Xzan_Cah_Depza

Everyone encounters the UPC nowadays. You know, it’s that set of black bars
you see on virtually every product whenever you go to the grocery store, to
buy a book or a magazine, or even to buy software (assuming that you do,
indeed, BUY your software). Have you ever though of what fun you could have
by altering that little set of black bars? If you were lucky enough, you might
be able to slip a box of industrial size laundry detergent by that dizzy 16-
year-old girl at the Safeway and have the computer charge you the price of a
pack of Juicy Fruit, or some other such mischief. Well, to help you in your
explorations of How To Screw Over Others In This Grand Old Computerized World
of Ours, I proudly present HOW TO CRACK TO UPC CODE. Use the information
contained herein as you will. You will need the file UPC.PIC, hopefully
available from the same place you found this file. And so, let’s begin:
When the lady at the corner market runs the package over the scanner (or
whatever it is they do in your area), the computerized cash register reads
the UPC code as a string of binary digits. First it finds the “frame bars” – a
sequence of “101″ (see A on picture). There are three sets of frame bars on
any given code…one on either side, and one in the center. These do nothing
but set off the rest of the data, and are the same on any UPC code. Next is
the “number system character” digit, which is encoded in leftside code (see
later). This digit tells the computer what type of merchandise is being
purchased. The digits and their meanings are:
0 – Ordinary grocery items. Bread, magazines, soup, etc.
2 – Variable-weight items. Meats, fruits & veggies, etc.
3 – Health items. Aspirin, bandaids, tampons, etc.
5 – Cents-off coupon. (Not sure how this works).
The next cluster of digits is the manufacturer number, again stored in leftside
code. THere are five digits here all the time. Some numbers include 51000 for
Campbell’s Soup, 14024 for Ziff-Davis publishing (Creative Computing, A…),
and 51051 for Infocom. The next five digits (after the frame bars) are the
product/size id number. The number for “The Hitchhiker’s Guide to the Galaxy”
from Infocom is 01191. These digits are stored in rightside code. Finally
there is the checksum, in rightside, which will be discussed later.
Now, why are there two types of codes, leftside and rightside? That’s so
the person at the checkout counter can slide the thing by the scanner any way
she pleases. By having different codings for either side the computer can
tell the right value no matter how the digits are read in. Here are the
codes for the digits 0 through 9:
Digit Leftside code Rightside code
0 0001101 1110010
1 0011001 1100110
2 0010011 1101100
3 0111101 1000010
4 0100011 1011100
5 0110001 1001110
6 0101111 1010000
7 0111011 1000100
8 0110111 1001000
9 0001011 1110100
The more observant among you may have noticed that Rightside code is nothing
more than logical-NOTed Leftside code, i.e., a 0 in Leftside is a 1 in Rightside,
and vice versa. Later on we will discuss another type called Reversed
Rightside, in which the binary values in Rightside are reversed, meaning that
1110100 (9) in Rightside would be 0010111 in Reversed Rightside. RR is used
only when there is an extra set of codes off to the right of the main code
bars, as with books and magazines.
Now we see the hard part: how the checksum digit is encoded. Let’s try working
out the checksum for “Hitchhiker’s Guide”.
First, notice the Number System Character. Software is considered a Grocery
Item by UPC, so the NSC is 0 (zero). Next, Infocom’s Manufacturer’s Number
is 51051, and the game’s id number is 01191. Good enough. Set together,
these numbers look like this:
0 51051 01191
Now, take the digits of the code and write them on alternate lines, odd on one
line, even below, giving this:
0 1 5 0 1 1
5 0 1 1 9
Now add each set of numbers:
0+1+5+0+1+1 = 8
5+0+1+1+9 = 16
Multiply the first number (the ones created by adding the first, third, etc
digits) by three:
8×3 = 24
And add that to the result of the other number (second, fourth, etc digits
added together):
24+16=40
Subtract this from the next higher or equal multiple of 10 (40 in this case)
40-40=0
And the remainder, here 0 (zero), is the checksum digit.
