HOW TO CRACK, by +ORC, A
Lesson 8.2: How to crack Windows, a deepr approach
[SNAP95] [WINZIP] [WINCAT]
SPECIAL NOTE: Please excuse the somehow "unshaven"
character of the windows lessons... I'm cracking the
newest Windows '95 applications right now, therefore
at times I had to add "on the fly" some corrections to
the older Windows 3.1 and Windows NT findings.
"homines, dum docent, discunt".
-> 1st THING TO REMEMBER
If you thought that DOS was a mess, please notice that windows
3.1 is a ghastly chaos, and windows 95 a gruesome nightmare of
ill-cooked spaghetti code. Old Basic "GOTO" abominations were
quite elegant in comparison with this concoction... One thing is
sure: This OS will not last... it's way too messy organised,
impossible to consolidate, slow and neurotic (but I must warn
you... I thought exactly the same things about DOS in 1981).
The most striking thing about windows 95 is that it is neither
meat not fish: neither 16 nor 32... you could call it a "24 bit"
We'll never damage Microsoft interests enough to compensate for
this moronic situation... where you have to wait three minutes
to get on screen a wordprocessor that older OS (and even old DOS)
kick up in 5 seconds. I decide therefore, hic et nunc, to add an
ADDENDUM to this tutorial: Addendum 1 will be dedicated to teach
everybody how to crack ALL Microsoft programs that do exist on
this planet. I'll write it this sommer and give it away between
the "allowed" lessons.
Anyway you can rely on good WINICE to crack everything, you'll
find it on the web for free, I use version 1.95, cracked by [The
Lexicon] (do not bother me for Warez, learn how to use the search
engines on the web and fish them out yourself). Learn how to use
this tool... read the whole manual! Resist the temptation to
crack immediatly everything in sight... you 'll regret pretty
soon that you did not wanted to learn how to use it properly.
A little tip: as Winice is intended more for software developers
than for crackers, we have to adapt it a little to our purposes,
in order to make it even more effective: a good idea is to have
in the *.DAT initialization file following lines:
INIT = "CODE ON; watchd es:di; watchd ds:si;"
TRA = 92
This way you'll always have the hexadecimal notation on, two very
useful watch windows for passwords deprotection and enough buffer
for your traces.
WINDOWS 3.1. basic cracking: [ALGEBRAIC PROTECTIONS]
The most used windows protections are "registration codes",
these must follow a special pattern: have a "-" or a "+" in a
predetermined position, have a particular number in particular
position... and so on.
For the program [SHEZ], for instance, the pattern is to have a
14 bytes long alphanumeric sequence containing CDCE1357 in the
first 8 bytes.
The second level of protection is to "connect" such a
pattern to the alphanumeric contents of the NAME of the user...
every user name will give a different "access key". This is the
most commonly used system.
As most of these protections have a "-" inside the answering
code, you do not need to go through the normal cracking procedure
(described in the next lesson):
* load WINICE
* hwnd [name_of_the_crackanda_module]
* choose the window Handle of the snap, i.e, the exact
"FIELD" where the code number input arrives... say 091C(2)
* BMSG 091C WM_GETTEXT
* Run anew
* Look at the memory location(s)
* Do the same for the "Username" input FIELD. (Sometimes
linked, sometimes not, does not change much, though)
* BPR (eventually with TRACE) on the memory locations (these
will be most of the time FOUR: two NUMBERCODES and two
USERNAMES). The two "mirrored" ones are the most important
for your crack. At times there will be a "5th" location,
where the algebraic play will go on...
* Look at the code that performs algebraic manipulations on
these locations and understand what it does...
* Disable the routine or jump over it, or reverse it, or
defeat it with your own code... there are thousand
* Reassemble everything.
Uff... quite a long cracking work just to crack some miserable
program... isn'there a quicker way? OF COURSE THERE IS! Actually
there are quite a lot of them (see also the crack of Wincat Pro
below): Look at the following code (taken from SNAP32, a screen
capture utility for Windows 95, that uses a pretty recent
XOR EBX,EBX ; make sure EBX is zeroed
MOV BL, [ESI] ; load input char in BL
INC ESI ; point at the next character
MOV EDI,EBX ; save the input character in EDI
CMP EBX,+2D ; input char is a "-" ?
