How to update a crack yourself using a pattern search, ANYONE INTERESTED ???

Quote:

Hi Folks, Is anyone interested in "How to update a crack yourself using a pattern search" ???

I considered a rewrite of my Pattern search that would allow members to update a crack themselves ! A tutorial would also be
needed explaining how to replace memory offsets with ?? to do a search for code to patch.
Considered using Spriter v11.0 as an example since the code has changed very little since I cracked v7 I included a Search
and Patch in the Recent Release of v11 Activation that I just posted.

Don't know whether this should be posted here, or in the Reversing section ? I think a lot of members would like to be able to
update cracks themselves, but don't have access to the Reversing Section.
This is just a feeler post to get opinions, and see if members are interested. ANYONE INTERESTED ???

Have a great day, countryboy

Quote:

Ok, it looks like a lot of members are interested. I have received a lot of P.M.s from members wanting to
learn, but don't have access to the Reversing Section.
EvilEngineer has already created a short Tutorial on this in the Reversing section, but I will try to keep it simple, use
examples, and also include detailed Instructions on How to Crack.
I think members should have access to Tutorials, but section for crackers to work on cracks should remain
private to prevent developers access.

Lets get cracking. I request that you share, and post a release for other members after testing as that's what it's all
about.
Forget the you stole my crack bullshit, as neglected crack updates are open game for someone else to crack. The thrill is
gone after the 1st time anyway, move on.
I also request that you mention Credit to original Cracker, If you are updating a Crack then post your release on the
Original Crackers Thread as a Crack Update. Teamwork !

I have several cracks that members have updated themselves, and seem to be working OK without me having to do a update
unless members report problems with the crack update.
I try to provide Pattern Search and Patch for future releases, so I don't have to update the crack, unless the search pattern
eventually doesn't work, and needs to be updated.

TUTORIAL WILL BE DONE IN SECTIONS, AND UPDATED AS TIME PERMITS !

LESSON 1 : How to update a Crack : Reverse

Engineering by countryboy

Lets get cracking :

If you think it's too hard to understand then you will probably give up and fail, but
if "a dumb olcountryboy like me" can learn How to Crack then you can too !
Confidence, Determination, and Repetition required to Learn : 3rd time is a charm.
Reading a book you don't understand then keep Reading, in chapter
10, you will understand what they were talking about in chapter 3 !
TEACH a MAN to FISH, and he WON'T go HUNGRY. TEACH a MAN to CRACK, and he
canCRACK PROGRAMS he needs, and SHARE with OTHERS !

Tutorial will be kept as simple as possible. Tutorial explains, how to update an existing
Crack To the next version by searching for Hex Code to change, and Patching with Hex Editor.
Video Tutorial : Step by Step how to crack any program, basic understanding of Machine Code, Hex,
Assembly Language used in Debugger, and how to find code to patch using a Debugger.
The Example Program used will be a Crack update from Spriter Version 7 to Spriter Version 11.
A request for Spriter v11. The name was familiar, a search for existing v11 crack was not
found, but v7had been cracked by countryboy.
Surprised, 4 versions had been released without a crack update, or anyone cracking a very easy to
crack program.

While v11 code was being analyzed by IDA, took a look at what was done in Version 7, a partial
sequential byte search found the code quickly.
A excellent example for a Tutorial on how to update a crack to next version, didn't need to run
program in Debugger to find "Code to change" to create a Crack.
The v11 Code was basically the same Code as v7 with only the offsets changed when the Code
was Compiled into a later version.

Tutorial explains, how to locate the same Hex code to Patch in a later release by considering the offset part
of Instructions when searching.
Most programs are Cracked by changing a ( Conditional jump ) to Jump, or not
Jumping. The second part of a jump instruction is how many bytes to jump.
Number of bytes to jump can change when the Program is re-compiled into a later Release. There
are about a half dozen Instructions that use a offset as part of Instruction.
Tutorial covers most used instructions, what to look for, how to update a crack, and how
to find code to change to Crack any Program, any Operating System, Executable, or .dll

I will try to keep it simple. Let's start with our ABC's !

Lessons 2 & 3 : How to update a Crack using a Pattern Search not

in Reverse Engineering : How to Crack Video

A few items needed to do a Crack update.

DOWNLOAD : Hex Workshop + Crack

Link(s):
https://dailyuploads.net/2gcu25alsbor#

DOWNLOAD : Dup - A search, and patch Patchier

Link(s):
https://sourceforge.net/projects/dup-patcher/files/latest/download

DOWNLOAD : HexExplorer

Link(s):
https://sourceforge.net/projects/hexplorer/

DOWNLOAD : Explorer Suite

Link(s):
https://ntcore.com/files/ExplorerSuite.exe

DOWNLOAD : Spriter v7 INSTALLER - Example used

Link(s):
https://www.mirrored.to/files/O4FMEOJ1/Spriter-Pro-7_Setup-Activation.rar_links
Password: countryboy
DOWNLOAD : Spriter Pro v11 - INSTALLER - Example used

Link(s):
https://brashmonkey.com/brashmonkey/spriter/windows/Spriter_r11.zip

DOWNLOAD : Spriter Pro 9.0 : MAC INSTALLER - ( 99 meg ) - Example used ( yes, how to crack the Mac Version will also be
covered ! )Version will also be covered ! )

Link(s):
https://brashmonkey.com/brashmonkey/spriter/mac/Spriter_free_R9.dmg

DOWNLOAD : IDA Pro v6.8 and Hex-Rays Decompiler (ARM/x86/x64)+Tutorials - File Size: 166Mb RAR file with no password ...
Link by : Seezar

Link(s):
https://mega.nz/#!EYpjVTaa!PbBDVPq14iwi3i2aPYMxEG4tOWDlj27lyr1wx5KaRTE

LESSON 2 : HOW TO FIND Spriter v7 PATCHED CODE

in Spriter v11
Before comparing, and searching the Original, and Patched File : Both should be the same File byte size.

