
Guys! Here is the crack for FolderGuard, help me! My English is really bad!

Thread in 'Hỏi đáp Tin học' (Computing Q&A) by Trinh_Thanh_Long_new, 07/02/2002.

  1. Trinh_Thanh_Long_new

    Trinh_Thanh_Long_new New member

    Joined:
    25/01/2002
    Posts:
    17
    Likes received:
    0
    Target: Folder Guard 4.11 - FGKey.exe - FGuard32.dll
    About the program: Folder Guard is a software-only security solution for personal or publicly accessible computers running the Windows 95/98 operating system.
    About the tutorial: In this tutorial we will see how to patch a packed DLL, FGuard32.dll (packed with ASPack), without unpacking it. Folder Guard protects files from being accessed. Our aim is to crack the password check made in FGKey.dll, useful for those who forgot their passwords or who want to access files and don't know the password ;)

    Tools needed: SoftICE 3.x-4, a hex editor (I use UltraEdit)

    Run FGKey.exe, set a bpx GetDlgItemTextA
    Put a password (or don't put anything) and press ENTER
    F12 once
    At the second JN make an "R FL Z"
    That's all

    In the same way you can unlock the locked files
    In the same way you can toggle the protection
    Yes, in the same way it is checking all the real with the wrong passwords
    As you see we must patch the location 100089D3 in FGuard32.dll from 0F84B1000000 (NO JUMP) to 0F85B1000000 (JUMP). The next step is to make this permanent.


    --------------------------------------------------------------------------------


    Let's see how we can patch the packed DLL that checks the real with the wrong password without unpacking it. The idea is like this: before the program is unpacked in memory we have to add a bit of code that says: make the JN a JNZ.

    Load FGKey.exe into the SoftICE Symbol Loader, but before that load it in ProcDump32 and with the PE Editor change, under Sections, the .text characteristics from C0000040 to E0000020. SoftICE will break here, at the beginning of the unpacking code:


    Break due to Symbol Loader
    015F:0040B000 60 PUSHAD
    015F:0040B001 E800000000 CALL 0040B006
    015F:0040B006 5D POP EBP
    015F:0040B007 81ED0A4A4400 SUB EBP,00444A0A
    015F:0040B00D BB044A4400 MOV EBX,00444A04
    015F:0040B012 03DD ADD EBX,EBP
    015F:0040B014 2B9DB1504400 SUB EBX,[EBP+004450B1]
    015F:0040B01A 83BDAC50440000 CMP DWORD PTR [EBP+004450AC],00
    015F:0040B021 899DBB4E4400 MOV [EBP+00444EBB],EBX
    015F:0040B027 0F8517050000 JNZ 0040B544 (NO JUMP)


    Since we are looking for a place to write our patching code, let's change
    015F:0040B027 0F8517050000 JNZ 0040B544 (NO JUMP)
    into 015F:0040B027 0F84C35EFFFF JZ 00400EF0 (JUMP)


    If you wonder why, I'm going to tell you that at 00400EF0 I'll write the patching code, and when it runs it will return to 0040B02D to continue the unpacking code. How did I find that 00400EF0 is the correct place to write the code? With a hex editor (UltraEdit, e.g.) you can see that the offset EF0 is empty; enter "I AM BON JOVY" there, run FGKey.exe with the Symbol Loader and search with s 0 l ffffffff "I AM BON JOVY"; you find it at 00400EF0. This place is not modified by the packing/unpacking in memory. Now make the changes at 0040B027 and press F10; at 00400EF0 press "a" and add the
    code:



    015F:00400EF0 8D05D4890010 LEA EAX,[100089D4]    ; this is the address in the DLL we want to patch
    015F:00400EF6 C60085       MOV BYTE PTR [EAX],85 ; this is the byte we want to patch
    015F:00400EF9 8D0500B04000 LEA EAX,[0040B000]    ; we set EAX back to its original value
    015F:00400EFF E929A10000   JMP 0040B02D          ; and we jump back to the unpacking code

    --------------------------------------------------------------------------------

    LET'S PATCH

    ---------------------------------------------------------------
    OFFSET   - Original File Bytes     --- Patched File Bytes
    ---------------------------------------------------------------
    00000EF0 - 00 00 00 00 00 00 00 00 --- 8D 05 D4 89 00 10 C6 00
    00000EF8 - 00 00 00 00 00 00 00 00 --- 85 8D 05 00 B0 40 00 E9
    00000F00 - 00 00 00 00 00 00 00 00 --- 29 A1 00 00 00 00 00 00
    00005828 - 85 17 05 00 00 8D 85 D1 --- 84 C3 5E FF FF 8D 85 D1
    COOL, we patched a packed program without unpacking it. In case we want to make a crack there are a lot of patcher producers; this will be useful in case we don't have SoftICE on the computer that is protected by Folder Guard.
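The table above is the whole tamper, read from the attacker's side. As an added example (not part of the original post or of the Flu[X] patcher), the Python below does the defender's inverse: given a known-good copy and a suspect copy of a file, it lists every run of differing bytes and classifies the offsets from the table as untouched, carrying the known patch, or something else. The binaries here are constructed in-memory stand-ins filled with the table's bytes at the stated offsets (the size constant is the 27136 the patcher checks); the function names are my own.

```python
# Added example: byte-level tamper detection for a file with a known patch table.
# Inputs are constructed in memory; nothing here reads or writes a real file.

ORIGINAL_SIZE = 27136  # FGKey.exe size as the post's patcher states it (FileSize dd 27136)

# Patch table transcribed from the post: offset -> (original bytes, patched bytes)
PATCH_TABLE = {
    0x0EF0: (bytes.fromhex("00 00 00 00 00 00 00 00"), bytes.fromhex("8D 05 D4 89 00 10 C6 00")),
    0x0EF8: (bytes.fromhex("00 00 00 00 00 00 00 00"), bytes.fromhex("85 8D 05 00 B0 40 00 E9")),
    0x0F00: (bytes.fromhex("00 00 00 00 00 00 00 00"), bytes.fromhex("29 A1 00 00 00 00 00 00")),
    0x5828: (bytes.fromhex("85 17 05 00 00 8D 85 D1"), bytes.fromhex("84 C3 5E FF FF 8D 85 D1")),
}


def build_sample(patched: bool) -> bytes:
    """Constructed stand-in for the executable: zero-filled to the stated size,
    with the table's original (or patched) bytes written at each offset."""
    buf = bytearray(ORIGINAL_SIZE)
    for off, (orig, new) in PATCH_TABLE.items():
        buf[off:off + len(orig)] = new if patched else orig
    return bytes(buf)


def diff_ranges(reference: bytes, suspect: bytes):
    """Return [(offset, reference_bytes, suspect_bytes)] for each contiguous run
    of differing bytes. A size mismatch is reported as one extra run starting at
    the shorter length, so truncation or appended data is never silently ignored."""
    runs = []
    n = min(len(reference), len(suspect))
    i = 0
    while i < n:
        if reference[i] == suspect[i]:
            i += 1
            continue
        j = i
        while j < n and reference[j] != suspect[j]:
            j += 1
        runs.append((i, reference[i:j], suspect[i:j]))
        i = j
    if len(reference) != len(suspect):
        runs.append((n, reference[n:], suspect[n:]))
    return runs


def check_known_patch(suspect: bytes) -> dict:
    """For each offset in the table, report 'original', 'patched' (matches the
    known crack bytes) or 'unknown' (matches neither, so a different change)."""
    verdict = {}
    for off, (orig, new) in PATCH_TABLE.items():
        chunk = suspect[off:off + len(orig)]
        if chunk == orig:
            verdict[off] = "original"
        elif chunk == new:
            verdict[off] = "patched"
        else:
            verdict[off] = "unknown"
    return verdict


def report(reference: bytes, suspect: bytes) -> str:
    """Human-readable summary: size check plus one line per differing run."""
    lines = []
    if len(suspect) != ORIGINAL_SIZE:
        lines.append(f"size {len(suspect)} != expected {ORIGINAL_SIZE}")
    for off, ref, sus in diff_ranges(reference, suspect):
        lines.append(f"{off:08X}: {ref.hex(' ')} -> {sus.hex(' ')}")
    return "\n".join(lines) or "no differences"


if __name__ == "__main__":
    good, bad = build_sample(False), build_sample(True)
    print(report(good, bad))
    for off, state in check_known_patch(bad).items():
        print(f"{off:08X}: {state}")
```

Run against a real pair of files, `diff_ranges` is the useful part: the runs it prints are what you would feed to a disassembler to see which instructions were altered, and `check_known_patch` turns a public patch table into a quick yes/no signature for that specific crack.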


    --------------------------------------------------------------------------------

    MAKING A CRACK

    Using the Flu[X] Byte Patcher Version 2.61 the following asm code is created. To compile do: tasm patch.asm ; tlink /t patch.obj

    file: patch.asm

    .model Tiny
    .code
    .386
    ORG 100h

    start:
    mov ah,9
    mov dx, offset WelcomeMessage
    int 21h
    mov ah, 4eh ;get fileinfo to memory
    mov cx, 10h
    mov dx, offset Filename
    int 21h
    mov ah, 2fh ;get address from above int 21 call
    int 21h
    mov eax, dword ptr es:[bx+1ah]
    cmp eax, [FileSize]
    jne FailTest
    mov ax, 3D02h ;open file
    mov dx, offset Filename
    int 21h ; return file handle to ax...
    mov bx,ax
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 500
    int 21h
    mov [newdata], 32
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 503
    int 21h
    mov [newdata], 224
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 3824
    int 21h
    mov [newdata], 141
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 3825
    int 21h
    mov [newdata], 5
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 3826
    int 21h
    mov [newdata], 212
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 3827
    int 21h
    mov [newdata], 137
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 3829
    int 21h
    mov [newdata], 16
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 3830
    int 21h
    mov [newdata], 198
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 3832
    int 21h
    mov [newdata], 133
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 3833
    int 21h
    mov [newdata], 141
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 3834
    int 21h
    mov [newdata], 5
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 3836
    int 21h
    mov [newdata], 176
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 3837
    int 21h
    mov [newdata], 64
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 3839
    int 21h
    mov [newdata], 233
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 3840
    int 21h
    mov [newdata], 41
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 3841
    int 21h
    mov [newdata], 161
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 22568
    int 21h
    mov [newdata], 132
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 22569
    int 21h
    mov [newdata], 195
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 22570
    int 21h
    mov [newdata], 94
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 22571
    int 21h
    mov [newdata], 255
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 4200h ;seek
    mov cx,0
    mov dx, 22572
    int 21h
    mov [newdata], 255
    mov ax,4000h
    mov cx,1
    mov dx,offset newdata
    int 21h
    mov ax, 3e00h ; close file
    int 21h
    mov ah,9 ;print
    mov dx, offset Success
    int 21h
    jmp PassTest
    FailTest:
    mov ah,9 ; print
    mov dx, offset FAIL
    int 21h
    PassTest:
    mov ax,4c00h ;exit
    int 21h
    newdata db 090h
    Filename db 'FGKEY.EXE',0
    FileSize dd 27136
    WelcomeMessage db '',0dh,0Ah
    db 'Program Name: Folder Guard 4.11 - PASSWORD CRACK ',0dh,0Ah
    db 'Company: WinAbility(R)',0dh,0Ah
    db 'Size: FGKey.exe 27.136 b',0dh,0Ah
    db 'Date: September 26 1999',0dh,0Ah
    db 'Cracker: cupofcoffe',0dh,0Ah
    db '',0dh,0Ah
    db 'Description: This file is cracking the FGKey.exe-FGuard32.dll',0dh,0Ah
    db ' So you can access files protected with ',0dh,0Ah
    db ' Folder Guard 4.11',0dh,0Ah
    db '$'
    Success db 'Patch Successful',0dh,0Ah,'$'
    FAIL db 'Patch Failed.. Wrong Version',0dh,0Ah,'$'
    Credits db 'FluX - PhrozenCrew98',0dh,0Ah,'$'
    end start

    Long
  2. nttranbao

    nttranbao New member

    Joined:
    07/02/2002
    Posts:
    7
    Likes received:
    0
    If you have time, email me the guide above and I'll translate it for you.
    email: nttranbao@yahoo.com
    nttranbao
  3. Trinh_Thanh_Long_new

    Trinh_Thanh_Long_new New member

    Joined:
    25/01/2002
    Posts:
    17
    Likes received:
    0
    Thank you very much for your help!
    Long