CMP EBX,+2B ; input char is a "+" ?
XOR EBX,EBX ; EBX is zeroed
MOV BL,[ESI] ; recharge BL
INC ESI ; point to next char (do not check - or +)
XOR EBP,EBP ; zero EBP
CMP DWORD PTR [boguschecker], +01
even if you did not read all my precedent lessons, you do not
need much more explications... this is a part of the algebraic
check_procedure inside the SNAP32 module... you could also get
here through the usual
Windows wretched and detestable APIs used for copy protections,
as usual with WINICE cracking, and as described elsewhere in my
The above code is the part of the routine that checks for the
presence of a "+" or a "-" inside the registration number (many
protections scheme requires them at a given position, other need
to jump over them).
Now sit down, make yourself comfortable and sip a good Martini-
Wodka (invariably very useful in order to crack... but be aware
that only Moskowskaia russian Wodka and a correct "Tumball" glass
will do, do not forget the lemon)... what does this "-" stuff
mean for us little crackers?
It means that we can search directly for the CMP EBX,+2B
sequence inside any file protected with these schemes... and
we'll land smack in the middle of the protection scheme! That's
amazing... but you will never underrate enough the commercial
programmers... the only really amazing thing is how simpleton the
protectionists are! You don't believe me? Try it... you 'll get
your crack at least 4 out of 5 times.
Yes I know, to find this code is not yet to crack it... but for
this kind of copy protection (that's the reason it is so
widespread) there is no single solution... each makes a slightly
different algebraic manipulation of the alphanumeric and of the
numeric data. It's up to you to crack the various schemes... here
you can only learn how to find them and circumvene them. I'll not
give you therefore a "debug" crack solution. You'll find it
yourself using my indications (see the crack of the Wincat Pro
WHERE ARE THE CODES? WHERE ARE THE MODIFIED FILES? WHERE DO THE
PROTECTIONS KEEP COUNT OF THE PASSING DAYS?
Most of the time the protection schemes use their own *.ini files
in the c:\WINDOWS directory for registration purposes... at time
they even use the "garbage sammler" win.ini file. Let's take as
example WINZIP (versions 5 and 5.5), a very widespread program,
you'll surely have one shareware copy of it somewhere between
In theory, winzip should be registered per post, in order to
get a "NEW" copy of it, a "registered" copy.
This scares most newby crackers, since if the copy you have
it's not full, there is no way to crack it and make it work,
unless you get the REAL stuff. The youngest among us do not
realize that the production of a real "downsized" demo copy is
a very expensive nightmare for the money-infatuated commercial
programmers, and that therefore almost nobody does it really...
nearly all "demos" and "trywares" are therefore CRIPPLED COMPLETE
PROGRAMS, and not "downsized" demos, independently of what the
programmers and the protectionists have written inside them.
Back to Winzip... all you need, to crack winzip, is to add a
few lines inside the win.ini file, under the heading [WinZip],
that has already been created with the demo version, before the
line with "version=5.0".
I will not help you any further with this... I'll leave it to
you to experiment with the correct sequences... inside win.ini
you must have following sequence (these are only template to
substitute for your tries inside WINICE... you'll get it, believe
The *important* thing is that this means that you DO NOT NEED
to have a "new registered version" shipped to you in order to
make it work, as the protectionist sellers would like you to
believe. The same applies most of the time... never believe what
you read in the read.me or in the registration files...
This brings me to a broader question: NEVER believe the
information they give you... never believe what television and/or
newspapers tell you... you can be sure that the only reason they
are notifying you something is to hinder you to read or
understand something else... this stupid_slaves_society can only
subsist if nobody thinks... if you are really interested in what
is going on, real information can be gathered, but surely not
through the "conventional" newspapers and/or news_agencies (and
definitely NEVER through television, that's really only for the
stupid slaves)... yes, some bit of information can be
(laboriously) gathered... it's a cracking work, though.