1. INSTALL SPRITER Version 7, Create a copy of Spriter.exe, and Rename it to : Spriter_7ORG.exe

2. Start Spriter-Pro-7_Activation.exe to Patch Spriter.exe
3. Start Hex Workshop, and Compare the 2 Files to find the Cracked - Patched Hex code !
... OR use Dos Compare ... at Command Prompt :> FC /B "Spriter_ORG.exe" "Spriter.exe" > FC.TXT

This image has been resized. Click this bar to view the full image. The original image is sized 1530x821.

FOUND HEX CODE BELOW :

TOP := v7 ORIGINAL CODE --- BOTTOM := v7 CRACKED CODE ... 74 is the Instruction : jz := ( jump if zero ) the 17,
and 04are number of bytes to jump.
Link(s):
74178D44242868647B940050FFD683C40884C07404 74008D44242868647B940050FFD683C40884C07400
1. Select, and Copy orgional Hex Numbers in Blue above, and paste into a Text File.
2. Rename Spriter Version 7 Folder, Install Spriter version 11, create a copy of version 11 : Spriter.exe, and rename
toSpriter_11-ORG.exe
3. Start Hex Workshop, and open version 11 : Spriter.exe
4. Click on Edit, Click on Find, paste the copied original Blue Hex Numbers into the [ Value ] Box, and Click OK. Note : NO
SPACES in search String.

Surprise : It's not Found ! There seems to be a offset difference. The Next Update will show how to find the Patched
Code.

LESSON 3 : UNDERSTANDING OFFSETS - Finding the

Patched code
Compare Spriter.exe v7 original, and v11 original file : Do the same type of Compare done in v7 to see the differences.
TOP := v7 ORIGINAL CODE --- BOTTOM := v11 ORIGINAL CODE ... The Highlighted middle code [ 68647B9400 ] is a
memory offset Instruction.

Link(s):
74178D44242868647B940050FFD683C40884C07404 74178D44242868C46B960050FFD683C40884C07404

NOTE : All offsets change on Compile ... Highlighted Code: 68647B9400 := IDA - PRO : INSTRUCTION : [ .text:004F403A
push offset dword_966BC4 ]
The instructions pushes the memory offset of the double word at address 966bC4 onto the Stack. The first part of the Instruction
( 68 is push ) the remaining part of the instruction is the offset address.

SEARCH FOR PART OF THE HEX CODE STRING :

1. Start Hex Workshop, open V11 Spriter.exe, Click on Edit, Click on Find, paste the [ 74178D44242868 ] Hex Numbers
into the [ Value ] Box, and Click OK. Note : NO SPACES in search String.
2. FOUND IT, now check the whole string to make sure the 7404 is also in the String, and Click [ Find Next ] to make sure you
found the right one.
The shorter the search string, the more occurrences found. Use a longer search string for less occurrences. I like about 16 bytes, but 32
bytes is even better.
If you have a problem : Search the Previous version, count occurrences until code found. Repeat the same process in the update
version, and count occurrences until code found.
You can load it in a Debugger like IDA, go to the v7 Found offset, look at the Code then load the New Version 11 in Debugger,
go to found offset, and compare to code instructions.

HOW TO PATCH : Always save a backup. Patch it using a HEX EDITOR, and see if it works ...
Place the cursor on the 74 17 - change the 17 to 00, and Place cursor on the 74 04, and change the 04 to 00 ...
Click on save, or save as.

Congratulations, you just cracked a program by changing 2 bytes, and did a successful Crack update !
HOW IT WAS CRACKED, AND WHAT WAS CRACKED :
A Function was cracked. What did the Function do ? It checks the Serial, and returns a 1 for good serial, or 00 for bad
serial.
Windows programs don't provide Debug Information, but most MAC Programs have debug information with Names of the
Procedures, and Functions.
No wandering around in a Maze with NO Landmarks trying to figure out what that guy does for a living.
In Mac version : Function is named : SerialEncoder::checkSerial more on Mac version crack later, and how the compiler
can flip the script requiring a Far jump instead of not jumping to return that needed 1.

The Hex Numbers were changed to prevent jumping over a instruction in list that needed to be run. The Instruction at IDA : Line
Number 004F4049 ( mov bl, 1 ) needed to be run to move a 1 to Register BL,
because Register BL is moved to Register AL at end of Function, before the Function Return. THE FUNCTION NOW RETURNS 1 IN
REGISTER AL := GOOD SERIAL !

