
Greetz to you reading this wonderful tutor, stay tuned and you will eventually learn something useful, I think. But before I start I have something to announce.

This tutorial is for educational purposes only; I will not accept any responsibility for any damage which may result from reading this material.

With that out of the way, let's start. But one more thing before we start.

Set your screen resolution to "1024 x 768" if it isn't already. If you don't know how to do that, then you should not be reading this.

		-----------------------------------------------------------------------------------------

- What is this tutorial about?

Well, if you haven't figured that out by now I don't blame you. Anywayz, in this tutorial I hope to extend your knowledge of breaking code to gain full access to a password-protected program. Hehe, that sounds funky.

- What is this tutorial not about?

Hmm, well, this is hard to classify, but I'll try my best. This is not another cracking tutorial which explains how to crack a program and stuff. I assume that you have a little bit of knowledge in cracking; that is all you need. :)

- So just what is this program?

Okay, so the program we are going to exploit is 'i0pius STARR PC & Internet Monitor'; yeah yeah, I know it's a long name. You can download it at 'www.i0pius.com'. I will now give you a brief intro to this program. It is basically a spy suite: it runs silently in the background each time you start up your Windows PC and records every event you do....... keeping a log file of everything you type, every application you run, every site you visit (especially porn sites, hehehe). The thing I like best about this program is that it allows the log file to be sent to an email address after it has reached a certain size. But one feature of it that I really hate is that it also allows the user to password-protect the program, so that you cannot access the control centre if you don't know the password. And that password is what we are going to learn to bypass today.

- Who could use this program, and why should I bother?

Well, let me see now. You are a 14-year-old dude, and your parents just bought you a PC as a Christmas gift along with an internet account; hehe, you have cool parents.....hehe :). Anywayz, lately they seem to notice that you are spending just too much time on the net, so they approach you and you deny doing anything mischievous: "Only looking at this cool game, dad!!!". Anywayz, one day while you are at school they turn on your PC and manage to get to your desktop. Using their very limited computer skills they do some clicking and find that you were not lying; only good sites appear in the history folder. Still they are not convinced.
Next day at work they just happen to be discussing your case with a friend of theirs, and he/she proposes they install spy software to see what you are doing while you are online. With happiness in their eyes they quickly run home after work and log on to the net before you arrive; they do some searching on Google for spy software, and they come up with i0pius software. Hmm, they download it. Fortunately they don't download it from the official site but from some dude's site, which also contains the registration key. After installing the software they register it, set the settings and close everything down, pretending they have not been messing with your stuff. You come back home after school, boot up your PC, and go to your favourite hack site, hmmmmmmmmm. After some time there you innocently clear the history folder, assuming that you will be safe, and log off the net.

Next day dad calls you in front of the PC and shows you all the sites you've been visiting, all the conversations in the chat rooms you went to, every application you ran, and so on........ and you are wondering how your good old dad got this telepathic gift overnight. You get grounded for 50 years and end of story........... (hehe, just kidding.......)

- Nice story, but how do I know if dad has installed the monster on my babe?
	
	Well, luckily enough there is one simple, easy way to get out of this one.
	GO TO START,
	CLICK ON RUN,
	TYPE STARRCMD,
	PRESS OK,

Well, what do you know, a password dialog box pops up. Hmmmmmmm, so that's typical of dad. You try some passwords but with no luck, but then you realise that dad will find out what you have been doing, 'cause everything is being logged, right? So you quickly log on to the net, go to astalavista, and you find this cool tutorial, and it is just what you need, hehehe.

		---------------------------------------------------------------------------------------

Now that you get the picture, let's rock and roll.

	Tools needed to exploit the babe!
	--------------------------------

	- W32Dasm decompiler (* the heart of the rock), easily obtainable from the net.
	- Visual Basic compiler (* why you need this will be explained later)
	- Linkin Park "Hybrid Theory" album, playing at full volume...... (to relax yourself with during the process)
	- A pen
	- A piece of paper
	- Basic assembly language knowledge (actually just the jmp instructions, hehe :))
	- And definitely an IQ higher than your age!! (* hehe, only kidding....)
	- Of course, an installed copy of the software.

	
	Let it rock
	-----------

	Follow the steps above until you get to the password box. Type in anything you like and click OK. If you get another small box complaining about how the password you entered is wrong, copy what it says (it should be something like "Wrong password, please restart the application"). Using the pen, write down this error message on the paper you have in front of you, and when done click 'OK'.

	Okay, so load W32Dasm, browse to the folder "<system root>\system\", select the file 'starrcmd.exe' (without the quotes :) ), click OK and chill while your best friend decompiles the exe. Assuming that you have a fast PC and it has finished decompiling by now, we proceed on....

	Arrh! What are all these cracky words and letters? Hmm, that is not important for now, since this tutorial is not about that. :) Maybe some other time. Okay, so in W32Dasm click on the "String Data Reference" item under the "Ref" menu.
	Hmmm, a new box pops up with all sorts of lines in it; fortunately you can read these lines. Now in this box scroll down until you see a line that is exactly the same as "Wrong password, please restart"; yeah, that is half the text you wrote on the paper, hehe. Double click on this line and you find yourself in another place in W32Dasm, with a lot of asm code. But wait a sec, isn't that the line you wrote on the paper? Yup! That's it, 101%. Wow, you just discovered a whole new world in computers. You can now close the "String Data Reference" dialog box.

	Okay, you should see the lines:

* Possible StringData Ref from Data Obj ->"Wrong Password - Please restart "
					->"the application"

:0040737C 6808C24700	PUSH 0047C208
:00407381 E819400500	CALL 0045B39F
:00407386 8945C8	MOV DWORD PTR [EBP-38],EAX

'
'		and the code continues :)
'


Okay, so gently scroll upwards until you see something like this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407358 (C)
|
:0040735E 8B55E8	MOV EDX,DWORD PTR [EBP-18]
:00407361 81E2FF000000	AND EDX,000000FF

'
'  code continues hehe :)
'


	Okay, from this information we can see that there has been a jump to the address 0040735E from the address 00407358. Wow, that must have been the result of a comparison, hehe :). Now ain't that cool. What we can point out by now is that:

		After the comparison at address 00407358, if the password is wrong then we are taken to the address 0040735E, which will continue with program execution till we get to the error message. Wow, aren't computers cool, and dumb.

	So now let's go to the address 00407358. Click on the 'Goto' menu and select 'Goto Code Location'; a new box should pop up, and you should see a white text box with a bunch of numbers in it. Type 00407358 in this box and click 'OK', and you should be magically transported to the address you requested; it is marked with a green bar. You should see something like this.

	Wow, what is this I see:
	
		:00407358 7404	je 0040735E

	Yes, my dear friend, this is the jump which is executed each time you type in this stupid password to get the ugly error message. Look at the 'je': if you are much into programming then you should know that after the 'test eax,eax' instruction above it, if the two passwords don't match then you jump ('je') to the error box. So if we could change this 'je' to a 'jne', it would jump to the error message if the password was correct, but continue with execution of the code which gets you to the command centre. Now ain't that coolllllllll...... hehe

- Some added knowledge about offsets!!!

	Well, before we can write a patch program we need to know where the 'je' is located in the exe, right? And this is where offsets come in. An offset is just a number which represents the position in the file where a particular instruction's bytes can be located.
	In this case we need to know the offset at which the 'je 0040735E' is located. So we place the green bar over the 'je' instruction (if it's not already there) and look at the bottom of the W32Dasm window, just above the taskbar; you should see a long line with numbers and letters in it. Observe the line carefully and look for something like
	(@Offset 00007358h). Yeah, you guessed it: 00007358h is our offset value for the 'je' instruction, so write this down, as we are going to need it later on to write a patch program.


 Changing the 'je' to 'jne'
 -------------------------

Okay, so to change the instruction code, still in W32Dasm, click on the 'Debug' menu and select 'Load Process'. Just click on 'Load' in the next little box that pops up, hehe :). Now you have three windows in front of you, and you feel like GOD when you see all these numbers and crazzzzzzy letters, and you can't wait to impress your low-level friends.

So now look at the third window, the one that has only one big white box with a lot of instructions in it, a darker blue coloured bar, and some buttons on it. Yeah, you see it, don't you? Okay, among these buttons you should see one labelled 'Go To Address'; click on it and enter the address 00407358, and you should now see the 'je 0040735E' instruction again.

Now click on "Patch Code" and you should get a new window with 4 text boxes, one of which is labelled "Enter new instruction below". Type into that box: jne 0040735E, and hit Enter; you should see your new instruction in the big text box below the one you just typed into. Click once on the new instruction and then click on the "Apply Patch" button, ignore any messages given to you by W32Dasm, close the patch window, and press F9 to run the application.

Wow, you get the password box again, right? Hmm, let me see; type in anything you wish and click on 'OK'.

Well, ain't that something: you are now in the command centre of STARR, hehe. You can stop the logging engine, delete the logs, change the password to access the command centre, or even change the email address where the log file is to be sent. Browse the command centre and see what you get into....... be imaginative. :)

- Okay, so now what?

Well, now that we know where to patch the program in the debugger, we need to write a patch program to patch the STARR control centre, and unpatch it as necessary. Well, you might be saying that you already patched the code, and I say you are wrong: in the debugger you patched the code only to see if the address was right, and when you terminate the process using the debugger the patches you applied are all removed. So we need to write the new instruction permanently into the exe, so that we need not debug the program each time we need to get to the control centre, and so that your dad doesn't know that you have been messing around with the program and what you've been up to on the net.

This is where a Visual Basic compiler comes in. I have written a program in VB6 to patch and unpatch the command centre, and included the source in this archive.
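The two things this tutor has been doing by eye, turning the disassembler's address 00407358 into the file offset 00007358h and then looking at the single byte sitting there, can be done by a script, and a script can just as well be used by the other side of the story: dad, or anyone else who installed a monitoring program, can check whether the exe on disk still has its 'je' (opcode 74h) or has quietly grown a 'jne' (75h), and whether the file's hash still matches the one recorded at install time. The Python below is an added example, not the VB6 patcher from this archive and not anything shipped by i0pius. It builds its own tiny stand-in PE32 image in memory (one '.text' section whose PointerToRawData equals its VirtualAddress, which is the layout the tutorial's VA/offset pair implies) instead of touching the real starrcmd.exe, and the image base 00400000h, the section sizes and the hash baseline are all assumptions made for the example.

```python
import hashlib
import struct

# x86 short (rel8) conditional jump opcodes: 'je' is 0x74, 'jne' is 0x75; the
# tutorial's whole patch is the one-byte difference between them.
JE_REL8 = 0x74
JNE_REL8 = 0x75
SHORT_JUMPS = {JE_REL8: "je", JNE_REL8: "jne"}

# From the tutorial's W32Dasm readout: ':00407358 7404 je 0040735E' at '@Offset 00007358h'.
JUMP_VA = 0x00407358
IMAGE_BASE = 0x00400000  # assumption: the usual PE32 default image base


def build_sample_pe(jump_opcode=JE_REL8):
    """Constructed stand-in for the exe (NOT the real starrcmd.exe): a minimal
    single-section PE32 whose .text section has PointerToRawData == VirtualAddress,
    so that VA 00407358 lands at file offset 00007358h as in the tutorial."""
    image = bytearray(0x8000)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)            # e_lfanew: PE header at 0x40
    image[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", image, 0x44,
                     0x014C,                              # Machine: i386
                     1,                                   # NumberOfSections
                     0, 0, 0,                             # timestamp, symbol ptr, symbol count
                     0xE0,                                # SizeOfOptionalHeader (PE32)
                     0x0102)                              # Characteristics: EXE, 32-bit
    opt = 0x44 + 20
    struct.pack_into("<H", image, opt, 0x010B)            # PE32 magic
    struct.pack_into("<I", image, opt + 28, IMAGE_BASE)   # ImageBase field of the optional header
    sect = opt + 0xE0                                     # first section header
    struct.pack_into("<8sIIIIIIHHI", image, sect,
                     b".text", 0x7000, 0x1000, 0x7000, 0x1000, 0, 0, 0, 0, 0x60000020)
    # The password check's jump exactly as listed: opcode + rel8 (+4 -> 0040735E).
    image[0x7358:0x735A] = bytes([jump_opcode, 0x04])
    return bytes(image)


def parse_sections(data):
    """Read ImageBase and the section table; returns (image_base, [(name, va, raw_size, raw_ptr)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x010B:
        raise ValueError("only PE32 images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, raw_size, raw_ptr))
    return image_base, sections


def va_to_file_offset(data, va):
    """The '@Offset' W32Dasm shows: VA -> RVA -> position inside the section's raw data."""
    image_base, sections = parse_sections(data)
    rva = va - image_base
    for _name, sect_va, raw_size, raw_ptr in sections:
        if sect_va <= rva < sect_va + raw_size:
            return rva - sect_va + raw_ptr
    raise ValueError(f"VA {va:#010x} is not backed by any section's raw data")


def short_jump_at(data, va):
    """Mnemonic of the short conditional jump at `va` ('je', 'jne') or None if it is neither."""
    return SHORT_JUMPS.get(data[va_to_file_offset(data, va)])


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def tamper_report(data, known_good_sha256):
    """Defender-side check: did the whole file change, and was this specific 'je' flipped?"""
    return {
        "file_offset": va_to_file_offset(data, JUMP_VA),
        "jump": short_jump_at(data, JUMP_VA),
        "hash_matches": sha256_hex(data) == known_good_sha256,
    }


if __name__ == "__main__":
    clean = build_sample_pe()
    baseline = sha256_hex(clean)             # what an install-time record would hold
    tampered = build_sample_pe(JNE_REL8)     # constructed: same image with the one-byte flip
    print("clean   :", tamper_report(clean, baseline))
    print("tampered:", tamper_report(tampered, baseline))
```

The hash comparison is the check that actually scales: it catches the one-byte flip described above without knowing where it is, which is why a monitoring product (or an admin) should record a hash of its own executables at install time and re-verify them, and why an unsigned, unverified exe is the weak spot the whole tutor relies on.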

- But I don't have a Visual Basic compiler?

So you are not into programming, huh? Well, if you don't have a VB compiler that is cool, 'cause I've got news for you: you can write a program using Microsoft Word. Yeah, but how? If you don't really know then send me a mail and I'll write a tutor on it.


And this ends this long tutor. With these last words I leave you be........ good luck with your dad!!!!


Kimera
23/03/2002
email : kimerarulez@hotmail.com