HOW TO CRACK INFORMATION [WHERE WHAT]
In the middle of the hugest junk collection of the planet, some
real information can be laboriously gathered if you do learn how
to use well the search engines (or if you do build your ones...
my spiders are doing most of the work for me... get your robots
templates from "Harvest" or "Verify" and start your "spider
building" activity beginning from Martijn Koster's page). As
usual in our society, in the Internet the real point is exactly
the same point you'll have to confront all your life long: HOW
TO THROW AWAY TONS OF JUNK, HOW TO SECLUDE MYRIADS OF USELESS
INFORMATION and HOW TO FISH RARE USEFUL INFORMATION, a very
difficult art to learn per se. Internet offers some information,
though, mainly BECAUSE it's (still) unregulated. You want a
proof? You are reading it.
* SOME (RARE) NEWSPAPERS.
The newspaper of the real enemies, the economic powers that
rule this slaves world, are paradoxically most of the time the
only ones worth studying... somewhere even the real rulers have
to pass each other some bits of real information. The "Neue
Zuercher Zeitung", a newspaper of the Swiss industrials from
Zuerich, is possibly the best "not_conformist trend analyzer"
around that you can easily find (even on the web). These
swissuckers do not give a shit for ideology, nor preconcerted
petty ideas, the only thing they really want is to sell
everywhere their ubiquitous watches and their chocolates... in
order to do it, a land like Switzerland, with very high salaries
and a good (and expensive) social system, must use something
brilliant... they found it: a clear vision of the world... as a
consequence this newspaper is very often "against" the trend of
all the other medias in the world, the ones that are used only
in order to tame the slaves... If the only language you know is
english (poor guy) you could try your luck with the weekly
"Economist"... you'll have to work a lot with it, coz it has been
tailored for the "new riches" of the Tatcher disaster, but you
can (at times) fish something out of it... they do a lot of
idiotic propaganda, but are nevertheless compelled to write some
truth. American newspapers (at least the ones you can get here
in Europe) are absolute shit... one wonders where the hell do the
americans hyde the real information.
On the "non-capitalistic" side of information there is a
spanish newspaper "El Pais" that seems to know about what's going
on in South America, but it's so full of useless propaganda about
irrelevant Spanish politics that it's not really worth reading.
The monthly "Le Monde diplomatique" offers something too... this
one exaggerates a little on the pauperistic "third world" side,
but has a lot of useful information. See what you can do with all
this information (or disinformation?)
[BELIEVE THE COUNTRARY]
Another good rule of thumb in choosing your medias is the
following... if all medias around you assure, for instance, that
"the Serbians are evil"... the only logical consequence is that
the Serbians are not so evil at all and that "the Croats" or some
other Yugoslavian shits are the real culprits. This does not mean
at all that the Serbians are good, I warn you, it means only what
I say: something is surely hidden behind the concerted propaganda
you hear, the best reaction is to exaggerate in the other
direction and believe the few bit of information that do say the
countrary of the trend. This rule of thumb may be puerile, but
it works somehow most of the time... if somewhere everybody
writes that the commies are bad then THERE the commies must not
be so bad at all and, conversely, if everybody in another place
writes that the commies are all good and nice and perfect (like
the Soviet propaganda did) then THERE the commies are surely not
so good... it's a matter of perspective, much depends on where
you are, i.e. whose interests are really at stake. There is NEVER
real information in this society, only propaganda... if you still
do not believe me do yourself a little experiment... just read
the media description of a past event (say the Vietnam war) as
written AT THE MOMENT of the event and (say) as described 10
years later. You'll quickly realize how untrustworthy all
newspapers and medias are.
* SEMIOTICS You'll have to study it (as soon as you can) to
interpret what they let you believe, in order to get your
bearings. A passing knowledge of ancient RHETORIC can help quite
a lot. Rhetoric is the "Softice" debugger you need to read
through the propaganda medias: concentrate on Periphrasis,
Synecdoche, Antonomasia, Emphasis, Litotes and Hyperbole at the
beginning... you'll later crack higher with Annominatio,
Polyptoton, Isocolon and all the other lovely "figurae
Enough, back to software cracking.