Now, what if there’s a set of other bars off to the side? These are encoded
in another format which uses Reversed Rightside (as described above) instead
of standard Rightside. For books, the sequence is as follows:
Five digits
Starts with 1011
If (first digit is even) then
sequence is L-RR-L-L-RR
else
sequence is RR-L-L-RR-L
each digit is separated with 01
Therefore, the sequence for 29656 is:
1011 0010011 01 0010111 01 0101111 01 0110001 01 0000101
2L 9RR 6L 5L 6RR
and the sequence for 14032 is:
1011 0110011 01 0100011 01 0001101 01 0100001 01 0010011
1RR 4L 0L 3RR 2L
Naturally, all these bars are run together. There is no checksum.
For magazines, the sequence is even more complex. There are two digits
in each bar, and the numbers usually run from 1-12, signifying the month.
The first digits are encoded thusly:
L if the digit is 1,4,5,8 or 9 and
RR if the digit is 2,3,6,7 or 0.
The second digit is coded in L if it is even, and RR if it is odd. Therefore,
06 codes as:
1011 0100111 01 0101111
and 11 codes as:
1011 0110011 01 0110011
No checksum here, either, and the fields are again separated by 01.
Well, that about does it for this explanation of how to crack the UPC codes.
Use this information as you will, and forward any question to THE SPACE BAR,
xxx-xxx-xxxx, pw:BANZAI. Enjoy!

WEEK 1: WINX-FILES v2.8
NOTE: THIS HAS BEEN COVERED IN A PREVIOUS TUTORIAL. I DIDN’T REALISE UNTIL
WRITING THIS ONE. THIS IS ANOTHER WAY, SOMEWHAT EASIER WAY OF CRACKING IT.
(REF: PC’98 Tutorial
You can download this program from the following address :
http://www.pepsoft.com/wxf32_28.zip
————————————————————————————————————————-
INTRO
In this lesson, we are going to crack this program so you can enter any name and any code to go
with it.
————————————————————————————————————————-
Step By Step
1) Win X-Files , the protection.
Load up Win X-Files (WXF) and notice that the product has *UNREGISTERED* all over it.
Click on the button marked.. ‘Click here to register’
You will be presented with this screen.
Enter a name like :- MR NICK
Enter a key like :- 999999999
You will then get a message saying :-
No Problemo…..
2) Cracking WXF.
Load up WXF into W32Dasm 8.x.
Once this has loaded click on on the toolbar.
This will bring up the following box.
As you can see, if you scroll down the box that popped up for us when we entered the wrong
code, is actually here. What a piece of luck.
Double click on this string and the following will be shown on your screen.
Know this is where I don’t really know what is going on.. But I know enough to understand what is
happening. The line that is highlighted is the box that is called when we enter the wrong code.
Above that, the three lines, is I think, what is happening when we type in the wrong code.
The thing to look for is what called this code. What part of the program actually said “Let’s show a
dialog box saying ‘Invalid Registration Code etc…..”
We trace up to the nearest reference, which is the line that reads.
“This is what we are after”
That is where the call came from for the invalid box to be shown. So we trace upto that line and
we are presented with the following.
The bit highlighted in green is the code that we want.
At the moment, it is going to the invalid code if something is not equal. You can ignore all of the
above for this tutorial, and this crack. This is the first point of call. You try out this first, if it doesn’t
work then you try something else, find out what it does to call that invalid box etc.
So, all we have to do is change the jne to a je …what this will do is if you enter the wrong code, it
will carry on and run the code for the correct code. If you enter the correct code, it will tell you it is
wrong.
This is the most important bit. At the bottom of the screen is a line with the corresponding
postition in hexedecimal.
OK, so the one that we are after is the Offset…. not the Code Data. In my case the number is
00081DC8 (ignore the h at the end, that shows that it is hexidecimal.)
3) Editing the Value, and trying again.
Exit W32DASM. and run HEXEDIT/PSEDIT.
Scroll down to the point where the above code corresponds. i.e. 00081DC8 in my case. You will
see the code that was in W32Dasm. You will see 75 4E.
