+ORC Tutorials


Lesson 8.2: How to crack Windows, a deeper approach

How to crack, an approach LESSON 1
How to crack, tools and tricks of the trade LESSON 2
How to crack, hands on, paper protections LESSON 3.1  3.2
How to crack, hands on, time limits LESSON 4.1  4.2
How to crack, hands on, disk-CDrom access LESSON 5
How to crack, funny tricks LESSON 6
How to crack, intuition and luck LESSON 7
How to crack windows, an approach LESSON 8.1  8.2
How to crack windows, tools of the trade LESSON 9.1  9.2  9.3  9.4
How to crack, advanced cracking LESSON A
How to crack, zen-cracking LESSON B
How to crack, cracking as an art LESSON C.1  C.2  C.3
How to crack INDEX

Lesson 8.2
SPECIAL NOTE: Please excuse the somehow "unshaven"
character of the windows lessons... I'm cracking the
newest Windows '95 applications right now, therefore
at times I had to add "on the fly" some corrections to
the older Windows 3.1 and Windows NT findings.
"homines, dum docent, discunt".

If you thought that DOS was a mess, please notice that windows
3.1 is a ghastly chaos, and windows 95 a gruesome nightmare of
ill-cooked spaghetti code. Old Basic "GOTO" abominations were
quite elegant in comparison with this concoction... One thing is
sure: This OS will not last... it's way too messy organised,
impossible to consolidate, slow and neurotic (but I must warn
you... I thought exactly the same things about DOS in 1981).
The most striking thing about windows 95 is that it is neither
meat not fish: neither 16 nor 32... you could call it a "24 bit"
operating system.
We'll never damage Microsoft interests enough to compensate for
this moronic situation... where you have to wait three minutes
to get on screen a wordprocessor that older OS (and even old DOS)
kick up in 5 seconds. I decide therefore, hic et nunc, to add an
ADDENDUM to this tutorial: Addendum 1 will be dedicated to teach
everybody how to crack ALL Microsoft programs that do exist on
this planet. I'll write it this sommer and give it away between
the "allowed" lessons.
Anyway you can rely on good WINICE to crack everything, you'll
find it on the web for free, I use version 1.95, cracked by [The
Lexicon] (do not bother me for Warez, learn how to use the search
engines on the web and fish them out yourself). Learn how to use
this tool... read the whole manual! Resist the temptation to
crack immediatly everything in sight... you 'll regret pretty
soon that you did not wanted to learn how to use it properly.
A little tip: as Winice is intended more for software developers
than for crackers, we have to adapt it a little to our purposes,
in order to make it even more effective: a good idea is to have
in the *.DAT initialization file following lines:
INIT = "CODE ON; watchd es:di; watchd ds:si;"
TRA = 92
This way you'll always have the hexadecimal notation on, two very
useful watch windows for passwords deprotection and enough buffer
for your traces.

The most used windows protections are "registration codes",
these must follow a special pattern: have a "-" or a "+" in a
predetermined position, have a particular number in particular
position... and so on.
For the program [SHEZ], for instance, the pattern is to have a
14 bytes long alphanumeric sequence containing CDCE1357 in the
first 8 bytes.
The second level of protection is to "connect" such a
pattern to the alphanumeric contents of the NAME of the user...
every user name will give a different "access key". This is the
most commonly used system.
As most of these protections have a "-" inside the answering
code, you do not need to go through the normal cracking procedure
(described in the next lesson):
* load WINICE
* hwnd [name_of_the_crackanda_module]
* choose the window Handle of the snap, i.e, the exact
"FIELD" where the code number input arrives... say 091C(2)
* Run anew
* Look at the memory location(s)
* Do the same for the "Username" input FIELD. (Sometimes
linked, sometimes not, does not change much, though)
* BPR (eventually with TRACE) on the memory locations (these
will be most of the time FOUR: two NUMBERCODES and two
USERNAMES). The two "mirrored" ones are the most important
for your crack. At times there will be a "5th" location,
where the algebraic play will go on...
* Look at the code that performs algebraic manipulations on
these locations and understand what it does...
* Disable the routine or jump over it, or reverse it, or
defeat it with your own code... there are thousand
* Reassemble everything.