HOW A REGISTRATION CODE WORKS [WINCAT]
Let's take as an example for the next crack, a Username-
algebraic registration code, WINCAT Pro, version 3.4., a 1994
shareware program by Mart Heubel. It's a good program, pretty
useful to catalogue the millions of files that you have on all
your cd-roms (and to find them when you need them).
The kind of protection Wincat Pro uses is the most utilized
around: the username string is manipulated with particular
algorithms, and the registration key will be made "ad hoc" and
depends on the name_string. It's a protection incredibly easy to
crack when you learn how the relevant procedures work.
[WINCAT Pro] is a good choice for cracking studies, coz you
can register "over your registration" one thousand times, and you
can herefore try for this crack different user_names to see all
the algebrical correspondences you may need to understand the
In this program, when you select the option "register", you
get a window where you can input your name and your registration
number (that's what you would get, emailed, after registering
your copy). If you load winice and do your routinely hwnd to
individuate the nag window, and then breakpoint on the
appropriate memory ranges you'll peep in the working of the whole
bazaar (this is completely useless in order to crack these
schemes, but it'll teach you a lot for higher cracking, so you
better do it also with two or three other programs, even if it
is a little boring): a series of routines act on the input (the
name) of the user: the User_name_string (usn). First of all the
usn_length will be calculated (with a REPNZ SCASB and a following
STOSB). Then various routines store and move in memory the usn
and the registration_number (rn) and their relative lengths. In
order to compare their lengths and to check the correct
alphanumeric correspondence between usn and rn, the program first
uppercases the usn and strips all eventual spaces away.
Here the relevant code (when you see an instruction like
SUB AL,20 you should immediately realize that you are in a
uppercasing routine, which is important for us, since these are
mostly used for password comparisons)... here the relevant Winice
unassemble and my comments:
253F:00000260 AC LODSB <- get the usn chars
253F:00000261 08C0 OR AL,AL <- check if zero
253F:00000263 740F JZ 0274 <- 0: so usn finished
253F:00000265 3C61 CMP AL,61 <- x61 is "a", man
253F:00000267 72F7 JB 0260 <- not a lower, so loop
253F:00000269 3C7A CMP AL,7A <- x7A is "z", what else?
253F:0000026B 77F3 JA 0260 <- not a lower, so loop
253F:0000026D 2C20 SUB AL,20 <- upper it if it's lower
253F:0000026F 8844FF MOV [SI-01],AL<- and hyde it away
253F:00000272 EBEC JMP 0260 <- loop to next char
253F:00000274 93 XCHG AX,BX
The instruction MOV [SI-01],AL that you see here is important
at times, coz it points to the location of the "pre-digested"
usn, i.e. the usn formatted as it should be for the number
comparison that will happen later. In some more complicated
protection schemes the reasoning behind this formatting is the
following: "Stupid cracker will never get the relation algorhitm
usn <-> rn, coz he does not know that usn AND rn are slightly
changed before comparing, ah ah... no direct guessing is
possible". Here is only "polishing": you have to "polish" a
string before comparing it in order to concede some mistakes to
the legitimate user (too many spaces in the name, upper-lower
case mismatch, foreign accents in the name etc.) You just need
to know, for now, that this checking is usually still 5 or 6
calls ahead of the real checking (it's what we call a "green
You should in general realize that the real checking of the
algebrical correspondence follows after a whole series of memory
operations, i.e.: cancelling (and erasing) the previous (if ever)
attempts; reduplicating the usn and the rn somewhere else in
memory; double checking the string lengths (and saving all these
values somewhere... be particularly attentive when you meet stack
pointers (for instance [BP+05]): most of the programs you'll find
have been written in C (what else?). C uses the stack (SS:SP) to
pass parameters or to create local variables for his procedures.