PATTERN SEARCH USED IN Spriter version 11 Search, and Patch Activation Setup Release
Link(s):
83 C4 08 84 C0 74 17 8D 44 24 28 68 ?? ?? ?? ?? 50 FF D6 83 C4 08 84 C0 74 04 B3 01 EB ?? 8D ?? ?? ?? 50 51 8B CC 50
Search Pattern starts before code to change at IDA : ( .text:004F402F add esp, 8 ). The ?? after 68 is offset explained above.
The ?? after the EB is short jump to Function End, and actually too far,
because the compiler may change compiled code length, and search may not find code due to a 1 byte difference. The ?? after 8D is
for Instruction ( lea eax, [esp+20h+arg_4] )

I wrote the code for the Pattern Searcher. It first searches for the Pattern, and then searched the found pattern for code to
change: 7417 I would normally ?? the 17 in jump, but it's a very short jump.
Search Pattern of about 16 to 32 bytes finds code with no problem, but recently I rewrote the search code to allow selection for
occurrences of duplicate patterns found.
If pattern changes then I update pattern, but it still searches for old, if New isn't found. Hit Film has gone through a half dozen versions,
and it's still finding the pattern, and code to change.
In my Releases : I always say with minor code changes !

I will do a short section on DUP at Tutorial end. DUP does a pattern search & patch. DUP is also a loader as I looked at it, but
it didn't do what I wanted, so I wrote the code for the Loader I use.

LESSON 4 : REGISTERS, INSTRUCTION OPCODES, AND

ASSEMBLY ... Terminology, what's in a name ??

Questions : Why was the Numbers changed ? How did you find what to change to crack it
?What is an offset ? What is a Opcode ? What is a Register ??

I will try to keep it simple. Let's start with our ABC's !

This image has been resized. Click this bar to view the full image. The original image is sized 1325x827.

TOOL ABOVE IS A NICE TOOL TO HAVE IN YOUR CRACKING TOOLKIT ... View Machine Code Instruction - Opcode +
Assembly

REGISTERS : What are they ?

The ABC's of the Computer. A register is a part of the CPU that can store any instruction,
number, data, or address for the processor. Click : more information
Registers are named AX, BX, CX, DX, SP, BP, SI, DI, IP, and Flags.
AX – Is the accumulator. 16 bits, and two 8-bit registers AH and AL. A General purpose Register,
used for arithmetic and logical instructions, and used as Return for Boolean Function Return Results.
BX – Base register. 16 bits, and two 8-bit registers BH and BL, and used to store the value of a offset.
CX – Counter register. 16 bits, and two 8-bit registers CH and CL. The CX, and CL Register are used
for loops.
DX – Data register. 16 bits, and two 8-bit registers DH and DL : Multiplication an input-output port
addressing.
SP – Stack pointer. 16 bits, and Points to topmost item on stack. BP – Base pointer. 16 bits, and
access variables passed on stack.
SI – Source index register. 16 bits, and used in pointer addressing of data and as source in string
operations. It’s offset is relative to data segment.
DI – Destination index register. 16 bits, and used in the pointer addressing of data and as destination
in string operations. It’s offset is relative to extra segment.
IP - Is the Instruction Pointer Register, and points to current Instruction being run in the code
Segment, and accessed as CS : IP.
Flag Registers are set by decision making Instructions like compare, test, or, shl, shr then
Conditional Jump Instruction Act on condition of the flags. Click : more information

Registers listed above are 16 bit Registers for 32 bit Registers : add a E to Name,
and AXBecomes EAX, BX becomes EBX. For 64 Bit : add a R to Register Name,
and AX becomes RAX.
SHL is Shift Left, and act directly on registers by rotating the Bits left as a Multiply by 2 per
shift. SHRis Shift Right, and a divide by 2. Shift is faster than multiply, and divide.
An old saying is multiply if you must, but never ever divide. Worst error is divide by zero.
The andinstruction, and or instruction work on bits, and not Instruction flips bits, as 1 becomes
0, and 0 becomes 1.
Item of interest to a Cracker is the Instruction XOR used to zero a Register, and when changing
code to set a register to zero, it's a shorter instruction than using move 0 to a Register.
Registers can be substituted, and used in place of other Registers, but need to keep in mind that
some Instructions like movsb, or movsw Increment Registers like SI, and DI. Click : more
information

MEMORY SEGMENTS, BIT SIZE, MAGIC HEX NUMBERS :

Early Computers needed to use combined Registers to access large memory sizes, because
a Register is limited to the Largest Number it can hold.
A byte/8 Bits max number size is 256 unsigned from 0 to 255, or signed -128 to +127 ... 2
bytes/16 bits max number size is unsigned 65535, signed -32,768 to 32,767 := max value for a
Integer.
4 bytes/32 bits Max size is -2,147,483,648 to +2,147,483,647 could this be why Windows xp can
only access 2 gig Hard Drives.
8 bytes/64 bits Max number size signed is -9,223,372,036,854,775,808 to
+9,223,372,036,854,775,807Click : more information

SEGMENTS : Memory is divided into Segments for easy access.

