HOW TO CRACK API SPY Version 2.4
by ®ErAzEr®

ApiSpy 2.4 can be downloaded at www.crackstore.com

After the installation and starting the program you can see a window with the text UNREGISTERED. Then a stupid RegistrationInfo MSGBOX pops up and you are in the program. In the title of the program you can see UNREGISTERED, and if you click on ABOUT you can see it too.

Now I will describe the way I cracked the prog. But the first step isn't required.

1. You are in the prog and now you have to click on Register. Then we give the program any name and code and press OK. OHHH, a window pops up with the text: "The Registration Information you provided is incorrect....."

After doing this we start W32DSM (look at crackstore) and begin searching for a string looking like the MSG, but we can't find it!!! The program is packed/crypted and can only be found unpacked/decrypted in your RAM after starting it. What to do now... Let's take a program called WIN32INTRO (crackstore.com or protools.cjb.net). After starting WIN32INTRO you have to open Apis32.exe (APISPY) and click on DUMP. When W32INTRO is finished, quit it and copy/rename the file Dumped.exe (it can be found in the directory of W32INTRO; it's the unpacked APISPY) into the dir of APISPY (renaming is not necessary). Now open the unpacked file with W32DSM and search for the string "The Registration ...". You will land here:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401774(U)
|
:00401777 0AC0          or al, al
:00401779 7402          je 0040177D     //Here the prog shouldn't jump or it will continue at 40177D
:0040177B EB2C          jmp 004017A9    //the prog should jump here, then everything is ok :)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401779(C)
|
* Possible StringData Ref from Data Obj ->"The registration information you "
                                        ->"provided is incorrect. Please"
|
:0040177D BFE8904000    mov edi, 004090E8    //Here edi gets filled with the string
:00401782 BAE0D14000    mov edx, 0040D1E0
:00401787 83C9FF        or ecx, FFFFFFFF
:0040178A 33C0          xor eax, eax
:0040178C F2            repnz

So I think that we have to jump over this part. Above this text there are 2 jumps which seem to be interesting. So we want to jump to 4017A9 in every case. We start Hview:
- open the file
- click on MODE or press F4 and change to Decode
- then click on GOTO (or press F5) and put in the address of the first jump (.401779, the DOT is important)
- then click on EDIT (or press F3), move your cursor over 7402 (the hex code for JE 0040177D) and replace it by 9090 (the hex code for NOP = NO OPERATION = DO NOTHING)

If you start APISPY now you can enter every registration code you want; you are always registered. But if you restart APISPY you are unregistered again, because it checks your registration code in the Registry. So we search for the UNREGISTERED string again. You should find it 4 times.
Here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015D1(U)
|
:004015D4 0AC0          or al, al
:004015D6 7402          je 004015DA     //This should be replaced by 2 NOPs
:004015D8 EB35          jmp 0040160F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015D6(C)
|
* Possible StringData Ref from Data Obj ->"UNREGISTERED"
|
:004015DA BFC8904000    mov edi, 004090C8
:004015DF BAE0D14000    mov edx, 0040D1E0
:004015E4 83C9FF        or ecx, FFFFFFFF

So you have to start Hview and overwrite 7402 with 9090 at 004015D6 (don't forget the DOT).

2. Here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401D1F(U)
|
:00401D22 0AC0          or al, al
:00401D24 7402          je 00401D28     //This has to be NOPed out too
:00401D26 EB09          jmp 00401D31

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401D24(C)
|
* Possible StringData Ref from Data Obj ->"UNREGISTERED"
|
:00401D28 C745D0C8904000 mov [ebp-30], 004090C8
:00401D2F EB61          jmp 00401D92

The JE 00401D28 at 00401D24 has to be replaced by 9090.

3. Here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401F3E(U)
|
:00401F41 0AC0          or al, al
:00401F43 7402          je 00401F47     //the same procedure again
:00401F45 EB35          jmp 00401F7C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401F43(C)
|
* Possible StringData Ref from Data Obj ->"UNREGISTERED"
|
:00401F47 BFC8904000    mov edi, 004090C8
:00401F4C BAE0D14000    mov edx, 0040D1E0
:00401F51 83C9FF        or ecx, FFFFFFFF
:00401F54 33C0          xor eax, eax
:00401F56 F2            repnz

You have to replace 7402 by 9090 again. If you start APISPY now, there is only a Registration Info: "This Copy of APIS32 is unregistered". Search in W32DSM for "This copy..":
Voila:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004025F0(U)
|
:004025F3 0AC0          or al, al
:004025F5 7402          je 004025F9     //That is the enemy *g*
:004025F7 EB70          jmp 00402669

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004025F5(C)
|
* Possible StringData Ref from Data Obj ->"This copy of APIS32 is"
|
:004025F9 BF08924000    mov edi, 00409208
:004025FE BAE0D14000    mov edx, 0040D1E0
:00402603 83C9FF        or ecx, FFFFFFFF
:00402606 33C0          xor eax, eax

Start Hview and replace the JE 004025F9 at address 4025F5 by 2 NOPs (9090). And you cracked it! And don't forget: press F9 to Save/Update in Hview :)

Hview can be downloaded at www.crackstore.com too.

®ErAzEr®

greetz Darth Sidious

For questions please mail to ErAzEr@gmx.at
Greetings go out to all other crackers and to all newbies like me tryin' to learn to crack.

Translated by tHe_rÈbEll... if you find mistakes please mail the_rebell_alz@gmx.de THX
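From the defending side, every patch in this tutorial is the same two-byte change (a `74 02` JE turned into `90 90`) inside the code section, which is exactly what a self-integrity check over `.text` catches. The following is an added example, not code from the tutorial or from ApiSpy: it walks the PE section table with only the standard library, hashes `.text` with SHA-256 and compares it against a baseline recorded at build time; the PE image and the `or al,al / je / jmp` bytes in it are constructed for the test.

```python
import hashlib
import struct

# Minimal PE section-table walker (standard library only). Offsets follow the
# PE/COFF layout: e_lfanew at 0x3C, "PE\0\0", a 20-byte COFF header, an optional
# header of SizeOfOptionalHeader bytes, then 40-byte IMAGE_SECTION_HEADER entries.
def code_section_bytes(image: bytes) -> bytes:
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]   # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        if name.rstrip(b"\0") == b".text":
            return image[raw_ptr:raw_ptr + raw_size]
    raise ValueError("no .text section")

def code_digest(image: bytes) -> str:
    return hashlib.sha256(code_section_bytes(image)).hexdigest()

def is_tampered(image: bytes, baseline: str) -> bool:
    # A vendor would embed `baseline` (or sign it) at build time and refuse to
    # run, or flag the copy, when the shipped code no longer matches it.
    return code_digest(image) != baseline

# Constructed toy PE (not APISPY): one .text section, no optional header, holding
# the same "or al,al / je +2 / jmp +0x2C" check sequence the tutorial patches.
def build_image(text: bytes) -> bytes:
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # i386, 1 section
    raw_ptr = 64 + 4 + 20 + 40                                # data follows the headers
    hdr = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text),
                      raw_ptr, 0, 0, 0, 0, 0x60000020)        # code | exec | read
    return bytes(dos) + b"PE\0\0" + coff + hdr + text

ORIGINAL = build_image(bytes.fromhex("0AC0" "7402" "EB2C"))
TAMPERED = build_image(bytes.fromhex("0AC0" "9090" "EB2C"))  # JE replaced by two NOPs
BASELINE = code_digest(ORIGINAL)  # what the build pipeline would record

if __name__ == "__main__":
    print("original tampered?", is_tampered(ORIGINAL, BASELINE))   # False
    print("patched  tampered?", is_tampered(TAMPERED, BASELINE))   # True
```

The check only helps if the baseline itself cannot be edited as easily as the jump, so in practice it is signed or verified against a value held outside the patched file.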