C7B5 0F85360A0000 jne 0044D1F1 ;Ѿ б->MessageBoxA :0044C7BB 68B6140000 push 000014B6 :0044C7C0 8B4508 mov eax, dword ptr [ebp+08] :0044C7C3 50 push eax ܼ ִ б(jne 0044D1F1) ָ ɱ? call 004AE046 ǽɽ call̶ Ȯմϴ. б⸦ ϴϱ. Ȥ 004AE046 κ ȣϴ ٸ ִٸ κ б⸦ ġ ͸δ ϴ. call 004AE046 ȣϴ ã . 
⼭ eax(Լ ) 0̸ 50 ̰ 0 ƴ ̶ 50 ̻ ̶ ٽ ѹ ϰ Ѿô.(test eax, eax/jne 0044D1F1 ƽ?) :004AE046 55 push ebp :004AE047 8BEC mov ebp, esp :004AE049 83EC04 sub esp, 00000004 :004AE04C 53 push ebx :004AE04D 56 push esi :004AE04E 57 push edi :004AE04F A174645300 mov eax, dword ptr [00536474] :004AE054 50 push eax * Reference To: c4dll.d4recCount, Ord:007Ch | :004AE055 E8C43F0600 Call 0051201E :004AE05A 8945FC mov dword ptr [ebp-04], eax ;[ebp-04]=ϵ :004AE05D 837DFC32 cmp dword ptr [ebp-04], 00000032 ;ϵ > 50 ? :004AE061 0F8E0F000000 jle 004AE076 ;ϵ > 50 ̶ :004AE067 B801000000 mov eax, 00000001 ;eax 1 ű :004AE06C E90C000000 jmp 004AE07D ;ret :004AE071 E907000000 jmp 004AE07D * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004AE061(C) | ;ϵ ʹϴ .  ̷ 鿩 ̰ protection scheme ٴ.. ̻ Ÿ ʿ䵵 ? 32h(10 50) ͵ ƹ Ӽ ׳ 豺. κ ڵ带 ġ ְ 004AE067 ִ mov eax, 00000001 mov eax, 00000000 ϴ. ׷ϱ B801000000 B800000000 ٲپ ִ ſ. ׷ ϵ 50 ̻̰ ̰ eax 0 ˴ϴ. ٷ eax Ʊ Ҵ test eax, eax/jnz 0044D1F1 ۻڴ Ǵ ſ. ణ ڼ ͵ , ۵ о ʺ ũĿ ϼ Ŷ մϴ. Page 4 27. FAGET 27. FAGET ƹ ġ ̶ űϰ (?) ̶ ֽϴ. ִ ͵  ؼ ̴ ϱ,  ˰ ʱ ϴ ͵ ̿. ޸ ҳ̶󼭰 ƴ϶ ûؼ ׷ ϳ ϴ. ׷ Ȱ ũ ϴٰ ׷ ֽϴ. SoftICE Ŵ Ǹ ϴ Դϴ(ϱ 'ǻ' ü űմϴ). ű߽ϴ. SoftICE ִ ɷ̶ ̿. '' ϴ. а ̶ Ƹ κ SoftICE Ŷ մϴ. ׸ κ ٸ 'ũĿ' ˷ Ϲȣ ϼ ̱. а __ ̸ __ Ϲȣ SoftICE ſ. , ׷ ϸ NuMega Ʈ _׷̵_ ſ. Ʊ ó SoftICE Ǹ Ŷ մϴ. ¥ ''ؼ ᵵ Ʊ Ǹ α׷̶ մϴ. ߿ ó ҽ л ִ ƴϰ. а , (?) ߽ϴ. Ƽ 帮 SoftICE --------------------------------- _NuMega SoftICE_ version 3.25 --------------------------------- This program is registered to: +kurt nowhereland 4811-2345FF-FF --------------------------------- . ִ '' Ͻ ð? а Ϲȣ ٵ ̿(, ̹ ''ؼ ݾƿ?). ׳ Ƽ 帰 ſ. Ʒ ̰ ׷ ƴ ϴ. л̳ л ۿ , ϴٴ . ------------------------------------------------------------------------------- _How to trick Numegas registration routines(and to download everything you want from Numega's site) disassembling Softice itself by +OCHE SATRIANI's &+OBLLEK's _ ó SOFTICE ٿ CRACKSTORE's page . 'Ƹٿ ' ð ɷȴ 𸣰ڴ. 3ð ͳݿ Ÿ ִ ˸ 츮 ̷ ̴. ׷ ð ũĿ DZ ؼ ó ̾. ٿ FOSI ϴ Ϲȣ α׷ ġߴ. , ó, ־. (CRACKER's page Ϲȣ) NUMEGA's PAGE softice Ʈ Ϸ ߴ. 
 ? There has been a problem processing your request because the file has been downloaded an excessive amount of times. Error 100 Please contact Customer Service ¼ SOFTICE Ʈ ϱ û ۼؾ ϴ ۼߴ, ̷ ޽ Դ. NuMega Product Registration You have used a test serial number. Please use your back button to return to the form. ... ̷ ٺ϶. Ƹ NUMEGA Ϲȣ BLACKLIST ÷ ҳ. ø , SOFTICE ġ Ϲȣ ̶ . ׷ ׷... ڱⰡ ؾ Ų NUMEGA 츮 SOFTICE Ʈ ϴ ž! _[WARMING UP]_ , SOFTICE ġ . ¼ ¼ .... ̰ , , ۾ , InstallShield ̸ ҼӰ Ϲȣ ´. ̸ Ҽӿ ƹ ų ְ, Ϲȣ 1234-567890-AB ƹ Ϲȣ . ߴ  ؾ Ҵ ϱ, BPX SENDDLGITEMMESSAGEA ٴ ˾Ҵ(SENDDLGITEMMESSAGEA  Ǵ ñϴٸ WINAPI ϶. WINAPI ʴٸ http://www.crackstore.com/tools.htm ٶ). 켱 PROTECTION ִ ˾ ̴. װ ã Ʊ ٷ ̴. _[YES I'VE FOUND IT!]_ ã ´ٰ? , ģ. .  ư ֳ . ִ ˰ ִ°? 𸥴ٰ? SOFTICEȭ鿡 NMINST32! .text+0E44 ̴°? NMINST32.DLLȿ ִٴ ̴ : ) ׷ ؼ . :10001E44 FFD5 call ebp :10001E46 8D7C2418 lea edi, dword ptr [esp+18] ----------------- ----------------- ----------------- :10001E87 8D442410 lea eax, dword ptr [esp+10] :10001E8B 50 push eax :10001E8C 6800620110 push 10016200 ù° ǥ :10001E91 E81A800000 call 10009EB0 :10001E96 83C408 add esp, 00000008 ġ :10001E99 85C0 test eax, eax :10001E9B 7542 jne 10001EDF :10001E9D 8D442410 lea eax, dword ptr [esp+10] :10001EA1 50 push eax :10001EA2 68A0620110 push 100162A0 ι° ǥ :10001EA7 E804800000 call 10009EB0 :10001EAC 83C408 add esp, 00000008 :10001EAF 85C0 test eax, eax :10001EB1 752C jne 10001EDF :10001EB3 8D442410 lea eax, dword ptr [esp+10] :10001EB7 50 push eax :10001EB8 6850620110 push 10016250 ǥ :10001EBD E8EE7F0000 call 10009EB0 :10001EC2 83C408 add esp, 00000008 :10001EC5 85C0 test eax, eax :10001EC7 7516 jne 10001EDF :10001EC9 8D442410 lea eax, dword ptr [esp+10] :10001ECD 50 push eax :10001ECE 68B0610110 push 100161B0 ǥ :10001ED3 E8D87F0000 call 10009EB0 :10001ED8 83C408 add esp, 00000008 :10001EDB 85C0 test eax, eax :10001EDD 740F je 10001EEE :10001EDF 68D0660110 push 100166D0 ֵ Ȱ call ȣϰ ִ. call 10009EB0 װ̰, call ȣDZ ĶͰ pushȴ. . 
_ù° Ķ_ lea eax, dword ptr [esp+10] ----------> EAX  ּ ȴ push eax SOFTICE EAX ̴: 123.....AB.890.. ˰ڳ.....? 츮 ߿ ó 11°, 12°, 8°, 9°, 10° ڸ ؼ ù° Ķͷ ̴. [׷ ڴ ʿ ڳ]........ ̷ ߴٸ ߸ ̴. ڵ ¥ Ϲȣ ̱ ̴! _ ° Ķ_ PUSH 10016200 ù° ǥ ÿ ϰ, PUSH 100162A0 ι° ǥ Ѵ. ù° ǥ Ʒ ̴: 190 400 401 410 411 420 421 430 431 480 481 ι° ǥ ù° ǥ 190 191 ٲ._ ó ڷ ΰ ϳ ִٴ ̴_, ϳ . CALL 10009EB0 ´, װ ? ߿ , CALL ƿ EAX 0̾ ȵȴٴ ̴. EAX 0̶ JNE 10001EDF б ̱ ̴. _[INSIDE THE CALL 10009EB0]_ :10009EB0 8B4C2408 mov ecx, dword ptr [esp+08] ECX = 123.....AB.890.. :10009EB4 57 push edi :10009EB5 53 push ebx :10009EB6 56 push esi ____________ 츮 ù° ڸ :10009EB7 8A11 mov dl, byte ptr [ecx] | DL ű :10009EB9 8B7C2410 mov edi, dword ptr [esp+10] | EDI = ù° ǥ :10009EBD 84D2 test dl, dl | :10009EBF 7469 je 10009F2A | :10009EC1 8A7101 mov dh, byte ptr [ecx+01] | ι° ڸ DH ű :10009EC4 84F6 test dh, dh | :10009EC6 744F je 10009F17 ____________| ù° ι° ڸ ʾҴٸ call * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:10009F02(C), :10009F15(U) | :10009EC8 8BF7 mov esi, edi :10009ECA 8B4C2414 mov ecx, dword ptr [esp+14] :10009ECE 8A07 mov al, byte ptr [edi] :10009ED0 46 inc esi :10009ED1 38D0 cmp al, dl :10009ED3 7415 je 10009EEA ---------> ڰ ٸ ڸ . _[THE CALL 10009EB0 CONCLUSION]_ 1234-567890-AB ƹԳ Ϲȣ ־ , Ϲȣ ó ( , 123) 190 񱳵ȴ. ࿡ ʴٸ 400 񱳵ǰ, ʴٸ 401... ̷ ؼ 񱳵Ǿ 481 񱳵ȴ(׷ϱ ǥ ִ ο 񱳵Ǵ ̴). 찡 ù . ٷ XOR EAX, EAX Ǿ EAX 0 ̴. ׷, ó ڴ ݵ ǥ ȿ ִ ϳ ƾ ϴ ̴. ׷ ⼭ Ʊ 츮 ־ Ϲȣ 1900-123456-78 ٲ(ǥ ߿ ɷ ƹ ̳ ȴ!) * ǥ Ư ǹ̰ ִ. װ͵ ׽Ʈ غ ٶ. _[JNE 10001EDF]_ ׷ Դٸ ù° PROTECTION ѱ ̴. ׷ 10001EDF б. :10001EDF 68D0660110 push 100166D0 :10001EE4 E8C77B0000 call 10009AB0 ?????????????? :10001EE9 83C404 add esp, 00000004 :10001EEC 8BF0 mov esi, eax :10001EEE 85F6 test esi, esi :10001EF0 7549 jne 10001F3B CALL 10009AB0 EAX 0 Ǹ ȵȴ. EAX=0̶ ESI=0 ̰, ׷ٸ 10001F3B б ʴ´. ׷ Ǹ Ϲȣ Ʋȴٴ ۻڰ Ƣ ȴ. 
_[INSIDE THE CALL 10009AB0]_ :10009AB0 83EC34 sub esp, 00000034 :10009AB3 33C0 xor eax, eax ----------------- ----------------- ----------------- ----------------- ----------------- :10009B0F 83C408 add esp, 00000008 :10009B12 85C0 test eax, eax :10009B14 7408 je 10009B1E 㵵 ڵ κ̴!!! ƹư JE 10009B1E Ǻб̴.  Ǿ Ʒ ̴ бȴ: :10009B1E 6840630110 push 10016340 * Reference To: KERNEL32.LoadLibraryA, Ord:018Eh ___ | | :10009B23 FF15D4E10110 Call dword ptr [1001E1D4] | UTILITY.DLL Ȯ :10009B29 8BF8 mov edi, eax | :10009B2B 85FF test edi, edi | :10009B2D 752F jne 10009B5E __| SOFTICE ȭ鿡 ޽ ̴: WINICE:Load 32 .......¼ ¼ ..... Mod=UTILITY UTILITY.DLL̶ Ҹ DLL C:\WINDOWS\TEMP\_ISTMP0.DIR ε εǴ DLL ؼ ڼ ˰ MOD UTILITY ƶ. ׷ DLL PATH ִ ̴. ƹư װ DLL ֳ Ȯϴ κ̴. ࿡ DLL ٸ ERROR VALUE ۻڸ ̴. 츮 ϵ ũ ϰ DLL ϰ ϱ, ʿ . * Possible StringData Ref from Data Obj ->"DigitCheck" | :10009B5E 68AC3F0110 push 10013FAC :10009B63 57 push edi * Reference To: KERNEL32.GetProcAddress, Ord:0115h | :10009B64 FF15C4E10110 Call dword ptr [1001E1C4] :10009B6A 85C0 test eax, eax :10009B6C 740E je 10009B7C :10009B6E 8D4C2408 lea ecx, dword ptr [esp+08] :10009B72 51 push ecx :10009B73 FFD0 call eax ---------> ̰ 캼 Call̴ :10009B75 83C404 add esp, 00000004 :10009B78 8BF0 mov esi, eax :10009B7A EB2D jmp 10009BA9 κ CALL EAX UTILITY.DLL ȣϰ ִ. DLL  ̰, ٷ κ 񱳺κ ִ ̴. _[CALL EAX]_ Exported fn(): DigitCheck - Ord:0001h :10001110 56 push esi :10001111 B9FFFFFFFF mov ecx, FFFFFFFF ----------------- ----------------- ----------------- ----------------- ----------------- :1000113D E87E010000 call 100012C0 ¥ Ϲȣ :10001142 33C0 xor eax, eax --->EAX = 0 (ù° ڸ Ŵ) _______ :10001144 8A8814B30010 mov cl, byte ptr [eax+1000B314] |¥ Ϲȣ :1000114A 328810B30010 xor cl, byte ptr [eax+1000B310] | ٽ :10001150 0A0D17B30010 or cl, byte ptr [1000B317] |ݺ :10001156 888818B30010 mov byte ptr [eax+1000B318], cl | :1000115C 80C930 or cl, 30 |[1000B318] :1000115F 888818B30010 mov byte ptr [eax+1000B318], cl | _______| :10001165 80F939 cmp cl, 39 |ΰ? 
:10001168 7609 jbe 10001173 |ƴ϶ ĺ :1000116A 80C107 add cl, 07 |ٲ :1000116D 888818B30010 mov byte ptr [eax+1000B318], cl ______|. :10001173 8A90E8B20010 mov dl, byte ptr [eax+1000B2E8] 츮 Ϲȣ :10001179 8A8818B30010 mov cl, byte ptr [eax+1000B318] ¥ Ϲȣ :1000117F 3AD1 cmp dl, cl , ? :10001181 740C je 1000118F ______ :10001183 80C920 or cl, 20 | ʴٸ :10001186 A30CB30010 mov dword ptr [1000B30C], eax |ҹڷ :1000118B 3ACA cmp cl, dl | :1000118D 7513 jne 100011A2 ______| б * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:10001181(C) | ___ :1000118F 40 inc eax | 4 ۿ :10001190 A30CB30010 mov dword ptr [1000B30C], eax | 񱳸 ʴ :10001195 83F804 cmp eax, 00000004 | PROTECTION :10001198 7CAA jl 10001144 __| [1000B318] ¥ Ϲȣ ְ, 츮 Ϲȣ [1000B2E8] ִ. 츮 Ϲȣ 1900-123456-78̾ٴ ϴ°? 񱳺κ ( , 5678) ¥ Ϲȣ Ѵ. ʴٸ ҹڷ ٲ㼭 Ѵ. ׷ ʴٸ XOR EAX, EAX κ (׷ !) ¥ Ϲȣ 츮 Ϲȣ . ׷ϱ 츮 Ϲȣ κ Ŷ ߸ ̴. κп EAX ̴: EAX '' ڸ Ű ̴. 1000118F ִ INC EAX Ȯ ̴. _[THE LAST PART] _ NUMEGA's page SOFTICE . 1ܰ http://www.numega.com/support/register.asp Ϲȣ ִ´. ׷ Ʒ Ƹٿ ޽ ̴: NuMega Product Registration Thank you, OCHE SATRIANI, for registering your NuMega solution. As a registered user, look forward to exciting updates and announcements. 2ܰ http://www.numega.com/support/updates/updates.shtml SOFTICE Ʈ . 1900-xxxxxx-xx Ϲȣ SOFTICE 3.24 Ʈ ϴ ִٰ . ׷, 4xxx-xxxxxx-xx Ϲȣ ־ Update Status The following component versions are available: + BC 5.0 Standard - Version 5.03 + BC 5.0 Visual C++ - Version 5.03 + SI 3.20 Windows 95/98 - Version 3.24 + CodeReview 5.0 - Version 5.01 + FailSafe 5.0 - Version 5.21 + TrueTime 1.x Visual Basic Edition - Version 1.20 + SI 3.20 Windows NT - Version 3.24 *Ʊ и ǥ ִ Ư ǹ̸ ִٰ ߴ. ̴. _[SOCIAL ENGINEERING]_ NUMEGA ִ ʴ. GARY TAN(Numega ƽþ- ), ϵ ǰ ִµ ٸ ǰ  Ʈ ϴ CD-ROM Ʈ Ϸ  ؾ ϴ Ϸ , ״ û Դ. йȣ ָ鼭 http://www.numega.com/downloads/start.shtml URL ־. װ ׷ ûѰ ϴ . ֳϸ URL SMARTCHECK Ǹ Ʈ ־ ̴. Ʈ , װ͵ Ϲȣ ˾Ƴ ̶ ȮѴ. ״ ̷ ߴ: Ʈ ҹ SoftICE ̻ 츮 ٿ ϴ.(...) ŵ Ӽ ٶ. FX38xx йȣ  ߴ  ٰ غ, û ̶ ſ йȣ 𸣴 ƴѰ. 
ó: info@numega.com Better be QUICK don't let NUMEGA recognize your newly reversed SN# again, coz it's STILL FRESH FROM THE OVEN ! OE'97 ITS 4397100xxx GREAT THANKS to +MaLaTTiA + OCHE SATRIANI + OBLEK oche_satriani@start.com.au oblek@start.com.au ------------------------------------------------------------------------------- Page 4 28. I Hate Myself And Want To Die 28. I Hate Myself And Want To Die ȳϼ. ̹ ۿ SoftICE Key Generator ⸦ Ϸ մϴ. KeyGen ̹ ° dz׿. PicaView ̴ϱ. ̱ (FAGET) о ̶ ſ. (+OCHE SATRIANI, +OBLLEK) Ƹ 츮 ʺ ũĿ ַ KeyGen ڼ ʾҳ ϴ. ̹ 'ϵ(?)' SoftICE ϱ, KeyGen , ̶ ſ.  ũĿ ϼ̵ ũĿ α׷ ڱⰡ ũϴ ͸ ƴݾƿ(ٸ ũĿ ׷, ũ ϰ α׷ ϴ, SoftICE ׷). ٽ 帮 KeyGen ʿ Ʈ (FAGET) Խϴ. ׷ϱ о ñ , о ð, ȥڼ KeyGen . ׷ ŭ ûϰ KeyGen ݾƿ. Ҹ ⼭ ġ, . ڼ ϰڽϴ. FAGET ϱ. Ʒ . :10001110 56 push esi :10001111 B9FFFFFFFF mov ecx, FFFFFFFF :10001116 57 push edi :10001117 2BC0 sub eax, eax :10001119 8B7C240C mov edi, dword ptr [esp+0C] :1000111D F2 repnz :1000111E AE scasb :1000111F F7D1 not ecx :10001121 2BF9 sub edi, ecx :10001123 8BC1 mov eax, ecx :10001125 C1E902 shr ecx, 02 :10001128 8BF7 mov esi, edi :1000112A BFE0B20010 mov edi, 1000B2E0 :1000112F F3 repz :10001130 A5 movsd :10001131 8BC8 mov ecx, eax :10001133 83E103 and ecx, 00000003 :10001136 F3 repz :10001137 A4 movsb ;츮 Ϲȣ ڷ :10001138 E893000000 call 100011D0 ;ٲ ִ call :1000113D E87E010000 call 100012C0 ;Ϲȣ__Լ() :10001142 33C0 xor eax, eax :10001144 8A8814B30010 mov cl, byte ptr [eax+1000B314] :1000114A 328810B30010 xor cl, byte ptr [eax+1000B310] :10001150 0A0D17B30010 or cl, byte ptr [1000B317] :10001156 888818B30010 mov byte ptr [eax+1000B318], cl :1000115C 80C930 or cl, 30 :1000115F 888818B30010 mov byte ptr [eax+1000B318], cl :10001165 80F939 cmp cl, 39 :10001168 7609 jbe 10001173 :1000116A 80C107 add cl, 07 :1000116D 888818B30010 mov byte ptr [eax+1000B318], cl :10001173 8A90E8B20010 mov dl, byte ptr [eax+1000B2E8] :10001179 8A8818B30010 mov cl, byte ptr [eax+1000B318] :1000117F 3AD1 cmp dl, cl :10001181 740C je 1000118F :10001183 80C920 or cl, 20 :10001186 
A30CB30010 mov dword ptr [1000B30C], eax :1000118B 3ACA cmp cl, dl :1000118D 7513 jne 100011A2 :1000118F 40 inc eax :10001190 A30CB30010 mov dword ptr [1000B30C], eax :10001195 83F804 cmp eax, 00000004 :10001198 7CAA jl 10001144 :1000119A B801000000 mov eax, 00000001 :1000119F 5F pop edi :100011A0 5E pop esi :100011A1 C3 ret :100011A2 33C0 xor eax, eax :100011A4 5F pop edi :100011A5 5E pop esi :100011A6 C3 ret FAGET κ [CALL EAX] κ ٷϴ(ã ). FAGET 1000113D ִ call Ϲȣ κ ȣϴ call̶ ߽ϴ. κ ʾҾ. 츮 ϴ ⼱ KeyGen̴ϱ 켱 call ȣϴ κ . κ ߿ ٽ ڽϴ. :100012C0 53 push ebx :100012C1 BA08000000 mov edx, 00000008 ;edx=>ī (8) :100012C6 C7050CB3001000000000 mov dword ptr [1000B30C], 00000000 ;(ī) غ :100012D0 8B0D0CB30010 mov ecx, dword ptr [1000B30C] ;ecx=> :100012D6 A10CB30010 mov eax, dword ptr [1000B30C] ;eax=> :100012DB 81C110B30010 add ecx, 1000B310 ;ecx--->ڷ ٲ Ϲȣ Ŵ :100012E1 33DB xor ebx, ebx ;ebx(bl)->ecx Ű ޾ƿ :100012E3 8B0485B0900010 mov eax, dword ptr [4*eax+100090B0] ; о :100012EA 8A19 mov bl, byte ptr [ecx] ;ڷ ٲ Ϲȣ(x) :100012EC 8A0418 mov al, byte ptr [eax+ebx] ; x° о :100012EF 8801 mov byte ptr [ecx], al ;ڷ ٲ Ϲȣ ٲٱ :100012F1 FF050CB30010 inc dword ptr [1000B30C] ;(ī) :100012F7 39150CB30010 cmp dword ptr [1000B30C], edx ;8 ó߳? :100012FD 7CD1 jl 100012D0 ; ݺ :100012FF 5B pop ebx :10001300 C3 ret ϰ Դϴ. κп Ϲȣ ƴѵ, ۾ ̷ մϴ. SoftICE  Ϲȣ , 켱 帮. SoftICE ̸ غ '' ֽϴ. ׸ ڰ Ϲȣ ó 8ڸ о ͼ '' ̿ؼ ο 8ڸ ڸ ϴ. ׸ ο 8ڸ ڸ ̿ؼ ο 4 ڿ ϴ. 4 ڿ ڰ Ϲȣ 4ڸ ؼ, Ϲȣ ´ θ ϴ ſ. ׷ κ  ϰ ִ . mov edx, 8 mov dword ptr [1000B30C], 0 mov ecx. [1000B30C] mov eax, [1000B30C] add ecx, 1000B310 xor ebx, ebx mov eax, dword ptr [4*eax+100090B0] 1000B30C ּҰ . Ʒ ִ cmp dword ptr [1000B30C], edxɿ ֵ 'ī' ϰ ֽϴ. 켱 0 ʱȭ ǰ inc dword ptr [1000B30C] ϳ ϰ ֽϴ. ecx eax ⼭ '' ϰ ִµ. ecx ڷ ٲ Ϲȣ, eax Ʊ ȴ غ '' Ű ֽϴ. 켱 0 ʱȭ add ecx, 1000B310 ecx ڷ ٲ Ϲȣ Ű ǰ, mov eax, dword ptr [4*eax+100090B0] eax '' Ű ˴ϴ. ׷ ڷ ٲ Ϲȣ , ''̶ . ̹ ˰ ð 츮 Ϲȣ '' ƴմϴ. 4001-2345AB-CD(Ϲȣ ó ڰ Ư Ѵٴ FAGET ⼭ ʰڽϴ) Ϲȣ ٰ . SoftICE ̰ '' ʰ ڿ ޾ƵԴϴ. Ư ó 8ڸ о δٰ ϱ 40012345 ޾ ̰. 
о ̴ ascii ڵ带 ̿ؼ 4 34( 16), 0 30, 1 31 ... ̷ ޾ Դϴ. ̷ ̾߱ picaview ̾߱⸦ Ծ. ̷ ڿ Ϲȣ '' ٲ ſ. SoftICE ̹ ׷ ϴ Լ ȣؼ Ϲȣ ٲ㼭 ޸𸮿 ÷ Ҵٴ ſ. ׸ κ ּҰ ecx ֽϴ. :d ecx . ޸ â Ÿ DZ ٸ 04 00 00 01 02 03 04 05 ó Ÿ ִٴ ſ. ׷ϱ ecx κ 'Ű' ִ Դϴ. [4*eax+100090B0]̶ ּ ָؾ մϴ. װ Ʊ 帰 'غ' Ű ֽϴ. Ƹ siceȭ鿡 [EAX*4+01E090B0] ó Ÿ ſ. mov eax, dword ptr [4*eax+100090B0] :d eax . 0F 01 0B 03 08 04 0D 07 0C 00 00 00 00 00 00 00 0A 0C 01 08 02 00 09 0F 05 0B 00 00 00 00 00 00 09 05 0C 02 07 06 0F 04 0E 0A 00 00 00 00 00 00 03 04 0C 0B 01 0A 0D 08 00 0E 00 00 00 00 00 00 0D 01 06 0A 05 09 04 08 00 03 00 00 00 00 00 00 07 0B 06 0A 05 09 04 08 00 03 00 00 00 00 00 00 00 0D 03 0F 0A 08 02 0C 04 06 00 00 00 00 00 00 09 05 0D 01 03 0B 0C 04 02 08 00 00 00 00 00 00 Ÿ â ̷ Ÿ ſ. ٷ غ ''Դϴ. ̰ ٸ 10 ְ 8 ֽϴ. 8. 츮 óϴ ̱. ׷ϱ SoftICE 츮 Ϲȣ ó 8ڸ о鼭 ڿ ؼ ſ. ù° ڿ ؼ ù° ٿ ִ ϳ, ι° ڿ ؼ ι ° ٿ ִ ϳ.. ̷ ؼ ̿. ƹư eax '' Ű ֽϴ. mov bl, byte ptr [ecx] mov al, byte ptr [eax+ebx] mov byte ptr [ecx], al Ʊ ecx ڷ ٲ Ϲȣ Ű ִٰ ߽ϴ. ׷ϱ mov bl, byte ptr [ecx] Ϲȣ ϳ(byte ũ) ͼ bl Ű ִ Դϴ. Ű ֳİ? ɿ ɴϴ. mov al, byte ptr [eax+ebx] eax Ű ִٰ ߽ϴ. eax+ebx ? Ͽ ebx(bl) ° ִ al Ű ֶ ̿. 츮 κ 'ó' Ѵٰ . ׷ Ϲȣ 40012345 ߿ ù° '' 04 о ̰ ְڱ. 04 bl Ǿ ֽϴ. 'ù°' ٿ 04° ִ о al űϴ. ⼭ , 0° Ѵٴ ſ. ׷ϱ ù ° 0F 01 0B 03 08 04 0D 07 0C 00 00 00 00 00 00 00 ׹°(04) 03 ƴ϶ 08Դϴ. κ ι° ϴ ̶ Ϲȣ ι° 00 о bl ű , ι° 00° 0A о al ű ű. ׷ ؼ 8 ڸ óϴ ſ. ׷ al Ű mov byte ptr [ecx], al ecx Ű , ڷ ٲ Ϲȣ ִ ٽ Űϴ. Ÿ â ϸ鼭 ܰ ϰ ִ ƽ ſ. inc dword ptr [1000B30C] cmp dword ptr [1000B30C], edx jl 10001200 pop ebx ret κ ī͸ Ű, ī (8) ؼ ڸ ó ߳ Ȯϴ ̿. ̷ 츮 ŭ ǰ? ó ʾҴٸ jl κ ٽ ݺմϴ. ϰ ڷ ٲ Ϲȣ 8 ſ 'ο' 8 ڰ ? ׷, κ C ڽϴ. غ ϰ ǥ(FAGET ΰ ǥ) array(ref[8][16], table[13][3]) Ἥ ϴ. ( CǷ¿ ؼ ٽ ȵ帮ڽϴ.) for (i=0; i ׷, κ ȣߴ ٽ θ  ̿ϴ ô. 
:10001110 56 push esi :10001111 B9FFFFFFFF mov ecx, FFFFFFFF :10001116 57 push edi :10001117 2BC0 sub eax, eax :10001119 8B7C240C mov edi, dword ptr [esp+0C] :1000111D F2 repnz :1000111E AE scasb :1000111F F7D1 not ecx :10001121 2BF9 sub edi, ecx :10001123 8BC1 mov eax, ecx :10001125 C1E902 shr ecx, 02 :10001128 8BF7 mov esi, edi :1000112A BFE0B20010 mov edi, 1000B2E0 :1000112F F3 repz :10001130 A5 movsd :10001131 8BC8 mov ecx, eax :10001133 83E103 and ecx, 00000003 :10001136 F3 repz :10001137 A4 movsb ;츮 Ϲȣ ڷ :10001138 E893000000 call 100011D0 ;ٲ ִ call :1000113D E87E010000 call 100012C0 ;Ϲȣ__Լ() :10001142 33C0 xor eax, eax :10001144 8A8814B30010 mov cl, byte ptr [eax+1000B314] ; 4+n° :1000114A 328810B30010 xor cl, byte ptr [eax+1000B310] ; 0+n° XOR (, n κ ° Ǵ , Ƚ մϴ,n 0 3) :10001150 0A0D17B30010 or cl, byte ptr [1000B317] ; ٽ , 7° OR :10001156 888818B30010 mov byte ptr [eax+1000B318], cl ; :1000115C 80C930 or cl, 30 ; 0x30 OR :1000115F 888818B30010 mov byte ptr [eax+1000B318], cl ;غ ڰ Ǵ :10001165 80F939 cmp cl, 39 ;Ȯ :10001168 7609 jbe 10001173 ;ڰ ƴ϶ :1000116A 80C107 add cl, 07 ;7 :1000116D 888818B30010 mov byte ptr [eax+1000B318], cl ;׷ :10001173 8A90E8B20010 mov dl, byte ptr [eax+1000B2E8] ;ڰ Ϲȣ :10001179 8A8818B30010 mov cl, byte ptr [eax+1000B318] ; :1000117F 3AD1 cmp dl, cl ;? :10001181 740C je 1000118F ; ڸ :10001183 80C920 or cl, 20 ; 빮 :10001186 A30CB30010 mov dword ptr [1000B30C], eax ;Ȯ :1000118B 3ACA cmp cl, dl ;ٽ :1000118D 7513 jne 100011A2 ;׷ ʴٸ XOR->ret :1000118F 40 inc eax ; ڸ о :10001190 A30CB30010 mov dword ptr [1000B30C], eax ;δ. :10001195 83F804 cmp eax, 00000004 ;4ڰ ? :10001198 7CAA jl 10001144 ; ٸ :1000119A B801000000 mov eax, 00000001 ;eax=1 :1000119F 5F pop edi :100011A0 5E pop esi :100011A1 C3 ret :100011A2 33C0 xor eax, eax ; ڶ ʴٸ :100011A4 5F pop edi ;eax=0 :100011A5 5E pop esi :100011A6 C3 ret Ʊ 8 ڸ ϴ ۾ ʽϴ. ֵ 켱 8 ڸ պκ 4ڿ ޺κ 4ڷ ѷ ϴ. , 4 4 . ¦ ? mov cl, [eax+1000B314] xor cl, [eax+1000B310] eax+1000B314 eax+1000B310 ̶ ּҸ . յڷ ھ ? 
Each pair is XORed, and then:

or cl, byte ptr [1000B317]
mov byte ptr [eax+1000B318], cl
or cl, 30
mov byte ptr [eax+1000B318], cl
cmp cl, 39
jbe _
add cl, 07
mov byte ptr [eax+1000B318], cl
:
mov dl, byte ptr [eax+1000B2E8]
mov cl, byte ptr [eax+1000B318]
cmp dl, cl

The XOR result is ORed with the last of the eight bytes (the one at 1000B317), then ORed with 0x30 so that it becomes an ASCII digit, and cmp cl, 39/jbe checks whether it is still a digit. If it is, it is compared with our serial as it is; if not, 7 is added so that 0x3A..0x3F become the capital letters 'A'..'F', and that is compared with our serial. This is repeated for all four characters (cmp eax, 00000004/jl 10001144); the character computed first is compared with the first of the four, and so on. The part below only compares the result with what we typed, so I will not go into it further; for a KeyGen the computation is what matters. Here is the C source (I am no C expert, so bear with me):

#include <stdio.h>
#include <string.h>   /* the second header was lost in extraction; string.h is a guess */
#define MAX 13
int main(void){
    char c, bval[MAX]={0};
    char table[13][3]={{'1','9','0'},{'4','0','0'},
        {'4','0','1'},{'4','1','0'},
        {'4','1','1'},{'4','2','0'},
        {'4','2','1'},{'4','3','0'},
        {'4','3','1'},{'4','8','0'},
        {'4','8','1'},{'5','1','0'},{'5','1','1'}};   /* prefix table */
    char dval[8]={0};
    char ref[8][16]={{0xf,1,0xb,3,8,4,0xd,7,0xc,0,0,0,0,0,0,0},
        {0xa,0xc,1,8,2,0,9,0xf,5,0xb,0,0,0,0,0,0},
        {9,5,0xc,2,7,6,0xf,4,0xe,0xa,0,0,0,0,0,0},
        {3,4,0xc,0xb,1,0xa,0xd,8,0,0xe,0,0,0,0,0,0},
        {0xd,1,6,0xb,8,0xa,0xe,4,3,0xc,0,0,0,0,0,0},
        {7,0xb,6,0xa,5,9,4,8,0,3,0,0,0,0,0,0},
        {0,0xd,3,0xf,0xa,8,2,0xc,4,6,0,0,0,0,0,0},
        {9,5,0xd,1,3,0xb,0xc,4,2,8,0,0,0,0,0,0}};   /* substitution table */
    int i, j, length=0, get_ref;
    char pre_code[8]={0}, new[8]={0}, cl[8]={0};
    printf("\nSoftICE version 3.x KeyGenerator ... coded/cracked by +kurt");
    printf("\n\n(originally cracked by +OCHE SATRIANI, +OBLLEK)\n\n");
    printf("enter 5 random digits: ");
    for (i=0; (c=getchar()) != '\n' ; ++i) {
        if(c>=0x30 && c<=0x39) pre_code[i]=c-0x30;
        /* the rest of the listing was lost when the page was extracted
           (everything after a '<' was eaten); only the input loop survives */
    }
    return 0;
}

If you have a question about the C program, or find a mistake, mail me (pluskurt@hanimail.com). Until next time.

Page 4

29. Serve the Servants

ȳϼ. ̰ 󸶸 ø 𸣰ڳ׿. , 28 ִµ, ̰ Ȩ ̿. ׷ϱ, Ʋ ϳ ø ̳׿. ó ׷ (?) µ, ʾҾ. Ƹ ũ ̶ ˾ұ ƴұ. ˰ ϱ, ۵ β׿. ׷, β ϳ øϴ. ۿ ִ ũ 뵵 ϴ. ʺ ũĿ ϱ⿡, α׷ ũϱⰡ ͵ ֽϴ. ϰ ִ 𸣴 ä ũ 쵵 ϱ. ̷ ϴ ũ̶ Ϳ (?)Ϸ ϴ ʺ ũĿ鿡 ʹ ̸ ϰ ;. ׷ ͸ ִ ƴϿ. ó ̿. ۿ ũϷ ϴ α׷ TurboGo α׷Դϴ.(TurboGo for Window$95 v4.01) ̷ Ȩ ִٴ ߽ϴ. 'Patch' ÷Ⱦ. ׷ Patch ø ʴµ, patch ø , ũ е ؼ. ø patch 'ٵ' α׷ patchϴ. ó Ƿ ߿ ٵ Ͻô е ְ, ٵ Ͻô ߿ е ұ, ׷ е ũ 幮 ݾƿ. 
׷ ׷ е ؼ, ũ ٵ α׷ patch ÷ȴ ǵ, ̹ ũ α׷ TurboGo ٵ α׷̿. Ƿ , α׷ Ƿ 𸨴ϴ. , ׷ ̸ ˷ α׷ ϱ, ʰ. , ̷ ٵ α׷() ߿ Taku Chan̶ α׷ ֽϴ. ̰ Ϻ ٵ α׷ε, web ʰ Ͻ ſ. Taku Chan 3ܰ ޼(?) ִ α׷Դϴ. ׷, ޼ ۿ 뱹 ϴ. ʺ (ũĿ)е鿡 α׷Դϴ. ũ . ϴ. ƹư, TurboGo protection ֽϴ. 5ܰ ޼ ߿ ܰ(Strongest, Stronger)δ 뱹 ϴ. , ׷ TurboGo ¥ Ƿµ ݾƿ. ׷ ϰ TurboGo ϰھ? , ũ ߴ α׷̶ ؾ Ѵٰ մϴ. ׷ϱ, TurboGoó, ũ ؼ '' α׷ , α׷ ؼ ʰھ? ũ ؼ ܰε 뱹 '' ǰ? , , α׷ , ϶ ڰ Ÿϴ. ׷, ũ . ̸ ȵ ϴ. α׷(TurboGo.exe) ϸ ϶ ڰ Ÿϴ. Register߸ , ̸(Name) Ϲȣ(Serial nr) ִ ĭ ִ ڰ Ÿϴ. ĭ ƹ ų ְ, OK ߸ ô. ó, Ϲȣ Ʋȴٴ ۻ(messagebox) Ÿϴ. ׷ . ̷ 'Ϲȣ' protection scheme GetDlgItemTextA GetWinowTextAԼ ߴ ؾ ұ. ׷ ߴ ʽϴ. ׷ hmemcpy ߴ ְ, ̹ ٸ ڽϴ. K.Ƿ ũ ó, '߸ Ǿ' 'ۻ' ߴ ϴ ſ. Ʊ, ƹ ų OK߸ Ϲȣ '߸ Ǿ' ۻڰ Խϴ. 'ۻ' ϴ Լ messagebox Լε, Լ ߴ Ѵٸ, ׷ '߸ Ǿ' ۻڸ ȣϴ κ ã ̱, ׷ٸ κ ȣϴ κе ã ְ. Ͻðھ? ۵ о ź̶ ذ ǰ, ٽ 帱. ̷ ſ. 츮 Ϲȣ ''ϴ κ Ŷ ſ. ׸ Ϲȣ ߸Ǿٸ, ۻڸ ȣϰ. ׷ ۻڸ ȣϴ κ ãƼ 'Ž ö󰡸' Ϲȣ ϴ κ ã ϴ ̿. messageboxԼ ߴ ϱ ؼ, sice bpx messageboxa մϴ. ׸, TurboGo ƿͼ ٽ ѹ OK߸ , siceȭ Ÿϴ. F11 messageboxԼ ȣ TurboGo ڵ ãư, ٽ TurboGo ۻڰ Ÿϴ. 'Ȯ' ư ٽ siceȭ ƿɴϴ. :0042D5BF 57 push edi :0042D5C0 56 push esi :0042D5C1 8B4324 mov eax, dword ptr [ebx+24] :0042D5C4 50 push eax :0042D5C5 E82A8DFDFF Call 004062F4 ; MessageBoxA :0042D5CA 8945FC mov dword ptr [ebp-04], eax :0042D5CD 33C0 xor eax, eax :0042D5CF 5A pop edx :0042D5D0 59 pop ecx :0042D5D1 59 pop ecx :0042D5D2 648910 mov dword ptr fs:[eax], edx :0042D5D5 68F3D54200 push 0042D5F3 :0042D5DA 8B45F4 mov eax, dword ptr [ebp-0C] :0042D5DD E8DA9BFFFF call 004271BC :0042D5E2 8B45F8 mov eax, dword ptr [ebp-08] :0042D5E5 50 push eax :0042D5E6 E8918DFDFF Call 0040637C :0042D5EB C3 ret :0042D5EC E97B5EFDFF jmp 0040346C :0042D5F1 EBE7 jmp 0042D5DA :0042D5F3 8B45FC mov eax, dword ptr [ebp-04] ; RET :0042D5F6 5F pop edi :0042D5F7 5E pop esi :0042D5F8 5B pop ebx :0042D5F9 8BE5 mov esp, ebp :0042D5FB 5D pop ebp :0042D5FC C20400 ret 0004 ׷ ⼭ F12(P RET) κ ȣ ã , RET ּ RET ˴ϴ. F12 ã ô. 
:0047407C 6A30           push 00000030
:0047407E 8B0D68D04800   mov ecx, dword ptr [0048D068]
:00474084 8B15B8D14800   mov edx, dword ptr [0048D1B8]
:0047408A A140D04800     mov eax, dword ptr [0048D040]
:0047408F 8B00           mov eax, dword ptr [eax]
:00474091 E8F694FBFF     call 0042D58C                     ; the routine we just saw (with the MessageBox)
:00474096 33C0           xor eax, eax                      ; RET lands here
:00474098 5A             pop edx
:00474099 59             pop ecx
:0047409A 59             pop ecx
:0047409B 648910         mov dword ptr fs:[eax], edx
:0047409E 68B3404700     push 004740B3
:004740A3 8D45FC         lea eax, dword ptr [ebp-04]
:004740A6 E81DF9F8FF     call 004039C8
:004740AB C3             ret
:004740AC E9BBF3F8FF     jmp 0040346C
:004740B1 EBF0           jmp 004740A3
:004740B3 5E             pop esi                           ; RET
:004740B4 5B             pop ebx
:004740B5 59             pop ecx
:004740B6 5D             pop ebp
:004740B7 C3             ret

Here we are. You can see that call 0042D58C is what calls the routine we just looked at (the one containing the MessageBox). Press F12 again: we land after the ret below, and one more F12 brings us here:

:0041E0BF 8BD8           mov ebx, eax
:0041E0C1 8BD0           mov edx, eax
:0041E0C3 8B83A8000000   mov eax, dword ptr [ebx+000000A8]
:0041E0C9 FF93A4000000   call dword ptr [ebx+000000A4]     ; <- we came back from this call

So this indirect call, call dword ptr [ebx+000000A4], is the one that eventually calls the code we saw. Clear the breakpoint we set earlier, set a new one on this call, leave SoftICE and press OK once more. SoftICE stops on the call; now press F8 (T, Trace) to step into the routine it calls:

:00473F1C 55             push ebp
:00473F1D 8BEC           mov ebp, esp
:00473F1F 6A00           push 00000000
:00473F21 53             push ebx
:00473F22 56             push esi
:00473F23 8BD8           mov ebx, eax
:00473F25 33C0           xor eax, eax
:00473F27 55             push ebp
:00473F28 68AC404700     push 004740AC
:00473F2D 64FF30         push dword ptr fs:[eax]
:00473F30 648920         mov dword ptr fs:[eax], esp
:00473F33 8D55FC         lea edx, dword ptr [ebp-04]
:00473F36 8B83E8010000   mov eax, dword ptr [ebx+000001E8]
:00473F3C E89397FAFF     call 0041D6D4
:00473F41 8B45FC         mov eax, dword ptr [ebp-04]
:00473F44 E83B6AFCFF     call 0043A984                     ; check the serial
:00473F49 84C0           test al, al                       ; was it right?
:00473F4B 0F842B010000   jz 0047407C                       ; no? then the MessageBox
:00473F51 A13CD34800     mov eax, dword ptr [0048D33C]     ; yes?
׷ turbogo.ini :00473F56 803800 cmp byte ptr [eax], 00 :00473F59 0F8514010000 jne 00474073 :00473F5F A13CD34800 mov eax, dword ptr [0048D33C] :00473F64 C60001 mov byte ptr [eax], 01 :00473F67 8D55FC lea edx, dword ptr [ebp-04] :00473F6A 8B83EC010000 mov eax, dword ptr [ebx+000001EC] :00473F70 E85F97FAFF call 0041D6D4 :00473F75 8B55FC mov edx, dword ptr [ebp-04] :00473F78 A1CCD14800 mov eax, dword ptr [0048D1CC] :00473F7D E89AFAF8FF call 00403A1C :00473F82 8D55FC lea edx, dword ptr [ebp-04] :00473F85 8B83E8010000 mov eax, dword ptr [ebx+000001E8] :00473F8B E84497FAFF call 0041D6D4 :00473F90 8B55FC mov edx, dword ptr [ebp-04] :00473F93 A1E0D04800 mov eax, dword ptr [0048D0E0] :00473F98 E87FFAF8FF call 00403A1C :00473F9D 6A40 push 00000040 :00473F9F 8B0D20D04800 mov ecx, dword ptr [0048D020] :00473FA5 8B15D8D04800 mov edx, dword ptr [0048D0D8] :00473FAB A140D04800 mov eax, dword ptr [0048D040] :00473FB0 8B00 mov eax, dword ptr [eax] :00473FB2 E8D595FBFF call 0042D58C ڵ带 ȣϰ ־ ǵ. . ָ κ call 0043A984/test al, al/jz _0047407C_. jz 0047407C ٷ Ʊ Ҵ ۻڸ ȣϴ (Ķ ǥ ) бŰ ݾƿ. ׷ϱ, Ϲȣ ʾҴٴ ۻڴ jz 0047407C бؼ ȣ ̿. ̰ Ȯ , F10(P, Proceed) , jz 0047407C ܰ辿 , װ r fl z Zero flag ٲ㼭, б(JUMP) ʰ(NO JUMP) . ׸ F5(X) TurboGo Ű, ̹ Ʊʹ ٸ 'ۻ' Ÿ ſ. Thank you for registering TurboGo. Your version is now fully functional! ̶ ִ ۻڰ Ϳ. ũ ų ٸ? ֵ call 0043A984/test al, al/jz 0047407C ߿ κԴϴ. call 0043A984 Ϲȣ Ȯ , al Ϳ ְ, װͿ бϴ İ Ǵ Ű. ׷, 츮 call 0043A984 ȣϴ κ ãư ? 
:0043A984 55             push ebp
:0043A985 8BEC           mov ebp, esp
:0043A987 83C4C0         add esp, FFFFFFC0
:0043A98A 53             push ebx
:0043A98B 56             push esi
:0043A98C 57             push edi
:0043A98D 33D2           xor edx, edx
:0043A98F 8955D0         mov dword ptr [ebp-30], edx
:0043A992 8945FC         mov dword ptr [ebp-04], eax         ; eax = our serial
:0043A995 8B45FC         mov eax, dword ptr [ebp-04]
:0043A998 E85B94FCFF     call 00403DF8
:0043A99D 33C0           xor eax, eax
:0043A99F 55             push ebp
:0043A9A0 689AAB4300     push 0043AB9A
:0043A9A5 64FF30         push dword ptr fs:[eax]
:0043A9A8 648920         mov dword ptr fs:[eax], esp
:0043A9AB C645F835       mov [ebp-08], 35                    ; three divisors: 0x35
:0043A9AF C645F959       mov [ebp-07], 59                    ; 0x59
:0043A9B3 C645FA49       mov [ebp-06], 49                    ; 0x49
:0043A9B7 8B45FC         mov eax, dword ptr [ebp-04]
:0043A9BA E88592FCFF     call 00403C44                       ; read the length of the serial
:0043A9BF 83F809         cmp eax, 00000009                   ; 9 characters?
:0043A9C2 7409           jz 0043A9CD                         ; yes: flag = 1
:0043A9C4 C645FB00       mov [ebp-05], 00                    ; no: flag = 0
:0043A9C8 E9AF010000     jmp 0043AB7C                        ; and nothing more to check
:0043A9CD C645FB01       mov [ebp-05], 01                    ; flag = 1, now check the serial
:0043A9D1 8D45E0         lea eax, dword ptr [ebp-20]
:0043A9D4 8B55FC         mov edx, dword ptr [ebp-04]
:0043A9D7 8A12           mov dl, byte ptr [edx]              ; character 0
:0043A9D9 885001         mov byte ptr [eax+01], dl
:0043A9DC C60001         mov byte ptr [eax], 01
:0043A9DF 8D55E0         lea edx, dword ptr [ebp-20]
:0043A9E2 8D45DC         lea eax, dword ptr [ebp-24]
:0043A9E5 E82A80FCFF     call 00402A14
:0043A9EA 8D45D8         lea eax, dword ptr [ebp-28]
:0043A9ED 8B55FC         mov edx, dword ptr [ebp-04]
:0043A9F0 8A5206         mov dl, byte ptr [edx+06]           ; character 6
:0043A9F3 885001         mov byte ptr [eax+01], dl
:0043A9F6 C60001         mov byte ptr [eax], 01
:0043A9F9 8D55D8         lea edx, dword ptr [ebp-28]
:0043A9FC 8D45DC         lea eax, dword ptr [ebp-24]
:0043A9FF B102           mov cl, 02
:0043AA01 E8DE7FFCFF     call 004029E4
:0043AA06 8D55DC         lea edx, dword ptr [ebp-24]
:0043AA09 8D45D4         lea eax, dword ptr [ebp-2C]
:0043AA0C E80380FCFF     call 00402A14
:0043AA11 8D45D8         lea eax, dword ptr [ebp-28]
:0043AA14 8B55FC         mov edx, dword ptr [ebp-04]
:0043AA17 8A5205         mov dl, byte ptr [edx+05]           ; character 5
:0043AA1A 885001         mov byte ptr [eax+01], dl
:0043AA1D C60001         mov byte ptr [eax], 01
:0043AA20 8D55D8         lea edx, dword ptr [ebp-28]
:0043AA23 8D45D4         lea eax, dword ptr [ebp-2C]
:0043AA26 B103           mov cl, 03
:0043AA28 E8B77FFCFF     call 004029E4
:0043AA2D 8D55D4         lea edx, dword ptr [ebp-2C]
:0043AA30 8D45E7         lea eax, dword ptr [ebp-19]         ; group 1 = characters 0,6,5 -> [ebp-19]
:0043AA33 B103           mov cl, 03
:0043AA35 E8F67FFCFF     call 00402A30
:0043AA3A 8D45E0         lea eax, dword ptr [ebp-20]
:0043AA3D 8B55FC         mov edx, dword ptr [ebp-04]
:0043AA40 8A5204         mov dl, byte ptr [edx+04]           ; character 4
:0043AA43 885001         mov byte ptr [eax+01], dl
:0043AA46 C60001         mov byte ptr [eax], 01
:0043AA49 8D55E0         lea edx, dword ptr [ebp-20]
:0043AA4C 8D45DC         lea eax, dword ptr [ebp-24]
:0043AA4F E8C07FFCFF     call 00402A14
:0043AA54 8D45D8         lea eax, dword ptr [ebp-28]
:0043AA57 8B55FC         mov edx, dword ptr [ebp-04]
:0043AA5A 8A5207         mov dl, byte ptr [edx+07]           ; character 7
:0043AA5D 885001         mov byte ptr [eax+01], dl
:0043AA60 C60001         mov byte ptr [eax], 01
:0043AA63 8D55D8         lea edx, dword ptr [ebp-28]
:0043AA66 8D45DC         lea eax, dword ptr [ebp-24]
:0043AA69 B102           mov cl, 02
:0043AA6B E8747FFCFF     call 004029E4
:0043AA70 8D55DC         lea edx, dword ptr [ebp-24]
:0043AA73 8D45D4         lea eax, dword ptr [ebp-2C]
:0043AA76 E8997FFCFF     call 00402A14
:0043AA7B 8D45D8         lea eax, dword ptr [ebp-28]
:0043AA7E 8B55FC         mov edx, dword ptr [ebp-04]
:0043AA81 8A5201         mov dl, byte ptr [edx+01]           ; character 1
:0043AA84 885001         mov byte ptr [eax+01], dl
:0043AA87 C60001         mov byte ptr [eax], 01
:0043AA8A 8D55D8         lea edx, dword ptr [ebp-28]
:0043AA8D 8D45D4         lea eax, dword ptr [ebp-2C]
:0043AA90 B103           mov cl, 03
:0043AA92 E84D7FFCFF     call 004029E4
:0043AA97 8D55D4         lea edx, dword ptr [ebp-2C]
:0043AA9A 8D45EB         lea eax, dword ptr [ebp-15]         ; group 2 = characters 4,7,1 -> [ebp-15]
:0043AA9D B103           mov cl, 03
:0043AA9F E88C7FFCFF     call 00402A30
:0043AAA4 8D45E0         lea eax, dword ptr [ebp-20]
:0043AAA7 8B55FC         mov edx, dword ptr [ebp-04]
:0043AAAA 8A5208         mov dl, byte ptr [edx+08]           ; character 8
:0043AAAD 885001         mov byte ptr [eax+01], dl
:0043AAB0 C60001         mov byte ptr [eax], 01
:0043AAB3 8D55E0         lea edx, dword ptr [ebp-20]
:0043AAB6 8D45DC         lea eax, dword ptr [ebp-24]
:0043AAB9 E8567FFCFF     call 00402A14
:0043AABE 8D45D8         lea eax, dword ptr [ebp-28]
:0043AAC1 8B55FC         mov edx, dword ptr [ebp-04]
:0043AAC4 8A5202         mov dl, byte ptr [edx+02]           ; character 2
:0043AAC7 885001         mov byte ptr [eax+01], dl
:0043AACA C60001         mov byte ptr [eax], 01
:0043AACD 8D55D8         lea edx, dword ptr [ebp-28]
:0043AAD0 8D45DC         lea eax, dword ptr [ebp-24]
:0043AAD3 B102           mov cl, 02
:0043AAD5 E80A7FFCFF     call 004029E4
:0043AADA 8D55DC         lea edx, dword ptr [ebp-24]
:0043AADD 8D45D4         lea eax, dword ptr [ebp-2C]
:0043AAE0 E82F7FFCFF     call 00402A14
:0043AAE5 8D45D8         lea eax, dword ptr [ebp-28]
:0043AAE8 8B55FC         mov edx, dword ptr [ebp-04]
:0043AAEB 8A5203         mov dl, byte ptr [edx+03]           ; character 3
:0043AAEE 885001         mov byte ptr [eax+01], dl
:0043AAF1 C60001         mov byte ptr [eax], 01
:0043AAF4 8D55D8         lea edx, dword ptr [ebp-28]
:0043AAF7 8D45D4         lea eax, dword ptr [ebp-2C]
:0043AAFA B103           mov cl, 03
:0043AAFC E8E37EFCFF     call 004029E4
:0043AB01 8D55D4         lea edx, dword ptr [ebp-2C]
:0043AB04 8D45EF         lea eax, dword ptr [ebp-11]         ; group 3 = characters 8,2,3 -> [ebp-11]
:0043AB07 B103           mov cl, 03
:0043AB09 E8227FFCFF     call 00402A30
:0043AB0E C645F303       mov [ebp-0D], 03                    ; loop counter: three groups
:0043AB12 8D75E7         lea esi, dword ptr [ebp-19]         ; esi -> first group
:0043AB15 8D5DF8         lea ebx, dword ptr [ebp-08]         ; ebx -> first divisor
:0043AB18 8D45D0         lea eax, dword ptr [ebp-30]
:0043AB1B 8BD6           mov edx, esi
:0043AB1D E8C690FCFF     call 00403BE8
:0043AB22 8B45D0         mov eax, dword ptr [ebp-30]
:0043AB25 8D55F4         lea edx, dword ptr [ebp-0C]
:0043AB28 E8CB80FCFF     call 00402BF8                       ; string -> number: eax = value, [ebp-0C] = error code
:0043AB2D 8BF8           mov edi, eax
:0043AB2F 837DF400       cmp dword ptr [ebp-0C], 00000000    ; conversion error?
:0043AB33 753A           jnz 0043AB6F                        ; yes: flag = 0
:0043AB35 897DD4         mov dword ptr [ebp-2C], edi
:0043AB38 DB45D4         fild dword ptr [ebp-2C]
:0043AB3B 33C0           xor eax, eax
:0043AB3D 8A03           mov al, byte ptr [ebx]              ; the divisor for this group
:0043AB3F 8945CC         mov dword ptr [ebp-34], eax
:0043AB42 DB45CC         fild dword ptr [ebp-34]
:0043AB45 DEF9           fdivp st(1), st(0)                  ; value / divisor
:0043AB47 E8607EFCFF     call 004029AC                       ; rounded to an integer
:0043AB4C 8945C8         mov dword ptr [ebp-38], eax
:0043AB4F DB45C8         fild dword ptr [ebp-38]
:0043AB52 897DC4         mov dword ptr [ebp-3C], edi
:0043AB55 DB45C4         fild dword ptr [ebp-3C]
:0043AB58 33C0           xor eax, eax
:0043AB5A 8A03           mov al, byte ptr [ebx]
:0043AB5C 8945C0         mov dword ptr [ebp-40], eax
:0043AB5F DB45C0         fild dword ptr [ebp-40]
:0043AB62 DEF9           fdivp st(1), st(0)                  ; value / divisor again, this time exact
:0043AB64 DED9           fcompp                              ; rounded == exact, i.e. divisible?
:0043AB66 DFE0           fstsw ax
:0043AB68 9E             sahf
:0043AB69 7504           jnz 0043AB6F                        ; not divisible: flag = 0
:0043AB6B 85FF           test edi, edi                       ; value zero?
:0043AB6D 7504           jnz 0043AB73                        ; no: this group is fine
:0043AB6F C645FB00       mov [ebp-05], 00                    ; serial is wrong: flag = 0
:0043AB73 43             inc ebx                             ; next divisor
:0043AB74 83C604         add esi, 00000004                   ; next group
:0043AB77 FE4DF3         dec [ebp-0D]
:0043AB7A 759C           jnz 0043AB18
:0043AB7C 33C0           xor eax, eax
:0043AB7E 5A             pop edx
:0043AB7F 59             pop ecx
:0043AB80 59             pop ecx
:0043AB81 648910         mov dword ptr fs:[eax], edx
:0043AB84 68A1AB4300     push 0043ABA1
:0043AB89 8D45D0         lea eax, dword ptr [ebp-30]
:0043AB8C E8378EFCFF     call 004039C8
:0043AB91 8D45FC         lea eax, dword ptr [ebp-04]
:0043AB94 E82F8EFCFF     call 004039C8
:0043AB99 C3             ret
:0043ABA1 8A45FB         mov al, byte ptr [ebp-05]           ; the flag goes into al
:0043ABA4 5F             pop edi
:0043ABA5 5E             pop esi
:0043ABA6 5B             pop ebx
:0043ABA7 8BE5           mov esp, ebp
:0043ABA9 5D             pop ebp
:0043ABAA C3             ret

This is the code that checks the serial. Since we are not writing a keygen, there is no need to read it line by line; only the commented lines matter. Whatever TurboGo does with the serial, the important thing is that it works with a flag. When the serial is checked, [ebp-05] is set to 1 if it is right and to 0 if it is not; [ebp-05] is the flag. At the end, [ebp-05] is moved into al, and from al TurboGo decides whether the serial was accepted. Remember the part I called important earlier, call 0043A984/test al, al/jz 0047407C: the test al, al/jz 0047407C is exactly that decision on al.

Look again at the beginning of the function: call 00403C44/cmp eax, 00000009/jz 0043A9CD/mov [ebp-05],00/jmp 0043AB7C/mov [ebp-05], 01. It reads how many characters the serial has; with 9 characters [ebp-05] is set to 1 and the serial is checked further, otherwise [ebp-05] is set to 0 and the rest of the check is skipped. The loop between 0043AB18 and 0043AB7A then runs three times ([ebp-0D] = 3): each pass converts one three-character string (built at [ebp-19], [ebp-15] and [ebp-11] from characters 0,6,5, 4,7,1 and 8,2,3 of the serial) to a number, divides it by the byte at [ebx] (0x35, 0x59 and 0x49, set up at 0043A9AB), compares the rounded quotient with the exact one, and clears the flag if the conversion failed, the division is not exact or the number is zero.

So how do we crack it? Two ways.

First, change mov [ebp-05], 00 at 0043AB6F into mov [ebp-05], 01. That instruction is where the flag is set to 0 when the serial is wrong; after the patch the flag stays 1 even then. In bytes, C645FB00 becomes C645FB01.

Second, change mov al, byte ptr [ebp-05] at 0043ABA1 into mov al, 01/nop. TurboGo keeps its flag in [ebp-05], computes it from the serial and hands it over in al. If al is always 1, TurboGo always treats the serial as right, whatever we typed. In bytes, 8A45FB becomes B001/90.

The first way has a hole: when the serial is not 9 characters long, the length check at 0043A9C4 still sets the flag to 0, so TurboGo still notices that the serial is wrong. What to do about that you can work out yourself.
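As an added example (my code, not TurboGo's), here is the serial rule that the listing of 0043A984 implies, as a checker and a small generator. The positions and divisors come straight from the listing (characters 0,6,5 / 4,7,1 / 8,2,3 and the bytes 0x35, 0x59, 0x49); reading the runtime calls as Delphi's PStrNCat (004029E4), Val (00402BF8) and an integer rounding routine (004029AC) is my interpretation of the code, not something the page states. The page itself stops at patching the flag, so this goes a step beyond it.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Character positions of each three-character group, in the order the code
 * concatenates them, and the byte at [ebx] the group's value is divided by
 * ([ebp-08] = 0x35, [ebp-07] = 0x59, [ebp-06] = 0x49). */
static const int GROUP_POS[3][3] = { {0, 6, 5}, {4, 7, 1}, {8, 2, 3} };
static const int DIVISOR[3] = { 0x35, 0x59, 0x49 };   /* 53, 89, 73 */

/* Value of one group, or -1 when a character is not a digit
 * (the string-to-number call returns a nonzero error code in [ebp-0C]). */
static int group_value(const char *serial, int g)
{
    int v = 0;
    for (int k = 0; k < 3; k++) {
        char c = serial[GROUP_POS[g][k]];
        if (!isdigit((unsigned char)c)) return -1;
        v = v * 10 + (c - '0');
    }
    return v;
}

/* Mirror of 0043A984: returns the flag that ends up in al. */
int turbogo_check(const char *serial)
{
    if (strlen(serial) != 9) return 0;        /* cmp eax,9: wrong length, flag = 0 */
    int flag = 1;                              /* mov [ebp-05],1 */
    for (int g = 0; g < 3; g++) {
        int v = group_value(serial, g);
        /* conversion error, zero value (test edi,edi) or inexact division (fcompp) */
        if (v <= 0 || v % DIVISOR[g] != 0) flag = 0;   /* mov [ebp-05],0 at 0043AB6F */
    }
    return flag;
}

/* Build a serial: one three-digit multiple of each divisor, scattered to the
 * positions above. The multiplier 2..11 keeps every group at three digits
 * (53*11 = 583, 89*11 = 979, 73*11 = 803). Returns a static buffer. */
const char *turbogo_keygen(unsigned k)
{
    static char out[10];
    int m = 2 + (int)(k % 10);
    for (int g = 0; g < 3; g++) {
        int v = DIVISOR[g] * m;
        out[GROUP_POS[g][0]] = (char)('0' + v / 100);
        out[GROUP_POS[g][1]] = (char)('0' + (v / 10) % 10);
        out[GROUP_POS[g][2]] = (char)('0' + v % 10);
    }
    out[9] = '\0';
    return out;
}

int main(void)
{
    for (unsigned k = 0; k < 3; k++) {
        const char *s = turbogo_keygen(k);
        printf("%s -> flag %d\n", s, turbogo_check(s));
    }
    printf("12345678 -> flag %d (wrong length)\n", turbogo_check("12345678"));
    return 0;
}
```

With k = 0 the three groups are 106, 178 and 146, which scatter to the serial 184616071; changing the last character breaks group 3 (246 is not a multiple of 73) and the flag drops to 0, the same path that mov [ebp-05], 00 at 0043AB6F takes in the original.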
TurboGo ũϴ ̾߱⸦ ߽ϴ. ߾, ʳ? ̷ ̸ ڸ, 'Ž ö󰡱' ϰ ͽϴ. 'ʺ ũĿ' , ̷ ũ ִ '' α׷δ '츮 ͳ 2.0'̶ α׷ ֽϴ. α׷ TurboGo ũϴ ó, Ž ö󰡼 flag ٲ ũ ֽϴ. ׸, ٽ 帮  α׷ ִٸ ؼ( ϴ մϴ), װ 밡 ־ Ѵٰ մϴ. ׷ ʴٸ, ̷ ʿ䰡 ? θ warez/crackz. ̹ ϵǾ ִ α׷ 'ļ' , Ϸ ġ ũ ? Page 5 30. Mondschein Sonate op.27 30. Mondschein Sonate ȳϼ. ̹ InstallSHIELD Դϴ. InstallSHIELD ŹϽ ż ãƺٰ NaTzGUL̶ ũĿ Ƽ Űϴ. ôٽ, . ƿ~ ̰ ű ð µ ű 𸣰ڳ׿. ذ ǰŵ.. ׷, ű '' ذ Ǵ, д в ذ ǽ ڳ׿. 帮 , ű , ƴϸ ߿ Ʋ κ ּ. Ʋ κ ֽô е Ҵµ, 򿡴 ׷ 輼. ϰԵ ŷϴ ޶ ô е . ٽ Window$ ɿ ϴ. 70Kb , ̷ Ŀ ϱ, 50Kb Ѿ ƿ ؽƮ Ϳ ѱ ⸦ ź ± . ߸ߴ ¾ , ϴ. ϵ带 ߱ ִ ؽƮ Ͱ µ, ޸ '(= , , ü)' ؽƮ Ϳ ѱ ʳ׿. Aurora UltraEdit ٽ ٿ ޴ ͵ ؼ ٷ ٵ 𸣴(?) vi ֽϴ. 쿡 ڷ Ʋ 鼭 ִ ϳ Ƽ, ׷ Դµ, 찡 ٽ ϴ ¿ . Ҹ ϴ. ۿ Ư Ʋ ϴ. ׷ Ư(?) Ȩ ÷ ҽϴ(). ø鼭 ֽñ, Ʋȴ ϴ ּ. ׷ в ݾƿ. ̴ : ߿ G) WIN32.HLP ű ʾҽϴ. ¿ ʿ ͵ ƴϱ, WIN32.HLP ٸ ־. ű Ƽ ū . ------------------------------------------------------------------------------- ۾ : NaTzGUL [REVOLT?7] ޴ : natzgul@hotmail.com InstallSHIELD Script Cracking : + A) Ұ ( 'Ұ' ̴) + B) ʿ (Ƹ κ ʿ ̴) + C) ΰ(D б κ б⸦ ٶ) + D) ù° (ٸ ) + E) ι° (ũƮ ũ!!) + F) ̴ ( InstallSHIELD ġ ) + G) WIN32.HLP( ) + H) ̴ (̰ о ) + I) е( κ б⸦ ٶ, !!) ------------------------------------------------------------------------------- A) Ұ ù° ũ ¿ ȯѴ. ε ũ¸ Ѵ. Ͷ ¸ ־, ٸ   д η ;) ׷ ( ) 뼭ϰ ֱ ٶ. : ũ ־, ִ Ϸ ̴. ׷ Ƹ ʺ ũĿ ¸ ̴(Ƹ ;). ̹ ߵ, ¸ 鼭 Ƹ '' , . : 츮 ũ α׷ Twelve Tone Systems Cakewalk HomeStudio α׷̴. α׷ #Cracking(EFNET) Kirk_Hammκ - 𸥴. ״ ũ ʿ ̴. װ ø̼ ü ƴ϶ ġ Ǵ ʿ ̾. ũ 536KBۿ ʴ´. ׷ϱ ࿡ ߿ ʿ ִٸ Efnet̳ Email ؼ ָ, ٻ ְڴ =). PROTECTION : α׷ 3 protections ִ. 1. CD-CHECK 2. CD-KEY 3. SERIAL ------------------------------------------------------------------------------- B) ʿ ʿϴ: -Numega SoftICE 3.x (Ǹ ̴. Numega ) -URSoft W32Dasm 8.9 (ڷᰡ ִ ) -Hex-Workshop Ǵ ٸ  Hex-Editor (ȫ, ڵ尡 ִ ) -InstallSHIELD / α׷ Icompx ( Ȩ ÷ Lord Caligo ) - +Cracker, Ƽ Ǵ ī, ƴϸ 谡 ʿ ̴ ;) Lord Carligo Ȩ ִ. ߿ Ǹ ũ ڷ (Cracking Resource)̴. 
http:/cracking.home.ml.org ------------------------------------------------------------------------------- C) ΰ C:\TEMP 丮 Ǯشٸ Ʒ ̴: _SETUP.LIB 151 KB SETUP.EXE 659 KB _SETUP.DLL 5,98 KB SETUP.INS 89,5 KB SETUP.PKG ̰ . (ø̼ ü ߴٸ ξ ִ) 켱 츮 ؾ ϰڴ. InstallSHIELD ġϴ 쿡 δ. _SETUP.LIB InstallSHEILD ͺ̽ ̴. ġ ϴ exe̳ dll ֵ.  쿡 ̷ (Support Files) SETUP.EXE ִ 丮 ִ. 츮 Ϸ ũ 쿡 ϵ _SETUP.LIB ӿ Ǿ ִ(ڿ ٽ ). #Cracking ִ α׷ ü ϰ ִ ͺ̽ (xxx.1-x, xxx.z)̴. ũ ũ ;). . ֳϸ 츮 ũϴ α׷ ʿ䰡 ϱ ̴. ͺ̽ "13 5D 65 8C 3A 01 02 00" Ѵ. е xxx.z xxx.1-x ã ̷ Ʈ ڵ带 ã . ׸, ͺ̽ κп ̸ ִ. SETUP.PKG α׷ ͺ̽ Ͽ ִ ̸ ִ. 츮 ũϴ ̰͵ ʿ ʴ. SETUP.PKGϵ 츮 ʿ ʴ. InstallSHIELD ġ α׷ ϵ , SETUP.PKG ̿ϴ ƴѰ Ѵ. ƹư, 츮Դ ʿ ϱ Ѿ. _SETUP.DLL InstallSHIELD Resource DLḺ 츮Դ ߿ ʴ. ֳϸ װ  α׷ ġ̰ InstallSHIELD ġϴ ̶ ׻ ٴϴ Support File̱ ̴. SETUP.INS ġ ũƮ(Installation Script) ̸, InstallSHIELD ġ ־ ߿ κ̴ !!!. ۾ ϸ ġ κ ޼ ְ, 츮 ι° ߿ ϰ ̴. SETUP.EXE ͵ ߽ Ǵ ̸, ڸ ġ (Installation Engine)ν ũƮ ϰ DLL ȣϸ ũ (Disk-Access) Ѵ. ݱ . InstallSHIELD ؼ ˾Ҵ = ) ... ------------------------------------------------------------------------------- D) ù° (FIRST APPROACH) (CD-CHECK) : SoftICE ϰڴ. F5="^x;" F7="^here;" F8="^t;" F9="^bpx;" F10="^p;" F11="^G @SS:ESP;" F12="^p ret;" SoftICE ġ 丮 ִ winice.dat ϰ ־ Ѵ. EXP=c:\windows\system\kernel32.dll EXP=c:\windows\system\user32.dll Ʈ : տ "*"ǥð ְ ȣ ȿ ִ SoftICEȿ ؾ ϴ ͵ Ѵ! : ũ . 켱 ׳ ġ ϰ(SETUP.EXE)  ư 캸. , 켱 ۻڰ ϳ Ƣ ͼ ̷ Ѵ. "Setup must be run from the original CD(ġ CD Ǿ մϴ)". 츮 ۾ GetDriveTypeA("A" SETUP.EXE 32 Ʈ α׷̱ ̴.) ߴ ϴ ġ ´ ̴. GetDriveType ؼ ڼ Ѵٸ G) WIN32.HLP . * Ctrl+D SoftICE  , "BPX GetDriveTypeA" Ѵ. * "Ctrl+D"("F5") ƿ , ٽ Setup.exe Ѵ. , ۻڰ Ÿ SoftICE ̴. 츮 Kernel32 GetDriveTypeA ִ. κ . * "F11" , INSHELP Ű . ̷ !!! ̰ ? ̰ 丮 ʾҴµ!! * Ͽ ؼ ڼ ˾ "MOD INSHELP" ߴ, Ʒ ִٰ SoftICE ˷ ־: C:\TEMP\_ISTMP0.DIR\INSHELP.DLL 츮 , InstallSHIELD _ISTMP0.DIR̶ ̸ ӽ 丮 ־ ̶ ˾ҵ. °? Ʊ C) ͺ̽ Ͽ ʰ ֳ? ϴ°? Ѵٸ ٽ о!!! DLL и _SETUP.LIBϿ ̴. ׷ 츮  ġ ? 츮 ICOMPX InstallSHIELD / α׷ ִ ; ) _SETUP.LIB decompress ("ICOMP _SETUP.LIB *.* -d -i") Ʒ ִ: INSHELP.DLL UNINST.EXE _ISRES.DLL Ʒ ٸ support file ̰ 츮 ߿ ʴ. 
츮 ˰ ִ INSHELP.DLL CD-CHECK ϰ , _SETUP.LIBȿ ְ, 츮 _SETUP.LIB Ǯٰ ٽ ִٴ ̴. "ICOMP" ϸ α׷  ϴ ؼ ڼ ̴. Ͽ ,  patchؾ ˾ϱ SoftICE ̿غ. 츮 INSHELP.DLLȿ ִ. ׷ κ /ڵ Ʒ ̰ڴ. ִ Ͱ ù° 4ڸ ּҴ ٸ ִ!(relocation) ׸ SoftICE 100011A0 (0) Ÿϱ, װ !!! DWORD TABLE: :10001308 BA120010 DWORD 100012BA κ б(indirect jump) :1000130C C7120010 DWORD 100012C7 DWORD͵̴. :10001310 D4120010 DWORD 100012D4 κ ⿡ :10001314 E1120010 DWORD 100012E1 ϴ :10001318 EE120010 DWORD 100012EE ϱ Բ ϱ ؼ̴ ;) :1000131C B0110010 DWORD 00011B0 :10001320 FB120010 DWORD 100012FB Start of this routine: :10001160 81ECE8020000 sub esp, 000002E8 ӽ Stack-Frame :10001166 B9FFFFFFFF mov ecx, FFFFFFFF ecx=FFFFFFFF (ī) :1000116B 2BC0 sub eax, eax eax=0 :1000116D 56 push esi esi :1000116E 57 push edi edi :1000116F 8BBC24F4020000 mov edi, [esp + 000002F4] edi "C:\TEMP\" Ű ȴ :10001176 F2 repnz :10001177 AE scasb 0(end)̶ ڸ ˻ :10001178 F7D1 not ecx ecx=̰+1=9 :1000117A 2BF9 sub edi, ecx edi :1000117C 8BC1 mov eax, ecx ̰ eax :1000117E C1E902 shr ecx, 02 ̰ 4 ش = 2 :10001181 8BF7 mov esi, edi esi=edi "C:\TEMP\" Ű :10001183 8D7C2448 lea edi, [esp + 48] "CWHS_601" | :100011ED B938600010 mov ecx, 10006038 * Referenced by a Jump at Address:1000120C(C) | :100011F2 8A10 mov dl, [eax] ⼭ Volume Name "HD_C" :100011F4 3A11 cmp dl, [ecx] "CWHS_601" :100011F6 751A jne 10001212 (5) б! :100011F8 0AD2 or dl, dl :100011FA 7412 je 1000120E :100011FC 8A5001 mov dl, [eax+01] :100011FF 3A5101 cmp dl, [ecx+01] :10001202 750E jne 10001212 (5) б! :10001204 83C002 add eax, 00000002 :10001207 83C102 add ecx, 00000002 :1000120A 0AD2 or dl, dl :1000120C 75E4 jne 100011F2 * Referenced by a Jump at Address:100011FA(C) | :1000120E 33C0 xor eax, eax ! :10001210 EB05 jmp 10001217 ؼ ܰ躰 Ϸ б nopѾ Ѵ. * "F10" ܰ躰 Űٰ б⿡ , "a" "nop" ΰ ԷѴ. (4) б ġ CD Ǿ бȴ. ű⼭ ׷ бߴٸ Volume Filetype üũ ʴ´. F)κ о GetVolumeInformation (FileSystemFlags) ؼ ˾ƺ ٶ !! (5)κ б Ʒ κ б ̴... 
* Referenced by a Jump at Addresses:100011F6(C), :10001202(C) | :10001212 1BC0 sbb eax, eax eax=0 :10001214 83D8FF sbb eax, FFFFFFFF eax=1 * Referenced by a Jump at Address:10001210(U) | :10001217 85C0 test eax, eax eax=0̶ :10001219 740D je 10001228 10001228 б! ! :1000121B 33C0 xor eax, eax ׷ :1000121D 5F pop edi eax=0 б! ! :1000121E 5E pop esi :1000121F 81C4E8020000 add esp, 000002E8 :10001225 C20400 ret 0004 * Referenced by a Jump at Address:10001219(C) | :10001228 8D4C2414 lea ecx, [esp + 14] ecx File System "FAT" Ŵ * Possible StringData Ref from Data Obj ->"CDFS" | :1000122C B848600010 mov eax, 10006048 * Referenced by a Jump at Address: |:1000124B(C) | :10001231 8A11 mov dl, [ecx] ⿡ File System "FAT"̴ :10001233 3A10 cmp dl, [eax] "CDFS" 񱳵ȴ ! :10001235 751A jne 10001251 (6) б ! :10001237 0AD2 or dl, dl :10001239 7412 je 1000124D :1000123B 8A5101 mov dl, [ecx+01] :1000123E 3A5001 cmp dl, [eax+01] :10001241 750E jne 10001251 (6) б ! :10001243 83C102 add ecx, 00000002 :10001246 83C002 add eax, 00000002 :10001249 0AD2 or dl, dl :1000124B 75E4 jne 10001231 * Referenced by a Jump at Address:10001239(C) | :1000124D 33C0 xor eax, eax ! :1000124F EB05 jmp 10001256 ٽ (6) б⸦ nopѾ Ѵ!! ׷ (10001251) ' 'ν ϰ ȴ. * Referenced by a Jump at Addresses:10001235(C), :10001241(C) | :10001251 1BC0 sbb eax, eax , (10001212) ٽ ! 
:10001253 83D8FF sbb eax, FFFFFFFF * Referenced by a Jump at Address:1000124F(U) | :10001256 85C0 test eax, eax :10001258 740D je 10001267 10001267 б :1000125A 33C0 xor eax, eax :1000125C 5F pop edi :1000125D 5E pop esi :1000125E 81C4E8020000 add esp, 000002E8 :10001264 C20400 ret 0004 * Referenced by a Jump at Addresses:100011E0(C), :10001258(C) | :10001267 8A442448 mov al, [esp + 48] ;al=̺ ̸ "C" 43h :1000126B 8D8C24D8010000 lea ecx, [esp + 000001D8] :10001272 51 push ecx :10001273 A250600010 mov [10006050], al ^-------------"X:\Cakewalk\_setup.lib" * Possible StringData Ref from Data Obj ->"C:\Cakewalk\_setup.lib" | :10001278 6850600010 push 10006050 :1000127D E8EE010000 call 10001470 , Windows95 CD-Protection ˾Ҵ. -INSHELP 켱 ġ CD-ROM ǰ ִ ȮѴ. - Volume Name File System üũѴ. -׸ "setup.lib"̶ ȮѴ. - INSHELP ߵǾٸ "1" ְ ߸ ִٸ "0" ش. ̷ CD-CHECK ũ ִ. Ѿ... (CD-KEY) , ۻڴ ٽô ʴ´. 츮 ȯϴ â . ִ ĭ , 13ڸ CD-KEY ֱ ¼ ¼ ϶ ´. * "1234567890123" ְ GetWindowTextAԼ ߴ Ѵ : "BPX GetWindowTextA" NEXT -> ߸ SoftICE Ÿ. ̰ ʹ ; ) * 츮 GetWindowTextA ִ. "F11" α׷ ڵ ư. EAX ô. ֳϸ GetWindowTextAԼ ڿ ̰ ֱ ̴. ׷ ̷ !!!! ڿ ̰ ƴϾ. ڿ о ƴ ̴. = ( . ̰ ʺ ũĿ ũ ϰ ز Ӽ ̴. ̷ Ʈ α׷ Դٴ ͵ ˾ !! Setup 츮 ڿ о ̱ ؼ GetWindowTextA Ѵ. װ 츮 NEXT -> ư ٸ ʴ´. 츮 ϳ о ̴ ̴. * ׷ϱ 츮 ߴ : "BD 0", ׸ "12345678901234" ٽ ߴ * "BD 0".(̷ SoftICE ) ڸ back-spaceŰ §!!! ٽ GetWindowTextA Դ. * "F11" α׷ ڵ . ξ δ. ֳϸ EAX 0D, 13̱ ̴. ׷ϱ, 츮 ڿ ̴ ; ) 츮 Setup ȿ ִ. GetWindowTextA ٷ "LEA EAX, [EBP+FFFFFBF4]" ִ. ̰ EAX, 츮 ڿ Ű ִ ̴. * "F8"̳ "F10" ܰ躰 . * "D EAX" "1234567890123" ִ!! * ׷ 츮 ϴ ϱ, "BC *" ߴ . ޸𸮸 о̴ κ(Memory Access) ߴ . * "BPM EAX". ׸ SoftICE , ٷ ٽ SoftICE ̴. SoftICE ٸ ߴܵǾ, 츮 ߿ lstrcpyA̴. Ʒ ڵ ̴ : ... ............ REPNZ SCASB Դٸ ߴ ߴ . * "F8" ɸŭ ܰ Ѵ EDI ߴ : * "BPM EDI". ƴϸ ׳ SoftICE ͼ ġ â ƿ NEXT -> ߸ lstrcpyA ߴ ɸ鼭 SoftICE ̴. ̹ ߴ , Ʊó ɸŭ ܰ INSHELPȿ , EDI ߴ Ѵ !!! ׷ Ȱ dll ̴ ; ) ٽ ѹ ڵ ҽ ̴. ٽѹ ó 4ڸ ּҰ Ͱ Ʒ Ͱ ٸ ִٴ ֱ ٶ(relocation). SoftICE 10001377 ߴܵ ̴!!! 
Start of this routine: :10001350 83EC34 sub esp, 00000034 ӽ :10001353 53 push ebx ebx :10001354 56 push esi esi :10001355 57 push edi edi :10001356 E8D5FCFFFF call 10001030 ʱȭ Ǿ°? :1000135B 85C0 test eax, eax ok ? (Ƹ ׷ ̴) :1000135D 750B jne 1000136A ׷ٸ 1000136A б, ƴϸ :1000135F 33C0 xor eax, eax eax=0 . !!! :10001361 5F pop edi edi :10001362 5E pop esi esi :10001363 5B pop ebx ebx :10001364 83C434 add esp, 00000034 ӽ :10001367 C20400 ret 0004 Ret CD-CHECK ó ⼭ EAX=0 ϴ Ͱ. ܼ κ(10001350 ϴ) ణ ִ ͸ε CD-KEY ũ ִ. ̷ KEY-protection ũϴ ؼ ڼ ˰ ʹٸ ũ . : :10001350 83EC34 sub esp, 00000034 ӽ :10001353 53 push ebx ebx :10001354 56 push esi esi :10001355 57 push edi edi :10001356 E8D5FCFFFF call 10001030 ʱȭ Ǿ°? ٲٱ : :10001350 33C0 xor eax,eax eax=0 :10001352 40 inc eax eax=eax+1=1 :10001353 C20400 ret 0004 Ret Hex editor INSHELP.DLL  "83EC34535657" ã´. Ѱ( 750) ã ִ. κ "33C040C20400" Ѵ. _SETUP.LIB . ׳ "icomp inshelp.dll _setup.lib" ϸ ȴ. INSHELP.DLL . ʿϴ. ƹ ȣ ᵵ ̴, =) CD-KEY protection ؼ ˰ ? ƴ϶ ׳ (SERIAL) Ѿ!!! , ׷ ؼ κ . * Referenced by a Jump at Address:1000135D(C) | :1000136A 8B5C2444 mov ebx, [esp + 44] ebx 츮 ȣ Ų :1000136E 8D4C240C lea ecx, [esp + 0C] ecx ο ּҰ :10001372 8BC3 mov eax, ebx eax=ebx=츮 ȣ Ű :10001374 803B00 cmp byte ptr [ebx], 00 (9) KEY=NULL ? :10001377 741B je 10001394 κ ũϱ ؼ κ 10001467(24) ؾ ̴. eax=edx ٷ Ϲȣ̸ װ E7B37(15) ̴. (23) E7B38 (eax/edi) , (eax/12D6E1) ִ. (22) , κ ̴. κ ݺǸ鼭 (eax) ִ ġ ̴. 츮 ִ eax 4ڸ ̶ ̴. ֳϸ, 30*40*40*40+30*40*40+30*40+30=C30C30 > 12D6E1 ̱ ̴. 츮 KEY(seed KEY) "3xx6x1yyyyyyy" ̴. x ƹ ڶ , y ־ ϴ ̴. 켱, Setupα׷ ư KEY . "3006010000000" KEY . ε KEY(vaild KEY) 켱 İ(Brute-Force-Crack) = ) ƴ, α׷ Ϲȣ ª Ǵ ð ɸ ̴. Ϲȣ E7B37 񱳵Ǵ 100013C1(15) ܰ躰 . 100013C6 ͼ κ ڵ带 ణ . * EBX ϱ, īͷ . "r ebx=0"̶ Ѵ. * "a" ؼ 츮 κп ν(procedure) ־ Ѵ. ν Ϲȣ ã ̴. Ʒ ּҰ ּҰ ° ־ Ѵ. 
* "JNZ GO_ON" KEY ƴ, GO_ON б * FOUND: "NOP" ǰ ⼭ 缭 캼 ̴ * GO_ON: "CMP EBX,1312CFF" 0-19999999 ̿ ִ Ȯ * "JZ FAIL" ׷ ʴٸ FAIL б * "MOV ESI,[ESP+C]" ESI 츮 KEY Ű ִ * "MOV EAX,EBX" EAX=EBX * "MOV ECX,A" ECX=A=10d * CONVERT_DEC: "XOR EDX,EDX" EDX=0 * "DIV ECX" EAX=EAX/ECX, EDX=(EAX/ECX) * "ADD DL,30" EDX=EDX+"0" * "MOV [ESI+C],DL" ڸ KEY * "DEC ESI" ESI ٷ ڸ Ű ִ * "CMP EAX,0" ? * "JNZ CONVERT_DEC" CONVERT_DEC б * "JMP 100013B7" κп KEY Ȯ! GO_ON 񱳴 α׷ ID(App-ID) ջ ʾҴ ȮѴ. * , ڵ带 Էߴٸ ; ) ݱ ߴ ߴ ְ "BC *" * ο ߴ FOUND . ׸ SoftICE ٸ..... SoftICE FOUND ̴, 켱 EAX Ȯ. E7B37 ̴ * ׷ Դٸ KEY "D [ESP+C]" Ȯ ִ. Ʊ ־ KEY(seed KEY) ؼ "3006010147046" KEY(vaild KEY) . = ) * 츮 ν ؼ EIP 1000142D ٲ ־ Ѵ "r eip=1000142D" ׸ ߴ . , SoftICE ͼ, Setup ư. ġ ϰ ٽ Ʊ  KEY ־. : - KEY ݵ 13ڸ ڸ Ѵ. - KEY 4 ڰ ִ. "3xx601yyyyyyy". װ ٷ α׷ ID(3601), ׷ϱ Twelve Tone Systems ٸ α׷ ϱ ̴ ̴. Setup α׷ ID INSHELP Ѱش. - yyyyyyy (Brute-Force-Cracking)  ִ. κ protection ũǾ, Ѿ... ------------------------------------------------------------------------------- (SERIAL) KEY ũ ణ Ӽ ־, ·ư , Ϲȣ ϴ Դ Setup α׷ ̸(User-Name), ȸ(Company), Ϲȣ(Serial) ´. ׳ ƹ ų . ̸ "NaTzGUL", ȸ "REVOLT", Ϲȣ "1234567890" . KEY ũ ߴͰ Ȱ ϸ, SoftICE ̴. Ϲȣ Ȯϴ ڵ尡 ̱. ߴ!! push, pop ׸ call ʹ ʹ ִ. ϰ, ñ! κ ũϱ ؼ ο ʿϴ. ------------------------------------------------------------------------------- E) ι° : ù° ణ̶ о ð, α׷(INSHELP) ״ ִٰ Ѵ  : ZEN!!(ZEN ׳ ״ ZEN̶ ϴ. ñ е +ORC (HOW TO CRACK) о -+kurt) ׷, 츮 ʿ ٷ װŴ = ) ù° ؼ ϸ鼭 , InstallSHIELD ġ ߿ ϰ ִ SETUP.INS̴. SETUP.INS ϵ ũƮ̴. ̰ ϴ° ϴ, DZ ⺻ ɵ ϰ ־ ̶ ̴. - "IF,THEN,(ELSE)" - "GOTO" - "CALL" - "RETURN()" - "LOAD","OPEN","CLOSE" - "MESSAGEBOX" - etc. α׷ ũϴ · ǵ ʿ Ŷ ߴ. ߿ "IF, THEN" ̴. ũƮ Ƹ ̸, ̴: IF 񱳱 THEN ..... 񱳱 = (μ1) (arg2) μ1 ̰, μ2 Ǵ ̴(翬 ϴ ȵȴ!) 񱳱 6 ϳ ̴: : ׿ б: LOWER-EQUAL JLE GREATER-EQUAL JGE LOWER JL GREATER JG NOT-EQUAL JNE EQUAL JE Ÿ ̴: Compare_mnemonic,result,Byte_A, arg1, Byte_B, compare_type, Byte_C, arg2 Byte_A arg1 Ű ְ, Byte_B compare_type ´. Byte_C arg2 Ű ְ, arg2 ش. 
* Referenced by a Jump at Address:0043C89F(C)
|
:0043C7B2 8B45F4         mov eax, [ebp-0C]              ; eax = arg1
:0043C7B5 3945F8         cmp [ebp-08], eax              ; compare arg2 with arg1
:0043C7B8 0F8E0C000000   jle 0043C7CA                   ; comparison 1 (LOWER-EQUAL)
:0043C7BE C745FC01000000 mov [ebp-04], 00000001         ; result 1 into [ebp-4]
:0043C7C5 E907000000     jmp 0043C7D1                   ; jump to end

* Referenced by a Jump at Address:0043C7B8(C)
|
:0043C7CA C745FC00000000 mov [ebp-04], 00000000         ; result 0 into [ebp-4]

* Referenced by a Jump at Address:0043C7C5(U)
|
:0043C7D1 E906010000     jmp 0043C8DC                   ; jump to end

* Referenced by a Jump at Address:0043C8A9(C)
|
:0043C7D6 8B45F4         mov eax, [ebp-0C]
:0043C7D9 3945F8         cmp [ebp-08], eax
:0043C7DC 0F8D0C000000   jnl 0043C7EE                   ; comparison 2 (GREATER-EQUAL)
:0043C7E2 C745FC01000000 mov [ebp-04], 00000001
:0043C7E9 E907000000     jmp 0043C7F5

* Referenced by a Jump at Address:0043C7DC(C)
|
:0043C7EE C745FC00000000 mov [ebp-04], 00000000

* Referenced by a Jump at Address:0043C7E9(U)
|
:0043C7F5 E9E2000000     jmp 0043C8DC

* Referenced by a Jump at Address:0043C8B3(C)
|
:0043C7FA 8B45F4         mov eax, [ebp-0C]
:0043C7FD 3945F8         cmp [ebp-08], eax
:0043C800 0F8C0C000000   jl 0043C812                    ; comparison 3 (LOWER)
:0043C806 C745FC01000000 mov [ebp-04], 00000001
:0043C80D E907000000     jmp 0043C819

* Referenced by a Jump at Address:0043C800(C)
|
:0043C812 C745FC00000000 mov [ebp-04], 00000000

* Referenced by a Jump at Address:0043C80D(U)
|
:0043C819 E9BE000000     jmp 0043C8DC

* Referenced by a Jump at Address:0043C8BD(C)
|
:0043C81E 8B45F4         mov eax, [ebp-0C]
:0043C821 3945F8         cmp [ebp-08], eax
:0043C824 0F8F0C000000   jg 0043C836                    ; comparison 4 (GREATER)
:0043C82A C745FC01000000 mov [ebp-04], 00000001
:0043C831 E907000000     jmp 0043C83D

* Referenced by a Jump at Address:0043C824(C)
|
:0043C836 C745FC00000000 mov [ebp-04], 00000000

* Referenced by a Jump at Address:0043C831(U)
|
:0043C83D E99A000000     jmp 0043C8DC

* Referenced by a Jump at Address:0043C8C7(C)
|
:0043C842 8B45F4         mov eax, [ebp-0C]
:0043C845 3945F8         cmp [ebp-08], eax
:0043C848 0F850C000000   jne 0043C85A                   ; comparison 5 (NOT-EQUAL)
:0043C84E C745FC01000000 mov [ebp-04], 00000001
:0043C855 E907000000     jmp 0043C861

* Referenced by a Jump at Address:0043C848(C)
|
:0043C85A C745FC00000000 mov [ebp-04], 00000000

* Referenced by a Jump at Address:0043C855(U)
|
:0043C861 E976000000     jmp 0043C8DC

* Referenced by a Jump at Address:0043C8D1(C)
|
:0043C866 8B45F4         mov eax, [ebp-0C]
:0043C869 3945F8         cmp [ebp-08], eax
:0043C86C 0F840C000000   je 0043C87E                    ; comparison 6 (EQUAL)
:0043C872 C745FC01000000 mov [ebp-04], 00000001
:0043C879 E907000000     jmp 0043C885

* Referenced by a Jump at Address:0043C86C(C)
|
:0043C87E C745FC00000000 mov [ebp-04], 00000000

* Referenced by a Jump at Address:0043C879(U)
|
:0043C885 E952000000     jmp 0043C8DC

* Referenced by a Jump at Address:0043C8D7(U)
|
:0043C88A C745FC00000000 mov [ebp-04], 00000000
:0043C891 E946000000     jmp 0043C8DC
:0043C896 E941000000     jmp 0043C8DC

* Referenced by a Jump at Address:0043C7AD(U)
|
:0043C89B 837DEC01       cmp [ebp-14], 00000001         ; the compare type is dispatched from here

To summarize, the comparison types:

comparison       symbol   branch   type (dword)
LOWER-EQUAL      <=       JLE      1
GREATER-EQUAL    >=       JGE      2
LOWER            <        JL       3
GREATER          >        JG       4
NOT-EQUAL        !=       JNE      5
EQUAL            =        JE       6

MESSAGEBOX byte structure: 2A,0,61,length(word),text. It shows a message box with the given text on screen.

The comparison of IF-THEN is what we want to know about, so the START section below goes straight to it; the other commands can be worked out the same way, so I leave them out. = )

An IF-THEN has this form: COMPARE, BRANCH_TO location IF !(result - arg_x). (result - arg_x) is 0 when the comparison result equals arg_x and non-zero otherwise; depending on the comparison, arg_x is 0 or 1.

IF-THEN byte structure: COMPARE-structure, BRANCH_TO_mnemonic, l_index, SUB, Byte_A, result, Byte_C, arg_x
BRANCH_TO_mnemonic = 22,0,70
SUB = 95 (in an IF-THEN instruction!)
Byte_A = "B" = 0x42 means the value that follows is an index.
Byte_B = "A" = 0x41 means the value that follows is an immediate (arg_x in an IF-THEN is an immediate).
l_index = location index
result = index of the variable that holds the comparison result
arg_x = immediate, 0x00000000 in an IF-THEN
The BRANCH locations are offsets inside the script, stored in a table:
location = dword[l_index*6 + Branch-Table-Offset + 2]
Location-Table-Offset = offset of the string "_EWQ" (14546 in this script; just search the script for "_EWQ" and you will find it).
GOTO byte structure: 2C,00,70,l_index

That is as far as I took the instructions. It is not complete, but it is enough for what we need. With this a decompiler could be written: knowing where Setup executes the script, working out what each mnemonic does is not hard, but that is not the subject here and it would make this far too long. So, on to our first script cracking. = )...

START: (CD-CHECK)
First we have to find out what the CD-CHECK looks like inside the script.
Ƹ ̴: arg1=CALL(INSHELP,CD-CHECK) IF arg1=0 THEN MESSAGEBOX "Setup must be run from the original CD":END ELSE RETURN(1) Ǵ... arg1=CALL(INSHELP,CD-CHECK) IF arg1 != 0 THEN RETURN(1) ELSE MESSAGEBOX "Setup must be run from the original CD":RETURN(0) ڵ带 ϰ , Ʈ ڵ ̴. 28,01,32,"B",arg1 (word),"A",6 (dword),"A",0 (dword),...,2A,0,61,27 (word),"Setup must be..." or this... 28,01,32,"B",arg1 (word),"A",5 (dword),"A",0 (dword),...,2A,0,61,27 (word),"Setup must be..." ⿡ SETUP.INS κ ...( 8D70) arg1_ε_() 5!!! _ε_() κ 5̶ ˾Ƿ, ׳ 6 ٲ ⸸ ϸ CD-CHECKDκ ũ ̴. ! ׷, ġ INSHELP ϰ ־ Ѵ. ߴ ġ INSHELP ϰ ִٸ, 츮 ϴ Ͱ ݴ밡 ̴. (CD-KEY) SETUP.INSϿ 2A,0,61̶ Ʈ ڵ带 ãƼ, CD-KEY κ Ȯϰ ִ κ ˾Ƴ. 8FD0̾. 8FD0 42 00 00 28 01 32 2E 00 42 2D 00 41 02 00 00 00 B..(.2..B-.A.... KEY- ! 904C 6 ٲָ KEY-Protection ̴, !! ƹ ̳ ־ Ϲȣ ȴ. , ࿡ 4 Ѵٸ Ϲȣ ƹ ͵ ʾƵ ȴ (Serial) , Serial-Check ũ . κ INSHELP ʰ, ٸ DLL ʴ´. ũƮ ̿Ѵ. ۻڸ 5 6 ̶ ̴. 츮 SoftICE ϴ ۿ ڴ. Setup ϴ κп ϰ ִ ˾ ؼ ̸(User-Name), ȸ(Company), ׸ Serial ־ Ѵ. "123456789" ־. Ctrl+D SoftICE ҷ, Setup ڵ ȿ ִ Ȯ ؾ Ѵ(ڵâ Ʒ 뿡 "Setup"̶ ־ Ѵ) ࿡ Kernel̳ User API ִٸ Setup ȿ  "F12" ȴ. * 0043C89B ߴ Ѵ "bpx 0043C89B" װ ϴ κ ۵Ǵ ̴. SoftICE ͼ NEXT-> ߸ . SoftICE 0043C89B ̴. ׸ Setup 񱳸 Ѵ. ⿡ : Comparisions: Compare_type: (1) 0 != 1 5 ߿ ʴ (2) 0 >= 3 2 ߿ ʴ(ڿ ġ Ű ?) (3) 9 31 4 ̰ serial ù° (5) 7A 31 4 "a"-"z","A"-"Z","0"-"9" Ȯ (7) 5A 31 4 (9) 39 츮 serial ڸ ϳϳ ϰ ִ . 츮 serial ƴϴϱ, 񱳺κ ӿ (3) κ ڿ ġ Ű ִ Ϳ ϰ ִ . ׷ 츮 serial ڿ ̸ ϰ ִ. κ , Ųٷ κ ̴. ⿡ Ʈ Ÿ. 6240 00 28 01 32 2E 00 42 2D 00 41 02 00 00 00 41 00 .(.2..B-.A....A. κ Serial 6250 00 00 00 22 00 70 D7 00 95 42 2E 00 41 00 00 00 ...".p?B..A... ƹ ڶ ־ 6260 00 B5 00 80 66 00 70 DB 00 62 26 00 21 00 32 2D .?f.p?b&.!.2- Ȯϰ ִ. 6270 00 42 00 00 22 00 70 D4 00 95 42 2D 00 41 00 00 .B..".p?B-.A.. 6280 00 00 21 00 32 9B FF 41 01 00 00 00 2C 00 70 D6 ..!.2?A....,.p? 
  6290  00 00 00 02 00 3A 00 41 00 00 00 00 2A 00 61 37  .....:.A....*.a7
  62A0  00 50 6C 65 61 73 65 20 65 6E 74 65 72 20 79 6F  .Please enter yo
  62B0  75 72 20 73 65 72 69 61 6C 20 6E 75 6D 62 65 72  ur serial number
  62C0  20 74 6F 20 63 6F 6E 74 69 6E 75 65 20 77 69 74   to continue wit
  62D0  68 20 73 65 74 75 70 2E 41 01 00 FF FF 00 00 00  h setup.A..??...
  62E0  00 00 00 01 00 2C 00 70 D9 00 00 00 06 00 2F 00  .....,.p?..../.
  62F0  62 24 00 21 00 32 2D 00 42 00 00 28 01 32 2E 00  b$.!.2-.B..(.2..
  6300  42 2D 00 41 03 00 00 00 41 00 00 00 00 22 00 70  B-.A....A....".p   checks that a
  6310  D8 00 95 42 2E 00 41 00 00 00 00 3A 00 41 00 00  ?B..A....:.A..     Name was entered
  6320  00 00 2A 00 61 2E 00 50 6C 65 61 73 65 20 65 6E  ..*.a..Please en
  6330  74 65 72 20 79 6F 75 72 20 6E 61 6D 65 20 74 6F  ter your name to
  6340  20 63 6F 6E 74 69 6E 75 65 20 77 69 74 68 20 73   continue with s
  6350  65 74 75 70 2E 41 01 00 FF FF 00 00 00 00 00 00  etup.A..??......
  6360  01 00 2C 00 70 D3 00 00 00 02 00 01 00 41 32 00  ..,.p?......A2.
  6370  00 00 B8 00 00 00 06 00 B6 00 10 00 01 00 02 02  ..?...........
  6380  00 00 05 00 00 00 2F 00 62 9B FF 21 00 32 2D 00  ....../.b?!.2-.
  6390  42 00 00 21 00 32 9A FF 42 2D 00 21 00 32 99 FF  B..!.2?B-.!.2?
  63A0  41 00 00 00 00 21 00 32 98 FF 41 00 00 00 00 00  A....!.2?A.....
  63B0  00 10 00 29 01 28 01 32 2D 00 42 99 FF 41 01 00  ...).(.2-.B?A..    (3) of course !!!
  63C0  00 00 42 9A FF 22 00 70 E5 00 95 42 2D 00 41 00  ..B?".p?B-.A.
  63D0  00 00 00 7A 00 32 97 FF 52 9B FF 42 99 FF 28 01  ...z.2?R?B?(.
  63E0  32 2D 00 42 97 FF 41 04 00 00 00 41 61 00 00 00  2-.B?A....Aa...    (4)
  63F0  28 01 32 2E 00 42 97 FF 41 03 00 00 00 41 7A 00  (.2..B?A....Az.    (5)
  6400  00 00 27 01 32 2F 00 42 2D 00 42 2E 00 28 01 32  ..'.2/.B-.B..(.2
  6410  2D 00 42 97 FF 41 04 00 00 00 41 41 00 00 00 28  -.B?A....AA...(    (6)
  6420  01 32 2E 00 42 97 FF 41 03 00 00 00 41 5A 00 00  .2..B?A....AZ..    (7)
  6430  00 27 01 32 30 00 42 2D 00 42 2E 00 26 01 32 2D  .'.20.B-.B..&.2-
  6440  00 42 2F 00 42 30 00 22 00 70 DF 00 95 42 2D 00  .B/.B0.".p?B-.
  6450  41 00 00 00 00 28 01 32 2E 00 42 99 FF 41 02 00  A....(.2..B?A..
  6460  00 00 41 03 00 00 00 22 00 70 DD 00 95 42 2E 00  ..A....".p?B..
  6470  41 00 00 00 00 2F 01 B7 00 41 00 00 00 00 00 00  A..../.?A......
  6480  00 00 00 00 01 00 19 01 32 98 FF 42 98 FF 41 01  ........2?B?A.
  6490  00 00 00 00 00 00 00 00 00 08 00 28 01 32 2D 00  ...........(.2-.
  64A0  42 97 FF 41 04 00 00 00 41 30 00 00 00 28 01 32  B?A....A0...(.2    (8)
  64B0  2E 00 42 97 FF 41 03 00 00 00 41 39 00 00 00 27  ..B?A....A9...'    (9)
  64C0  01 32 2F 00 42 2D 00 42 2E 00 22 00 70 E3 00 95  .2/.B-.B..".p??
  64D0  42 2F 00 41 00 00 00 00 28 01 32 2D 00 42 99 FF  B/.A....(.2-.B?
  64E0  41 01 00 00 00 41 03 00 00 00 22 00 70 E1 00 95  A....A....".p??
  64F0  42 2D 00 41 00 00 00 00 2F 01 B7 00 41 00 00 00  B-.A..../.?A...
  6500  00 00 00 00 00 00 00 01 00 19 01 32 98 FF 42 98  ...........2?B?
  6510  FF 41 01 00 00 00 00 00 00 00 00 00 02 00 19 01  ?A..............
  6520  32 99 FF 42 99 FF 41 01 00 00 00 2C 00 70 DC 00  2?B?A....,.p?
  6530  00 00 04 00 28 01 32 2D 00 42 98 FF 41 06 00 00  ....(.2-.B?A...    (11) length check
  6540  00 41 0D 00 00 00 22 00 70 E6 00 95 42 2D 00 41  .A....".p?B-.A
  6550  00 00 00 00 2F 01 B7 00 41 00 00 00 00 00 00 00  ..../.?A.......

If you change the compare type of (3) (at 63BE) to 2, the whole character-check part is skipped.
At (11) Setup checks that the serial is 13 characters long. Change the byte at 653D to 5 and the Serial Check is cracked too.

Summary: Script Cracking is the first thing to try. We did not have to locate the MessageBox and trace through Setup; a few bytes in the script had to be changed, and that was it. Once the script opcodes are known a decompiler could be written, but that takes time. Until then,

-------------------------------------------------------------------------------
F) ADDON (Common InstallSHIELD Installation)

This part shows what a common InstallSHIELD installation looks like.
Setup.exe (InstallSHIELD 2.x) is 16 bit and is called "The Installation launcher". On a Win32 OS it needs the support file _inst32i.ex_. Such an installation therefore looks a little different from the one in the tutorial.
_inst32i.ex_ is self-extracting; it is not an icompx-compressed file !!! It contains the following files (name inside _inst32i.ex_ / name after extraction):

  INSTALL.EXE    _INS0432._MP
  LZWSERV.EXE    _INZ0432._MP
  WUTL95i.DLL    _WUTL95.DLL
  BOOT16.EXE     _INJ0432._MP

When Setup initialises, _inst32i.ex_ is unpacked into the Windows temporary directory (C:\Windows\Temp). While the installation is running, Windows\Temp looks like this:

  DIR                        This dir will be created by _ins0432._mp !!!
  _INS0432._MP    659 KB     This is exactly Setup.exe from this Tutorial !!!
  _INZ0432._MP    20,1 KB    This is LZWSERV.EXE (doing the de-compress.)
  _WUTIL95.DLL    36,0 KB    A win95 support file
  _ISTMP0.DIR     content :
    _SETUP.LIB    151 KB     This is exactly the same compressed lib file !!!
    1f8584.DLL    89,0 KB    Support DLL
    INSHELP.DLL   23,5 KB    Yup, da same DLL !!!
    UNINST.EXE    292 KB     Also da same one

As you can see these are exactly the files we dealt with above; only the names are different. That's all there is to it !!! If you want to crack such an installation, work on the renamed files in the same way.

-------------------------------------------------------------------------------
H) LAST WORDS

-------------------------------------------------------------------------------
I) GREETINGS

Groups: REVOLT, #CRACKING, UCF, PC97, HERITAGE, CRC32, #CRACKING4NEWBIES, CORE, RZR, PWA, XF, DEV etc.
PERSONAL: CoPhiber, Spanky, Doc-Man, Korak, lgb, DDensity, Krazy_N, delusion, riches, Laamaah, Darkrat, wiesel, DirHauge, GnoStiC, JosephCo, niabi, Voxel, TeRaPhY, NiTR8, Marlman, THE_OWL, razzia, K_LeCTeR, FaNt0m, zz187, HP, Johnastig, StarFury, Hero, +ORC, +Crackers, Fravia+, LordCaligo, BASSMATIC, j0b, xoanon, EDISON etc.

(c) 1998 NaTzGUL All rights reversed
-------------------------------------------------------------------------------
Thanks once more to NaTzGUL for his tutorial.

Page 5

31.

This chapter is Frog's Print's tutorial on Sourcer 7.0, translated here. It is about cracking a DOS program, something that has not been covered in the earlier chapters; cracking a DOS program means knowing the DOS interrupts, which is harder than the Windows API. Sourcer, the target, is itself a well-known DOS disassembler that produces commented source from a binary.

-------------------------------------------------------------------------------
SOURCER 7 (DOS BPINT) by Frog's Print

Sourcer 7.0 (V Communications) is a famous DOS disassembler. If you found it on the Internet, the zip comes with a serial number (a "cracker's" serial); this tutorial shows how Sourcer 7.0 itself is cracked.
If you run an old OS you can follow along with a new SoftICE 3.21, since cracking a DOS program does not need much. Here Sourcer 7.0 is used as the example.

INSTALL.BAT asks for the key:

  Please enter the product serial number from the Sourcer diskette label (i.e. SX123456-ABCD).
  S/N:_

The "_" right after "S/N:" is the cursor. The program prints the prompt and waits for the key to be typed. Every time a character is typed the cursor moves one place to the right (as in any text editor :-), so the program positions the cursor after each character it accepts. The DOS interrupt that positions the cursor is:

  Int 10h, function 02h (set cursor position)
    AH = 02h
    DH = row    (0..24)
    DL = column (0..79)

Sourcer 7.0 puts the cursor at row 14 (0x0e), column 36 (0x24) when the prompt is first shown. To check that, break out of the install program (ctrl-c) and set a breakpoint on Int 10h, function 02h, row 14, column 36:

  BPINT 10 IF Ah==02 &Dh==0x0e &Dl=0x24 DO "rs"

The "rs" part is not required: it just restores the program's screen instead of SoftICE's, so you can see what the program is doing. Even without it we would find what we are looking for. Run INSTALL.BAT again. SoftICE breaks three times before the cursor is at the prompt:

 - first break:
     Please enter the product serial number from the Sourcer diskette label (i.e. SX123456-ABCD).
     S/N:
 - second break:
     Please enter the product serial number from the Sourcer diskette label (i.e. SX123456-ABCD).
     S/N:   (+ the typed character)
 - third break:
     Please enter the product serial number from the Sourcer diskette label (i.e. SX123456-ABCD).
     S/N:   (+ the character after the arrow key)
 - fourth break (the one where the cursor is at the prompt):
     Please enter the product serial number from the Sourcer diskette label (i.e. SX123456-ABCD).
     S/N:_

So the interrupt and the position are right. Now remove that breakpoint and set a simpler one on INT 10, AH=02h only:

  BPINT 10 IF Ah==2

Whatever character you type now, SoftICE breaks; press the key once more to get the break we want. When it stops we want to know where the key is checked, and tracing on from there we land in this part of SRIN.EXE:

  00011447: 9A04006E12     call 0126E:00004        ; we arrive here
  0001144C: 83C406         add sp,006
  0001144F: 16             push ss
  00011450: 8D46EE         lea ax,[bp][-0012]       ; ax -> the typed input
  00011453: 50             push ax
  00011454: 9A7F360000     call 00000:0367F
  00011459: 83C404         add sp,004
  0001145C: 16             push ss
  0001145D: 8D46EE         lea ax,[bp][-0012]
  00011460: 50             push ax
  00011461: 90             nop
  00011462: 0E             push cs
  00011463: E8A100         call 000011507
  00011466: 83C404         add sp,004
  00011469: 8BF8           mov di,ax                ; di = result of the check
  0001146B: 0BFF           or di,di                 ; serial accepted?
  0001146D: 7429           je 000011498             ; yes: go to the re-check
  0001146F: 9AA415F31A     call 01AF3:015A4         ; no..
  00011474: 1E             push ds                  ; ..bad guy
  00011475: 68981F         push 01F98               ; "invalid number" message
  00011478: 6A0E           push 00E
  0001147A: 6AFF           push 0FF
  0001147C: 6A11           push 011
  ...
  ...
  0001148A: 6A0E           push 00E
  0001148C: 6AFF           push 0FF
  0001148E: 6A12           push 012
  00011490: 9AB502F31A     call 01AF3:002B5
  00011495: 83C40A         add sp,00A
  00011498: 0BFF           or di,di                 ; re-check the serial!!
  0001149A: 7403           je 00001149F             ; good guy
  0001149C: E96CFF         jmp 00001140B            ; bad guy

To crack this part, changing the first "or di, di" to "xor di, di" is enough to finish the installation.
As you see, it took a little time to understand how the program works, but nothing more, provided you know the DOS interrupts. With BPINT you can crack any DOS program: *.COM and *.EXE files all need the interrupts to do anything.

Frog's Print October 1997 - (c) Frog's Print, 1997. All rights reversed.
-------------------------------------------------------------------------------
Thanks again to Frog's Print for letting us translate his tutorial.

Page 5

to beginners

For beginners who have read the cracking chapters and want something to practise on, here are some programs and the technique each one needs. Only what is on this homepage is used; read the chapters first.

hear the echo
 - PicaView: at the compare part the serial is visible in memory; the sice "d" command shows it (that is how the PicaView serial was found). A program cracked this way does not need re-cracking when a new version comes out (the '98 version was done the same way).
 - WinZip 7.0: if you crack WinZip with hear the echo, one of the tasks is to find the three different serials that belong to one 'name'.
 - Brick Layer 2.5a: a program that tells you your lottery luck. Same technique.
 - Virtual CDROM 1.0 (Logicraft Information Systems): a patch (keygen) already circulates, but we are crackers, so hear the echo again.

walking up the stack
 - TurboGo and the K... chapter used this: from the message box walk up the stack to the serial check. Most programs can be cracked this way, although some do not show a message box at all.
 - Opera (2.0): runs 60 days after installation; when the period is over a 'nag message' appears. From the message box walk up the stack to the 'important' part. Beginners: break on the dialog box functions and walk up the stack.
 - Taku Chan: a Japanese go-playing program limited to 50 or 100 moves (depending on the level). Walking up the stack works, but using the disassembled source is much easier than sice here.

changing the branch
 - The basic pattern: when the serial is entered, the program checks it somewhere, puts 1 in eax when it is right and 0 otherwise, then tests eax and branches:

     call serial_check
     test eax, eax
     jnz  registered / not_registered

   Only the jnz/jz has to be changed.
 - NoteWorthy Composer 1.55b (32bit): a score editor that prints only 10 bars until registered (Register Form). The serial check protection is of this type; find the 'branch'.
 - LviewPro 2.1: an image viewer with a 21-day trial. Either walk up the stack or break on GetLocalTime (or GetSystemTime), find the 'important' part and change the branch.

to beginners

Page 1
  1. Intro: tools needed for cracking
  2. About A Girl: W32Dasm7.exe (w32dasm); remove the usage count, save the source (corrected 99.3.16)
  3. The Man Who Sold The World: PicaView.dll (1) (SoftIce; PicaView serial; KeyGen)
  4. The Unforgiven: WinRAR95 (ver 2.0) (SoftIce; translation of Little-John's tutorial)
  5. Lithum: PicaView.dll (2) (SoftIce; PicaView serial; KeyGen)
  6. Until It Sleeps: Add Web 1.23 (W32Dasm; protection scheme 1997; translation of Tristan's tutorial)
  7. Yellow Submarine: HexWorkshop (ver 2.53) (W32Dasm; for beginners read the other chapters first; translation of Heres' tutorial)

Page 2
  8. Come As You Are: PicaView.dll (3) (SoftIce; first part of the serial)
  9. Eight Days A Week: Filo v1.7, WhoSock v1.91, ExIcon v1.9a, Horas v2.1 (SoftIce; translation of Plushmm[PC'97])
 10. Year Of The Boomerang: AddLink (SoftIce; NAG Screen; keygen; translation of Jon's tutorial)
 11. Dumb: PicaView.dll (SoftIce; second part of the serial; end of the PicaView story)
 12. Revolver: Arjshell32 (W32Dasm, SoftIce; enabling save; Flag crack; translation of Rundus' tutorial)
 13. Something In The Way: ...98 (SoftIce; protection scheme 1998 : )
 14. Imagine: Visual Basic crack (Hex Editor; translation of +Sync's tutorial; beginner level)

Page 3
 15. Heart-Shaped Box: HexWorkshop (ver 2.54) (SoftIce; 3-minute crack)
 16. Nothing Else Matters: Notepad (W32Dasm; changing the Notepad font; translation of Mammon_'s tutorial; for beginners)
 17. Battery: screen saver password crack (SoftIce; partial translation of Mammon_)
 18. Walk!: encryption (How to reverse engineer encrypted files; translation of Jon's tutorial)
 19. In Dreams: JavaScript MessageBox (SoftIce; Netscape; translation of +YOSHi)
 20. In My Life: PolyView 3.00 beta 9 (W32Dasm; for beginners; translation of The_RudeBoy_[PC])
 21. Por Una Cabeza: Rhino32 (W32Dasm/SoftIce; Time Trial Crack; translation of Sojourner)

Page 4
 22. Love Buzz: ...98 IMF (SoftIce; date crack; for beginners)
 23. Roll Right: Window$98 serial number (M$ : ); translation of IH8U)
 24. Beautiful People: Netscape (Borland Resource Workshop; changing resources; translation of Mammon_)
 25. Stairway To Heaven: Disassembly (excerpt from cRACKER's nOTES; finding functions/parameters in disassembled source; translation of Rhayader)
 26. All Apologies: K... (W32DASM; keyboard input crack)
 27. FAGET: SoftICE (installing SoftICE; translation of +OCHE SATRIANI / +OBLLEK)
 28. I Hate Myself And Want To Die: SoftICE KeyGen

Page 5
 29. Serve the Sevants: TurboGo for window$95 v4.01 (SoftIce; 'flag' crack; for beginners)
 30. Mondschein Sonate: InstallSHIELD (script cracking; translation of NaTzGUL)
 31. Sourcer 7.0 (SoftICE; DOS interrupts (BPINT); translation of Frog's Print)
FAQ

Questions that visitors have sent by mail, with answers. Corrections are welcome.
 1. What is "crack"?
 2. The text on this homepage does not display properly
 3. How do I run a program under sice?
 4. The sice screen looks strange
 5. sice settings (INIT)
 6. Can I link to this homepage?
 7. Opcodes, disassembler, hex editor... what are they all for?
 8. Where can I get w32dasm?
 9. "symbol not defined"
10. How do I set up a multi-boot configuration?
11. Can I download the whole homepage at once?
12. Crack requests
13. How do I become a hacker? / How do I do hacking?

-------------------------------------------------------------------------------
Q: What is "crack"?

A: To "crack" means to reverse engineer. The dictionary has, for crack:
  8 to discover the secret of (a CODE (1)) ... [Longman Contemporary Dictionary, p. 238]
Reverse engineering is, literally, engineering backwards: starting from a finished program and working back to how it was made. Fravia+'s homepage puts it like this:
  Reverse Engineering, i.e. individuating and gathering "hidden" or "lost" data in a "backwards" approach: from finished phenomena back to its hidden "code".

-------------------------------------------------------------------------------
Q: The text does not display properly (IE 5.0)

A: Parts of this homepage do not display correctly in Internet Explorer. Nothing in the pages is aimed at hackers; please use another browser.

-------------------------------------------------------------------------------
Q: How do I run a program under sice? (The beginner chapters say "load the program in sice", but how is it done for e.g. picaview?)

A: sice is not started per program. It is loaded at boot (from autoexec.bat) and then stays resident. Run the program as usual, press the hot key (Ctrl+D) and sice pops up with the program stopped; from its screen you step through the program. Read chapter 3 (The Man Who Sold The World) for the details.

-------------------------------------------------------------------------------
Q: The sice screen looks strange. (1. softice: I crack the screen saver password as in the chapter; after Ctrl+D the screen comes up garbled, F12 shows the same for 2 to 3 seconds and then the password box returns; win98. 2. w32dasm7 and hexworkshop 2.54: the codes shown, e.g. ff0028101, are not the 001234-style codes; how are they related, and how does a hex editor change the code of a program?)

A: 1. This happens when sice was installed with the wrong display adapter. Run the Display Adapter Setup again, choose "Standard VGA" under Manufacturer, and check the option
  Universal Video Driver [SoftICE appears in a "window"] - We recommend that you set the video adapter type to Standard VGA
sice then appears in a window and the display is fine. Some graphics cards are not supported by SoftICE at all; this setting works around that.
2. Read chapter 1 (Intro) again: it explains how the bytes shown by a hex editor relate to the disassembled code and why changing them changes the program.

-------------------------------------------------------------------------------
Q: sice settings (I have sice running, but the windows do not appear; a friend uses "wc" and Alt+R.)

A: In chapter 3 sice is set up through the INIT= line in winice.dat:

  INIT="lines 60;color f a 4f 1f e;wd 22;wc 22;wr;code on;X;"

The INIT commands (after Mammon_'s page):
 + lines       : number of lines SoftICE shows on screen.
 + color       : screen colours, each a 4-bit hex value (0 black, 1 blue, 2 green, 3 cyan, 4 red, 5 magenta, 6 brown, 7 light grey, 8 dark grey, 9 light blue, A light green, B light cyan, C light red, D light magenta, E yellow, F white). With two digits the first is the background, the second the text; 0f (or just f) is white text on black. The five values are, in order, normal text, bold (highlighted) text, reverse-display, help, and line (the frames between windows). "color f a 4f 1f e" therefore gives white normal text, light green bold text, white on red for reverse-display, white on blue for help, and yellow window frames.
 + faults on|off : whether sice handles General Protection Faults itself.
 + wc [size]   : toggle the code window; the number sets its size.
 + wd [size]   : toggle the data window; the number sets its size.
 + wl [size]   : toggle the local variable window; the number sets its size.
 + wr [size]   : toggle the register window; the number sets its size.
 + ww [size]   : toggle the watch window; the number sets its size.
 + hst=        : size of the command history.
 + X           : leave sice and run the program; it must be the last command in INIT.

Linking to this homepage is welcome; no permission needed. Please link to the homepage itself rather than to single pages, since pages here are renamed or removed.

-------------------------------------------------------------------------------
Q: Opcodes, disassembler, hex editor... what are they all for? (I read about cracking with w32dasm, but how does changing an opcode in a hex editor change the program?)

A: The first thing to understand about cracking is that a crack only works if you understand what the program does, so this answer walks through a tiny example.
Suppose a program does nothing until a particular string, say "passwd", is typed on the keyboard, and only then ends. Call it PASSWD.COM. Its source, as sice would show it in the code window, is:

  :start (100)
      mov ah, 7
      int 21h
      cmp al, 70        ; 'p'
      jne start
      int 21h
      cmp al, 61        ; 'a'
      jne start
      int 21h
      cmp al, 73        ; 's'
      jne start
      int 21h
      cmp al, 73        ; 's'
      jne start
      int 21h
      cmp al, 77        ; 'w'
      jne start
      int 21h
      cmp al, 64        ; 'd'
      jne start
  :end (126)
      int 20h

(The names start and end stand for the addresses 100 and 126 once the program is assembled.) Int 21h with AH=7 reads one character from the keyboard without echoing it and without checking for ^C. The character comes back in AL and is compared with the expected one: "cmp al, 70" checks for 'p' (70 is the ASCII code of 'p', the first letter of "passwd"). If it matches, execution continues; if not, "jne start" goes back to the beginning. jne is Jump If Not Equal (also written JNZ, Jump If Not Zero): when the compare was not equal (the zero flag is clear) it jumps to the given address.

Now suppose we want the program to accept any input. We first look in sice's code window to see that the program really works as above; only after understanding it do we decide what to change. Here the decision is easy: if "jne start" never jumps, any character is accepted, so we replace each "jne start" with something that does nothing. The instruction that does nothing is nop.

With debug (DEBUG.COM/DEBUG.EXE) you can see how the program is stored. The address of start is 100, so "jne start" is really "jne 100", and in memory it is the two bytes

  0111 0101 1111 1000

Those bits are the opcode of the instruction. Binary is hard to read, so the bytes are written in hex: each group of four bits (one hex digit) has 16 values, and 0111 0101 1111 1000 is written 75F8. A hex editor shows exactly these hex bytes. 75 is the opcode of JNE and F8 is the (signed) distance to the jump target from the next instruction: the jne at 106 is two bytes long, so 108 + F8 (-8) = 100. Each instruction has its own code: JNE is 75, JE (Jump if Equal) is 74, and NOP is 90.

So: open PASSWD.COM in a hex editor, search for 75F8 and replace it with 9090 (two nops, because jne is two bytes; a single 90 would leave the F8 as a stray byte). Replacing every "jne start" with nops this way (called NOPing) makes PASSWD.COM end after any six characters.

That is what the opcodes, the hex editor and the keyboard exercise were for. W32DASM is needed because the disassembler turns the program bytes back into readable source, and that source is what you read to find the place to change.

By the way, instead of NOPing every "jne start", changing the first "jne start" into "jmp end" would have been much shorter. The opcode of a short jmp (jump) is EB.

-------------------------------------------------------------------------------
Q: Where can I get w32dasm?
(I searched the Internet for a day and found nothing. Only version 8.6 or 8.9 and trial versions turn up. Please tell me where to find version 7.)

A: A link to W32DASM7 used to be in the links page but it no longer works. Search by file name: the file is usually called w32dasm7.zip, or w32dasm7.exe. Use an FTP search engine such as Lycos FTP Search rather than the web; there are other FTP search engines too. See +ORC's tutorial on how to search the web for files.

-------------------------------------------------------------------------------
Q: "symbol not defined" (With Pica View32 (Ver 1.3), typing bpx getdlgitemtexta gives "Symbol not Defined (GetdlgItemteatA)".)

A: "Symbol not Defined" means the EXP= lines for the system DLLs are missing from winice.dat (chapter 1, Intro, explains this). Add them (see the ASSUMPTION part of the InstallSHIELD tutorial below for the lines) and restart.

-------------------------------------------------------------------------------
Q: How do I set up a multi-boot configuration?

A: First config.sys. Suppose you want four choices: plain windows, windows with sice, plain DOS, and DOS with sice.

  [menu]
  menuitem=norm, windoze
  menuitem=sice, sice95
  menuitem=dos, dos
  menuitem=sicedos, sicedos
  menudefault=norm, 3

[menu] must be the first block. Each "menuitem = block name, menu text" line adds one entry: the first menu entry shows "windoze" and selects the block norm. menudefault=norm, 3 makes norm the default and starts it after 3 seconds if nothing is chosen.

  [norm]
  device=C:\WINDOWS\biling.sys
  dos=high,umb

  [sice]
  rem nothing to do

  [dos]
  device=c:\windows\himem.sys /NUMHANDLES=100
  device=c:\windows\emm386.exe H=100
  dos=high,umb,noauto
  shell=c:\4dos\4dos.com c:\4dos\ /p

  [sicedos]
  dos=high,noauto
  device=c:\si\s-ice.exe /EMM 2048
  device=c:\4dos\himem.sys
  device=c:\si\umb.sys
  shell=c:\4dos\4dos.com c:\4dos /p

Each block holds the drivers for that menu entry. Now autoexec.bat:
  goto %config%

  :norm
  loadhigh C:\WINDOWS\nlsfunc.exe C:\WINDOWS\country.sys
  set path=%path%;c:\util\a;c:\tc;c:\util\pkzip;c:\perl\bin
  set .pl=c:\perl\bin\perl.exe
  alias ~ = cd home
  goto end

  :sice
  loadhigh c:\windows\nlsfunc.exe c:\windows\country.sys
  set path=%path%;c:\util\a;c:\tc;c:\tghp;c:\util\pkzip;c:\perl\bin
  c:\progra~1\numega\softic~1\winice.exe
  goto end

  :dos
  set path=c:\;c:\bat;c:\util\a;c:\tc;%path%;C:\PROGRA~1\ULTRAEDT
  SET CTCM=C:\CTCM
  SET BLASTER=A220 I5 D1 H5 P330 E620
  goto end

  :sicedos
  SET PATH=C:\HNC;C:\;C:\BAT;%PATH%;C:\PROGRA~1\ULTRAEDT
  goto end

  :end

The "goto %config%" at the top is required: %config% holds the name of the block chosen in config.sys, so autoexec.bat jumps to the label (:name, with a colon) of that block. Each section must end with "goto end" so that the sections below it are not run as well, and the :end label closes the file. Anything else you load at boot (memory-resident tools, etc.) goes into the matching section.

-------------------------------------------------------------------------------
Q: Can I download the whole homepage at once?

A: No. The pages were not written with that in mind, so there is no archive of the whole site, and tools such as WebZip do not work well on it; I tried and it did not help. It is not a matter of not wanting to.

-------------------------------------------------------------------------------
Q: Crack requests

A: A surprising number of mails ask for cracks (some politely, some not). I do not do requests; this site is not a place to get cracks, and the programs cracked here were chosen for what they teach. Crack them yourself; you are crackers too.

-------------------------------------------------------------------------------
Q 13: How do I become a hacker? / How do I do hacking?

A: I don't know. Ask on USENET. To say it again: I am not a hacker and this homepage has nothing to do with hacking; people seem to ask because some search engines file the site under "hacking". Whoever wrote "how to become a hacker" has been asked this often enough; there is no shortcut, and I am not the one to give it.

faq

Corrections

22. Love Buzz (...98 IMF): the instruction that replaces "xor eax, eax" must be "mov al, 01", not "mov al, 00" (May 21).
--------
Mistakes pointed out by readers have been corrected; thank you. If you spot more, please mail; a page where a mistake is found is corrected in place and listed here.
acknowledgement

The original English text of NaTzGUL's tutorial follows.

Author : NaTzGUL [REVOLT 7]
Email  : natzgul@hotmail.com

InstallSHIELD Script Cracking (best viewed under 800x600 with WordPad)

CONTENTS:
A) INTRODUCTION (It only an Intro)
B) TOOLS YOU WILL NEED (Well i think most of ya got these Tools)
C) WHAT WE ARE DEALING WITH (I recommend that you read this before D)
D) FIRST APPROACH (The Alternate way)
E) SECOND APPROACH (Script Cracking !!!)
F) ADDON (Common InstallSHIELD Installation)
G) WIN32.HLP (Descriptions that will help you)
H) LAST WORDS (Maybe ya dont need to read this)
I) GREETINGS (Don miss this Part, hehe !!!!!)
_____________________________________________________________________
A) INTRODUCTION

I welcome you to my first Cracking Tutorial and I will try to write more Tutorials in the Future. I could have made more in the past, but i was afraid if anybody could read my BAD English ;) so please excuse me and just try to follow me.

LEVEL : Well, I will try to give you all Informations and document all my Steps and Listings, so maybe also a Beginner will understand this Tutorial (maybe ;). As I told you the only Problem you will maybe have is my bad bad English, hehe.

TARGET : Our Target is Cakewalk HomeStudio from Twelve Tone Systems. I have got it from Kirk_Hamm in #Cracking(EFNET) THANX !!! =) - a Person I dont really know, he was just req the Crack. The File contains not the whole App by the way, just all the necessary Files to get the Installation running. The compressed File size is only 536 KB, so if you want it just msg me on Efnet or Email me and i will send ya the File if iam not busy =).

PROTECTION : This App has 3 Protections.
1. CD-CHECK
2. CD-KEY
3. SERIAL
__________________________________________________________________________
B) TOOLS YOU NEED

You will need the following Tools:
- SoftICE 3.x from Numega (The best Debugger, point. Big Thanx to Numega)
- W32Dasm 8.9 from URSoft (I love References)
- Hex-Workshop or any other Hex-Editor (Yeah, gimme the Bytes location)
- Icompx the InstallSHIELD de/compressor (Thanx to Lord Caligo that he has put it on his Page)
- A Martini/wodka if ur a +Cracker and/or a cigarette ;)

You can get all these Tools from Lord Caligo's Web-Page. One of the best Cracking Resources i ever have seen before by the way !!!
http://cracking.home.ml.org/
________________________________________________________________
C) WHAT WE ARE DEALING WITH

After unzipping the File into C:/TEMP there are the following files:

  _SETUP.LIB   151 KB
  SETUP.EXE    659 KB
  _SETUP.DLL   5,98 KB
  SETUP.INS    89,5 KB
  SETUP.PKG    Not important

(There are a lot more files in the complete App)

Let me first explain what we got here. These are the typical Files from a InstallSHIELD Installation.

_SETUP.LIB is a compressed Data-Base from InstallSHIELD. It can contain exe and dll supporting the Installation. Sometimes these Support Files are in the same dir like SETUP.EXE (unlikely), but in our case they are compressed into _SETUP.LIB (You will see later). What that person from #Cracking didn't send me was the compressed Data-Base Files (xxx.1-x, xxx.z) containing the App Files and so they can be very big ;). Don't mind it, because we dont need them anyway for cracking. A compressed Data-Base File always begins with "13 5D 65 8C 3A 01 02 00", so if you cant find any xxx.z or xxx.1-x then just look for these bytes. At the End of every compressed Data-Base File you can see all the File Names by the way.

SETUP.PKG contains all the File-Names in the App Data-Base which we dont need and so we dont need SETUP.PKG either. InstallSHIELD uses SETUP.PKG to refer the Files in the App Data-Base in the copying process i believe. Anyway, we dont need it, so lets go on.

_SETUP.DLL is a InstallSHIELD Resource DLL and its not important for us, because its only a Support File which is supplied with any InstallSHIELD Installation.

SETUP.INS is the compiled Installation Script and its the most important Part in a InstallSHIELD Installation Process !!!. In Win95 it has got a globe connected to a phone as icon. This File Controls any Action and has got most of the messages of the Installation and it will play a major Role in our SECOND APPROACH.

SETUP.EXE is the head of all, its the Installation Engine and executes the Script and does all calls to DLL and Disk-Access (32 Bit !!!).

So far so good, now we know much more about InstallSHIELD =) Lets start with the....
______________________________________________________________________
D) FIRST APPROACH (CD-CHECK)

ASSUMPTION : I assume the following things under SoftICE :

  F5="^x;"
  F7="^here;"
  F8="^t;"
  F9="^bpx;"
  F10="^p;"
  F11="^G @SS:ESP;"
  F12="^p ret;"

Also the winice.dat File in your SoftICE dir should contain :

  EXP=c:\windows\system\kernel32.dll
  EXP=c:\windows\system\user32.dll

HINT : "*" in Front of the Text coming up means, that the text into brackets must be typed under SoftICE!

START : Ok, now lets get to business and start our cracking session. First we just start the Installation (SETUP.EXE) and see whats happening. Well, a MessageBox tells us, that "Setup must be run from the original CD". Our next logical step now should be setting a Breakpoint on GetDriveTypeA ("A" coz SETUP.EXE is a 32 Bit App). Have a look at part G) WIN32.HLP of this tutorial to get more info about GetDriveType !!!

* We press Ctrl+D and SoftICE pops up and then we type in "BPX GetDriveTypeA"
* Pressing "Ctrl+D" ("F5") gets us back to Windows, where we start Setup.exe again.

Ok, we are in SoftICE before the MessageBox appears. We are in the Kernel32 at GetDriveTypeA, so lets get out of here
* by pressing "F11" one time.

And now we are in INSHELP, damn !!! whats that ? it wasnt in our dir !!
* Well i typed in "MOD INSHELP" to get more info about this file and SoftICE shows me, that its located in : C:\TEMP\_ISTMP0.DIR\INSHELP.DLL Now we see that it a DLL and that IstallSHIELD has created a Temporary directory called _ISTMP0.DIR and then it puts the file INSHELP.DLL in there. But where this File comes from ? Ok, maybe you dont have forgotten what i told you in C) about compressed Data-Bases ? Yes ? Then you should read it again now !!!! So this DLL must be in _SETUP.LIB, but how should we patch it ? Well we got ICOMPX the InstallSHIELD de/compressor ;) Let decompress _SETUP.LIB ("ICOMP _SETUP.LIB *.* -d -i") These Files we will get : INSHELP.DLL UNINST.EXE _ISRES.DLL The last two files are only support Files and not important for us. What we know now is that INSHELP.DLL makes the CD-CHECK and that it is in _SETUP.LIB which we can decompress and then compress again. By the way you may just type in "ICOMP" to get the full usage. Now that we got all infos about this File and how to patch it lets go on with SoftICEng ;). We are still in INSHELP.DLL, so let me give you the listing first: Your adresses may differ in the first four diggits! (relocation) And SoftICE pops up at 100011A0 (0), so go there now!!! 
DWORD TABLE: :10001308 BA120010 DWORD 100012BA These are the DWORDS for the indirect jmps :1000130C C7120010 DWORD 100012C7 I have place them here coz it will be :10001310 D4120010 DWORD 100012D4 easier for you to follow me ;) :10001314 E1120010 DWORD 100012E1 :10001318 EE120010 DWORD 100012EE :1000131C B0110010 DWORD 00011B0 :10001320 FB120010 DWORD 100012FB Start of this routine: :10001160 81ECE8020000 sub esp, 000002E8 Create a tempprary Stack-Frame :10001166 B9FFFFFFFF mov ecx, FFFFFFFF ecx=FFFFFFFF (counter) :1000116B 2BC0 sub eax, eax eax=0 :1000116D 56 push esi Save esi :1000116E 57 push edi Save edi :1000116F 8BBC24F4020000 mov edi, [esp + 000002F4] edi points to "C:\TEMP\" :10001176 F2 repnz :10001177 AE scasb Scan String for 0 (end) :10001178 F7D1 not ecx ecx=lenght+1=9 :1000117A 2BF9 sub edi, ecx Adjust edi back :1000117C 8BC1 mov eax, ecx Save lenght in eax :1000117E C1E902 shr ecx, 02 Divide lenght by 4 =2 :10001181 8BF7 mov esi, edi esi=edi=ptr to "C:\TEMP\" :10001183 8D7C2448 lea edi, [esp + 48] "CWHS_601" | :100011ED B938600010 mov ecx, 10006038 * Referenced by a Jump at Address:1000120C(C) | :100011F2 8A10 mov dl, [eax] Here it compares my Volume Name "HD_C" :100011F4 3A11 cmp dl, [ecx] with "CWHS_601" :100011F6 751A jne 10001212 (5) Bad jmp ! :100011F8 0AD2 or dl, dl :100011FA 7412 je 1000120E :100011FC 8A5001 mov dl, [eax+01] :100011FF 3A5101 cmp dl, [ecx+01] :10001202 750E jne 10001212 (5) Bad jmp ! :10001204 83C002 add eax, 00000002 :10001207 83C102 add ecx, 00000002 :1000120A 0AD2 or dl, dl :1000120C 75E4 jne 100011F2 * Referenced by a Jump at Address:100011FA(C) | :1000120E 33C0 xor eax, eax All OK ! :10001210 EB05 jmp 10001217 To continue our tracing session you have to nop out the Bad jmps ! * Trace to the jmps "F10" and then "a" with two "nop". (4) This jmp will only occure if Setup is running from the original CD-Rom. It then just bypasses the Volume and Filetype Check. 
I also suggest that you read part F) of this Tutorial to get more and detailed infos about GetVolumeInformation (FileSystemFlags) !!
Ok, now comes the part the (5) Bad jmps will jump to....

* Referenced by a Jump at Addresses:100011F6(C), :10001202(C)
|
:10001212 1BC0            sbb eax, eax               eax=0
:10001214 83D8FF          sbb eax, FFFFFFFF          eax=1

* Referenced by a Jump at Address:10001210(U)
|
:10001217 85C0            test eax, eax              if eax=0 then
:10001219 740D            je 10001228                goto 10001228 GOOD BOY !
:1000121B 33C0            xor eax, eax               otherwise return
:1000121D 5F              pop edi                    with eax=0 BAD BOY !
:1000121E 5E              pop esi
:1000121F 81C4E8020000    add esp, 000002E8
:10001225 C20400          ret 0004

* Referenced by a Jump at Address:10001219(C)
|
:10001228 8D4C2414        lea ecx, [esp + 14]        ecx points to my File System Name "FAT"

* Possible StringData Ref from Data Obj ->"CDFS"
|
:1000122C B848600010      mov eax, 10006048

* Referenced by a Jump at Address:1000124B(C)
|
:10001231 8A11            mov dl, [ecx]              here my File System Name "FAT"
:10001233 3A10            cmp dl, [eax]              will be compared with "CDFS" !
:10001235 751A            jne 10001251               (6) Bad jmp !
:10001237 0AD2            or dl, dl
:10001239 7412            je 1000124D
:1000123B 8A5101          mov dl, [ecx+01]
:1000123E 3A5001          cmp dl, [eax+01]
:10001241 750E            jne 10001251               (6) Bad jmp !
:10001243 83C102          add ecx, 00000002
:10001246 83C002          add eax, 00000002
:10001249 0AD2            or dl, dl
:1000124B 75E4            jne 10001231

* Referenced by a Jump at Address:10001239(C)
|
:1000124D 33C0            xor eax, eax               All OK !
:1000124F EB05            jmp 10001256

Again we have to nop out the (6) Bad jmps to continue !! Otherwise we will land here... (10001251) BAD BOY

* Referenced by a Jump at Addresses:10001235(C), :10001241(C)
|
:10001251 1BC0            sbb eax, eax               Old soup, look back (10001212)!
:10001253 83D8FF          sbb eax, FFFFFFFF

* Referenced by a Jump at Address:1000124F(U)
|
:10001256 85C0            test eax, eax
:10001258 740D            je 10001267                GOOD BOYS jmp to 10001267
:1000125A 33C0            xor eax, eax
:1000125C 5F              pop edi
:1000125D 5E              pop esi
:1000125E 81C4E8020000    add esp, 000002E8
:10001264 C20400          ret 0004

* Referenced by a Jump at Addresses:100011E0(C), :10001258(C)
|
:10001267 8A442448        mov al, [esp + 48]         ;al=Drive Letter "C" 43h
:1000126B 8D8C24D8010000  lea ecx, [esp + 000001D8]
:10001272 51              push ecx
:10001273 A250600010      mov [10006050], al         ^-------------"X:\Cakewalk\_setup.lib"

* Possible StringData Ref from Data Obj ->"C:\Cakewalk\_setup.lib"
|
:10001278 6850600010      push 10006050
:1000127D E8EE010000      call 10001470

Button SoftICE pops up, this is easy hehe ;)
* We are in GetWindowTextA so let's get back to the App and press "F11". I looked at EAX, because it always contains the text length GetWindowTextA returns, but hell !!!! this isn't the length of my text and so this can't be my text =(, brb.
Don't worry, this is just a little trick to prevent beginners from cracking it. There are lotta other Apps out there using this trick btw ! Setup uses GetWindowTextA to retrieve our input, but it doesn't wait for the user pressing NEXT->, it just gets the text any time we type in a single letter,
* so let's first disable our Breakpoint: "BD 0", and then we type in "12345678901234" and then we enable our Breakpoint:
* "BE 0". (don't forget to leave SoftICE)
So, now comes the truth. I just deleted the last number with back-space and BOOM !!! yeah we are in GetWindowTextA again so let's leave here
* again by pressing "F11". Well, this looks much better, because EAX=0D=13, yeah our Key-length ;) We are in Setup by the way. Right after the Call GetWindowTextA there is a "LEA EAX,[EBP+FFFFFBF4]" which will let EAX point to our Text,
* so trace over it with "F8" or "F10".
* Do a "D EAX" and you will see our text "1234567890123" !!
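Added here as an example, not code from INSHELP.DLL or from the tutorial: a C reading of the two string checks in the INSHELP listing above (the loop at 100011F2 comparing the volume name with "CWHS_601" and the identical loop at 10001231 comparing the file system name with "CDFS"), together with the "sbb eax,eax / sbb eax,FFFFFFFF" pair that the Bad jmps land on. The input strings are constructed; what the routine does after 10001267 is not reconstructed.

```c
/* Added example, not code from INSHELP.DLL or the tutorial: a C reading of
 * the two string checks in the listing (100011F2: volume name against
 * "CWHS_601"; 10001231: file system name against "CDFS") and of the
 * "sbb eax,eax / sbb eax,FFFFFFFF" pair the Bad jmps land on. */
#include <stddef.h>

/* The loop body: two bytes per iteration, a mismatch leaves through the
 * "Bad jmp", a NUL in either position falls through to "All OK".
 * Returns 0 when equal; otherwise the sbb pair yields a non-zero value,
 * -1 when the mismatching byte of a is below b's (CF set by cmp),
 * +1 otherwise. Either way "test eax,eax" then takes the BAD BOY exit. */
int unrolled_cmp(const unsigned char *a, const unsigned char *b) {
    for (;;) {
        unsigned char d = a[0];                  /* mov dl, [eax]            */
        if (d != b[0]) return d < b[0] ? -1 : 1; /* cmp dl, [ecx]; jne Bad   */
        if (d == 0) return 0;                    /* or dl, dl; je All OK     */
        d = a[1];                                /* mov dl, [eax+01]         */
        if (d != b[1]) return d < b[1] ? -1 : 1; /* cmp dl, [ecx+01]; jne Bad*/
        a += 2;                                  /* add eax, 2               */
        b += 2;                                  /* add ecx, 2               */
        if (d == 0) return 0;                    /* or dl, dl; jne loop      */
    }
}

/* The part of the routine at 10001160 shown in the listing: both names must
 * match, otherwise the function returns with eax=0 (the BAD BOY exits at
 * 1000121B and 1000125A). Returns 1 on the path that reaches 10001267. */
int volume_check(const char *volume_name, const char *fs_name) {
    const unsigned char *vol = (const unsigned char *)volume_name;
    const unsigned char *fs = (const unsigned char *)fs_name;
    if (unrolled_cmp(vol, (const unsigned char *)"CWHS_601") != 0) return 0;
    if (unrolled_cmp(fs, (const unsigned char *)"CDFS") != 0) return 0;
    return 1;
}
```

The two-bytes-per-iteration shape is what makes the listing look longer than a plain strcmp; once you see that `or dl,dl` only tests the byte just compared, the whole block collapses to the loop above, and the sbb pair is just the compiler's way of producing a non-zero result from the compare flags.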
* Ok, let's delete our Breakpoint, because we got what we wanted: "BC *". And now we set a Breakpoint on Memory Access on our text location:
* "BPM EAX". Ok, exit SoftICE and it will fast pop up again. SoftICE will break into different locations, but the one that is important for us is the lstrcpyA. You will land in there at the following instructions:
...
............
REPNZ SCASB
and you will break into lstrcpyA several times again, but now don't delete the old Breakpoints, just set the new ones on EDI after the 2 MOVS like before, until you are in INSHELP !!!! yeah it's the same dll ;).
Let me give you the listing first and consider again that the first four digits of the addresses may differ from yours under SoftICE (relocation). SoftICE will break in at 10001377 !!!

Start of this routine:
:10001350 83EC34          sub esp, 00000034          Create a temporary Stack-Frame
:10001353 53              push ebx                   Save ebx
:10001354 56              push esi                   Save esi
:10001355 57              push edi                   Save edi
:10001356 E8D5FCFFFF      call 10001030              Was this routine initialised ?
:1000135B 85C0            test eax, eax              Check ok ? (It will be)
:1000135D 750B            jne 1000136A               then goto 1000136A, else
:1000135F 33C0            xor eax, eax               Set eax=0 BAD BOY !!!
:10001361 5F              pop edi                    Restore edi
:10001362 5E              pop esi                    Restore esi
:10001363 5B              pop ebx                    Restore ebx
:10001364 83C434          add esp, 00000034          Delete temporary Stack-Frame
:10001367 C20400          ret 0004                   Return

Well, it seems that EAX=0 stands for BAD BOY again like in the CD-Check !! Cracking this CD-KEY could end here just by patching the instructions at the start of this routine (10001350)... Don't patch it yet, if you wanna learn how to reverse engineer this KEY-Protection !!!!

Original:
:10001350 83EC34          sub esp, 00000034          Create a temporary Stack-Frame
:10001353 53              push ebx                   Save ebx
:10001354 56              push esi                   Save esi
:10001355 57              push edi                   Save edi
:10001356 E8D5FCFFFF      call 10001030              Was this routine initialised ?
Change to:
:10001350 33C0            xor eax,eax                eax=0
:10001352 40              inc eax                    eax=eax+1=1 GOOD BOY
:10001353 C20400          ret 0004                   Return

Search for "83EC34535657" in INSHELP.DLL with your Hex-Editor. You will only find one location (Offset 750). Replace the bytes with "33C040C20400" and save it. Ok, and now compress it back into _SETUP.LIB. Just type in "icomp inshelp.dll _setup.lib" and don't delete INSHELP.DLL, because we will need it again later ;) And now any KEY you type in will be valid, cool heh =)
Do you wanna learn how to reverse this CD-KEY Protection? If not, just go over to the (SERIAL) Section below !!! Ok, let's go on with this routine...

* Referenced by a Jump at Address:1000135D(C)
|
:1000136A 8B5C2444        mov ebx, [esp + 44]        ebx will point to our KEY !
:1000136E 8D4C240C        lea ecx, [esp + 0C]        ecx will be the new location
:10001372 8BC3            mov eax, ebx               eax=ebx=pointer to our KEY
:10001374 803B00          cmp byte ptr [ebx], 00     (9) KEY=NULL ?
:10001377 741B            je 10001394
12D6E1
Thus we can set a seed KEY "3xx6x1yyyyyyy", where x can be any number and y will be the corrections. First go back to Setup and choose a seed KEY !!! I used for example "3006010000000". To get a valid KEY let us Brute-Force-Crack this babe =) It's not the best way, but this code generating part is short, thus it will be executed fast. Trace to the location at line 100013C1 (15) where the code will be compared with E7B37. Trace over it to the next line 100013C6 and then we have to code a little procedure.
* EBX is unused, so we will use it as counter. Type in "r ebx=0".
* Now type in "a" and let us add a little procedure, which will find a valid KEY for us. Please adjust the addresses yourself, since this will be typed directly into memory !!!
*               "JNZ GO_ON"           Not a valid KEY, goto GO_ON
* FOUND:        "NOP"                 This will be our Stop Point
* GO_ON:        "CMP EBX,1312CFF"     Check only numbers from 0-19999999 !!!
*               "JZ FAIL"             Yes, goto FAIL
*               "MOV ESI,[ESP+C]"     ESI points to our KEY
*               "MOV EAX,EBX"         EAX=EBX
*               "MOV ECX,A"           ECX=A=10d
* CONVERT_DEC:  "XOR EDX,EDX"         EDX=0
*               "DIV ECX"             EAX=EAX/ECX, EDX=MOD (EAX/ECX)
*               "ADD DL,30"           EDX=EDX+"0"
*               "MOV [ESI+C],DL"      STORE NUMBER INTO KEY
*               "DEC ESI"             ESI will point to the previous number
*               "CMP EAX,0"           Conversion completed ?
*               "JNZ CONVERT_DEC"     If not goto CONVERT_DEC
*               "JMP 100013B7"        Check this KEY !
The comparison at GO_ON makes sure that the App-ID will not be manipulated !!
* Ok, you typed in all this mess ;) Now you must clear all Break-Points "BC *"
* and then set a Break-Point on execution on line FOUND !!!! "BPX ". Now leave SoftICE and wait..... SoftICE will pop up at FOUND, so first check EAX, it should be E7B37 !!!
* If yes, you can get your KEY with "D [ESP+C]". I have found "3006010147046" for my seed KEY, btw =)
* To get out of this Loop set your EIP to 1000142D "r eip=1000142D" and clear all Break-Points !!! Then leave SoftICE, and you will be back in Setup. Cancel it and then start it again and use your valid KEY !!!

Summarize:
- KEY must contain 13 numbers.
- KEY has got 4 fixed numbers "3xx601yyyyyyy". It's the App-ID (3601), which may differ in other Apps from Twelve Tone Systems. Setup hands this App-ID to INSHELP before it calls it.
- yyyyyyy can be found with Brute-Force-Cracking.
This Protection is defeated, let's go over to the...

(SERIAL)
Well, the KEY was a little bit tricky, heh? Anyway you are here now to face the Serial !!! Setup asks for a User-Name, Company and Serial, so let's type in sum crap. I typed in "NaTzGUL" as User-Name, "REVOLT" as Company and "1234567890" as Serial. Please proceed with the Serial like in the KEY Section !!!! You will land in Setup !!!, damn, the Script is doing the Check, brbrb. I gave up !!! There are just too many push, pop and calls, believe me... else try it out !!! To defeat this Protection we need a new method !!!
__________________________________________________________________________

E) SECOND APPROACH

ASSUMPTION: I assume that you have partially read the first Approach and that the App (INSHELP) is unpatched in any way !!!! (Original state !!! you may uncompress the whole App again !).

INTRO: Zen !!! yeah, that's what we need =) As I told you in our first approach, SETUP.INS is the main part of an InstallSHIELD Installation !!! SETUP.INS is a compiled Script, this means before compilation it may have the following basic instructions:
- "IF,THEN,(ELSE)"
- "GOTO"
- "CALL"
- "RETURN()"
- "LOAD","OPEN","CLOSE"
- "MESSAGEBOX"
- etc.
To decrypt the whole mnemonic back to its instructions is not necessary to crack this app, so I thought that the most important instruction should be the "IF,THEN" one. It should occur very often in the Script and it may have the following syntax:
IF cmp THEN....
cmp = (arg1) compare_type (arg2)
arg1 is a variable, arg2 can be a variable or a constant (two constants make no sense, of coz !). The compare_type can only be one of these six types:
Type:            Corresponding jmp:
LOWER-EQUAL      JLE
GREATER-EQUAL    JGE
LOWER            JL
GREATER          JG
NOT-EQUAL        JNE
EQUAL            JE
A compiled COMPARE instruction could look like this:
Compare_mnemonic, result, Byte_A, arg1, Byte_B, compare_type, Byte_C, arg2
Byte_A refers to arg1, Byte_B gets the compare_type and Byte_C refers to arg2 and also says if arg2 is a variable or a constant. You may have realised that there are some mnemonics missing. As I mentioned, this instruction should occur very often in SETUP.INS, so I examined the file for this byte structure and I found out:
>>>>> COMPARE mnemonic (actually 128) !!!
|  |  |
28,01,32, result_var, Byte_A, arg1, Byte_B, compare_type, Byte_C, arg2
Byte_A="B"=0x42 means variable_index (word) is following
Byte_B="A"=0x41 means constant (dword) is following
Byte_C="A"=0x41 if comparing with a constant
Byte_C="B"=0x42 if comparing two variables
result_var   = type of word (variable_index)
arg1         = type of word (variable_index)
compare_type = type of dword (1-6)
arg2         = type of word (variable_index) or dword (constant)
Example: let's say we have found the following bytes.
28,01,32, 03,00, 42, 01,00, 41, compare_type, 42, 02,00
This will compare a variable with index 0x0001 and a variable with index 0x0002 with the specific compare_type and then store the result (0/1) of this comparison into the variable with index 0x0003.
Now what we need are the types of comparison, hmm, how should we obtain them? Setup is executing this Script, so there is the place we have to search for them !!! I W32Dasm'ed Setup.exe and searched for the place where compare_type gets compared with 1-6 and I found them at line 0043C89B.

* Referenced by a Jump at Address:0043C89F(C)
|
:0043C7B2 8B45F4          mov eax, [ebp-0C]          eax=arg1
:0043C7B5 3945F8          cmp [ebp-08], eax          compare arg2 with arg1
:0043C7B8 0F8E0C000000    jle 0043C7CA               lower-equal? compare_type_1 !!!
:0043C7BE C745FC01000000  mov [ebp-04], 00000001     return result 1 in [ebp-4]
:0043C7C5 E907000000      jmp 0043C7D1               jmp to end

* Referenced by a Jump at Address:0043C7B8(C)
|
:0043C7CA C745FC00000000  mov [ebp-04], 00000000     return result 0 in [ebp-4]

* Referenced by a Jump at Address:0043C7C5(U)
|
:0043C7D1 E906010000      jmp 0043C8DC               jmp to end

* Referenced by a Jump at Address:0043C8A9(C)
|
:0043C7D6 8B45F4          mov eax, [ebp-0C]
:0043C7D9 3945F8          cmp [ebp-08], eax
:0043C7DC 0F8D0C000000    jnl 0043C7EE               greater-equal? compare_type_2!
:0043C7E2 C745FC01000000  mov [ebp-04], 00000001
:0043C7E9 E907000000      jmp 0043C7F5

* Referenced by a Jump at Address:0043C7DC(C)
|
:0043C7EE C745FC00000000  mov [ebp-04], 00000000

* Referenced by a Jump at Address:0043C7E9(U)
|
:0043C7F5 E9E2000000      jmp 0043C8DC

* Referenced by a Jump at Address:0043C8B3(C)
|
:0043C7FA 8B45F4          mov eax, [ebp-0C]
:0043C7FD 3945F8          cmp [ebp-08], eax
:0043C800 0F8C0C000000    jl 0043C812                lower? compare_type_3!
:0043C806 C745FC01000000  mov [ebp-04], 00000001
:0043C80D E907000000      jmp 0043C819

* Referenced by a Jump at Address:0043C800(C)
|
:0043C812 C745FC00000000  mov [ebp-04], 00000000

* Referenced by a Jump at Address:0043C80D(U)
|
:0043C819 E9BE000000      jmp 0043C8DC

* Referenced by a Jump at Address:0043C8BD(C)
|
:0043C81E 8B45F4          mov eax, [ebp-0C]
:0043C821 3945F8          cmp [ebp-08], eax
:0043C824 0F8F0C000000    jg 0043C836                greater? compare_type_4!
:0043C82A C745FC01000000  mov [ebp-04], 00000001
:0043C831 E907000000      jmp 0043C83D

* Referenced by a Jump at Address:0043C824(C)
|
:0043C836 C745FC00000000  mov [ebp-04], 00000000

* Referenced by a Jump at Address:0043C831(U)
|
:0043C83D E99A000000      jmp 0043C8DC

* Referenced by a Jump at Address:0043C8C7(C)
|
:0043C842 8B45F4          mov eax, [ebp-0C]
:0043C845 3945F8          cmp [ebp-08], eax
:0043C848 0F850C000000    jne 0043C85A               not-equal? compare_type_5!
:0043C84E C745FC01000000  mov [ebp-04], 00000001
:0043C855 E907000000      jmp 0043C861

* Referenced by a Jump at Address:0043C848(C)
|
:0043C85A C745FC00000000  mov [ebp-04], 00000000

* Referenced by a Jump at Address:0043C855(U)
|
:0043C861 E976000000      jmp 0043C8DC

* Referenced by a Jump at Address:0043C8D1(C)
|
:0043C866 8B45F4          mov eax, [ebp-0C]
:0043C869 3945F8          cmp [ebp-08], eax
:0043C86C 0F840C000000    je 0043C87E                equal? compare_type_6!
:0043C872 C745FC01000000  mov [ebp-04], 00000001
:0043C879 E907000000      jmp 0043C885

* Referenced by a Jump at Address:0043C86C(C)
|
:0043C87E C745FC00000000  mov [ebp-04], 00000000

* Referenced by a Jump at Address:0043C879(U)
|
:0043C885 E952000000      jmp 0043C8DC

* Referenced by a Jump at Address:0043C8D7(U)
|
:0043C88A C745FC00000000  mov [ebp-04], 00000000
:0043C891 E946000000      jmp 0043C8DC
:0043C896 E941000000      jmp 0043C8DC

* Referenced by a Jump at Address:0043C7AD(U)
|
:0043C89B 837DEC01        cmp [ebp-14], 00000001

Type:            Compare:   Corresponding jmp:   compare_type:
LOWER-EQUAL      <=         JLE                  1
GREATER-EQUAL    >=         JGE                  2
LOWER            <          JL                   3
GREATER          >          JG                   4
NOT-EQUAL        !=         JNE                  5
EQUAL            =          JE                   6

MESSAGEBOX byte structure:
2A,0,61, length (word), text
will show a messagebox with the specific text!
Since the compare part of an IF-THEN instruction is what we really need for our interest, you could now go directly to the START further below !!! Otherwise learn more about other instructions and how they are built up =)
The structure of a compiled IF-THEN instruction may look like this:
COMPARE, BRANCH_TO location IF !(result - arg_x)
(result - arg_x) will be zero if they are equal, else it will be non-zero. The result comes from the comparison and arg_x can be a variable or a constant.
Now we come to the IF-THEN byte structure:
COMPARE-structure, BRANCH_TO_mnemonic, l_index, SUB, Byte_A, result, Byte_C, arg_x
BRANCH_TO_mnemonic = 22,0,70
SUB = 95 (in an IF-THEN instruction!)
Byte_A="B"=0x42   result of comparison will always be a variable_index
Byte_C="A"=0x41   arg_x will always be a constant in an IF-THEN instruction!
l_index = type of word (index)
result  = type of word (variable_index)
arg_x   = will be a dword (constant) = 0x00000000 in an IF-THEN instruction!
The branch location will be an offset into the script and it is calculated like this:
location = dword [ l_index*6 + Branch-Table-Offset+2 ]
Location-Table-Offset = Offset "_EWQ"    ;in this script it was 14546 !!!
Just search for "_EWQ" and you will find it (It's linked at the end of the script)!!!
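As an added example that is not part of the tutorial and not InstallSHIELD's own code: a small C decoder for the compiled byte structures described in this section (the COMPARE mnemonic, the BRANCH_TO part of an IF-THEN, MESSAGEBOX, and the GOTO structure given next), together with the six compare types recovered from the Setup.exe listing. Two things are assumptions of mine, not statements of the text: which operand of a compare is on the left (arg1 is taken as the left operand), and that the "_EWQ" location-table formula applies exactly as written. The script bytes built by sample_script() are constructed here, not taken from a real SETUP.INS.

```c
/* Added example, not from the tutorial or InstallSHIELD: a decoder for the
 * compiled SETUP.INS byte structures described in the text (COMPARE, the
 * BRANCH_TO of an IF-THEN, MESSAGEBOX, GOTO) plus the six compare types
 * recovered from Setup.exe. sample_script() builds constructed bytes. */
#include <stdint.h>
#include <string.h>
enum { OP_NONE = 0, OP_COMPARE, OP_BRANCH, OP_MSGBOX, OP_GOTO };

typedef struct {
    int op;
    uint16_t result_var, arg1_var, l_index; /* variable indexes / table index   */
    uint32_t compare_type, arg2, arg_x;     /* arg2 is an index or a constant   */
    int arg2_is_var;                        /* Byte_C: 0x42 index, 0x41 constant */
    const uint8_t *text; uint16_t text_len; /* MSGBOX text, not NUL-terminated  */
} ins_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 0/1 result of "arg1 <type> arg2" for compare types 1..6. The tutorial does
 * not pin down which operand is on the left; arg1-left is assumed here. */
int script_compare(uint32_t type, int32_t arg1, int32_t arg2) {
    switch (type) {
    case 1: return arg1 <= arg2;   /* LOWER-EQUAL   (JLE) */
    case 2: return arg1 >= arg2;   /* GREATER-EQUAL (JGE) */
    case 3: return arg1 <  arg2;   /* LOWER         (JL)  */
    case 4: return arg1 >  arg2;   /* GREATER       (JG)  */
    case 5: return arg1 != arg2;   /* NOT-EQUAL     (JNE) */
    case 6: return arg1 == arg2;   /* EQUAL         (JE)  */
    default: return 0;             /* unknown type: false */
    }
}

/* Decodes one instruction at p. Returns its size in bytes, or 0 when the bytes
 * are no known mnemonic or the buffer ends inside the instruction, so a caller
 * never reads past n. Layouts follow the byte structures in the text. */
size_t decode_ins(const uint8_t *p, size_t n, ins_t *out) {
    memset(out, 0, sizeof *out);
    if (n >= 14 && p[0] == 0x28 && p[1] == 0x01 && p[2] == 0x32 &&        /* COMPARE */
        p[5] == 0x42 && p[8] == 0x41 && (p[13] == 0x41 || p[13] == 0x42)) {
        size_t need = (p[13] == 0x42) ? 16 : 18;        /* word or dword arg2 */
        if (n < need) return 0;
        out->op = OP_COMPARE; out->result_var = rd16(p + 3); out->arg1_var = rd16(p + 6);
        out->compare_type = rd32(p + 9); out->arg2_is_var = (p[13] == 0x42);
        out->arg2 = out->arg2_is_var ? rd16(p + 14) : rd32(p + 14);
        return need;
    }
    if (n >= 14 && p[0] == 0x22 && p[1] == 0x00 && p[2] == 0x70 &&        /* BRANCH_TO */
        p[5] == 0x95 && p[6] == 0x42 && p[9] == 0x41) {
        out->op = OP_BRANCH; out->l_index = rd16(p + 3);
        out->result_var = rd16(p + 7); out->arg_x = rd32(p + 10);
        return 14;
    }
    if (n >= 5 && p[0] == 0x2A && p[1] == 0x00 && p[2] == 0x61) {         /* MESSAGEBOX */
        uint16_t len = rd16(p + 3);
        if (n < 5u + len) return 0;                     /* truncated text */
        out->op = OP_MSGBOX; out->text = p + 5; out->text_len = len;
        return 5u + len;
    }
    if (n >= 5 && p[0] == 0x2C && p[1] == 0x00 && p[2] == 0x70) {         /* GOTO */
        out->op = OP_GOTO; out->l_index = rd16(p + 3);
        return 5;
    }
    return 0;
}

/* Branch target by the tutorial's formula: table at the offset of "_EWQ",
 * 6-byte entries, script offset in the dword at entry+2; -1 if out of range. */
long branch_target(const uint8_t *s, size_t n, uint16_t l_index) {
    size_t i, t = n;
    for (i = 0; i + 4 <= n; i++)
        if (memcmp(s + i, "_EWQ", 4) == 0) { t = i; break; }
    if (t == n || t + (size_t)l_index * 6 + 6 > n) return -1;
    return (long)rd32(s + t + (size_t)l_index * 6 + 2);
}

/* Constructed sample: "IF var1 = 0 THEN MESSAGEBOX ..." as the text sketches
 * it (COMPARE at 0, BRANCH_TO at 18, MESSAGEBOX at 32), a GOTO at 75 and a
 * minimal location table at 80 whose entry 1 points back to the GOTO. */
static uint8_t g_sample[128];
const uint8_t *sample_script(size_t *len) {
    static const char msg[] = "Setup must be run from the original CD";   /* 38 bytes */
    static const uint8_t head[] = {
        0x28,0x01,0x32, 0x02,0x00, 0x42, 0x01,0x00, 0x41, 6,0,0,0, 0x41, 0,0,0,0, /* COMPARE */
        0x22,0x00,0x70, 0x00,0x00, 0x95, 0x42, 0x02,0x00, 0x41, 0,0,0,0,          /* BRANCH  */
        0x2A,0x00,0x61, 0x26,0x00 };                                              /* MSGBOX  */
    static const uint8_t tail[] = {
        0x2C,0x00,0x70, 0x01,0x00,                     /* GOTO l_index 1           */
        '_','E','W','Q', 0,0,  0,0, 0x4B,0,0,0 };      /* "_EWQ" + entry 1 -> 75   */
    size_t n = 0;
    memcpy(g_sample + n, head, sizeof head); n += sizeof head;
    memcpy(g_sample + n, msg, sizeof msg - 1); n += sizeof msg - 1;
    memcpy(g_sample + n, tail, sizeof tail); n += sizeof tail;
    *len = n; return g_sample;
}
```

decode_ins() deliberately returns 0 instead of guessing when it meets bytes that are none of the four mnemonics (in a real SETUP.INS that will be one of the instructions the tutorial did not decode), so a caller walks the script only as far as the known layouts carry it, which is what you want from a decoder working on a format recovered by observation.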
GOTO byte structure:
2C,00,70, l_index
There are more instructions I have decrypted, but we don't need them for this tutorial. It's quite easy to write a Decompiler with this information, and if you have found out the location where Setup is executing the script then it's not that hard to see what it is doing depending on the mnemonic, but that's another story and this tutorial is damn big enough !!!
Now we can try out our first Script-Cracking attempt =)...

START: (CD-CHECK)
First think about how this check was written with the Script instructions !! The easiest way may be done like this: (Assume: Return_of_INSHELP=0/1 (BAD/GOOD) !!! )
arg1=CALL(INSHELP,CD-CHECK)
IF arg1 = 0 THEN MESSAGEBOX "Setup must be run from the original CD":END ELSE RETURN(1)
or this...
arg1=CALL(INSHELP,CD-CHECK)
IF arg1 != 0 THEN RETURN(1) ELSE MESSAGEBOX "Setup must be run from the original CD":RETURN(0)
After compiling this piece of code, the bytes would look like this:
28,01,32,"B",arg1 (word),"A",6 (dword),"A",0 (dword),...,2A,0,61,27 (word),"Setup must be..."
or this...
28,01,32,"B",arg1 (word),"A",5 (dword),"A",0 (dword),...,2A,0,61,27 (word),"Setup must be..."
I have retrieved this part of SETUP.INS for you.... (Offset 8D70)
arg1_Variable_index (word)
compare_type_5 !!!
result_Variable_index (word)
.
SoftICE will pop up at 0043C89B several times and Setup will perform comparisons ! Here is my history of the comparisons:
Comparisons:    Compare_type:
(1) 0 != 1      5      Not important
(2) 0 >= 3      2      Not important (chr-position counter?)
(3) 9  31       4      Well, it's the first char of our Serial !!!
(5) 7A 31       4      between "a"-"z","A"-"Z","0"-"9"
(7) 5A 31       4
(9) 39

DIR                       This dir will be created by _ins0432._mp !!!
_INS0432._MP   659 KB     This is exactly Setup.exe from this Tutorial !!!
_INZ0432._MP   20,1 KB    This is LZWSERV.EXE (doing the de-compress.)
_WUTIL95.DLL   36,0 KB    A win95 support file
_ISTMP0.DIR content:
_SETUP.LIB     151 KB     This is exactly the same compressed lib file !!!
1f8584.DLL     89,0 KB    Support DLL
INSHELP.DLL    23,5 KB    Yup, da same DLL !!!
UNINST.EXE     292 KB     Also da same one
You see now that these are the same files, only renamed, that's all !!! Copy and rename them if you wanna work with these files.

________________________________________________________________________

G) WIN32.HLP

These descriptions come from win32.hlp

GetDriveType:
The GetDriveType function determines whether a disk drive is a removable, fixed, CD-ROM, RAM disk, or network drive.

UINT GetDriveType(
    LPCTSTR lpRootPathName   // address of root path
);

Parameters
lpRootPathName
    Points to a null-terminated string that specifies the root directory of the disk to return information about. If lpRootPathName is NULL, the function uses the root of the current directory.

Return Value
The return value specifies the type of drive. It can be one of the following values:
Value   Meaning
0       The drive type cannot be determined.
1       The root directory does not exist.
2       The disk can be removed from the drive.
3       The disk cannot be removed from the drive.
4       The drive is a remote (network) drive.
5       The drive is a CD-ROM drive.
6       The drive is a RAM disk.

_________________________________________________

GetVolumeInformation:
The GetVolumeInformation function returns information about a file system and volume whose root directory is specified.
BOOL GetVolumeInformation(
    LPCTSTR lpRootPathName,            // address of root directory of the file system
    LPTSTR lpVolumeNameBuffer,         // address of name of the volume
    DWORD nVolumeNameSize,             // length of lpVolumeNameBuffer
    LPDWORD lpVolumeSerialNumber,      // address of volume serial number
    LPDWORD lpMaximumComponentLength,  // address of system's maximum filename length
    LPDWORD lpFileSystemFlags,         // address of file system flags
    LPTSTR lpFileSystemNameBuffer,     // address of name of file system
    DWORD nFileSystemNameSize          // length of lpFileSystemNameBuffer
);

Parameters
lpRootPathName
    Points to a string that contains the root directory of the volume to be described. If this parameter is NULL, the root of the current directory is used.
lpVolumeNameBuffer
    Points to a buffer that receives the name of the specified volume.
nVolumeNameSize
    Specifies the length, in characters, of the volume name buffer. This parameter is ignored if the volume name buffer is not supplied.
lpVolumeSerialNumber
    Points to a variable that receives the volume serial number. This parameter can be NULL if the serial number is not required.
lpMaximumComponentLength
    Points to a doubleword value that receives the maximum length, in characters, of a filename component supported by the specified file system. A filename component is that portion of a filename between backslashes. The value stored in the variable pointed to by *lpMaximumComponentLength is used to indicate that long names are supported by the specified file system. For example, for a FAT file system supporting long names, the function stores the value 255, rather than the previous 8.3 indicator. Long names can also be supported on systems that use the NTFS and HPFS file systems.
lpFileSystemFlags
    Points to a doubleword that receives flags associated with the specified file system. This parameter can be any combination of the following flags, with one exception: FS_FILE_COMPRESSION and FS_VOL_IS_COMPRESSED are mutually exclusive.
Value                      Meaning
FS_CASE_IS_PRESERVED       If this flag is set, the file system preserves the case of filenames when it places a name on disk.
FS_CASE_SENSITIVE          If this flag is set, the file system supports case-sensitive filenames.
FS_UNICODE_STORED_ON_DISK  If this flag is set, the file system supports Unicode in filenames as they appear on disk.
FS_PERSISTENT_ACLS         If this flag is set, the file system preserves and enforces ACLs. For example, NTFS preserves and enforces ACLs, HPFS and FAT do not.
FS_FILE_COMPRESSION        The file system supports file-based compression.
FS_VOL_IS_COMPRESSED       The specified volume is a compressed volume; for example, a DoubleSpace volume.
lpFileSystemNameBuffer
    Points to a buffer that receives the name of the file system (such as FAT, HPFS, or NTFS).
nFileSystemNameSize
    Specifies the length, in characters, of the file system name buffer. This parameter is ignored if the file system name buffer is not supplied.

Return Value
If all the requested information is retrieved, the return value is TRUE; otherwise, it is FALSE. To get extended error information, call GetLastError.

Remarks
The FS_VOL_IS_COMPRESSED flag is the only indicator of volume-based compression. The file system name is not altered to indicate compression. This flag comes back set on a DoubleSpace volume, for example. With volume-based compression, an entire volume is either compressed or not compressed.
The FS_FILE_COMPRESSION flag indicates whether a file system supports file-based compression. With file-based compression, individual files can be compressed or not compressed.
The FS_FILE_COMPRESSION and FS_VOL_IS_COMPRESSED flags are mutually exclusive; both bits cannot come back set.
The maximum component length value, stored in the DWORD variable pointed to by lpMaximumComponentLength, is the only indicator that a volume supports longer-than-normal FAT (or other file system) file names. The file system name is not altered to indicate support for long file names.
The GetCompressedFileSize function obtains the compressed size of a file. The GetFileAttributes function can determine whether an individual file is compressed.

______________________________________________________________________

GetWindowText:
The GetWindowText function copies the text of the specified window's title bar (if it has one) into a buffer. If the specified window is a control, the text of the control is copied.

int GetWindowText(
    HWND hWnd,        // handle of window or control with text
    LPTSTR lpString,  // address of buffer for text
    int nMaxCount     // maximum number of characters to copy
);

Parameters
hWnd
    Identifies the window or control containing the text.
lpString
    Points to the buffer that will receive the text.
nMaxCount
    Specifies the maximum number of characters to copy to the buffer. If the text exceeds this limit, it is truncated.

Return Value
If the function succeeds, the return value is the length, in characters, of the copied string, not including the terminating null character. If the window has no title bar or text, if the title bar is empty, or if the window or control handle is invalid, the return value is zero. To get extended error information, call GetLastError.
This function cannot retrieve the text of an edit control in another application.

Remarks
This function causes a WM_GETTEXT message to be sent to the specified window or control. This function cannot retrieve the text of an edit control in another application.

____________________________________________________________________

H) LAST WORDS

Yeah, you made it =) This is the end of this tutorial and I hope I could teach you something, more or less. If you have any questions, suggestions or just wanna gimme some feedback, then just email me !!! Also plz inform me if you have found any error - I'm only a human being =) This Tutorial was first written under note-pad, but it got just too big, so that I had to continue writing it with WordPad.
I hope you don't mind it ;) The next Tutorial (natz-2) will be in html and I don't exactly know what it will discuss yet, so just watch out for it !!!

NaTzGUL/REVOLT
natzgul(at)hotmail(point)com

_________________________________________________________________

I) GREETINGS

Groups: REVOLT, #CRACKING, UCF, PC97, HERITAGE, CRC32, #CRACKING4NEWBIES, CORE, RZR, PWA, XF, DEV etc.

PERSONAL: CoPhiber, Spanky, Doc-Man, Korak, lgb, DDensity, Krazy_N, delusion, riches, Laamaah, Darkrat, wiesel, DirHauge, GnoStiC, JosephCo, niabi, Voxel, TeRaPhY, NiTR8, Marlman, THE_OWL, razzia, K_LeCTeR, FaNt0m, zz187, HP, Johnastig, StarFury, Hero, +ORC, +Crackers, Fravia+, LordCaligo, BASSMATIC, j0b, xoanon, EDISON etc.

(c) 1998 NaTzGUL All rights reversed

(c) Fravia 1995, 1996, 1997, 1998, 1999. All rights reserved, in the European Union and elsewhere