Change the 75 to a 74.
Exit and save.
4) Running the program, and seeing if it all has worked.
As before goto the registration and enter all the details, as you did before..
Here we go………. are you ready……………
Click on O.K.
BINGO
You did it.. the program is now registered.
BUT
I have come across programs, that do this, but once you load it up again, it needs you to register.
This is becuase you are just stopping the box from coming up. This program will actually place all
your details into the registry office, so it saves it.
You now have a free copy of Win X- Files. Please though pay for the product, as it is good, and
this is only for educational purposes.
————————————————————————————————————————-
Week 2 : How to make a Patcher for this product
Week 3 : How to crack Nuts and Bolts ‘97
Week 4 : Don’t know……

Chapters:
1). About, Programs needed … etc.
2). The easy protection.
3). Finding the right file – and the right error.
4). Finding the right line number.
5). Editing the line.
6). Testing.
7). Quick order list.

Chapter I: About, Programs needed … etc.
It is the
second part of my first tutorial: RiPPing
Tutorial, that explains all about RiPPing except how to crack the CD
protections… so here is the other part – how to finish the RiPPing by cracking
the protection. This will help you w/ the most basic system of protection,
called C- dilla, that is the most usual one…
The programs we will use are 2: first, and decompiler – the files we will
work with are in ExE format, and we need a program that will HeX them (transfer
to 16 base, hexa, form) and locate the orders given in the code, then we will
find the line we need and change it to remove the protection with… – the
second program: we need a program that will *edit* the files, and fetch the
right line number we got using the first program… all those action are easly
done w/ the programs: Win32Dasm (the disassembler – decompiler program, added in
the dir [root/Win32Dasm]), and Hiew (the editing program added in the dir
[root/Hiew]). The programs are added to the tutorial, because I’m not so sure
you can find then on a stable location on the net, in the dir [root/programs].
Chapter II: The easy protection.
Okay! To save you from reading this entire tutorial for nothing you’re not going
to use I made this chapter, because there is a good chance you won’t be needing
it! Some games comes w/ protection as a files in the [/Setup] dir (or root
dir) called: [00000001.TMP], [CLCD16.DLL], [CLCD32.DLL] and most important
[CLOKSPL.EXE]… if you see any of them delete it and the protection should
disappear (Important! delete them after making a mirror of the game on your HD,
using the info in the next chapter) … if you are still getting an error message
just keep on reading.
Chapter III: Finding the right file – and the right error.
The files we are going to work w/ will be the main ExE of the game: you will
find it on the CD, in a dir called [/Setup] or [/data], but the easy way to find
it is just installing the game, and the ExE that starts the game – will be the
ExE we need! … once you’ve got it make some room on your HD, because we are
going to copy the hole CD to it… before you do that: some games have am option,
when Installing, to Install the full game to the CD (but still needing it to
play), use it if possible, The files you need to copy are all the game files,
in some games it is the root dir of the CD, in others it is the [root/data] dir…
the worst case is when the game is inside a CAB file, then you have to use a CAB
extractor (WinZip 8 should do the job), and if it is protected a different
program that can compile CAB format (I’ll try to put it on the tutorial as
well). Once you’ve done all that – press the ExE, and if the game opens close it
and exit the CD, then press again- you will get an error window! … usually the
line goes like: “Error, please enter CD to run game” or “CD error” or “Error
reading CD-ROM” .. what ever error you get – write it down and remember it, we
are about to look for it in the ExE code, and change it!
Chapter IV: Finding the right line number.
