R a g e 9 ' s C r a c k i n g T u t o r i a l
  1 - 2
W r i t i n g  A  P a t c h
T o o l s :
Microsoft Quick Basic V.4.5
On the site menu on the left, click 'Files'; on the page that comes up, click 'Compilers' in the right-hand menu, then go down to 'Quick Basic'.

A base converter that can change decimal into hexadecimal and vice versa.
D i s c l a i m e r :
Neither I nor any of my colleagues take responsibility for anything you do with this document. We will not be prosecuted because of your illegal activities; this document is for educational purposes ONLY!

Also, buy good software! If you crack it, that's all well and fine, but if it's a good program, buy it! I'm not trying to rip software developers off, just share knowledge.
My last tutorial focused on cracking the program TruView 1.83; this tutorial will focus on writing a patch/crack for the program.

I would suggest some knowledge of BASIC for this, although I'll be giving you all the code, fully documented.


Start

The first step I would suggest is to make a list of what you need in your patch. Here's mine:
  1. Error Handler call
  2. Logo & Info text
  3. File open code
  4. File Read code
  5. Test Version code
  6. File Write code
  7. Error Handler code
  8. Success and Failure text


Let's go over each one:
1. Error Handler call
This call tells the program that if an error happens, it should jump to this chunk of code to deal with the problem.

2. Logo & Info text
This is your ASCII (text) graphics, and any info you wish to put on there.

3. File open code
Opens the file so that we can (in the next part) read data from it.

4. File Read code
Reads the data we need into the program.

5. Test Version code
Takes the data we read into the program and tests it to see if it's the right version of the program.

6. File Write code
If the tests say it's the right version, this code goes ahead and patches the file.

7. Error Handler code
This is the chunk of code the Error Handler call sends the program to if there is an error; the error gets dealt with here.

8. Success and Failure text
This is the text that is displayed telling you whether you have the right version and it got patched (success), or you don't have the right version and it did not get patched (failure).


Let's get coding!

1. Error Handler call
This should be the first thing in your program, so that if anything goes wrong the program knows what to do.
    We will use an 'ON ERROR' statement; mine looks like this:


 ON ERROR GOTO trouble

As you can see, if there is an error the program will go to the label 'trouble', which is where I have my error handling code; we'll get to it later.

2. Logo and Info text
Now this is the most creative part: put in your ASCII (text) art, logo, etc.
Here's Mine:

PRINT "                                  _________           "
PRINT "                                 |_  ____  |          "
PRINT "                                 |_ |____| |          "
PRINT "                                 |____ ___ |          "
PRINT "                ___   __   ___   ___  |___ |          "
PRINT "                | _| |__| |  __ |__   |___ |          "
PRINT "                |  | |  | |___/ |___  |____|          "
PRINT "                 +------------------------+           "
PRINT "  +--------------+     TruView 1.83       +----------+"
PRINT "  +              +------------------------+          +"
PRINT "  +  [*] Crack  [] KeyGen  [] Prog  [] Tut  [] Other +"
PRINT "  +     +--------------------+                       +"
PRINT "  +-----+ About:             +-----------------------+"
PRINT "        +     Allows ANY     +                        "
PRINT "        +  Registration Key  +                        "
PRINT "        +   To Be Entered.   +                        "
PRINT "        +--------------------+                        "


It has my ASCII name/logo, the title of the program, what it is (crack, keygen, prog, tut, or other) and what it does.

3. File Open Code
For this we simply use the OPEN command, with a FILES check in front of it:

FILES "truview.exe"
OPEN "truview.exe" FOR BINARY AS #1

The first command, 'FILES', checks that the file is in the current directory; if it is not, an error occurs and the error handler (covered later) takes over. This check matters: OPEN ... FOR BINARY creates an empty file if none exists, so without it a missing truview.exe would silently become a new, empty file.

Then we issue the command 'OPEN' followed by the name of the file, 'truview.exe' (this must be in quotes unless the name is held in a string variable). After that we must specify the mode we wish to open the file in. The choices are:
  1. Input - Can only bring data into your program.
  2. Output - Can only send data out of your program to the file. (NOTE: Be careful with this mode: opening an existing file for OUTPUT erases the whole file before anything is written! If you don't want that to happen, use the next mode.)
  3. Append - Can only send data out of your program, but it starts writing at the end of the existing file, much safer.
  4. Random - Reads and writes fixed-length records by record number; not what we need here.
  5. Binary - Lets you read and write raw bytes at any byte position in the file (positions are given in decimal, which is why we convert from hex in the next section). This is the mode we will be using.

And that final part, 'AS #1', assigns the open file the number 1; every GET, PUT and CLOSE that follows refers to the file by that number.

4. File Read Code
First things first: to make reading binary data in Quick Basic easier, let's convert our hex address to decimal. Remember the address we used in Hacker's View? It was 340DD, which converted to decimal is 213213. But Quick Basic numbers the bytes in a file starting at 1, while the hex editor starts at 0, so we must add one (1): 213213 becomes 213214. Now we have the starting position to read from.

Let's create some variables. I used getbytes%, getbytess%, getbytex%, and getbytexx%; the % suffix makes each one a 16-bit integer.

When we read from the file with the 'GET' command into an integer variable, we read 2 bytes at a time.

What's a byte? A bit is one binary digit (zero (0) or one (1)), and 8 bits make one byte.

One byte is written as two hexadecimal digits (0 to 9 and A to F), so for example 1A (26 decimal) is one byte, and a 16-bit integer holds two such bytes.

Now back to the variables:
getbytes% will hold the word read at position 213214 (850F)
getbytess% will hold the word read at position 213215 (CC85)
getbytex% will hold the word read at position 213217 (0000)
getbytexx% will hold the word read at position 213218 (0000)

How the hell did I figure that out? Guess and check, with a little logic.
After you read from those positions and print out the variables, you get decimal numbers. This is what you get:
getbytes% has the number -31473
getbytess% has the number -13179
getbytex% has the number 0
getbytexx% has the number 0

If you convert them to hex with a 32-bit converter,
-31473 yields FFFF850F
-13179 yields FFFFCC85
And of course 0 yields 0 :)

'But there are two bytes of FF in there!' you must be screaming. That's ok: the FFFF is just the sign extension a 32-bit converter adds to a negative number. All we care about is the last two bytes, and so does Quick Basic, because an integer variable is only 16 bits wide.

If we put the whole thing together our hex string looks like:
000000CC850F
Remember getbytex% and getbytexx% both held zeros; this means they read 0000 & 0000.

Ok, I bet some of you are frustrated and think this makes no sense; I'll try to explain what we just read.

My first point is that Quick Basic, like the x86 processor it runs on, stores integers little-endian: the low byte comes first in the file. So remember from the last tutorial the string of hex we changed was 0F85CC000000; that's exactly what we have, just read two bytes at a time from the low byte up.
So our hex string 0F85CC000000, seen as words, becomes the equivalent 000000CC850F.

So the first 'GET', at position 213214, grabs the bytes 0F 85, which come back as the word 850F.

The second 'GET', at 213215, grabs 85 CC, giving CC85. Why 85 again? Because we only moved forward one byte, so this read overlaps the first one.

The third 'GET', at 213217, gets 0000; notice we moved two bytes this time. If we had only moved one, to 213216, we would have read CC 00, which comes back as 00CC.

Finally the fourth 'GET', at 213218, gets 0000. We moved one byte this time, so we grabbed one of the 00 bytes from the previous read again, but that's ok.

Why did I read 85 again instead of taking 00CC at 213216? Reading 213216 would in fact work just as well: CC 00 comes back as the word 00CC, which is 204 in decimal, and it could be tested against &HCC like the others. The overlapping reads are simply what I arrived at by guess and check; three non-overlapping reads at 213214, 213216 and 213218 would cover the same six bytes.

Wow, that took a while. Here's the code:


GET #1, 213214, getbytes%                      
GET #1, 213215, getbytess%                     
GET #1, 213217, getbytex%                      
GET #1, 213218, getbytexx%                     

The first argument is the file number we are reading from, the second is the decimal position in the file at which the read starts, and the third is the variable that stores the two bytes read.
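To make the byte order and the 1-based positions concrete, here is an added example in Python (not part of the original tutorial, which is Quick Basic only) that emulates the four GET statements on a constructed stand-in for truview.exe: zero filler with the six bytes 0F 85 CC 00 00 00 placed at offset 340DD. The function names (qb_position, qb_get_int, qb_hex_literal, read_like_tutorial) and the filler image are my own; the offsets and byte values are the tutorial's. It also reads the position the tutorial skipped, 213216, to show what that returns, and shows why a &H850F literal equals the -31473 that GET produced.

```python
import struct

# Constructed stand-in for truview.exe (added example; the real binary is not
# reproduced here): zero filler with the six bytes the tutorial patches,
# 0F 85 CC 00 00 00, placed at the hex-editor offset 340DD.
PATCH_OFFSET = 0x340DD
ORIGINAL_BYTES = bytes.fromhex("0F85CC000000")


def build_sample_image() -> bytes:
    image = bytearray(PATCH_OFFSET + 64)
    image[PATCH_OFFSET:PATCH_OFFSET + len(ORIGINAL_BYTES)] = ORIGINAL_BYTES
    return bytes(image)


def qb_position(offset: int) -> int:
    """Hex editors count bytes from 0; QuickBasic GET/PUT positions count from 1."""
    return offset + 1


def qb_get_int(image: bytes, position: int) -> int:
    """Emulate GET #1, position, var% : read two bytes starting at the 1-based
    position as a little-endian signed 16-bit integer (the low byte comes first)."""
    return struct.unpack_from("<h", image, position - 1)[0]


def qb_hex_literal(text: str) -> int:
    """Value QuickBasic assigns a four-digit &H literal: a signed 16-bit integer,
    so &H850F is -31473, the same value GET returns for the bytes 0F 85."""
    value = int(text[2:], 16)
    return value - 0x10000 if value > 0x7FFF else value


def read_like_tutorial(image: bytes) -> dict:
    """The tutorial's four overlapping reads plus the position it skipped, 213216."""
    return {pos: qb_get_int(image, pos)
            for pos in (213214, 213215, 213216, 213217, 213218)}


if __name__ == "__main__":
    img = build_sample_image()
    print("position of 340DD:", qb_position(0x340DD))
    for pos, val in read_like_tutorial(img).items():
        # show the signed decimal and the 16-bit hex QuickBasic actually compares
        print(pos, val, "&H%04X" % (val & 0xFFFF))
```

Run it and each position prints its signed decimal value next to the 16-bit hex: 213214 gives -31473 (&H850F), 213215 gives -13179 (&HCC85), the skipped 213216 gives 204 (&H00CC), and the last two give 0, matching what the tutorial printed from Quick Basic.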

5. Test Version code
This section, I promise, is much easier to understand than the last one!

Ok, we have to have a way to make sure this is the right version of the program we just opened and read from. How do we do this? Simple: test each variable we read into against what it should contain. If a test fails, the program jumps to the failure text (later on) and ends; if it passes, the program goes on to test the next variable. If they all check out, it falls through to the patch code (next section).

For this we will use a simple 'If...Then' statement:


 IF getbytes% <> &H850F THEN GOTO badversion    
 IF getbytess% <> &HCC85 THEN GOTO badversion   
 IF getbytex% <> 0 THEN GOTO badversion         
 IF getbytexx% <> 0 THEN GOTO badversion        

This tests each variable. In each line you see the 'IF' part and then the variable.
<> means 'not equal to', and after it comes what the variable should contain. This time we will not change hex to decimal, to save time.

What's up with &H850F and &HCC85? The '&H' tells the compiler that what follows is a hex value, not decimal. A four-digit &H literal is a 16-bit signed integer, so &H850F is the same -31473 that GET gave us, and the comparison works without any conversion.

Why don't the zeros have an '&H' in front of them? Because 0000 read as a word is just 0, in hex or decimal alike, so there is nothing to convert. (The variables getbytex% and getbytexx% hold the decimal value 0 as well, so there is some logic in it.)

And last but not least, if they are not the same, the 'THEN GOTO badversion' sends the program to the label 'badversion', which is where the failure text is (later on).

6. File Write code
Alright, now if everything checks out we want to patch the file. We first need a variable that holds what we will put into the file with the 'PUT' command.

Well, what did we change 0F85CC000000 to in the last tutorial? That's right, we changed it to 909090909090!
So we know we have to put a 90 (NOP) in each byte we read, but because we read 2 bytes at a time we will have to write 9090 (2 NOPs, also 2 bytes).

The variable I am using for this I named byteput%, and gave it the value &H9090.

Remember, because it's still in hex form we need the '&H' in there.

Now we just do the same thing we did with the 'GET' command, with 'PUT':
PUT #filenumber, position, variable

In this case the file number is #1, the variable is byteput%, and the positions are the ones we read: 213214, 213215, 213217 and 213218. The writes overlap just as the reads did, and between them they cover all six bytes.

Here's the code:


byteput% = &H9090
PUT #1, 213214, byteput%
PUT #1, 213215, byteput%
PUT #1, 213217, byteput%
PUT #1, 213218, byteput%
CLOSE #1
END


'CLOSE #1' closes the open file #1, and 'END' ends the program.

You will probably want to add a message saying that the patching was successful. Just a thought. ;)

7. Error Handler Code
What else do we need? A way to make sure the file is in the current directory; if it's not, we get an error. Now you see why the Error Handler call is there.

This time we will use a 'SELECT CASE ERR' statement. What is the ERR number for a file not being found? 53.

Here's the code:


trouble:
CLS
SELECT CASE ERR
CASE 53
PRINT "                Can NOT find 'truview.exe'!"
PRINT "          Make sure you run this from the directory"
PRINT "                      That it is in!"

END SELECT

PRINT
PRINT "                      Patching Failed! "
END



'trouble' is the code label the program jumps to if there's an error; refer to section '1. Error Handler call'.

Next comes the 'CLS' command, which clears the screen so that the directory path printed by the 'FILES' command doesn't clutter the error message.

Then we have our 'SELECT CASE ERR' statement and our 'CASE 53'. Remember, 53 means the file could not be opened because it's not there!

Then we pop up the error message saying it's not there.
The 'END SELECT' closes the SELECT CASE. Note that any other error number falls through it without a specific message, so only the generic line that follows is shown. Finally we print that the patching has failed, and end.

8. Success and Failure text
There's not much to this section, just the places the program is instructed to jump to. Code:

PRINT "        +-----------------------------+"
PRINT "        +Program Patched successfully!+"
PRINT "        +-----------------------------+"

badversion:
PRINT "                      Bad Version!"               
PRINT "               Make sure you have version"        
PRINT "                          1.83!"
PRINT
PRINT "                     Patching Failed! "           
END                                                      



The first 3 lines I put one line before the 'CLOSE #1' command in the code of section 6; they just say that the program was patched successfully.

The last 7 lines I put at the very end of the code; they carry the label badversion (refer to section 5) and just report that you have the wrong version of the program.

Appendix A: Final Code
This is not the best format to put it in, but hey, it works for me, and hell, it's fully commented!


ON ERROR GOTO trouble                   'trouble is my error handler

'my intro
PRINT "                                  _________           "
PRINT "                                 |_  ____  |          "
PRINT "                                 |_ |____| |          "
PRINT "                                 |____ ___ |          "
PRINT "                ___   __   ___   ___  |___ |          "
PRINT "                | _| |__| |  __ |__   |___ |          "
PRINT "                |  | |  | |___/ |___  |____|          "
PRINT "                 +------------------------+           "
PRINT "  +--------------+     TruView 1.83       +----------+"
PRINT "  +              +------------------------+          +"
PRINT "  +  [*] Crack  [] KeyGen  [] Prog  [] Tut  [] Other +"
PRINT "  +     +--------------------+                       +"
PRINT "  +-----+ About:             +-----------------------+"
PRINT "        +     Allows ANY     +                        "
PRINT "        +  Registration Key  +                        "
PRINT "        +   To Be Entered.   +                        "
PRINT "        +--------------------+                        "
PRINT

FILES "truview.exe"                     'test that truview.exe is present (ERR 53 if not)
OPEN "truview.exe" FOR BINARY AS #1     'open file for binary access

GET #1, 213214, getbytes%               'grab 2 bytes at decimal position 213214 (850F)
GET #1, 213215, getbytess%              'grab 2 bytes at decimal position 213215 (CC85)
GET #1, 213217, getbytex%               'grab 2 bytes at decimal position 213217 (0000)
GET #1, 213218, getbytexx%              'grab 2 bytes at decimal position 213218 (0000)

IF getbytes% <> &H850F THEN GOTO badversion     'make sure getbytes% contains 0F & 85
IF getbytess% <> &HCC85 THEN GOTO badversion    'make sure getbytess% contains 85 & CC
IF getbytex% <> 0 THEN GOTO badversion          'make sure getbytex% contains 00 & 00
IF getbytexx% <> 0 THEN GOTO badversion         'make sure getbytexx% contains 00 & 00

byteput% = &H9090                       'byteput% contains 9090 (two NOPs, 2 bytes)

PUT #1, 213214, byteput%                'put 90 (NOP) where 0F & 85 are
PUT #1, 213215, byteput%                'put 90 (NOP) where 85 & CC are
PUT #1, 213217, byteput%                'put 90 (NOP) where 00 & 00 are
PUT #1, 213218, byteput%                'put 90 (NOP) where 00 & 00 are

PRINT "        +-----------------------------+"
PRINT "        +Program Patched successfully!+"    'say it was patched
PRINT "        +-----------------------------+"    'successfully
CLOSE #1                                'close the file
END                                     'end program

trouble:
SELECT CASE ERR                         'get the error number

CASE 53                                 '53 = file not found
PRINT "                Can NOT find 'truview.exe'!"             'error message
PRINT "          Make sure you run this from the directory"
PRINT "                      That it is in!"

END SELECT                              'end error handler (other error numbers fall through)
PRINT
PRINT "                      Patching Failed! "                 'say it failed
END                                     'end program

badversion:
PRINT "                      Bad Version!"                      'say they have the
PRINT "               Make sure you have version"               'wrong version
PRINT "                          1.83!"
PRINT
PRINT "                     Patching Failed! "                  'say it failed
END                                     'end program
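As an added example, not the tutorial's own code, here is the same patcher rewritten in Python so that it can be run and tested today. It keeps the tutorial's facts (file name truview.exe, offset 340DD, original bytes 0F85CC000000, six NOPs) but compares the raw six bytes instead of overlapping two-byte words, refuses to run twice, keeps a .bak copy of the original, and opens the file in r+b mode so nothing is truncated. Everything else (the function names check_version, patch_image, patch_file and run_demo, the status strings, the backup, and the constructed sample files run_demo writes to a temporary directory) is my own design; the real truview.exe is not reproduced.

```python
import os
import shutil
import tempfile

TARGET_NAME = "truview.exe"
PATCH_OFFSET = 0x340DD                          # 0-based offset from the hex editor
ORIGINAL_BYTES = bytes.fromhex("0F85CC000000")  # the six bytes found in the last tutorial
PATCHED_BYTES = b"\x90" * len(ORIGINAL_BYTES)   # six NOPs


def check_version(image: bytes) -> bool:
    """Section 5: accept only the exact bytes we expect at the offset. Comparing raw
    bytes sidesteps the overlapping two-byte reads and signed-integer values."""
    return image[PATCH_OFFSET:PATCH_OFFSET + len(ORIGINAL_BYTES)] == ORIGINAL_BYTES


def patch_image(image: bytes) -> bytes:
    """Section 6 on an in-memory copy: replace the six bytes with NOPs."""
    if not check_version(image):
        raise ValueError("bad version")
    end = PATCH_OFFSET + len(PATCHED_BYTES)
    return image[:PATCH_OFFSET] + PATCHED_BYTES + image[end:]


def patch_file(path: str) -> str:
    """Sections 3 to 8 in one function. Returns a status instead of printing:
    'not found', 'already patched', 'bad version' or 'patched'."""
    if not os.path.isfile(path):                # the FILES check (QuickBasic ERR 53)
        return "not found"
    with open(path, "rb") as fh:
        image = fh.read()
    window = image[PATCH_OFFSET:PATCH_OFFSET + len(PATCHED_BYTES)]
    if window == PATCHED_BYTES:                 # don't "patch" twice
        return "already patched"
    if not check_version(image):
        return "bad version"
    shutil.copyfile(path, path + ".bak")        # keep the original (the tutorial doesn't)
    with open(path, "r+b") as fh:               # r+b edits in place; "wb" would truncate like OUTPUT mode
        fh.seek(PATCH_OFFSET)
        fh.write(PATCHED_BYTES)
    return "patched"


def build_sample(window: bytes = ORIGINAL_BYTES) -> bytes:
    """Constructed stand-in for truview.exe: zero filler with `window` at PATCH_OFFSET."""
    image = bytearray(PATCH_OFFSET + 64)
    image[PATCH_OFFSET:PATCH_OFFSET + len(window)] = window
    return bytes(image)


def run_demo() -> dict:
    """Exercise every outcome on constructed files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, TARGET_NAME)
        with open(good, "wb") as fh:
            fh.write(build_sample())
        results["first"] = patch_file(good)          # 'patched'
        results["second"] = patch_file(good)         # 'already patched'
        with open(good, "rb") as fh:
            results["after"] = fh.read()[PATCH_OFFSET:PATCH_OFFSET + 6]
        results["backup"] = os.path.isfile(good + ".bak")
        wrong = os.path.join(tmp, "other.exe")       # different bytes at the offset
        with open(wrong, "wb") as fh:
            fh.write(build_sample(bytes.fromhex("0F8400000000")))
        results["wrong"] = patch_file(wrong)         # 'bad version'
        results["missing"] = patch_file(os.path.join(tmp, "nope.exe"))  # 'not found'
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The status strings take the place of the tutorial's PRINT messages so the outcomes can be asserted; a real patcher would print them and exit non-zero on anything but 'patched'. Checking the whole six-byte window, rather than four overlapping words, is also what makes the "already patched" case easy to detect.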





F i n a l :
Wow, that was a lot, wasn't it?
You can modify this program all you want, and if you don't know BASIC, learn it; it's very easy and is great as a first computer language.

Remember,
K N O W L E D G E  I S  P O W E R
S h o u t s :
A D A M  W A L K E R The Head Honcho at Newbie Hacker, who gave me a chance to write this.
E V E R Y O N E  A T  N E W B I E  H A C K E R You guys have been great!
© Rage9, 2000

Written on: June 7th, 2000