Small post and a twitter account.

So ProfNetwork as a whole was closed for a long time, the blog especially. The reason for that is pretty much unknown (even we who maintain the blog don't know the reason). So why even bother with it?! Let's talk about what's been happening in my life lately.

A whole new level. I got into the black market too much. Actually so much that I can't even get around to being on public forums; I'm always on private ones. I hope you don't mind that there are some new projects I'm working on.

About projects? Well, let these projects stay secret for now. In the meantime I'm also busy with my real-life job. Family and stuff, you know? I'm old. So the projects are secret for now (yes, I know you are angry, sorry), but what is something that is not secret?! I guess it's the ProfNetwork Twitter account!

Who will maintain it? Me. Of course, the one and only, dn5!

Finally, I would like to thank you for still visiting my blog even if I'm not online as much as I've been.

Regards,
dn5.

Check me:
/profnetwork

Killing the CS1.6 mutex.

Here is something that is rarely available. I successfully reversed CS 1.6 (better said, hl.exe without parameters) and "killed" the mutex that rejects opening multiple instances of the game.
The result of that is the following:
The whole tutorial is very interesting and you can download it in PDF format. It's worth reading when you find the time (it's simple patching with JMP, but it is indeed very interesting) ;) By the way, this is the first time that I've found something like this for CS 1.6, so be ready for a patch sooner or later (Steam, non-Steam and offline version); you will be notified soon.
Download:
http://www.2shared.com/document/ayrn7WTo/Killing_the_CS_mutex.html
All the best ;)
Author: dn5
Website: profnetwork.wordpress.com
Date: 31/08/2011


Keygenning Ziggy’s Keygen me #1

From now on I will post as many tutorials as I can, but in PDF format so they can be read easily.

In this tutorial you will learn:

  • Getting into the project
  • Investigating the project/target
  • Deeper investigation
  • Reversing the algorithm
  • Coding a keygen (Delphi)

Tools included: PEiD; CrackersTool.

Download the tutorial from:

http://www52.multiupload.com:81/files/6908BFB9B590B4A78705FC1F176F0208A6A12DE15586C5A8DC3C392CB3A93ACACEBD9BDA5B3D56C64A0F2999FBFE3ABCA0C36BC5F91167B7860CDDDE3F0B243A64C8CBB79465D9E2E97E40F08ED3DBFFCFC8C1/Ziggy%20KeygenMe_tutorial%20by%20dn5.rar
http://www.megaupload.com/?d=CDRA5ZTO

http://www.uploadking.com/5YC14JFPI8
http://www.uploadhere.com/FQH76K1TMR
http://depositfiles.com/en/files/go164bre2
http://hotfile.com/dl/128590030/d91a35e/Ziggy_KeygenMe_tutorial_by_dn5.rar.html

How the graphics card works, communication with OpenGL, and vertices

Author : dn5
Email : ...
Website : ...

-

Note: This is a very old text; I don't remember when I wrote it, but I found it in a notebook. My profession is 3D designer (lol, yeah right), and it's possible this was something I needed to know for school.

[ Communication between the graphics card and OpenGL ]

How the graphics card works:
Sometimes OpenGL sends rendering commands straight to the GPU, but this is avoided because it slows down the 3D application. The application communicates with the GPU, but before that it sends the commands to the driver, which reads them and then forwards them to the GPU. 3D graphics drivers implement the OpenGL functions directly so that unnecessary rendering functions are avoided. The OpenGL interface is called the HAL (Hardware Abstraction Layer), which contains a set of functions for rendering scenes.

Diagram: communication, and the communication process, between the CPU and the GPU

The graphics card has its own memory called VRAM (Video Random Access Memory). The GPU can put any kind of data into VRAM, but most importantly VRAM has front and back buffers. The front buffers hold the pixels visible in the viewport (the size of the rendered scene), while the back buffer holds the scene the GPU is rendering (see the sketch). The back buffer holds the images that are processed before they are shown to the user. When an image is ready the process continues and the back and front buffers are exchanged. This is called a 'buffer swap'. The buffer swap is most often tied to the refresh frequency, to avoid 'flickering'. That flickering happens when the buffer swap runs in the middle of a refresh (the current refresh). VRAM also holds the 'depth buffer' or 'Z-buffer', which contains the depth of the display. Depth is measured as the distance from the virtual camera through the scene that is currently being displayed (rendered).


VRAM also contains a buffer that holds masks for every pixel in the image buffer:

In more recent times, shadows are an example of this. Texture maps dominate VRAM. They serve to map a part of a texture onto an object and thereby improve it visually.

[ Vertex transformation ]

Geometric data is sent to the graphics card in three-dimensional space. One of the roles of the graphics card is to transform the geometric data so that it can be displayed in two-dimensional space. The model's vertices are placed in 'object space'; the model's position and orientation are placed in 'world space'. Before an object can be rendered, its vertices have to be transformed into 'camera space', the space where the X and Y axes lie together with the Z axis parallel to the viewing direction. When the object is transformed into camera space, perspective is created, so for example the farther the camera is from the object, the smaller the object is, and vice versa. The projection is expressed in four-dimensional homogeneous coordinates, and that space is called homogeneous clip space. In that space the vertices have normalized device coordinates. After the vertex transformation, the positions are shown in 'window space'.

[ Vertices - in general ]

Vertices are mandatory in any 3D engine. They represent points in space, such as the locations of objects. They are also used to express the orientation of the camera and so on. For 3D modelers/programmers/engineers, vertices are among the most important things, and so is their manipulation. Vertex manipulation is done purely mathematically, more precisely with matrices.

Example:

[ 3 4 2 ]
[ 5 1 7 ]
[ 9 6 1 ]

To explain matrices we would have to go deeper into mathematical concepts again; I'll assume you know the basics of matrices and how to compute with them, that is, how to perform operations on them, so we will jump straight to examples of computing with vertices. In the example we will not distinguish between vertices that represent points and vertices that represent directions. We denote vertices with the letter V. V is the vertex and n denotes the number of vertices. An n-dimensional vertex can be written like this:

V = [V1, V2, V3, ... , Vn]

where the numbers V are called the components of the vector. In this example I used numbers as components, but normally the names of the corresponding axes go there. For example, the components of a 3D point P could be written like this:

P = [Px, Py, Pz]

But why are matrices needed at all? Well, so that we can compute with vertices:

    [V1]
    [V2]
V = [V3]
    [..]
    [Vn]

We can scale vertices by a scalar to produce a new vertex whose components keep the same relative proportions:

aV = Va = <aV1, aV2, ... , aVn>

In the case a = -1, we use the notation -V to represent the negation of the vector V. Vertices can be added or subtracted component-wise:

P + Q = <P1+Q1, P2+Q2, ... , Pn+Qn>

which equals

     [P1]
     [P2]
 P = [P3]
     [..]
     [Pn]

     [Q1]
     [Q2]
 Q = [Q3]
     [..]
     [Qn]

          [P1+Q1]
          [P2+Q2]
 C=P+Q =  [P3+Q3]
          [.....]
          [Pn+Qn]

This is the simplest example of computing with vertices as matrices, but things can get more complicated when more components appear in vertex P and vertex Q, so the computation can take longer. Today it is all easy, but in older times there were no tools to make matrix computation easier for you.
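The vector operations and the object space -> world -> camera -> clip -> NDC -> window pipeline described above, written out with the page's own symbols (V = [V1..Vn], P = [Px, Py, Pz]). This is an added example, not code from the original text; it assumes an OpenGL-style camera at the origin looking down -Z, a symmetric frustum with near=1 and far=100, and a 640x480 window, and it shows that the same point projects closer to the window centre the farther it sits from the camera.

```python
import math


def scale(a, V):
    """aV = <aV1, aV2, ..., aVn>: scaling a vertex keeps its proportions."""
    return [a * v for v in V]


def add(P, Q):
    """P + Q = <P1+Q1, ..., Pn+Qn>: component-wise vertex addition."""
    if len(P) != len(Q):
        raise ValueError("vertices must have the same number of components")
    return [p + q for p, q in zip(P, Q)]


def mat_vec(M, V):
    """Row-major 4x4 matrix times a 4-component column vector."""
    return [sum(M[r][c] * V[c] for c in range(4)) for r in range(4)]


def mat_mul(A, B):
    """4x4 matrix product A*B (B is applied first, then A)."""
    return [[sum(A[r][k] * B[k][c] for k in range(4)) for c in range(4)]
            for r in range(4)]


def translation(tx, ty, tz):
    """World-space placement of a model: moves its object-space vertices."""
    return [[1, 0, 0, tx], [0, 1, 0, ty], [0, 0, 1, tz], [0, 0, 0, 1]]


def perspective(fov_y_deg, aspect, near, far):
    """OpenGL-style projection: camera space -> homogeneous clip space.
    The w component becomes -z, which is what makes far objects smaller."""
    f = 1.0 / math.tan(math.radians(fov_y_deg) / 2.0)
    return [[f / aspect, 0, 0, 0],
            [0, f, 0, 0],
            [0, 0, (far + near) / (near - far), 2 * far * near / (near - far)],
            [0, 0, -1, 0]]


def to_ndc(clip):
    """Perspective divide: clip space -> normalized device coordinates."""
    x, y, z, w = clip
    if w == 0:
        raise ValueError("vertex lies on the camera plane; cannot project")
    return [x / w, y / w, z / w]


def to_window(ndc, width, height):
    """Viewport mapping: NDC [-1, 1] -> window pixels (origin bottom-left)."""
    return [(ndc[0] + 1) / 2 * width, (ndc[1] + 1) / 2 * height]


def project_vertex(P, world, view, proj, width, height):
    """Object space -> world -> camera -> clip -> NDC -> window space."""
    # A 3D point P = [Px, Py, Pz] gets a homogeneous w = 1 before any transform.
    V = [P[0], P[1], P[2], 1.0]
    clip = mat_vec(mat_mul(proj, mat_mul(view, world)), V)
    return to_window(to_ndc(clip), width, height)


IDENTITY = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1]]


def demo():
    """Same object-space point placed 5 and then 50 units in front of the
    camera (assumed setup); returns each one's offset from the window centre."""
    proj = perspective(90.0, 640 / 480, 1.0, 100.0)
    near_px = project_vertex([1.0, 0.0, 0.0], translation(0, 0, -5),
                             IDENTITY, proj, 640, 480)
    far_px = project_vertex([1.0, 0.0, 0.0], translation(0, 0, -50),
                            IDENTITY, proj, 640, 480)
    return near_px[0] - 320, far_px[0] - 320


if __name__ == "__main__":
    print(demo())   # the far copy lands much closer to the centre
```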

Unlimited nitro (NOS) in NFS:MW

< >
*    Intro
*    Tutorial
*    Main
*    How
*    Outro
< >

=    INTRO    =

Author    :    dn5
Target    :    Need for Speed Most Wanted (1.3)
Website   :    it's down there somewhere in the text.
Date      :    31/05/2011 - 20:26
Email     :    mhm.. who cares.

=    TUTORIAL    =
Need for Speed: greatest arcade racing game ever; Most Wanted: best version out there. So what is this tutorial all about? I can't say it is a tutorial, more like a reversing trick to get unlimited nitro on any account in NFS:MW. And yes, while we are already at NFS:MW, I already coded a trainer for it; the source and binary are also included on my blog (profnetwork), so be sure (if you are an NFS gamer) to download it and examine it. It has only one option (to change the money of a specific account) and it uses simple memory editing. On the other side, in this "tutorial" there is no memory editing. I mean, yes there is, but not in the way of editing memory values but by assembling it. In this tutorial you will need OllyDbg and Cheat Engine (you don't need it if you don't want to read "HOW"). You will need basic ASM knowledge (the reversing kind) and of course a little time.

So let's go. Create a copy of your speed.exe from "X:\Dir\SubDir\Need for Speed Most Wanted" and open it up in OllyDbg. Here is a picture for all you great crackers:

How to create backup

OK, I'm serious from now on. So you have your "speed_debug.exe" in OllyDbg, right? Now go to address 00692B06. So you are here:

00692B05   .  57               PUSH EDI                                 ;  ntdll.7C910208
00692B06      D99E F8000000    FSTP DWORD PTR DS:[ESI+F8]               ;  <- RIGHT HERE :]
00692B0C   .  E8 FF90FDFF      CALL speed_de.0066BC10

I can't tell you much right now, so as not to blow your mind, but read the section "HOW" after I finish the trick tutorial to see why we land on this address. So above is the line where it says 'PUSH EDI'. Let's say that PUSH EDI is for now the starting point when we press "Alt" or whatever key is set in our settings for starting nitro (NOS). Anyway, just remember, the address 00692B05 is our starting point. At address 00692B0C we see some strange call. So what is that? Go into that call (navigate to the address and press F7), but don't worry, we will be back. So we are here, right?

007C4041   .  8BEC             MOV EBP,ESP                                ;  <- Yep, right there

And below that some strange lines, which I will comment:

007C4043   .  6A FF            PUSH -1                                    ; <- Push something from stack
007C4045   .  68 A0808B00      PUSH speed_de.008B80A0                     ; <- Step into this is
                                                                            008B809F    00FF               ADD BH,BH    // Adding two same values will result 0 right?
                                                                            008B80A0    FFFF  ???  ; Unknown command    // Really unknown...

007C404A   .  68 E4D57C00      PUSH speed_de.007CD5E4                     ;  SE handler installation which step into is
                                                                            007CD5E4  /$  55               PUSH EBP     // Something new... Uhm.. Forget it.
007C404F   .  64:A1 00000000   MOV EAX,DWORD PTR FS:[0]                   ;  Whoop, what is this? Moving first byte of FS to EAX!
007C4055   .  50               PUSH EAX                                   ;  And lets push it INTO stack and decrease EAX.

So, assume that the call at the beginning (00692B0C) was only a call for renewing the scene and everything in it. So, why did we assume this? Because it jumps to the program entry point (007C4041). And every new operation that happens jumps to that entry point. Where did we stop? Oh, yes, so if you remember, below address 00692B06 (which we will discuss later) is that call. So it goes like this:

Address    :    00692B05    -    Pressing button for nitro
Address    :    00692B06    -    MAIN (talk after this)
Address    :    00692B0C    -    The call we discussed about

=    MAIN    =
MAIN, from my point of view, is where it decrements the size of the health. I'm 100% sure, because (I've already reversed it) I got the pointer. If we assemble over that MAIN process where the nitro is decremented, we could do only the scene renewing.

Here the fun starts. We will leave PUSH EDI where it is, so we won't do anything at address 00692B05, but let's do a normal jump to the call where (like I said) the scene renewing is (which is not true). We will work with MAIN, so double click that disassembly at address 00692B06 and fill in a normal jump to the call below it:

Disassembling

What we did here is that we jump over the value decrementing/incrementing and just do the call that needed to be called after the decrementing/incrementing function.

“FSTP DWORD PTR DS:[ESI+F8]” to “JMP 692B0C”

If we would just "NOP" the address 00692B06 we would do nothing. The address would still be usable and you would only get a restart, because you didn't do any call. The point of this is simple: do not destroy address 00692B06 but use it as a resource for the next move (jumping to the call). The only thing left for you is to understand what is happening after this move. So, you jump to the call address and this is the result:

00692B06       /EB 04            JMP SHORT speed_de.00692B0C                        ; Where we set to jump
00692B08       |F8               CLC                                                ; forget it
00692B09       |0000             ADD BYTE PTR DS:[EAX],AL                           ; ADD value of AL to byte pointer of EAX
00692B0B       |00E8             ADD AL,CH                                          ; Add value of CH to AL
00692B0C        000              Go into next address                               ; Direction

and that is what was happening in 00692B06 before we disassembled it, am I right? Let's take a look at the address before we disassembled it:

00692B06 “FSTP DWORD PTR DS:[ESI+F8]“

and after disassembling:

00692B06 - //
00692B08 - CLC is probably the F8 for adding to ESI           (FSTP)
00692B09 - Add value from AL to EAX but in one byte           (DWORD PTR DS:[ESI+above line (F8)]
00692B0B - Add value from CH to AL                            (Don't have any idea what is this, but CH is FF and AL is 00)

Result =                                                      FSTP DWORD PTR DS:[ESI+F8]

Uh... I hope you get it. If you didn't, read it again. After all that, try to run your NFS:MW (F9) from Olly, choose any account and any car with nitro, and when you use your nitro, it will last forever. That is it.
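How the two-byte edit at 00692B06 shown above is actually encoded, and what is left of the original six-byte FSTP afterwards. This is an added example, not code from the original tutorial: a JMP SHORT is opcode EB followed by a signed 8-bit displacement measured from the end of the jump (address + 2), and the addresses and opcode bytes used here are the ones from the OllyDbg listing above.

```python
def encode_jmp_short(src, dst):
    """Return the EB rel8 bytes for a JMP SHORT placed at src that lands on dst.
    Raises ValueError when dst is outside the -128..+127 reach of rel8."""
    rel = dst - (src + 2)            # displacement is relative to the next instruction
    if not -128 <= rel <= 127:
        raise ValueError(f"0x{dst:08X} is out of short-jump range from 0x{src:08X}")
    return bytes([0xEB, rel & 0xFF])   # two's complement handles backward jumps


def decode_jmp_short(addr, code):
    """Inverse: given the two bytes at addr, return the jump target."""
    if len(code) < 2 or code[0] != 0xEB:
        raise ValueError("not a JMP SHORT")
    rel = code[1] - 256 if code[1] > 127 else code[1]
    return addr + 2 + rel


def overlay_patch(original, patch):
    """Write patch over the start of original. The tail bytes stay in memory
    and a disassembler will show them as whatever instructions they happen to
    form (the CLC / ADD lines in the listing), but execution never reaches them."""
    if len(patch) > len(original):
        raise ValueError("patch longer than the instruction it replaces")
    return patch + original[len(patch):]


# Values taken from the tutorial's listing (constructed here as constants).
FSTP_ADDR = 0x00692B06
CALL_ADDR = 0x00692B0C
FSTP_BYTES = bytes.fromhex("D99EF8000000")   # FSTP DWORD PTR DS:[ESI+F8]


def patched_bytes():
    """The six bytes at 00692B06 after the tutorial's edit."""
    return overlay_patch(FSTP_BYTES, encode_jmp_short(FSTP_ADDR, CALL_ADDR))


def leftover_bytes():
    """Bytes of the old FSTP that the jump skips over (never executed)."""
    return patched_bytes()[2:]


if __name__ == "__main__":
    p = patched_bytes()
    print(p.hex().upper(), "-> JMP SHORT to", hex(decode_jmp_short(FSTP_ADDR, p)))
    print("skipped:", leftover_bytes().hex().upper())
```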

=    HOW        =
Now, let's get back to the beginning, the point where we talk about the address we need to navigate to, the one we talked about in the whole lesson, the famous 00692B06 that we disassembled. So, you may ask yourself how I found this address?
The secret is in Cheat Engine.

Open up your NFS:MW and drive any car with nitro. Open Cheat Engine and choose speed.exe, and let's do a little scanning. For scan type choose "Unknown initial value", value type 4 bytes, and press "First scan". You will end up with billions of results. Go and use nitro for a little bit, press Escape, navigate to Cheat Engine, but this time choose "Decreased value" as the scan type, press "Next Scan" and let it finish. Now use your nitro again, but not all of it. In Cheat Engine just press "Next Scan" and don't change anything. The results will get smaller and smaller. Now let your nitro go up a little; don't use it at all. Navigate to Cheat Engine, choose "Increased value" and press "Next Scan".
Don't touch other options! After the scan is finished, repeat these steps again and again until you are left with at least 20 addresses (it needs some time but pays off). If you end up with no results, just press "Undo Scan" in Cheat Engine (the newest version 6.0 has it).

After you've got at least 20 addresses and at most 30, add all of them to the address list below. This time you need to freeze the addresses one by one. Try with the first one.

- Freeze the address
- Go into NFS:MW
- Use nitro: if you can use it and it goes down, then it's not that address

Do that for every address until you find the right one, the address where, when you freeze it, the nitro bar stays where it is while you are using it. For me this time it's address 01356118; the whole line is below:

Active                Description                Address                Type                Value
[x]                   No description             01356118               4 Bytes             1057120574

It's activated; I activated it. The address won't be the same as yours for sure, and the value too. Values in games are sometimes so different from what the HUD shows, so don't take the values as wrong. This is pretty strange at first look though. Now right click the address you found and click "Find out what writes to this address". This is good if you look for pointers. The result will of course be none, because nothing has used this address at the moment. Navigate to your NFS:MW and use nitro. You may get something like this, but "something" doesn't mean you will get the same:

00692B06 – D9 9E F8000000  – fstp dword ptr [esi+000000F8]

Whoa, that's what I got at first; remember the address 00692B06 we used to disassemble, well, here it is. That's how I got it. If you didn't get the same line, you may need to navigate to yours in Olly; it may be like this:

00692B3E – D9 9E F8000000  – fstp dword ptr [esi+000000F8]

so be careful, don't miss something. You can use this address too, but look up and down in Olly; you will for sure find the address we disassembled somewhere.

=    OUTRO    =
And that would be that. It's a heck of a long tutorial and my legs hurt from sitting in front of the computer trying to write something good. This tutorial is written by dn5 and will be posted at Ljuska, ic0de, GameDeception, MPGH and of course my blog. If I find it somewhere else, screw yourself, poster; I don't want my name on some stupid forum! Credits for this tutorial go to Don Gibson as lead director of NFS:MW, Oleh, and Dark Byte. Special credits to respected users from ic0de and respected users from ljuska.

CS.NET & botprofile.net explanation

No, this has nothing to do with .NET. In fact, I hate .NET so much that you shouldn't ever mention it to me. This is a Counter-Strike tool. Another one. But this tool does not involve playing with D3D and address injection like I used to do with my other tools (for example CS1.6 Sidebar). CS.NET will be used, and can be used, to change the default names of the bots in CS:S. Not the prefix; I mean the real names that the bots use.

The whole concept is built on generating 'botprofile.db' in the '..\CSS\cstrike\' folder. In botprofile.db the types define themselves: the name of the bot, reaction time, aggression, type of bot, whether it is a normal or a hardcore bot and so on, including some other settings like guns. An example botprofile.db can be found here:

http://pastebin.com/rbijAJdJ

At the moment I'm exploring which function does what in botprofile.db. There are many of them in it and explaining all of them will be hard, trust me. For now, let me only explain some of the functions of CS.NET, and then let me explain botprofile.db and some of its structure.

CS.NET is free, just like any other tool that I created. CS.NET is easy to use, and best of all, CS.NET does its job. But that job is pretty lame for now. For now you can only set the names of the expert bots. There are 10 names in every section of bots in botprofile.db, 10*4 = 40. It won't be hard, but it's 3 AM and I'm too tired to code that, so I will code it another day. Let's first see a screenshot of CS.NET:

Main window

Let me explain the art. You can either click 'Random' and generate random (pre-defined) names and get new names like in the picture, or you can set them on your own by clicking on a name and then entering the name you want. After that you can click 'Compile' and it will ask you for the 'cstrike' folder. That's normal, because botprofile.db is stored there and you just can't search all over some drive to find that file, so instead it lets the user choose it. When you click OK after you've looked up your folder, it will automatically generate botprofile.db and edit the lines it needs to get the right results. I've also written another piece of software, because if I hadn't, I would have needed a whole day just to write a simple Initialize_bots() function to compile this. The total number of lines in botprofile.db is 840, and if I wrote for every line something like 'blabla' + #13#10 + 'blabla' + #13#10 and repeated that 840 times I would just die. I'm serious. Why not create a simple tool that will do all of that by itself? I did that and the result was great. So I just edited some lines and got a perfectly easy tool.

What I want to add in the future is sections in the list like:

Easy
 -------------------------------------------------------------------
 BotName 1                                                       Easy
 ...
 BotName 4                                                       Easy
Normal
 -------------------------------------------------------------------
 BotName 1                ...
 ...
 ...

And so on, so you can change every name of every type of bot. This tool is created so you can create your own botprofile.db settings easily.

Now let's talk more about botprofile.db. botprofile.db is a database file (more like a text file) split into small parts by type. Something similar to an INI file. Every type has its own sections. This picture will explain everything, so read it carefully (click on the image to resize it).

Explanation of botprofile.db

That's it. I hope you learn something new; tomorrow will be the first release of the tool, I hope so. It's 3:44 now and I'm going to sleep. Good night.

dn5.

= Serial-phishing tutorial | Coding a keygen =

 Author    :    dn5
 Website   :    www.profnetwork.wordpress.com
 Email     :    loltroll@cjb.net
 Team      :    I'm not a member of any group (remember that)
 Date      :    19.04.2011 / 19:42
-
 / Intro
 / Tutorial
 / Outro
 * Resources
 -

-= Intro =-
If you followed my last tutorial (Serial-phishing) about phishing the serial of a register-me application from crackmes.de step by step, you know that I promised I'd write a tutorial about coding a keygen for that register me. If you didn't read the older tutorial, don't read this one either. This is just like Part 2 of the first one, so first go and read part 1 on my blog: www.profnetwork.wordpress.com (or search for it on the net). For coding the keygen I will use Delphi. Every language is the same except for its syntax, so you can actually follow the tutorial comments and create your own keygen in any language you want.

-= Tutorial =-
I used to code in Delphi 7, but a week ago or so I switched to Delphi 2009. It was a hard move, but I am familiar with Delphi so it wasn't a big deal. Let's see what we got last time from the "Explanation" section.

...that's the trick of the creator. He maybe wants to trick us so it will be harder to code a keygen, but we fucked him up (no we didn't) and phished the serial. Let's virtually back it all up:
DS:[009B3F28]=64 ('d')        <-    First char                (1) | Hex: 64
DS:[009B3F29]=6E ('n')        <-    Second char               (2) | Hex: 6E
DS:[009B3F2A]=35 ('5')        <-    Third one                 (3) | Hex: 35
DS:[009B3F2B]=69 ('i')        <-    Fourth, for fuck's sake   (4) | Hex: 69
DS:[009B3F2C]=73 ('s')        <-    And the last one          (5) | Hex: 73
The whole serial should be "646E356973", but the correct one was "356473696E". Why?
1. The third char goes to 1st place.              35->1 = 35
2. The first char goes to 2nd place.              64->2 = 35 64
3. The last char goes to 3rd place.               73->3 = 35 64 73
4. The char before the last one goes to 4th place. 69->4 = 35 64 73 69
5. The second char goes to the last place.        6E->5 = 35 64 73 69 6E
6. The SUM of all these is                              = 356473696E            <- Which is the correct answer!...

There is the whole explanation of what we will do in Delphi too. We will first get the first 5 chars of the name (because that's what it looks at) and then I will read the hex of every value there and of course do the stepping: first to second, second to last, and so on. Let's start by opening your famous IDE (it's Delphi for me :]) and create a new GUI project (or whatever, it could be a console one too).

After you press OK, let's design the form. What we need is 2 textboxes and a button. Call the first edit "txtName" and the second "txtResult". The name of the button should be "btnGen". Don't forget to edit the caption of the form itself along with the caption of the button. The name of the form should be "frmMain". You can also add other controls like a TImage, a panel etc., but that's just for aesthetic looks.

The design is finished. Mine is probably different from yours (it's stupid when there are two identical GUIs lol), but let's start coding! For this tutorial I wrote a small function (which is all over the net) that converts a string to hex. Here it is:

function StrToHex(txtName: string): string;
var
  i: Integer;
  s: string;
begin
  s := '';                                     // Start with an empty result
  for i := 1 to 5 do                           // Only the first five chars
    s := s + IntToHex(Ord(txtName[i]), 2);     // Two uppercase hex digits per char
  Result := s;
end;

So, drop this function somewhere in the code before everything else, like this.

What we need to do next is to store the name somewhere, use this StrToHex function to get the ASCII converted to hex, and take 2 chars at a time. Let's declare a public (for this unit) variable vName as string. This vName will store the name we input.

As I explained, [x] holds x chars in that variable. So if our name is "MYNAMEE" it will be "MYNAM". Below that variable let's declare another one like this:

  vHex   : String;      // This will store the hex of our vName

vHex will store the result of the StrToHex function applied to vName. In the button click event we will declare these variables.

var
  result: string;
  a: string;         // This will store the first two hex digits
  b: string;         // This will store the second two hex digits
  c: string;         // This will store the 3rd two
  d: string;         // and this the 4th two hex digits
  e: string;         // This will store the 5th two hex digits

NOTE: We will code a function for generating, but this is only for explanation. The result is the final serial that we get by storing a, b, c, d and e in the correct order. Let's see what's between the 1st "begin" and the last "end":

This will set our already defined variable vName to the name and keep it there.

 vName := txtName.Text;

This will keep the hex of our name (vName). vHex is the predefined variable, StrToHex is our function, and vName is from the line before this one.

 vHex  := StrToHex(vName);

This is the easy part. The variable a will hold the first two hex digits. So if the username is dn5is (dn5iscool) it will hold only "d" and its hex: 64. Delphi strings are 1-based, so the copy starts at position 1.

 a := Copy(vHex, 1, 2);

This is the same as with variable a. b will hold our second two hex digits, from the char "n" for example, which is 6E.

 b := Copy(vHex, 3, 2);

Same as the previous one.

 c := Copy(vHex, 5, 2);

Same as the previous two.

 d := Copy(vHex, 7, 2);

The last one, from the last char (5).

 e := Copy(vHex, 9, 2);

This will generate the result. You remember the explanation: first goes to second place, second to last, etc.; well, here it is.

 result := c + a + e + d + b;

Printing our result:

 txtResult.Text := Result;

This is how it should look:

But hey, this code looks like a mess to me even if it works; here is an example with the name "Keygened".

The good thing would be to make a function for getting keys (serials). If you got how we did this then move on reading, else read it again from the top. I find it very useful to read more even if I already know something. So, create a new function called GetSerial(). I will write the function and comment everything with "//"; if you don't understand something, google it, but as I said this is the same as the previous example, just sorted into a function.

function GetSerial(vHex: String): String;   // The function itself
var
  vChars: Array[1..5] of String[2];         // Imagine this as five places, each with room for two characters.
                                            //  |       |       |       |       |       |
                                            //      ..      ..      ..      ..      ..
                                            // The 5 places are the array, and the 2 is the room in each place.
                                            // Each of these holds two hexadecimal digits.
begin                                       // Begin the block
  vChars[1] := Copy(vHex, 1, 2);            // Copy returns a substring; Delphi strings are 1-based, so start at 1
  vChars[2] := Copy(vHex, 3, 2);            // Here Copy starts at position 3 and cuts the next two hex digits
  vChars[3] := Copy(vHex, 5, 2);            // Here Copy starts at position 5 (3 from the 2nd char + 2 digits = 5)
  vChars[4] := Copy(vHex, 7, 2);            // And here (5 + 2 = 7)
  vChars[5] := Copy(vHex, 9, 2);            // The last one (7 + 2 = 9)
  Result := vChars[3] + vChars[1] + vChars[5] + vChars[4] + vChars[2];   // Ordering
end;                                        // End of block

The function is ready to paste as it's complete. Delete all the code from "btnGen" and use this:

 if txtName.Text = '' then                                        // Check if txtName is blank
 begin                                                            // If it is, begin
   MessageBox(0, 'Your name can not be blank', 'Error', MB_OK);   // Show error (MessageBox needs the Windows unit)
   Exit;                                                          // Exit the event
 end else begin                                                   // Else, if not blank, begin
   if Length(txtName.Text) < 5 then                               // Check if txtName has less than 5 chars
   begin                                                          // If yes, begin
     txtResult.Text := 'Your name must have at least 5 chars';    // Display an error
     Exit;                                                        // Exit the event
   end;                                                           // End block
 end;                                                             // End block
                                                                  // If everything is OK
 vName := txtName.Text;                                           // Set vName to our name
 vHex  := StrToHex(vName);                                        // Set vHex via our function
 txtResult.Text := GetSerial(vHex);                               // Display the result using the function.

That's the end of the tutorial. Now, this was a very easy tutorial, with easy instructions and an easy register me. Easy programming language, and everything was easy (except the writing). I won't give you the whole project, but a compiled one (in the resources section) so you can see how it looks. Other than that, you have this tutorial, so write your own keygen ;)
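The serial scheme recovered in the "Explanation" listing above and implemented by the Delphi StrToHex/GetSerial pair, reimplemented here as an added example (not code from the original tutorial) so it can be checked offline with the page's own values (name "dn5iscool", serial "356473696E"). The check function stands in for the crackme's own comparison, which the text never shows, so its form is an assumption; the last function makes the weakness of the scheme explicit: because the serial is a fixed permutation of the name's own bytes, it leaks the first five characters of the name.

```python
def str_to_hex(name):
    """Hex of the first five characters, two uppercase digits each (StrToHex)."""
    if len(name) < 5:
        raise ValueError("name must have at least 5 chars")
    return "".join(f"{ord(ch):02X}" for ch in name[:5])


def get_serial(hex_name):
    """Split the 10 hex digits into pairs vChars[1..5] and reorder them
    3, 1, 5, 4, 2 exactly as the listing shows (GetSerial)."""
    if len(hex_name) != 10:
        raise ValueError("expected 10 hex digits (5 chars)")
    v = [hex_name[i:i + 2] for i in range(0, 10, 2)]   # v[0] is vChars[1]
    return v[2] + v[0] + v[4] + v[3] + v[1]


def keygen(name):
    """The whole btnGen path: name -> hex -> reordered serial."""
    return get_serial(str_to_hex(name))


def check_registration(name, serial):
    """Assumed form of the crackme's check: accept only the matching serial.
    Mirrors the blank / too-short guards from the button handler."""
    if not name or len(name) < 5:
        return False
    return serial.upper() == keygen(name)


def recover_name_prefix(serial):
    """Invert the permutation: serial = [c3, c1, c5, c4, c2], so the
    original chars 1..5 are s[1], s[4], s[0], s[3], s[2]."""
    if len(serial) != 10:
        raise ValueError("expected 10 hex digits")
    s = [serial[i:i + 2] for i in range(0, 10, 2)]
    ordered = [s[1], s[4], s[0], s[3], s[2]]
    return "".join(chr(int(h, 16)) for h in ordered)


if __name__ == "__main__":
    print(keygen("dn5iscool"))                 # 356473696E, the value phished in part 1
    print(recover_name_prefix("356473696E"))   # dn5is
```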

-= Outro =-
I feel tired atm, and I need to study some math for tomorrow. Credits to Madboy this time.

-= Resources =-

Register Me (from the tutorial) = http://www.megaupload.com/?d=Z2WMYLW3
Delphi09/D7/Pascal/Visual Basic/.NET/Java/C++ or any other IDE.
Brain
Hands
Compiled project = http://www.multiupload.com/DQBANU092K

= Serial-phishing tutorial =

Author     :    dn5
Website    :    www.profnetwork.wordpress.com
Email      :    .?*~@cjb.net
Team       :    I'm not a member of any group (remember that)
Date       :    18.04.2011 / 21:10
-
 / Intro
 / Tutorial
 / Explanation
 / Outro
 * Resources
-

-= Intro =-
In this tutorial, I'll teach you how to phish a serial. Serial phishing is an easy method to get the serial of a tool. This is an example, so I won't use any commercial software but some "Register Me" that I downloaded from crackmes.de. I will add the download and the resources you'll need at the bottom of the post (if I don't forget). I bet there is no tutorial on this crackme, so it's not stolen (who would create a tutorial on such an easy crackme). You will need basic knowledge of programming (or won't), and knowledge of OllyDbg, as I will use it this time.

-= Tutorial =-
Here we go. What we need to do is open up OllyDbg, open the crackme in it (I know you already did) and run it.

I guess you already know how to run it; otherwise leave the tutorial and go read the basics first. You will now see "Register Me" being executed and get a window like this:

What we need to do first is write false info, check the error type, search for that error, and phish the serial. Let's go one by one. Enter false info into "Register Me" and press Register. Note: the Name must be at least 5 chars, otherwise you will end up with another error we don't need. This time I will use the name dn5iscool (orly) and the password 123456.

OK, so the error on false input is: "Invalid Registration Name or Serial". Let's go back to Olly (don't close the fuck*ng Register Me), right click, then Search for -> All referenced text strings.

Really, if you don't know how to search for referenced text strings, press F1 -.- Anyhow, when you get all referenced text strings, find the one we need (Invalid Registration Name or Serial) and double click it.

You will automatically be transferred to the main thread, to address $453A53. That is the address which holds that error. Scroll a bit up until you see "PUSH EBP" (will talk about it later).

The address of PUSH EBP is $45391C (note: $ is 00 or 0x). Now let's see what's happening there: put a breakpoint on PUSH EBP (use F2 to set a breakpoint). Now the address of PUSH EBP will be red. That means execution will break when the instruction pointer reaches the breakpointed address. Let's run "Register Me" again like the first time and press the "Register" button. BUM!!! You see, execution breaks and the cursor is set to the last event (the pressed button, i.e. PUSH EBP); that's why you don't see the error come up. Navigate to OllyDbg (without closing Register Me) and press F8. The selection will move forward.

As you can see there is nothing interesting in the info box. Here is the info box of PUSH EBP:

The info box of the address below PUSH EBP is:

ESP=0012F62C
EBP=0012F76C

and the command is MOV EBP, ESP. MOV copies the value from the source to the destination and the source stays as it was. Press F8 again and again and again until you see something interesting (username, serial, some ASCII etc.).

...
...
...
...
...

And BUM!!! Once again. At address 00453967 I saw that the info box shows my name:

OK, that is my name. But I'm looking for the serial, right? OK, let's move on. Press F8 again and again, and again until you find something useful (like I mentioned).

...

And BUMMMMM!!! For the 3rd time. OK, this is the last time -.- At address 0045398A the info box shows the following text:

 Stack SS:[0012F604]=009B3994, (ASCII "123456")

This is my false serial. Who cares about it. (BTW, the stack is a place where we store some data which we can read later.) Press F8 again and again, bla bla. You already know what you have to do.

...
...
...

After showing my username 3 more times in the info box, I saw something strange. This was at address 004539CE:

 DS:[009B3F28]=64 ('d')
 EAX=009B3F28, (ASCII "dn5iscool")

So what does it do? First, DS is getting the value of the first character, which is "d" in this case, and its hexadecimal number. How did I know that? I checked it :].

As you can see the hex of ASCII "d" is 64. That's why that line shows the number 64:

DS:[009B3F28]=64 ('d')

Now that we know it converts the char "d" to hex, let's press F8 again and again.

...

Whoa, this time it took my char "n" from the name:

DS:[009B3F29]=6E ('n')                <- Here
EAX=009B3F28, (ASCII "dn5iscool")

I checked ASCII "n" and it came up that it's really 6E in hex. So, let's press F8 some more times.

DS:[009B3F2A]=35 ('5')
EAX=009B3F28, (ASCII "dn5iscool")

DS:[009B3F2B]=69 ('i')
EAX=009B3F28, (ASCII "dn5iscool")

DS:[009B3F2C]=73 ('s')
EAX=009B3F28, (ASCII "dn5iscool")

But after a while I got that it takes only the first 5 chars (that's why it asked for 5 chars at the beginning). So press F8 all the way up to address 00453A2E. What we have here are all these hex numbers. Let's press F8 some more times (maybe we will catch something).

...

At address 00453A49 there was this text:

Stack SS:[0012F60C]=009B2468, (ASCII "356473696E")
EDX=00140608

I bet that is my serial. Let me try it. Oh yeah, we forgot to remove the old breakpoint from address $45391C at the start of the tutorial, so remove it if you didn't (select the address and press F2 to remove the breakpoint). OK, try it now.

Yes! Finally! It's cracked. That was the serial. OK, you indeed cracked it; let me explain what you have done.

-= Explanation =-

In the tutorial I explained most of the things, but let me review it :]. First, what is PUSH EBP.

* Push EBP
In programming we code in either an English-like syntax (high-level) or a machine syntax (low-level) language. One of the low-level languages is ASM. There are no fancy words in ASM like include this, uses this, loop this and that; using registers (predefined variables) we actually create the program. The compiler transforms logical code like C++ into machine code, which is ASM. In ASM, EBP stands for Extended Base Pointer, or BP (Base Pointer). EBP has mostly to do with the stack and stack frames. In this case, where the stack points at the event of pressing a button, we "run" that event. It's a little hard to explain, but:

Imagine that EBP is a box. In that box we can put toys, a computer, a book, anything. If we want to break some toy, that is an event. So if we actually push a banana, we squeeze it. The banana in this case is EBP and the push event is our hand.

+-------+
|  EBP  |
+-------+

Now I messed it up even more, but w/e.

* Getting the serial
Most of getting the serial is explained in the tutorial, but what is not explained is why the chars aren't in the correct order. Well, that's the creator's trick. He maybe wants to trick us so it will be harder to code a keygen, but we fucked him up (no we didn't) and phished the serial. Let's virtually back it all up:

DS:[009B3F28]=64 ('d')        <-    First char              (1) | Hex: 64
DS:[009B3F29]=6E ('n')        <-    Second char             (2) | Hex: 6E
DS:[009B3F2A]=35 ('5')        <-    Third one               (3) | Hex: 35
DS:[009B3F2B]=69 ('i')        <-    Fourth for fuck sake    (4) | Hex: 69
DS:[009B3F2C]=73 ('s')        <-    And the last one        (5) | Hex: 73

The whole serial should be "646E356973" but the correct one was "356473696E". Why?

 1. The third char goes to 1st place.                 35->1 = 35
 2. The first char goes to 2nd place.                 64->2 = 35 64
 3. The last char goes to 3rd place.                  73->3 = 35 64 73
 4. The char before the last one goes to 4th place.   69->4 = 35 64 73 69
 5. The second char goes to last place.               6E->5 = 35 64 73 69 6E
 6. The SUM of all these is                                 = 356473696E

And the SUM (the concatenation of the five hex pairs in that order) is the correct answer (our serial).
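To check the derivation above end to end, here is an added example (not code from the post or the crackme): it hex-encodes the first five characters of the name, applies the 3-1-5-4-2 reorder from the numbered steps, and reproduces the running concatenation. It assumes that reorder is the crackme's fixed rule for every name, which the tutorial only demonstrated for "dn5iscool"; the function names are mine.

```python
"""Reproduce the serial derivation from the Explanation section.

Added example, not the crackme's own code.  Assumption: the transform seen
for "dn5iscool" (hex of the first 5 chars, then the 3-1-5-4-2 reorder) is
the crackme's fixed rule; the post only shows it for that one name.
"""
from __future__ import annotations

# Output position 1..5 -> which of the first five chars (1-based) lands there,
# copied from the numbered step list in the Explanation.
ORDER = (3, 1, 5, 4, 2)


def name_hex_pairs(name: str) -> list[str]:
    """Two uppercase hex digits for each of the first 5 characters."""
    if len(name) < 5:
        # Register Me rejects short names with a different error (see the tutorial)
        raise ValueError("name must be at least 5 chars")
    return [f"{ord(c):02X}" for c in name[:5]]


def naive_serial(name: str) -> str:
    """What the serial would be if the pairs were simply concatenated."""
    return "".join(name_hex_pairs(name))


def phished_serial(name: str) -> str:
    """The serial as the crackme actually builds it (reordered pairs)."""
    pairs = name_hex_pairs(name)
    return "".join(pairs[src - 1] for src in ORDER)


def derivation(name: str) -> list[str]:
    """The running concatenation, one line per numbered step on the page."""
    pairs = name_hex_pairs(name)
    steps, acc = [], ""
    for place, src in enumerate(ORDER, start=1):
        acc += pairs[src - 1]
        steps.append(f"{pairs[src - 1]}->{place} = {acc}")
    return steps


if __name__ == "__main__":
    for line in derivation("dn5iscool"):
        print(line)
    print("naive:  ", naive_serial("dn5iscool"))
    print("phished:", phished_serial("dn5iscool"))
```

Running it prints the five step lines and the two serials; the last step line ends with the same 356473696E that appeared in the OllyDbg stack view, which confirms that the table and the reorder are consistent with what was observed.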

I bet you get it. It's a long shit I wrote and I'm sick :[ (yes, I can be sick too!). Next time I will write a tutorial (InshAllah) about creating a keygen for this tool in Delphi (and maybe, but maybe, Visual Basic 6).

-= Outro =-
Why does the outro even exist? Anyway, I would like to say thanks to: the Register Me author, n0p-6o-n0p, Oleh, the whole AT4RE group, Mr Paradox, ICU (starzboy), the whole demoscene, and greetz to all reversers along with the following websites: ljuska, leetcoders, ic0de, google, crackmes, RE and others!

-= Resources =-

Notepad++ = http://notepad-plus-plus.org/
OllyDbg by Oleh = http://www.ollydbg.de/
RegisterMe from tutorial = http://www.megaupload.com/?d=Z2WMYLW3
And FastScanner(optional) = http://www.mediafire.com/?zunqyifyjr5

That would be that!

All the best (Oh God I'm tired),
dn5.

Santex NA closed? Nah…

No, it's not over yet. I didn't close it, I just started coding new options ^^
OK, it has its own client, but... mhm. Well, I started a new design, but after a while I realised it's better to run it on a VPS, with C&C on IRC. So what I did is convert all the old code to new code which connects to IRC. Connecting to IRC will be better. First, the connection uses the IRC protocol, IRC can keep more handles alive, and of course you will feel 1337 (oh noez, I'm just kiddin'). The connection is based on my own SDK (which I coded a long time ago) that connects to an IRC server and channel. Now I'm working on getting the information input by the controller (sending from C&C to server).

I also coded a PHP panel; yes, that's right, now it will be Builder->Server->PanelToIrc and NO, you won't be able to control any of the bots, you will just get information about them. Like when it's connected, what the victim IP is and so on. There will be a configuration which you will need to set up, and of course a login to the panel itself. Here is the screenshot of the login:

When you log in, you will get information about the bots, listed in a nice listview that is not mine (yes, I only stole the CSS /me leecher). Here is how that actually looks:

The idea of flag displaying is by Xhash, so thank you Xhash <3. So, if I created this, why don't I create the whole controller? First, I have no idea how to send a request from server to victim, to be honest, and second, I have no idea how to get a request from server to victim. Wait. That's the same -.- Well, I just don't have time, and it won't be that easy. Instead, I started coding the reader of the PHP. You log in, you read values, the values are shown, you finish. The reader will help you read info from the PHP panel. To log in you will need to input the login username, password, and login URL.

After login is completed (successfully) it will show you a list with info from the server.

That's it I guess. Enough info; I just blinked and it's already 23:45, g2g, sleeping time. Need to wake up early.

All the best,
dn5.

[BiH] Simple patching tutorial – by dn5

= Greetz =
I'll only thank dj-siba from AT4RE and Oleh (the OllyDbg author), since they are the only ones who contributed something to the tutorial; whatever is left goes to Office Jesus for the example.

= Tutorial =
Let's say I randomly took some keygenme (in this case KeyGen Me Office Jesus #1). Well... this one asks us to make a keygen, but I'll just patch it, since you haven't grown up enough to make the keygen itself. Or it's simply too hard for you (honour to the exceptions). Maybe some day a tutorial will come on pure ASM and inline ASM so you can make a keygen in Pascal. Here are the rules of this keygen me:

RULES:
==========
1) Phishing is ALLOWED
2) Patching is NOT ALLOWED                         <- NOT ALLOWED
3) Self-Keygen is NOT ALLOWED                    <- NOT ALLOWED
4) Stand-alone Keygen is ONLY SOLUTION

As you can see, the only 2 things allowed are phishing the serial (which I don't intend to teach you) and making a keygen. Self-keygen (i.e. an inner keygen) is not allowed, and neither is patching. Anyway, who cares (except the author). Just so you know, you can download the files at the end of the post, along with the resources you need.

What you will need:
-    FastScanner v3.0 (from AT4RE)
-    OllyDbg (I use version v1.10, not modded)
-    Notepad (or any text editor)

First we will check whether the file is packed. If it is, we will have to unpack it. So let's start by launching FastScanner and dragging the Keygen me onto the FastScanner window, or clicking Open and choosing the file (Keygen me) we need.

If the file is packed, the "Result" field will name the packer for well-known compressors. The EP section is very significant for determining the packer (but that is something that would only tire you). As we can see, this Keygen me is written in Delphi and no unpacker is needed, i.e. the file is not packed. That means we will be able to debug it, extract the information and assemble it later. Let's do it in order.

First open OllyDbg, then File->Open and choose the Keygen me. If almost all your options are at default, you will see the normal main thread, i.e. addresses, hex dump, comments, disassembly etc. What we need to do is search the referenced text strings, and we'll do that by right-clicking in the main window, then Search for, then All referenced text strings (yeah yeah, as if that was hard):


Now the text string results should appear. Since we don't know what happens at specific moments, we'll find out by doing false keygening (lol, this is my word). That is done by entering wrong information into the program we want to patch:


So the text we need to search for is "Keep Trying!". Now in the old window in OllyDbg, where we searched "All referenced text strings", press the End key. Pay attention to the last few rows:

As you can see, there is the text "Keep Trying!". It seems to me (it's not just seeming) that this is the text we got a moment ago in false keygening. If you can't find the text, right-click in Text strings referenced and press "Search for text", then type "Keep Trying!" there, or whatever text is needed for patching.

NOTE: There won't always be text like that (lol ofc), and you won't always be able to find it in the main thread; sometimes you'll have to search through other modules to find the right window. If you search, turn off the Case sensitive option and turn on Entire scope.

Anyway, double-click on the following line:

OllyDbg will automatically take you to the main thread. Now comes the important part, which is "throwing" the address to another position via the MOV command. Let's see what we have here: right-click the line OllyDbg located you on, then Copy->Copy to clipboard. I usually paste this into Notepad++ and look at what's there:

0045736E |. B8 FC734500 MOV EAX,KeygenMe.004573FC ;  ASCII “Keep Trying!”

So the address where the pointer goes after the wrong serial is $45736E (I add $ so you know it's an address, a habit from Pascal). In the disassembly we can see the pointer changes position via MOV EAX. MOV is a command for moving the pointer; the address 4573FC the pointer goes to is the address of the ASCII ("K" "e" "e" "p" " " "T" "r" "y" "i" "n" "g" "!"), and then a return to the original window. What we need to do is move the pointer via MOV EAX from 4573FC to the address that gives us the result that the serial is good. This is patching; for keygening I'd have to talk for quite a while (from PUSH EBP to the end point and the subs.. uh, some other time ;]).

To patch the address, double-click address 45736E in the Disassembly section.

The following little window will appear:

Now comes the important part: switching the pointer's memory. Since the address we need to switch to is $457349, we'll move the pointer to that address via the MOV command. So instead of:

MOV EAX, 4573FC –> MOV EAX, 457349

The result of this is moving the pointer from one place to another. We could have used JMP too, but there's no logic in the pointer jumping when it can be moved; JMP needs more memory, plus jumping backwards can lead to something we call an unexpected section, or anything unexpected.

This EAX register is a kind of variable that contains the pointer's element; sometimes it's the serial, sometimes this, sometimes that. Since EAX and EBX and MOV and JMP and EB and all commands in ASM are static variables stored in the processor, we know that the assignment alternates. That would be it. If you did everything right, then.. nothing special :>
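The disassembly line copied above, `B8 FC734500`, is the whole 5-byte encoding of `MOV EAX, 4573FC`: opcode B8 followed by the 32-bit immediate stored little-endian. The added example below (mine, not code from the post or the keygenme) decodes that immediate, applies the 4573FC -> 457349 change from the edit dialog to a byte buffer, and confirms that only one byte moved and the instruction length is unchanged. The buffer and its offset are constructed for the demonstration; mapping the virtual address $45736E to a file offset in the real executable is not covered here.

```python
"""Encode/decode the 5-byte `MOV EAX, imm32` (opcode B8) from the tutorial
and apply the 4573FC -> 457349 immediate change to a byte buffer.

Added example, not part of the original post.  The buffer is constructed
from the single disassembly line in the text (padded with NOPs on both sides
so the offset arithmetic is visible); the offset is an assumption, not the
keygenme's real file offset.
"""
import struct

MOV_EAX_IMM32 = 0xB8   # one-byte opcode for MOV EAX, imm32
INSN_LEN = 5           # opcode + 4-byte immediate


def decode_mov_eax(buf: bytes, off: int) -> int:
    """Return the imm32 of the MOV EAX,imm32 at `off`, or raise if the
    opcode there is something else (guards against patching the wrong spot)."""
    if off + INSN_LEN > len(buf) or buf[off] != MOV_EAX_IMM32:
        raise ValueError(f"no MOV EAX,imm32 at offset {off:#x}")
    return struct.unpack_from("<I", buf, off + 1)[0]


def patch_mov_eax(buf: bytes, off: int, new_imm: int) -> bytes:
    """Replace only the 4-byte little-endian immediate.  The instruction
    keeps its length, which is the property the tutorial relies on when it
    prefers editing the MOV over inserting a JMP."""
    decode_mov_eax(buf, off)            # validate the opcode first
    out = bytearray(buf)
    struct.pack_into("<I", out, off + 1, new_imm)
    return bytes(out)


def changed_offsets(a: bytes, b: bytes) -> list:
    """Offsets at which two equal-length buffers differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Constructed sample: 4 NOPs, the instruction from the post, 4 NOPs.
PATCH_OFFSET = 4
ORIGINAL = bytes.fromhex("90909090" "B8FC734500" "90909090")
PATCHED = patch_mov_eax(ORIGINAL, PATCH_OFFSET, 0x457349)

if __name__ == "__main__":
    print("before:", ORIGINAL[PATCH_OFFSET:PATCH_OFFSET + INSN_LEN].hex().upper(),
          f"imm={decode_mov_eax(ORIGINAL, PATCH_OFFSET):#x}")
    print("after: ", PATCHED[PATCH_OFFSET:PATCH_OFFSET + INSN_LEN].hex().upper(),
          f"imm={decode_mov_eax(PATCHED, PATCH_OFFSET):#x}")
    print("bytes changed at offsets:", changed_offsets(ORIGINAL, PATCHED))
```

Because 4573FC and 457349 share their upper three bytes, the patch touches exactly one byte (FC becomes 49); the same decode-then-compare step is what you would run when checking a binary for an unexpected modification of this kind.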

BTW.
I was joking. I won't give you the same keygen me, I'll give you a slightly easier one, just so you can test what you've learned.

Hints for the new keygen me:

-    It's easier ;>
-    The string is not at the end of the file, so you'll have to search
-    Changing the address (patching) is the same as in the example
-    Only numbers are allowed in the serial
-    It's not packed

References:
-    FastScanner 3 (b version) : http://www.mediafire.com/?zunqyifyjr5
-    OllyDbg : http://www.ollydbg.de/
-    Notepad++ : http://www.notepad-plus.sourceforge.net
-    beBoss Keygen me : http://www.multiupload.com/KNCZJOT2CS

= Outro =
#Author: dn5
#Website: www.profnetwork.wordpress.com
#Email: -.-@-.-.com
#Fuckme: no :]