Uff... quite a long cracking work just to crack some miserable
program... isn'there a quicker way? OF COURSE THERE IS! Actually
there are quite a lot of them (see also the crack of Wincat Pro
below): Look at the following code (taken from SNAP32, a screen
capture utility for Windows 95, that uses a pretty recent
protection scheme):

XOR EBX,EBX ; make sure EBX is zeroed
MOV BL, [ESI] ; load input char in BL
INC ESI ; point at the next character
MOV EDI,EBX ; save the input character in EDI
CMP EBX,+2D ; input char is a "-" ?
JZ ok_it's_a_+_or_a_-
CMP EBX,+2B ; input char is a "+" ?
JNZ Jesus_it's_neither_a_minus_nor_a_plus_let's_check_it
XOR EBX,EBX ; EBX is zeroed
MOV BL,[ESI] ; recharge BL
INC ESI ; point to next char (do not check - or +)
CMP DWORD PTR [boguschecker], +01

even if you did not read all my precedent lessons, you do not
need much more explications... this is a part of the algebraic
check_procedure inside the SNAP32 module... you could also get
here through the usual
Windows wretched and detestable APIs used for copy protections,
as usual with WINICE cracking, and as described elsewhere in my
The above code is the part of the routine that checks for the
presence of a "+" or a "-" inside the registration number (many
protections scheme requires them at a given position, other need
to jump over them).
Now sit down, make yourself comfortable and sip a good Martini-
Wodka (invariably very useful in order to crack... but be aware
that only Moskowskaia russian Wodka and a correct "Tumball" glass
will do, do not forget the lemon)... what does this "-" stuff
mean for us little crackers?
It means that we can search directly for the CMP EBX,+2B
sequence inside any file protected with these schemes... and
we'll land smack in the middle of the protection scheme! That's
amazing... but you will never underrate enough the commercial
programmers... the only really amazing thing is how simpleton the
protectionists are! You don't believe me? Try it... you 'll get
your crack at least 4 out of 5 times.
Yes I know, to find this code is not yet to crack it... but for
this kind of copy protection (that's the reason it is so
widespread) there is no single solution... each makes a slightly
different algebraic manipulation of the alphanumeric and of the
numeric data. It's up to you to crack the various schemes... here
you can only learn how to find them and circumvene them. I'll not
give you therefore a "debug" crack solution. You'll find it
yourself using my indications (see the crack of the Wincat Pro
program below).

Most of the time the protection schemes use their own *.ini files
in the c:\WINDOWS directory for registration purposes... at time
they even use the "garbage sammler" win.ini file. Let's take as
example WINZIP (versions 5 and 5.5), a very widespread program,
you'll surely have one shareware copy of it somewhere between
your files.
In theory, winzip should be registered per post, in order to
get a "NEW" copy of it, a "registered" copy.
This scares most newby crackers, since if the copy you have
it's not full, there is no way to crack it and make it work,
unless you get the REAL stuff. The youngest among us do not
realize that the production of a real "downsized" demo copy is
a very expensive nightmare for the money-infatuated commercial
programmers, and that therefore almost nobody does it really...
nearly all "demos" and "trywares" are therefore CRIPPLED COMPLETE
PROGRAMS, and not "downsized" demos, independently of what the
programmers and the protectionists have written inside them.
Back to Winzip... all you need, to crack winzip, is to add a
few lines inside the win.ini file, under the heading [WinZip],
that has already been created with the demo version, before the
line with "version=5.0".
I will not help you any further with this... I'll leave it to
you to experiment with the correct sequences... inside win.ini
you must have following sequence (these are only template to
substitute for your tries inside WINICE... you'll get it, believe
name=Azert Qwerty

The *important* thing is that this means that you DO NOT NEED
to have a "new registered version" shipped to you in order to
make it work, as the protectionist sellers would like you to
believe. The same applies most of the time... never believe what
you read in the read.me or in the registration files...
This brings me to a broader question: NEVER believe the
information they give you... never believe what television and/or
newspapers tell you... you can be sure that the only reason they
are notifying you something is to hinder you to read or
understand something else... this stupid_slaves_society can only
subsist if nobody thinks... if you are really interested in what
is going on, real information can be gathered, but surely not
through the "conventional" newspapers and/or news_agencies (and
definitely NEVER through television, that's really only for the
stupid slaves)... yes, some bit of information can be
(laboriously) gathered... it's a cracking work, though.

In the middle of the hugest junk collection of the planet, some
real information can be laboriously gathered if you do learn how
to use well the search engines (or if you do build your ones...
my spiders are doing most of the work for me... get your robots
templates from "Harvest" or "Verify" and start your "spider
building" activity beginning from Martijn Koster's page). As
usual in our society, in the Internet the real point is exactly
the same point you'll have to confront all your life long: HOW
difficult art to learn per se. Internet offers some information,
though, mainly BECAUSE it's (still) unregulated. You want a
proof? You are reading it.

The newspaper of the real enemies, the economic powers that
rule this slaves world, are paradoxically most of the time the
only ones worth studying... somewhere even the real rulers have
to pass each other some bits of real information. The "Neue
Zuercher Zeitung", a newspaper of the Swiss industrials from
Zuerich, is possibly the best "not_conformist trend analyzer"
around that you can easily find (even on the web). These
swissuckers do not give a shit for ideology, nor preconcerted
petty ideas, the only thing they really want is to sell
everywhere their ubiquitous watch

+ORC contents