CS Register is the Code Segment as it holds the list of Instructions being Run.
IP is the Instruction Pointer, and current Line Number of Instruction being run, and
the offset Register within the Segment as Current Instruction is accessed as CS : IP.
DS Register is the Data Segment, and SS is the Stack Segment. The move of strings in memory
usually use Registers DS : SI as source, and ES : DI as Destination with the
ES = Extra Segment being set by the LEA Instruction, and the CX Register used to keep count
of the loop. The MovStringByte, MovSW Instructions do this automatically, & assume
DS : SI is source, and ES : DI is destination. There are many more Registers like Floating Point, 64
bit Registers like R8, R9, R10, etc, but the ones listed are ones of interest to crackers.
Compilers usually use same Registers on next compile, but may sometimes use different
Registers, and may affect a next version pattern search. Click : more information

Data : it's information, and facts

Data is unchanged stored constant information, both Write only, and GLOBAL Initialized Variables
that can be changed. Text message Strings displayed in Menus, and Msg Boxes are stored in Data
Segment.
A Is_Trial variable may be preset to 1 = true in data segment. It is easier to change data message
strings using a Hex Editor. Example: I changed Activation Menu Instructions in DragonFrame 4 for the
keygen.
Data is accessed using the DS Data Segment Register. IDA also displays text strings in the code
display, and very useful as Landmarks, and Debug Information when cracking a program.

ON CRACK START IN A DEBUGGER :

SEARCH for text strings like : Serial, Activation, License using list all occurrences, place a Break-
point, and on run Debugger breaks on Break-points of code that may need to be cracked.
Crack update : Pattern Search ... changed message strings can be very large, and should
be ignored, and edited later with a Hex Editor. Click : more information

Code : a numbered list of instructions.

Instructions is a list of things to do. Offset is a numbered position, or line number from start of
list. Computer is a dumb Machine that executes list of Instructions.
Label is a line number of the list. Decision making is jumping over, or skipping lines in the list.

Instruction list is divided into reusable smaller easier to manage lists :

Procedure : list of instructions that does a job. Function : same as Procedure, but returns a value,
or result in a Register : Success, or Failure.
A Functions Success, or failure return is Boolean. Boolean is True = 1, or False = 00. The most
common Function is a Boolean Function that returns a 1, or a zero.
A Function can also return a Memory Pointer to data like a String of text, or any Data as a Memory
Address Pointer in the Computer Registers.

CALL is a Instruction in the list that calls a separate list of instructions : Procedure,
or Functionthat does a job, and returns to the next line in the list. Click : more information
The instruction in the list after a call can check if Called Function succeeded, or failed, and jump, or
skip lines by checking if returned result in Register AL is a 1, or a 0.
How does it know what line number to return to when job is finished ? Before Call to
separate list, the ( line number := Instruction Pointer := IP Register ) is saved by pushing it
onto the stack.

What is the stack ? It is a separate segment of memory for storing stuff, like a stack of papers
on your desk. L.I.F.O is last one in, first one out, or only take items off top of stack. No shuffling the
stack.
Before the Call, Variables, Constants, Offsets, or Numbers needed by the Procedure, or Function are
pushed onto the Stack. Variables can also be passed to the called Function in the Registers.
The Function saves Registers used at top of list by push onto stack, and can access Variables on the
Stack by using the Base Pointer Register [ BP ] and [ SP ] = Stack Pointer Register.
After job is done before Return the saved Registers used by the Function, or Procedure are popped off
the Stack, and restored.
When last instruction in the list ( Ret, short for Return ) is executed the IP := or line number
is popped off the stack, and returns to line below where it was called. Click : more information

OPCODES : What are they ? ... What is Hex ?

Opcodes are numbered Instructions + offsets, or a value. The Computer is a dumb calculator
machine, and only understands Machine Code := numbers.
A Computer uses binary math based on base 2, using bits with rollover at 4 bits, 8 bits to a byte, 2
bytes to a WORD, DWORD (32 bits/4 bytes) and QWORD (64 bits/8 bytes). There's that
Terminology again.
Binary may be converted to hexadecimal more easily. Hexadecimal is based on 16, and when count
is above 9 then A is used, and count proceeds with B, C, D, E, F.
Hexadecimal max limits per bit size, Magic Hex Numbers are 16, 64, 128, 256, 512, 1024, 2048,
etc. Use Windows Calculator to convert Hexadecimal to decimal. Click : more information

Opcodes contain Hexadecimal numbers, some are basic numerical numbers, or values, some are
keyboard characters as #13 is the Carriage Return, or the Enter Key, #27 is the Escape Key.
Machine Code : Opcodes are also Instructions with each number representing a Instruction +
value, or what the instruction works on.
Hex number 74 is a Instruction : number 74 is jz ( Jump if Zero ) to line number = count of bytes, or
offset to line. Second part of Instruction is number of bytes to jump. Click : more information

All Operating systems, Computers only understand Machine Code : Numbered Instruction
Opcodes, and it doesn't matter if File is a Executable .exe, or dynamic link library .dll
x86, x64 Assembly Language provides a English Name for the Instruction Opcode, but Net
Assembly uses Opcodes with different numbers, and Instructions.
Opcodes are used in Dynamic Link Library .dll Files that contain the same Code as .exe Files
with Library Functions provided by Language used, and Windows System to be called by Executable
Files.

ALL FILES CAN BE OPENED with a Hex Editor. Files containing Opcodes .exe and .dll can be
opened in a Debugger. IDA opens Mac, Linux, Net, and even opens code used by Electronic Chips.
The CFF Explorer program ... DOWNLOAD link provided, also opens .dll and .exe Files. After
Install, Right click on a file, and open with CFF Explorer. See CFF Explorer image.