The passwords, in particular, are most of the time compared to
data contained within the stack. If inside a protection a BP
register points to the stack you have most of the time fished
something... remember it pupils: it will spare you hours of
useless cracking inside irrelevant routines. Back to our CATWIN:
another little check is about the "minimal" length allowed for
a user name, in our babe, for instance, the usn must have at
least 6 chars:
230F:00003483 3D0600 CMP AX,0006
230F:00003486 730F JAE 3497 <- go to nice_name
230F:00003488 BF9245 MOV DI,4592 <- no good: short
After a lot of other winicing you'll finally come across
following section of the code:
2467:00000CA3 B90100 MOV CX,0001
2467:00000CA6 03F1 ADD SI,CX
2467:00000CA8 2BC1 SUB AX,CX
2467:00000CAA 7213 JB 0CBF
2467:00000CAC 40 INC AX
2467:00000CAD 368B4F04 MOV CX,SS:[BX+04] <- here
2467:00000CB1 0BC9 0R CX,CX
2467:00000CB3 7D02 JGE 0CB7
2467:00000CB5 33C9 XOR CX,CX
2467:00000CB7 3BC1 CMP AX,CX
2467:00000CB9 7606 JBE 0CC1
2467:00000CBB 8BC1 MOV AX,CX
2467:00000CBD EB02 JMP 0CC1
2467:00000CBF 33C0 XOR AX,AX
2467:00000CC1 AA STOSB <- and here
2467:00000CC2 8BC8 MOV CX,AX
2467:00000CC4 F3A4 REPZ MOVSB <- and here!
2467:00000CC6 8EDA MOV DS,DX
2467:00000CC8 FC RETF 0008
This is obviously the last part of the checking routine
(I'll not delve here with the mathematical tampering of it, if
you want to check its workings, by all means, go ahead, it's
quite interesting, albeit such study is NOT necessary to crack
these schemes). The important lines are obviously the MOV
CX,SS:[BX+04], the STOSB and the REPZ MOVSB (as usual in password
protection schemes, you do remember lesson 3, don't you?).
You should be enough crack-able :=) by now (if you have read
all the precedent lessons of my tutorial), to find out easily,
with these hints, how the working of the protection goes and
where dwells in memory the ECHO of the correct rn (passkey) that
matches the name you typed in. Remember that in these kind of
cracks the ECHO is present somewhere (90% of the cases). There
are obviously one thousand way to find such ECHOs directly,
without going through the verificayions routines... for instance
you could also find them with a couple of well placed
snap_compares, it's a "5 minutes" cracking, once you get the
working of it. I leave you to find, as interesting exercise, the
routine that checks for a "-" inside the rn, a very common
In order to help you understand the working of the protection
code in [Wincat Pro] I'll give you another hint, though: if you
type "+ORC+ORC+ORC" as usn, you'll have to type 38108-37864 as
rn, if you usn as usn "+ORC+ORC" then the relative rn will be
14055-87593. But these are my personal cracks... I have offered
this information only to let you better explore the mathematical
tampering of this specific program... you'll better see the
snapping mechanism trying them out (going through the routines
inside Winice) alternatively with a correct and with a false
password. Do not crack Wincat with my combination! If you use a
different usn than your own name to crack a program you only show
that you are a miserable lamer... no better than the lamers that
believe to "crack" software using huge lists of serial numbers...
that is really software that they have stolen (Yeah: stolen, not
cracked). You should crack your programs, not steal them...
"Warez_kids" and "serial#_aficionados" are only useless zombies.
I bomb them as soon as I spot them. YOU ARE (gonna be) A CRACKER!
It makes a lot of a difference, believe me.
Well, that's it for this lesson, reader. Not all lessons of my
tutorial are on the Web.
You 'll obtain the missing lessons IF AND ONLY IF you mail
me back (via anon.penet.fi) with some tricks of the trade I may
not know that YOU discovered. Mostly I'll actually know them
already, but if they are really new you'll be given full credit,
and even if they are not, should I judge that you "rediscovered"
them with your work, or that you actually did good work on them,
I'll send you the remaining lessons nevertheless. Your
suggestions and critics on the whole crap I wrote are also
"If you give a man a crack he'll be hungry again
tomorrow, but if you teach him how to crack, he'll
never be hungry again"