Open the first program – Win32Dasm, by unzipping it and clicking on
[/w32dsm89.exe], now we have to load the file we know is the main ExE of the
game, so click on “Disassembler“ in the main menu, then “Open File to
Disassemble…” (Important! Make sure you got 50-100MB free on your HD) before
then pick the file from the clone game dir you made in your HD (Important! make
a backup of the ExE) … after you’ve success fully w8ed while the program
disassembled the file, you will see *a lot * of gibberish… don’t worry! You
don’t have to understand what is says (I don’t, and I’m not so sure ne1 does…
except the programs of course) … (Important! If you can’t read and the font
shows only numbers and bizarre letters, click on “Disassembler” in main menu,
then “Font…” then “select Font” then pick Arial or something in English) … now
you have to find the exact line number out of the 2 million in the file that has
the error message in it, do that by clicking the “String Data references”
button, from the buttons menu (under the main menu) – the second one from the
right (-your right)… now you get a list of all the lines in the ExE that refers
to actions, and you have narrowed the lines from 2 million – to 2 thousand… to
find the error message click the first letter it started w/ (for example, if the
message was “Error reading CD-ROM” click E) then search ‘till you find the
error line you are looking for! … once you’ve found it… it will mark the title,
pick the first line, and it should change color to green (that means the line
can be edited and is important)… to be sure you have taken the right line: if
there is a line like:
“:0044XBCK EB08 ….. (lots of spaces) …. Jmp 0044EBD8” or:
“:0044XBCK EB08 ….. (lots of spaces) …. Call 0044EBD8” or:
“:0044XBCK EB08 ….. (lots of spaces) …. Push 0044EBD8”
you at the right line, it says the command is a function, effected by the user,
and probably the protection we are looking for (notice the words: Jmp = Jamp,
Call = Call, Push = Push)… now that we got the right line we have to find her
number! That is done by looking at the bottom of the program window and in the
line, that should look similar to this one:
“Line:*** Pg *** of *** Code Data @:0045821 @Offset 00045821h in file:***.exe“
notic the number that comes after the word „Offet“ in this line: 00045821h that
is the line number! But notice the letter „h“ at the end of it – you don’t need
it, and don’t forget to remove it from the number, now – the only thing left to
do is changing the line and removing the protection!
Chapter V: Editing the line.
After writing down the line number you can minimize Win32Dasm, because for now
we have finished using it. Open the second program: Hiew (added in the
tutorial), this is an editor that will work bad for searching the right line,
but will do if you know the line number and just wanna change it…
Open again the same game ExE you have processed in Win32Dasm. When you enter you
see a lot of gibberish, that’s the code, and you need to change it to the
decoded language… do that by pressing the F4 key and then pick the option
“Decode“ .. heh! Alot better now… now click F5 key, to search the right line,
you will see the line numbers at the left end of the screen is gray, enter the
line number you got from Win32Dasm and it will jump you to the right loction in
the file… now, this is the difficult part, not hard to do – but hard to
explain, near the line number (just at the right) you will see the command in
HeX form, it should be something like BC1BB3D2D1 that is in HeX code (base 16)
which means a number (=byte) is represented by 2 letters/number, so that the
group (BC1BB3D2D1) is made of 5 bytes: BC – 1B – B3 – D2 – D1 … (10 numbers =
5 bytes, 8 numbers = 4 bytes and so on…), we are about to change evrey byte
from D1 or BC to 90 this is done by pressing the key F3 (activates Editing
option) and pressing, for every byte, the number 90 (90 is the noop number, that
will disable the action)… and in our case, the command will change from
BC1BB3D2D1 to 9090909090 … once it is done click the key F10 to save the
offset, and exit.
Chapter VI: Testing.
Now that you have an ExE w/out the error line, activate it from the same clone
dir of the game you made to test it, if its working – congratulation! You have
just cracked a CD protection! … if you are getting another error message redo
the same steps you have do w/ the first error message (in chapters 3-5) to
change it as well (Important! Do it on the same ExE you have edited, and backup
this one as well) and then test it again. You might be needed to do it several
number of times, until you are getting no error message and the game runs!
Chapter VII: Quick order list.
- Start without Cd then look at the error message and write it down.
- Search the msg in Win32Dasm referance and copy nmber w/out the H at the end!.
- Open Hiew, F4 to Decode, F5 to seach the line, and change the command – 90 for
every 1 byte.
- F10 to save and then get out, don’t forget to test!
Good luck CraCKing!