ASSEMBLY LANGUAGE : ABBREVIATED SHORT NAME OF THE INSTRUCTION OPCODE :

What is Assembly Language ? Assembly is the English basic Abbreviated short Instruction for each
Hexadecimal number Instruction, and easier to understand, and use than numbers.
jmp is short for jump = Hex Number EB. NOP = Hex 90, it's the do nothing Instruction, and
means NO OPERATION POSSIBLE. Click : more information
cmp is short for compare, a decision making Instruction, as compare, and test instructions set
flagRegisters, and jz = ( jump if zero ), or a conditional - jump instruction skips lines of Instructions.
If you are Single stepping the code in a Debugger, and want to, or don't want to jump then set
the IP : Instruction Pointer to Line Number Label where you want to go.
Instruction like or also set Flag Registers for decision making conditional jumps. Can you guess
what these conditional jump instruction do ? [ je, jne, jg, jge, jl, jl, jle ] Click : more
information

INSTRUCTIONS USING OFFSETS :

The lea Instruction = LOAD EFFECTIVE ADDRESS is one of the Instructions, along with move that
works with offsets that need to be taken into consideration when doing a crack update.
Call Instructions contain a offset, but 1st part of a call the E8, or E9 never change, because it's a
Hex Opcode Instruction. Other Call Instruction start with FF. See CFF Explorer image.
When doing a crack update dealing with offsets : 1, 2, and 3 byte Instructions usually don't
include offsets as part of the Instruction, 1 byte instructions never, but 2 byte jumps do.
Compilers convert programs written in languages like c++ into Hex Opcodes, and
sometimes usedifferent registers, or Flip the scrip when compiling into Hex Opcodes. Click :
more information

How to Patch :
The majority of
cracks are done by changing a jump after acmp,
or test Instructions. There are 2 types of jump instructions,
the 2 byte jump Instruction is a short jump less than 128 bytes.
There's that magic hex number again. The Far Jump is a 6 byte
jump with the 1st 2 bytes being the Instruction, and the
last 4 bytes being the number of bytes to jump.

Short conditional jumps can be changed to jump by changing

the 1st Hex Number to ( EB + Number of bytes ) to
jump. Example: 7417 changed to EB17.
To not jump : the 2nd byte of the Instruction can be changed
to 00, to jump zero bytes, or next line of code. Some
crackers NOP out both bytes of the Instruction := 90 90.

Far conditional jumps, 6 byte Instructions can

be changed to jump by changing 1st two numbers to 90 E9. This
is jnz [ 0F 85 E0 00 00 00 ] from Mac crack & can be changed
to [ 90 E9 E0 00 00 00].
To not jump : the last 4 bytes of the Instruction can be changed
to 00 = [ 0F 85 00 00 00 00 ], or some crackers do : [ 90 90 90 90
90 90 ] = nop, nop, nop, nop, nop, nop.

Point of interest, if you want to change Jump location

address ( line number ) then the memory offset is backward with
high value on right, and low or least significant value on the left.
Easier to change the jump address in Debugger, by creating a
label for new address, and using the build in Assembler to Jump to
Label, instead of using a Hex Calculator for backward offsets.
No need to remember all of those Hex opcodes as Debuggers
has a Hex View. CFF Explorer also shows Assembly Instructions,
and Opcodes. See Image above.

Another way to crack the code : change the ( mov al, bl ) at

Function End to : ( mov al, 01 ) The move is backward as the move
is from right to left.
Hex opcode for ( mov al, bl ) is : ( 8A C3 ) The Hex Code is
changed to ( BO 01 ) Or you can use the Build in Assembler in the
Debugger.
Another option is skip all the code by changing Instruction list at top
to ( B0 01 C3 ) to Return 1 in Register AL. The C3 is Opcode
for Return. Keep in mind, Variables may need setting in Function.

HOW TO CHANGE INSTRUCTIONS : How to make sure it stays

cracked, and other things crackers do : The cmp instruction can be
changed to a Move instruction.
xStream watermark was duplicated dozens of times, and the best
way to make sure Watermark stayed disabled was
change cmpinstructions into move Instructions to set it equal 0.
Example : R5 InitRender ... Instruction : [ cmp byte ptr [rax],
0 ]Opcode ( 80 38 00 ) is changed to [ mov byte ptr [rax], 0 ]
Opcode ( C6 00 00 ) Turn checks if 0 into set it equal 0.
Instruction checked memory pointed to by Offset in Register [rax].
If instruction is Word ptr then opcode is C7, but may not have
enough bytes to set a word cmp, but can set low byte of
word using C6.
When replacing Instructions, use exact bytes only, if less then
add a nop, but if not enough space for a larger instruction then it
can't be done, or next instruction will be destroyed := crash.

BY HOOK, OR CROOK, OR ANY MEANS : Drastic measures are needed ! There's no

other way to crack it ! Have to create, and Write New Code !
PROBLEM : Have to find unused space to Write New Code ! The
Compilers Paragraph align section padding using
Opcode CC between Functions End, and Next Function Start is one
choice.
Another choice would be the unused bytes between a Far Jump that
definitely jumps leaving unused bytes. I have done this many times
to create entire Functions.
The problem with using the align section is limited size of about a
dozen bytes, and having to jump from one align to another align to
get enough bytes to write New Code.
HOW TO CREATE NEW CODE :
Create a New Label. Select code to change to jump to New align
Label. Restore changed destroyed jump code, create the New code,
and jump back to line below changed destroyed code.
In one crack, I had to move a License in memory by writing New
Code using align section to call the memcpy Library Function to do
the copy as this was only way to defeat the Hash Encryption.
Usually use the built in Assembler in IDA to create the New Code,
but it's a pain, because it doesn't handle some Instructions well,
and they have to be created using Hex Opcodes.
The point is that crackers sometime do this, and cracks
with New Code added don't work with Pattern Search
updates as they have to be created, and Written on every update,
because of Offsets.

