School of Cracking


OK, I'll look at it :) But where are the hitmanpro.lic and key hidden? :) Because I couldn't find them. lol

Well, it seems to work well :) And if it doesn't expire you might as well remove the expiration date.

I didn't understand.

Did you test the patch?

What is the result?

(The expiration date is harder to remove; this is why the patch is in beta. I will do that.)


Well, I guess it works :) The expiration date is still there, but it looks licensed. I'll have to install it again to test it again, though, because I've just uninstalled it :D



> Well, I guess it works :) The expiration date is still there, but it looks licensed. I'll have to install it again to test it again, though, because I've just uninstalled it :D

The expiration date shown has no impact. This date is encrypted in hitmanpro.lic, but the patch disables its usage.

I will find the way to remove it.



Oh brilliant. Can I ask you a question? How can you decrypt a .lic file or a .reg file :)? I need to know. lol

That is why I am requesting a program for encryption and decryption with the possibility to choose the algorithm and cipher mode from a menu.

The other way is to write your own program (in C++ or another language) to decrypt it. (Some examples are on the net, written in Java.)

But you still need the keys.


@tonyblair OK :) Anyway, I'm trying to hack this software:

http://www.blitztools.com/download.html

It's called Barcode Blitz :) So I hacked it so it shows registered :) and all features are enabled :) But when I restart it, it says unregistered, and I have to register again and again to keep it registered. I had this problem when hacking Malwarebytes, but that was because a jump was going over the code I hacked and reversing it upon restart. I tried to fix it that way again, but no luck. Do you think you can take a look :D? And see why it won't stay registered.


Hello, I'm back :D Taking another look at that HitmanPro v3.5. Hmm, well, I can get it to display the good message easily! But it doesn't give me corporate activation etc.! How did you activate the license? And how did you stop it from seeing the lic file? You reversed a jump so it stopped looking at its info? Oh, and do you know what the .key file and .bin file are doing? lol, I'm going to dive deeper into this and take a good look, but I just wanted to build on what you had already done! :D



> Hello, I'm back :D Taking another look at that HitmanPro v3.5. Hmm, well, I can get it to display the good message easily! But it doesn't give me corporate activation etc.! How did you activate the license? And how did you stop it from seeing the lic file? You reversed a jump so it stopped looking at its info? Oh, and do you know what the .key file and .bin file are doing? lol, I'm going to dive deeper into this and take a good look, but I just wanted to build on what you had already done! :D

Hi bidibadboi,

1- I didn't stop the program from seeing the lic file (as I want to attack the lic file).

2- Now the program is cracked with the patch, and it works. But the more elegant way is to modify the expiry date inside the lic file: the program will be licensed forever without the patch.

3- The .key file contains the crypto key.

4- The .bin file is for the ads, that ugly banner for "Caretaker Antispam".


OK, cheers for the info. But how can I view the .lic file decrypted then :)? So then I can modify the expiry date :) Plus, how did you get it to licensed? lol Because for me it will say registered and accept the key, but then it doesn't change the free license thing :) So share with us your wisdom ;) Because this is a tougher app to crack :), and it has a few things that will test those budding crackers :) such as me. lol.



> OK, cheers for the info. But how can I view the .lic file decrypted then :)? So then I can modify the expiry date :) Plus, how did you get it to licensed? lol Because for me it will say registered and accept the key, but then it doesn't change the free license thing :) So share with us your wisdom ;) Because this is a tougher app to crack :), and it has a few things that will test those budding crackers :) such as me. lol.

This app goes through a corridor with 3 gates. If the first door is closed, then it locks itself. If the first door is open but the second is closed, then it locks itself, and if the 1st and 2nd are open and the 3rd is closed, then it locks itself. Finally, if all 3 doors are open, then it enables itself.

1st door = is the lic file available?

2nd door = what type of license does the lic file contain (trial, commercial or unknown)?

3rd door = is the system clock inside the time boundaries defined in the lic file (NotBefore time and NotAfter time)?

(PS: it is the NotAfter time that is displayed.)

So:

1- We open the first door by accepting the trial activation (their server provides us with a lic file). Now the lic file exists.

2- We open the second door by forcing the choice of a commercial license type (thanks to a bypass patch where the decision is made).

3- We open the third door as follows: the app has two different letters to be posted to the decision maker (one specific for when the system time is out of boundaries, and one for when the system time is inside the boundaries), the expired letter and the non-expired letter. The action here is to make the expired letter the same as the non-expired letter. Simply put, whatever the case, it will send the same letter saying it is not expired.

All these actions above do not need the lic file to be decrypted (we don't care, we just open the doors).

As I told you, decrypting the lic is for a more elegant approach, but it needs more knowledge of encryption/decryption.

By the way: this app re-bases itself in memory each time you execute it, so the address of the code is always different from run to run.

Now tell me, did you succeed in breaking into the app, hooking it and landing in the app code with your debugger?



@bidibadboi

One more thing: it is very difficult to crack this app in a cold way (sleeping mode). I mean by that just reading the disassembled code. This app uses:

1- switching tables (the important calls are made indirectly)

2- things like this:

    mov edx, [eax+28h]
    call edx

So we are unable to know what subroutine is called, as the address is inside the register edx (coming from eax).

The way to crack here is the live way (I mean the program is running, so we can read the contents of the registers).


OK, well, I don't understand what you mean :) I have landed in Olly in these two places: where the bad boy is generated, and somewhere else I'm not sure of, somewhere I guess just where it is calculating the registration pattern! Hmm, can you explain further?



This calculates the number of days remaining:

    .text:009F4B69
    .text:009F4B69                        loc_9F4B69:
    .text:009F4B69 55                     push    ebp
    .text:009F4B6A 8B EC                  mov     ebp, esp
    .text:009F4B6C 83 EC 08               sub     esp, 8
    .text:009F4B6F 83 E4 F8               and     esp, 0FFFFFFF8h
    .text:009F4B72 DD 1C 24               fstp    [esp+0Ch+var_C]
    .text:009F4B75 F2 0F 2C 04 24         cvttsd2si eax, [esp+0Ch+var_C]   ; eax = number of remaining days
    .text:009F4B7A C9                     leave
    .text:009F4B7B C3                     retn
    .text:009F4B7B                        sub_9F4B60 endp

Here it checks the number of days remaining:

    .text:00DA6A61 E8 FA E0 0C 00         call    sub_E74B60
    .text:00DA6A66 89 45 A0               mov     [ebp+var_60], eax
    .text:00DA6A69 8D 8D 24 FF FF FF      lea     ecx, [ebp+var_DC]
    .text:00DA6A6F E8 BC A5 FB FF         call    sub_D61030
    .text:00DA6A74 83 7D A0 1F            cmp     [ebp+var_60], 1Fh   ; 31 days
    .text:00DA6A78 7D 7F                  jge     short loc_DA6AF     ; if more than 31 days then bad boy

As you see, the address changes for each run, but you can find the code by searching for the bytes (E8 FA E0 0C 00 ..). UltraEdit is good for that.

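The three gates described earlier (lic file present, license type, clock inside NotBefore..NotAfter) and the days-remaining check above, modelled as a license validator in Python. This is an added illustration, not HitmanPro's code and not from this thread; the JSON-plus-HMAC record format, the demo key and the integrity check are my assumptions (the thread only says the .lic file is encrypted with a key kept in the .key file), and the 31-day sanity check mirrors the `cmp ..., 1Fh` in the listing.

```python
import hashlib, hmac, json, math
from datetime import datetime, timedelta, timezone

DEMO_KEY = b"constructed-demo-key"   # stand-in for the key the thread says lives in the .key file
TRIAL_DAYS = 31                       # the 1Fh threshold compared against in the listing

def make_license(license_type, not_before, not_after, key=DEMO_KEY):
    """Constructed .lic-style record: JSON body plus an HMAC tag (assumed format)."""
    body = json.dumps({"type": license_type, "not_before": not_before.isoformat(),
                       "not_after": not_after.isoformat()}, sort_keys=True)
    return body + "\n" + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def remaining_days(not_after, now):
    """Whole days left, truncated toward zero as cvttsd2si does in the listing."""
    return math.trunc((not_after - now).total_seconds() / 86400)

def check_license(lic, now, key=DEMO_KEY):
    """Walk the three gates the post describes; returns (state, days_left)."""
    if lic is None:                                        # gate 1: is a lic file available?
        return "locked: no license file", None
    body, _, tag = lic.rpartition("\n")
    good_tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, good_tag):             # integrity check (my assumption)
        return "locked: license tampered", None
    fields = json.loads(body)
    if fields["type"] not in ("trial", "commercial"):      # gate 2: trial, commercial or unknown?
        return "locked: unknown license type", None
    not_before, not_after = (datetime.fromisoformat(fields[k]) for k in ("not_before", "not_after"))
    days = remaining_days(not_after, now)
    if not (not_before <= now <= not_after):               # gate 3: clock inside NotBefore..NotAfter?
        return "locked: expired or not yet valid", days
    if fields["type"] == "trial" and days >= TRIAL_DAYS:   # a trial with 31+ days left is rejected
        return "locked: trial window longer than allowed", days
    return "enabled: " + fields["type"], days

def demo():
    """Constructed scenarios, one per gate, plus a tampered expiry date."""
    now = datetime(2010, 1, 1, tzinfo=timezone.utc)
    nb, na = now - timedelta(days=1), now + timedelta(days=29)
    good = make_license("trial", nb, na)
    body, _, tag = good.rpartition("\n")
    tampered = body.replace("2010-01-30", "2099-01-30") + "\n" + tag   # edited date, old tag
    far = now + timedelta(days=60)
    return {
        "valid": check_license(good, now),
        "missing": check_license(None, now),
        "expired": check_license(good, now + timedelta(days=40)),
        "tampered": check_license(tampered, now),
        "long_trial": check_license(make_license("trial", nb, far), now),
        "commercial": check_license(make_license("commercial", nb, far), now),
    }
```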


This is a patch to have 29 days that do not count down:

    .text:00DA6A61 E8 FA E0 0C 00         call    sub_E74B60
    .text:00DA6A66 B8 1D 00 00 00         mov     eax, 1Dh            ; fixed 29 days (1D in hex = 29 decimal)
    .text:00DA6A6B 89 45 A0               mov     [ebp+var_60], eax
    .text:00DA6A6E 8D 8D 24 FF FF FF      lea     ecx, [ebp+var_DC]
    .text:00DA6A74 E8 B7 A5 FB FF         call    sub_D61030
    .text:00DA6A79 90                     nop

Tell me when you have found this code.



All your work should be around this main routine, which is the heart of Hitman Pro:

hitman002.jpg



I have to go to bed now, but I'll be on tomorrow afternoon :) Then I'll crack this ;)

OK, it is time to sleep too.

:sleep:



I'm learning as well just by reading what you two wrote. Thanks again for sharing. I have met the master and he is named Tonyblair. :dance2:

To tell the truth, I'm a little scared now knowing that nothing is safe from Tonyblair's cracking skills. :rolleyes:



> I'm learning as well just by reading what you two wrote. Thanks again for sharing. I have met the master and he is named Tonyblair. :dance2:
>
> To tell the truth, I'm a little scared now knowing that nothing is safe from Tonyblair's cracking skills. :rolleyes:

I kinda want to see Box and Tonyblair face off, as well as crack some of the most challenging software.



@elohelomg

You want to learn and have help and guidance to crack Hitman Pro yourself. You are welcome, and this is the good place.

I will give you tasks to achieve (a step-by-step approach). We will move to the next task only if you pass the current one.

Don't mind if I call these Lessons.

1st Lesson:

As you know, this program is a Win32 application (Windows-based, in contrast to a console-based one). The heart of this type of application is the "message loop".

Microsoft definition:

The system does not send input directly to an application. Instead, it places all mouse and keyboard input from the user into a message queue, along with messages posted by the system and other applications. The application must read the message queue, retrieve the messages, and dispatch them so that the window procedure can process them.

Simply, this means you will interact with the Hitman application through an interface, the "window" you see on your monitor. This window is an interface executed by your operating system and not by the application. If you break with your debugger when this interface is running, you will land inside the code of your OS (NTDLL.DLL, USER32.DLL, ...). This is not what we want.

We want to hook the code of the application itself with our debugger (after giving a dummy activation code and clicking the "Activate" button).

Your first task is: hook and stop the Hitman application after it displays the following window. (You should land in Hitman's code.)

hitman001.jpg

Tell me when you succeed in doing this.

Tony, I have NO idea what that means, and the sad part is, I read it like 15 times. I think I'm supposed to load my debugger (I'm using OllyDbg) on the window, not the app itself.



> I'm learning as well just by reading what you two wrote. Thanks again for sharing. I have met the master and he is named Tonyblair. :dance2:
>
> To tell the truth, I'm a little scared now knowing that nothing is safe from Tonyblair's cracking skills. :rolleyes:

@Box

Thank you for your warm words.

One thing is above all for me, and that is respect. You are the master, and I respect you and your wonderful work. So there is nothing to be scared about. I follow your rules: "I do what I do for fun. And when I stop having fun, that's the day I pass the torch." :flowers:

You will never find me on the net. This is the only place (NSANE.FORUMS) where I find fantastic friends (even if behind screens and keyboards).
