-----------------------------------------------------+
This information is for educational purposes only!   |
-----------------------------------------------------+


               00000              00000000            0000  0000      
      377O    00000      J77t    30000000  O7J  t7W   000Q 0000      H0000
   d00000000  00000    00000000  0000;    0000000000  000 J000       0000
   0003 0000 00000   W0000 0000  0000    W0000 00000  000W000        
  0000   ,0  0000O   0000 c0000 0000000d 0000  0000  c000000    0ZZ 0000
  000000    00000   0000000000  0000000  0000 0000U  200000   0000000000
    W00000  0000Q   0000       00000    0000  0000   U0000   00000 0000
 W    0000 00000   0000d 0000 :0000    00000 0000Q   0000;  00000    
0000t 000; 0000St0 0000 3000  00000 0d 0000  0000   t0000   0000Q  0000
000000000 00000000 00000000, 00000000 S000000000    00000  c0000  00000
  HZZH    00ZZZZ0    HZWZ    00ZZZZZH 0000  QQ,    :0QW0   U0000000000 
                                     t077H                  H0000U   


Cracking Tutorial #10:
CrAcKiNG Nettrace 1.0a
[cracked bY:] sLeEpY [FWA/NWA/FTPR8Z] iN 02/2002
[difficulty:] beginner
[where:] http://www.davecentral.com/browse/209/?offset=1320
	 http://www.clearskyinc.com/nettrace.html

                                                                                       

Nettrace utility provides ping, trace, netstat, whois query info, dns query info, and 
local adapter and system info. 
Added: 22-Jan-2002 
Updated: 28-Jan-2002 
   
Language :: C/C++
License :: Time Limit Demo
Platform :: Windows 2000
Platform :: Windows 95/98
Platform :: Windows ME
Platform :: Windows NT 4.0
Platform :: Windows NT 5.0
Platform :: Windows XP
Price :: Between $10 and $40 

                                                                                       

tOOLz: w32dasm, Hiew or hex editor of your choice...
       filemon
       resource hacker -optional

                                                                                       

[WHAT A CAKE PROGRAM TO CRACK]

This program is what makes cracking kinda fun, an easy crack...

Ok well to start with you know the normal routine, 3 copies, etc., if not get the older
tutorials.

I start the program and get this overbloated nag asking me for a regcode and well, it
is annoying. At least the program was coded in C...Looks like VB though, sad...
Well after keying sLeEpY  I get this error msg:

nettrace
Incorrect key value. Hit ok to try again.

Ya, how about instead of hitting ok I tell you we have what we need to know =0)

Let's go into W32dasm with this prog disassembled.

Under string references i find 2 things I like:

"Key Validated. Thank you for your"
and
"Incorrect key value. Hit ok to"

So I go to where that text is loaded, disassembled is this:

:00404EAB 84C0			test al, al
:00404EAD 6A00			push 00000000
:00404EAF 751D			jne 00404ECE   <---reg code good, blah thanks!
:00404EB1 6A01			push 00000001
* Possible StringData Ref from Data Obj ->"Incorrect key value. Hit ok to "
					->"try again."
: a couple trees in the codewoods
:
:00404ECE 6A00			push 00000000
* Possible StringData Ref from Data Obj ->"Key Validated. Thank you for your "
					->"Purchase."

So this simple protection can be defeated at the offset: 4EAF
change this:
:00404EAF 751D			jne 00404ECE
to this:
:00404EAF EB1D			jmp 00404ECE
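
Seen from the vendor's or an incident responder's side, a patch like this is a one-byte
difference against the shipped binary. The block below is an added example, not part of
the original tutorial: it compares a file with a known-good copy and names the usual
one-byte rewrites of a short conditional jump. The sample bytes are constructed from the
listing above; the function names are assumptions.

```python
# Added example: tamper check of a shipped binary against a known-good copy.
# Byte values alone are a heuristic; confirm any hit in a disassembler.
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diff_bytes(good: bytes, suspect: bytes, base: int = 0):
    """Return (offset, old, new) for every byte that differs."""
    if len(good) != len(suspect):
        raise ValueError("sizes differ: compare section by section instead")
    return [(base + i, a, b)
            for i, (a, b) in enumerate(zip(good, suspect)) if a != b]

def classify(old: int, new: int) -> str:
    """Name the common one-byte rewrites of an x86 short conditional jump."""
    is_jcc = 0x70 <= old <= 0x7F            # short Jcc rel8 opcodes
    if is_jcc and new == 0xEB:              # 0xEB = short JMP rel8
        return "conditional jump forced to unconditional"
    if is_jcc and 0x70 <= new <= 0x7F and old ^ new == 1:
        return "branch condition inverted"  # e.g. JNE (75) <-> JE (74)
    if new == 0x90:
        return "byte replaced with NOP"
    return "other modification"

def tamper_report(good: bytes, suspect: bytes, base: int = 0):
    """Return [] when the copies match, else one tuple per changed byte."""
    if sha256(good) == sha256(suspect):
        return []
    return [(off, old, new, classify(old, new))
            for off, old, new in diff_bytes(good, suspect, base)]

# Constructed sample: the eight bytes of the listing above, starting at 4EAB.
GOOD = bytes.fromhex("84C06A00751D6A01")
PATCHED = bytes.fromhex("84C06A00EB1D6A01")

if __name__ == "__main__":
    for off, old, new, what in tamper_report(GOOD, PATCHED, base=0x4EAB):
        print(f"{off:08X}: {old:02X} -> {new:02X}  {what}")
```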

Well we are validated, but when the program restarts we are back at crap uncracked.

on we go...
First I fired up registry monitor but I'll skip some time because that will get ya
nowhere, reg code isn't in the registry...
So next we will fire up filemon!
Start the program and you will see a bunch of dlls called etc. but wait, what is 
this?? yksraelc in C:\WINNT\System32??? What is yksraelc? not even an extension.

-----------------I cut some above and below that weren't important------------
48	5:45:40	nettrace.exe:1696	IRP_MJ_CLEANUP	C:\WINNT\System32\CLBCATQ.DLL	SUCCESS
49	5:45:40	nettrace.exe:1696	FASTIO_QUERY_OPEN	C:\WINNT\System32\MFC42LOC.DLL	FAILURE
50	5:45:40	nettrace.exe:1696	FASTIO_QUERY_OPEN	C:\WINNT\System32\MFC42LOC.DLL	FAILURE
51	5:45:40	nettrace.exe:1696	IRP_MJ_CLEANUP	C:\WINNT\System32\	SUCCESS
52	5:45:40	nettrace.exe:1696	FASTIO_QUERY_OPEN	C:\WINNT\System32\MFC42LOC.DLL	FAILURE
53	5:45:40	nettrace.exe:1696	IRP_MJ_CLEANUP	C:\WINNT\System32\yksraelc	SUCCESS
54	5:45:40	nettrace.exe:1696	IRP_MJ_CLEANUP	C:\WINNT\System32\yksraelc	SUCCESS
55	5:45:40	nettrace.exe:1696	FASTIO_QUERY_OPEN	C:\WINNT\System32\yksraelc	FAILURE
56	5:45:40	nettrace.exe:1696	IRP_MJ_CLEANUP	C:\WINNT\System32\yksraelc	SUCCESS
57	5:45:40	nettrace.exe:1696	IRP_MJ_CLEANUP	C:\WINNT\System32\yksraelc	SUCCESS
--------------------------------------------------------------------------------
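
An application keeping state in an extensionless file under the system directory is
worth flagging when auditing what software writes where. The block below is an added
example, not part of the original tutorial: it parses Filemon rows and lists the
non-library files a process touched in a given directory. The sample rows are rejoined
from the capture above; the EXPECTED_EXT allowlist and the function name are assumptions.

```python
# Added example: triage of a Filemon capture for unexpected files.
import re
from collections import Counter, defaultdict
from ntpath import basename, splitext

# Columns: seq, time, process:pid, request, path, result (whitespace separated).
LINE = re.compile(
    r"^(\d+)\s+(\d+:\d+:\d+)\s+(\S+):(\d+)\s+(\S+)\s+(.+?)\s+(\S+)\s*$")

# Assumption: extensions considered normal inside the system directory.
EXPECTED_EXT = {".dll", ".exe", ".drv", ".ocx", ".nls"}

def unexpected_files(log: str, process: str, directory: str):
    """Map each unexpected file under `directory` to its result counts."""
    hits = defaultdict(Counter)
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # separator, header or wrapped row
        _seq, _time, proc, _pid, _request, path, result = m.groups()
        if proc.lower() != process.lower():
            continue
        if not path.lower().startswith(directory.lower()):
            continue
        name = basename(path)             # "" when the row names a directory
        if name and splitext(name)[1].lower() not in EXPECTED_EXT:
            hits[path][result] += 1
    return {path: dict(counts) for path, counts in hits.items()}

# Constructed sample: rows rejoined from the capture above.
SAMPLE = r"""
48 5:45:40 nettrace.exe:1696 IRP_MJ_CLEANUP    C:\WINNT\System32\CLBCATQ.DLL  SUCCESS
49 5:45:40 nettrace.exe:1696 FASTIO_QUERY_OPEN C:\WINNT\System32\MFC42LOC.DLL FAILURE
51 5:45:40 nettrace.exe:1696 IRP_MJ_CLEANUP    C:\WINNT\System32\ SUCCESS
53 5:45:40 nettrace.exe:1696 IRP_MJ_CLEANUP    C:\WINNT\System32\yksraelc SUCCESS
55 5:45:40 nettrace.exe:1696 FASTIO_QUERY_OPEN C:\WINNT\System32\yksraelc FAILURE
56 5:45:40 nettrace.exe:1696 IRP_MJ_CLEANUP    C:\WINNT\System32\yksraelc SUCCESS
"""

if __name__ == "__main__":
    found = unexpected_files(SAMPLE, "nettrace.exe", "C:\\WINNT\\System32\\")
    for path, counts in found.items():
        print(path, counts)
```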

First before we go on, delete our semi-cracked copy of this program and rename the 
backup file to the original so we have a clean copy again.

Ok this looks like fun, start the program again and you will be prompted for the key,
put in anything you like and click ok and cancel to start the program, quit the 
program and open the file C:\WINNT\System32\yksraelc in notepad, you should see 
something like this:

3373522201     9999999  

I entered sLeEpY  and that's the code that appeared in my file. Next take the first 
code, 3373522201 and start the program again, it will ask for that keycode, put in
the 3373522201 and it will be accepted and your program is now registered. Restart
...No more nag!

I checked the file again and after I regged it with the correct key this is what 
appears in it:

5504522201     0568144101  

So I deleted the "yksraelc" file and made it unregged again, and pasted in both of 
these codes in the keycode box:
5504522201, 0568144101 one at a time and they worked too!

So basically this program is its own keygen, here are some more:

1693522201     
3373522201   
1133522201     
0568144101   

What a joke protection this was, I could list the codes all day. Just enter any name
or number in the keycode box and then open that file and you will have generated a
valid key for the program.

                                                                                       

Extra Stuff: yup, boring extra crap, I personalized this prog and added a cracked by
sLeEpY  to mine, since we aren't making a crack it doesn't matter but I'll show ya how to
do it anyway.

Open this prog up in resource hacker. Now I went to DIALOG 1033 (the about box)
and modified:
CONTROL "Copyright © 2001 All rights reserved.", -1, STATIC, SS_LEFT | blah blah
to this
CONTROL "CracKed bY: sLeEpY   iN 02/2002.", -1, STATIC, SS_LEFT | blah blah
and saved it, now I'm in the about box.
There is also a url in there you can change too but you gotta use ultraedit or some
other hex editor for it.

Later all...

                                                                                       

email me if you are bored: sleepy@linuxwaves.com

                           ._Tutorialz_.
[--------------------------------------------------------------------]
[ 1. Cracking Cosmi's Generic Installshield Protection               ]
[ 2. CRACKING(?) MATH WORKSHOP 2.0                                   ]
[ 3. CrAcKiNG DLSuperCBT Resynchronizing Byte Compare Program        ]
[ 4. CrAcKiNG the nag on DLSuperCBF - Dir Binary File Compare Program]
[ 5. CrAcKiNG n)0(va crackme v3 (crazy approach)                     ]
[ 6. CrAcKiNG mIRC(R) v5.91 Internet Relay Chat Client               ]
[ 7. CrAcKiNG Actionizer 1.4                                         ]
[ 8. CrAcKiNG Tag Wizard 4.3.0                                       ]
[ 9. CrAcKiNG Freecell for Win2k and WinXP                           ]
[10. CrAcKiNG Nettrace 1.0a                                          ]
                                                                                       

gReEtz: MiNioN, GreycZ, KlutCh, KiNgEr, MidNight, FWA, NWA, FTPiRatEz! HAR! BEASTFXP!

                                                                                       

CopyLeft: 
                              __        ______  __  __ _
                        _____/ /  ___  / ____/__\ \/ /(_)
                       / ___/ /  / _ \/ __/ / __ \  // /
                      (__  ) /__/  __/ /___/ /_/ / / _/_
                     /____/_____|___/_____/ .___/_/\___/
                                         /_/

	                   [all rights reversed] 
                     Boredom causes crackers and babies.