LESSON 5 : THE DEBUGGER

The Debugger was created as a Tool, using Assembly to find Bugs in any Program, any operating
System, and the Number 1 Tool used by Crackers to find Code to change to Crack Programs !

TUTORIAL : Step by Step how to : Use a Debugger - your choice, how to go about finding
Code to change, how to change, and save changes to create a Crack !
I have used many different Debuggers, but IDA Pro is my preferred choice. I recently used IDA as it
was originally intended to find the Color Bug in ToonBoom Harmony 16 Crack.
IDA disassembles & Debugs many Files : .exe, .dll, etc, many operating systems, Windows, Dos, Mac,
Linux, Android, Nintendo, Sony Playstation, Electronic Chips, SNES ROM, Motorola, MOS Technology.
Currently using IDA v7, but v7 has a BUG as Hex Code Window is not
synchronized with Main IDA-View-A Assembly Code Window as it is
in IDA v6.8, beginners should start with v6.8

Lets get cracking : If you have a understanding of basics covered then you are ready
for Easy to Learn Part : Learn by doing, Cause and Effect, by watching Program Run 1 line at a
time.
Debugger runs Instruction List : 1 Line at time := F7, or jumps over Calls := F8, or Run
until it hits Break-point Set by User := F9, Run to cursor := F4, Ctrl + F7 =: break on Ret.

LOAD FILE IN DEBUGGER : CRACKING EXAMPLE : Spriter version 11 <(:-)> 1. Save a

backup of Spriter.exe as Spriter_ORG.exe 2. Start IDA PRO 32 bit Debugger : idaq.exe, and
open Spriter.exe
Select : [ Local Win32 debugger ] for IDA idaq.exe If Debugging a 64 Bit
Program with idaq64.exeselect [ Remote Windows debugger ]. Before running Click on
[ win64_remotex64.exe ] in dbgsrvFolder.
Set Host, and start the Debug Server for 64 bit. Difference between 32 bit, and 64 bit is Register
names have a R, and a few more Registers like R8, R9, etc, and some extra, and different
Instructions.
IDA Disassembles the File, and converts it to Assembly, and creates References for Code, and
Data. After IDA if finished Analyzing, you may need to Hit Space Bar to change Display View
Mode.

Press semicolon ; key in IDA to label Procedures as to Job : Checks License, Imports called, or
data variables referenced. Label references are seen throughout program so Label the Labels.
Label the calls that calls the call that Calls the Check Serial, or Check License function. Data
labelsalso work great for data variables as you can see where it is jumping before the jump.

SEARCH for [ text ] strings : Serial, Activation, License, using [ Find all occurrences ] Data &
Code. Click to jump to item, and Right Click [ add Break-point ] to break when run.

WANDERING AROUND IN A MAZE WITH NO LANDMARKS : Create Landmarks by

Labeling the found Serial, License, Activation, Success, or Invalid Serial messages for Debug
Information.
Right click, and select add Break-point on found Items. Copy the items Name, and Scroll up
to nearest Line Label. Click ; semicolon Key, and Paste into the box to create a Label.
Place mouse over [ CODE XREF: ] use mouse wheel to view Code at that Location. Left Click to go
to that Location, and Label any Names found at location. Click <- at Top of Window to GO BACK.

WHAT DOES THAT GUY DO FOR A LIVING ? Before running program in debugger
create familiar landmarks by labeling Procedures, Functions, and set breakpoints.
Top of Procedures [ sub_ proc near ; CODE XREF: sub_ ] Click ; Semicolon, Enter Name for
Procedures like [ "CHECK SERIAL" ] Click [ CODE XREF: ] Called by Reference, andgo to those
Procedures.
At the top of that Procedure for Call to "CHECK SERIAL" Click ; Semicolon key, and enter
Label ["CALLS CHECK SERIAL" ] repeat the process, and [ add Break-points ] at each Location.
By creating Landmarks for the maze of Procedures, you will see familiar Labels as you run the
code in Debugger. Important code locations : conditional jumps can be labeled as yes, or no = didn't
jump.
At cmp before jump : Create comments as to value of register, or variables value [ =1 YES it
jumps, or =0 NO ] Label jumps of interest that jump, as you may go through dozens of no jumps
before a jump.
This will give you insight into what the program is going to do the next time you run
through the code.
PLAN AHEAD : Before starting, consider type of program, and what you are looking for. If Trial then
it will open a File, or check a Registry key for Trial expired date before starting, or put up Activation
Box.
Trial Expired : Program opens File, or checks Windows Registry . Click Imports menu :
Search for File Open, Read, and Seek Functions, Click XREF: go to Calling Function, Label & add
Breakpoints.
Search for Registry Functions : RegQueryValue, RegCreateKey, RegSetValue, SHDeleteKeyW,
RegCloseKey, Click References, go to Calling Functions, Label as "Check Trial Expired", and set
Breakpoints.

NOT FOUND : What else can I do to break ? Search imports for Network Functions,
or http: Links, If it checks with their Web Site. Place Breakpoints on Menu, and Msg Box
Functions, Hash Functions.
Still not found : Click Debugger/Debugger Options, set Break on Start, or Tread start/exit, Library
Load/unload, Debug message, or Click [ Exports ] set a Main Function Break, and use F8 to step the
Code.
To Find a deliberate Exit, or a Time Bomb : Search Imports for Exit, or Quit Functions, Click on
Reference, add Break. Search for Library Event setup Functions, or do a partial search of Time Value
in Hex.
The only way to crack Buildbox's memory CRC crack protection was to re-write the Library Core Timer
Event Function. When a 2 minute Timer Event was requested, it was changed to FFFFFFFEh
:= 14days.
Events can be a bitch, because they run behind your back . C++ Quick Time Library, events
are handled by Core.dll, and best way to break out in Calling Function is by using Ctrl + F7 to break
on Return.
Events are set while Initializing by using offsets to Subs & Functions. Click on Sub Offsets being setup
to go to the Sub, and set break-points, and add Labels. Getting way too far ahead for BEGINNERS.

IS CODE TO CRACK IN .EXE OR .DLL ? To find Code : Follow the Code in the Debugger !
To step into a .dll use the F7 Key. IDA provides a [ Module - .dll ] Window on Right near Bottom.
The .dll has not been Analyzed, and some code may be scrambled, Select scrambled Code, and Right
Click : Select Analyze Code, or QUIT, Start IDA : Load the .dll, and Debug the .dll
To Debug a .DLL : Click [ Debugger ], and Click [ Process Options ]. Select Executable .exe that
starts the Program. Start Process := F9, or Start Program, Click Debugger, and Click Attach to
Process.

LANGUAGE ISSUE : Translator needed ! COMPILER was the Translator when it took
the Programmers Instruction List, and converted it to Opcodes, and Assembly is the interpretation of
those Opcodes.
If Check Serial's real Name is Good_Serial , and Original Instruction is
: If Good_Serial thenmessage Thank you
" ", and set Is_Pro to True, Else show message
"Invalid Seria l" and set Is_Pro to False.
Another Guy in Program may ask : If Is_Pro then do this else do that. Maybe they just
ask : If Good_Serial to answer Yes or No . The cmp, test, or, and conditional jumps are
the if, then elsedecision makers.

DECISIONS, DECISIONS, DECISIONS : The Path not taken . Searches may have found
Thank you for purchasing Invalid Serial
messages like " " or " " where Labels, and Breakpoints
were created.
TheKey to cracking the program is taking the right Path at the Decision points by changing
Thank you for purchasing
code, and we definitely want to change the Code to go to " ".

TO GO THERE, OR NOT TO GO THERE ? That is the Question ! IDA displays Arrow, on left at
jumps to Location, to not jump : move cursor to desired Location, Right Click to
change IP := Instruction Pointer.
To go to code at another location, or change data, or variable : Click on it [ make sure Hex view is in
Sync with IDA code View ] To return to Current IP: click on IP Register in Registry Window, and select
jump.

CAUSE and EFFECT : Let it run the 1st Time : watch where it goes, messages displayed. Only
inareas of Interest : Create Labels : at Jumps - cmp - test : List what's in Registe, = 0 Yes, =1 no it
didn't jump.
Insight into what it will do next time it's run . Tochange path taken : change IP Register, or
Click on Registry Window, and change Register value, and watch Path, and messages displayed.

didn
WINDOWS : IDA VIEW-A : Assembly View for Debug . JUMP MENU : Enter address. Hex View-
1 : Right Click select synchronize with IDA VIEW-A Columns Select 32, Right Click to Select Edit.
Debugger/Breakpoints/BreakpointList := View/enable/Disable ... Data/Stack/memory
Breakpoints sometimes cause problems as Stack memory is popped, re-assigned & used by another
Procedure.
Search : Text Search : frequently used, Tick Find all occurrences box. Sequential byte search is
very fast, need spaces in Hex String. Partial Hex Pattern Found V7 Patch code in V11 quickly.
Imports : [ Library .dll's & Windows .dll's ] ... Spriter uses QT5 Library. EXPORTS : .exe very
little, lots for .dll's. FUNCTIONS Window : Search by NAME in programs with Debug Information.

DEBUG WINDOWS : Change on Run . Resize to View : IDA View-EIP, Output, Registers, and Hex
View-1 : Right Click select synchronize with IDA VIEW-A Columns Select 32, Select EIP Register.
Register Window : Registers can be zeroed, value changed, or Right Click Register with offset, and
select Jump. Right Clip IP Register to jump back. Mouse Pointer over a Register Displays value in
Register.
Patch Hex Window : Right Click on Hex code in Hex View-1 to change code synchronized with IDA
View-EIP, Edit, Right Click, Select Apply changes, and watch Instruction change in IDA View-EIP.
Output Window : Very useful. Displays Search Results, etc. In Debug Run Mode displays Debug
Information Messages, Loading messages as to Loading of .dll's, and Error messages.
Assemble Window : Click Edit /Patch Program/Assemble : Enter, or Edit Instruction.
To Create or change Jumps. 1st Create Label by selecting Location, Right Click &
select Rename.
Apply Patches to File : Click Edit/Patch Program/Apply patches to input file ... SAVE THE
CRACK !

PREPARE & SAVE : Save Debug information ... create a text File Named
: DEBUG_Spriter_v11.txt : Select and Copy Function Patched Assembly code from start to Ret into
the text file.
Copy 32 bit Hex String starting at Patch Position, Paste under Instruction Patched 3 Times : Top
Line := Original Hex, 2nd Line spaces removed for Search in Hex Editor, 3rd Line := New Patched Hex
Code.
Save File for Future Reference Next version
... . Add Reference section at bottom, copy paste
Functions used to Find. IDA Database can be saved for Future use for hard to Crack Programs.

First Run : Select

Menus.
: [ debugger ] Click F9 ... May need to resize, and position the

Click OK at 1st loading box unless you are loading a packed file. If packed then uncheck
imports as they will need to be fixed.
Unknown Exception : Click Ok. Exception Handling : Click [ Change exception
definition ], uncheck Suspend program, Change Warn to Silent, do not warn, Click OK & Click
YES (pass to app).
Exceptions are common to loading, and starting, and all you need to do is [ CLICK
OK := YES ] - Pass it to the Application, don't bother me.

Let it run := F9 Hopefully, we have a Break set to catch it

: , but if not then Enter
[ Email, Serial, and Click Activate ], hope it breaks, F8 to Step, watch Path Taken, and
Messages displayed.
A jump after Function Call with [ cmp al, 0 ] or [ test al, al ] that jumps, but doesn't go to "Thank
you for purchasing", probably a CHECK SERIAL Function, and needs cracking to
return 1 in Register al.
Re-run, and Click F7 to go into Function, Function inside does actual Check. F7 to go in, While
stepping, If mouse pointer placed over Stack Variables, and Registers the Entered Email is displayed.
Entered Serial also displayed in Stack Variables, and Registers, and compared in a
loop with idiv & addInstructions normally seen in Serial compares, along
with toUpper@QString & left@QString Calls.
Function that Calls Function was chosen for cracking. A GLOBAL Data Variable may also be set to
1 as Pro Version check for other parts of program, but Function Cracked, checks Serial before menu
display.
If a GLOBAL Data Variable, Is_Pro needs to be set to [ 1 := True ] then change Path Taken to
set it, or change the 0 being set to a 1, or change a cmp to move Instruction to set it to 1 :=
true.

END LESSON 5 : THE DEBUGGER

HOW IT WAS CRACKED, AND WHAT WAS CRACKED :

A Function was cracked. What did the Function do ? It checks the
Serial, and returns a 1 forgood serial, or 00 for bad serial.

Hex Numbers changed to prevent jumping over instruction in list that needed to be run. The
Instruction at IDA : Line Number 004F4049 ( mov bl, 1 ) needs to run to move a 1 to
Register BL,
because Register BL is moved to Register AL at end of Function, before the Function Return. THE
FUNCTION NOW RETURNS 1 IN REGISTER AL := GOOD SERIAL !

HOW TO PATCH : Save a backup. PATCH in IDA, or use a HEX EDITOR, and see if it works ...
Place cursor on the 74 17 - change the 17 to 00, and Place cursor on the 74 04, and change
the 04 to 00 ... Click on save, or save as.

IDA : Patch Hex Window : Right Click, Select Edit : Instruction length is High-lighted : Do not
exceed. If shorter add a nop := 90
IDA : Assemble Window : Click Edit /Patch Program/Assemble : Enter, or Edit Instruction.
IDA : Apply Patches to File : Click Edit/Patch Program/Apply patches to input file ... SAVE
THE CRACK !
Congratulations, you just cracked a program by changing 2 bytes, and did a successful
Crack update !

SPRITER A UNFINISHED Crack Me !

SPRITER A UNFINISHED Crack Me !
What the Hell is : "Welcome To Top Secret Mode" ???
Cracked in less than 15 minutes the First Time, It says it's Pro, Did I
miss something ? Features missing ?
Want to find what I may have missed ?
?Where is the MATH Code that could be used to create a KEYGEN ??
... Where is the IS_PRO Variable

Math code done on Serial is basic code seen regularly, used in most Programs, and can be used to
create a KEYGEN.
Do you know how the code is doing Math on the Serial, and Email ?? Can you explain How to
create a KEYGEN from this Code ??
The program can be cracked in many ways, and even used to create a simple KEYGEN ! Explore
the many different ways this program can be cracked !

Can you find Answers to the Questions ?? Video provides information needed
for many Answers, but Questions remain !
Can you find the key to solve the puzzle to enable
Super Secret Mode, and finish the Crack Me ??
Dozens of pop up clues included in Video for the dozens of
different ways the Crack me can be cracked ...
Test is to finish the Crack me, and enable Super Secret
Mode !

Up to the challenge of wandering in a Maze, Looking for keys to solve the

puzzle for a feeling of accomplishment by Cracking a Program ?
Have a great day, countryboy

UPDATE : WORKING ON THE VIDEO - MAKING - EDITING - ADDING MUSIC - ETC - THIS WILL TAKE A LITTLE TIME !

IF YOU NOTICE THE TUTORIAL BEING SCRAMBLED : IT'S BECAUSE I'M CAPTURING IMAGES OF TUTORIAL TO INCLUDE
IN VIDEO !

NEED A TYPING BREAK, MORE TO COME ! too be continued ...

More to come !

UPDATE 6 : How the MAC version was cracked

UPDATE 7 : DUP - A search, and Patch ... Patcher

Working on writing it, Capturing, or uploading images to

post as part of Tutorial.
It's coming, Stay tuned, and check back.

Have a great day, countryboy

__________________