PROUDLY PRESENTS

CD Menu Creator v2.0
http://www.drackontech.com

RELEASE TYPE : TXT FILE

Copyright (c) 2000 - MeTaL

[x] Program Name.....CD Menu Creator v2.0
[x] Protection.......Serial
[x] Required Tools...W32dasm, Hview, eXeScope (not required)
[x] Level............1

The Essay...
~~~~~~~~~~~~

Hello! Time for some patching; our target is CD Menu Creator v2.0.

First of all we should gather some information about the program. At startup something really annoyed me: the ugly bitmap picture. In the about box there is a place to enter a serial & name. I don't see any disabled function or the like. So what we know is:

1) The ugly bitmap.
2) Serial & Name

We may begin cracking! I think we start by removing the bitmap. Fire up W32dasm, load "CDMenuCreator.exe" and look at the "Imported Functions". What can cause the bitmap to show up? CreateBitmapA? LoadBitmapA?
I can only see LoadBitmapA in the Imported Functions, so we will go for that. Double-click on LoadBitmapA and you will be located here:

===========================START CODE==========================
* Reference To: MFC42.Ordinal:047A, Ord:047Ah
                                  |
:0040D1CC E8CF160000              Call 0040E8A0
:0040D1D1 50                      push eax

* Reference To: USER32.LoadBitmapA, Ord:0198h
                                  |
:0040D1D2 FF15B4164100            Call dword ptr [004116B4]   <----- you are here!
:0040D1D8 50                      push eax
:0040D1D9 8D4E40                  lea ecx, dword ptr [esi+40]

* Reference To: MFC42.Ordinal:0669, Ord:0669h
                                  |
:0040D1DC E8B9160000              Call 0040E89A
:0040D1E1 85C0                    test eax, eax
:0040D1E3 7507                    jne 0040D1EC
:0040D1E5 5E                      pop esi
:0040D1E6 83C418                  add esp, 00000018
:0040D1E9 C20400                  ret 0004
============================END CODE===========================

Scroll up a bit and you will see this:

* Referenced by a CALL at Address:
|:0040D111

Double-right-click on 0040D111 and you will be located here:

===========================START CODE==========================
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D0F9(U)
|
:0040D0FD 8B4C2414                mov ecx, dword ptr [esp+14]
:0040D101 C744240CFFFFFFFF        mov [esp+0C], FFFFFFFF
:0040D109 51                      push ecx
:0040D10A 8BC8                    mov ecx, eax
:0040D10C A314804100              mov dword ptr [00418014], eax
:0040D111 E8AA000000              call 0040D1C0   <----------------- you are here now!
:0040D116 85C0                    test eax, eax
:0040D118 7520                    jne 0040D13A    <----------------- interesting :)
:0040D11A 8B0D14804100            mov ecx, dword ptr [00418014]
:0040D120 85C9                    test ecx, ecx
:0040D122 7425                    je 0040D149
:0040D124 8B11                    mov edx, dword ptr [ecx]
:0040D126 6A01                    push 00000001
:0040D128 FF5204                  call [edx+04]
:0040D12B 8B4C2404                mov ecx, dword ptr [esp+04]
:0040D12F 64890D00000000          mov dword ptr fs:[00000000], ecx
:0040D136 83C410                  add esp, 00000010
:0040D139 C3                      ret
============================END CODE===========================

If you NOP the CALL 0040D1C0 at address 0040D111 the program will crash. DON'T DO THAT!
:) We may try to change the JNE 0040D13A at address 0040D118 instead. Open Hview and change:

JNE --> JE
75  --> 74

Save and exit, then try the program now. Ahh... no more ugly bitmap :)

OK, just one step left. Open the program and click About. Click the button "Enter Registration" and enter any name & serial. Damn... Invalid Registration.

Open W32dasm (I hope you didn't close it) and look for the error message we got in the "String Data References". Hmm... I found these:

Invalid Registration!
Invalid Registration.

But we didn't get the message with the exclamation mark? Well, never mind. Double-click on the string and you will see this:

===========================START CODE==========================
:004065D4 E847660000              call 0040CC20
:004065D9 C644243C03              mov [esp+3C], 03
:004065DE 8D4C241C                lea ecx, dword ptr [esp+1C]
:004065E2 EB4F                    jmp 00406633

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406595(C)   <-- here is our boy!
|
* Possible StringData Ref from Data Obj ->"Invalid Registration."
                                  |
:004065E4 68FC724100              push 004172FC
============================END CODE===========================

Right-double-click on 00406595 and you will see this code:

===========================START CODE==========================
* Reference To: DTCommon.?GetRegistration@RegCode@@QAE?AVCString@@AAV2@@Z, Ord:0031h
                                  |
:0040656D FF1524104100            Call dword ptr [00411024]
:00406573 8B00                    mov eax, dword ptr [eax]
:00406575 8B4C2414                mov ecx, dword ptr [esp+14]
:00406579 50                      push eax
:0040657A 51                      push ecx
:0040657B FFD5                    call ebp
:0040657D 83C408                  add esp, 00000008
:00406580 8D4C241C                lea ecx, dword ptr [esp+1C]
:00406584 85C0                    test eax, eax
:00406586 0F94C3                  sete bl         <-- hmmm

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:00406589 E8C47C0000              Call 0040E252
:0040658E 84DB                    test bl, bl
:00406590 5B                      pop ebx
:00406591 6A00                    push 00000000
:00406593 6A00                    push 00000000
:00406595 744D                    je 004065E4     <-- hmmm

* Possible StringData Ref from Data Obj ->"Registration accepted."
============================END CODE===========================

OK, to be registered we can do one of two things:

1. Change the SETE BL at address 00406586 to SETNE BL
2. Change the JE at address 00406595 to JNE

Either you change:

SETE BL --> SETNE BL
0F94C3  --> 0f95C3

or:

JE   --> JNE
744D --> 754D

I chose the first way, but it doesn't matter! Make the change in Hview and try to register. Yeah!!... we have registered successfully! Our name is in the about box too!

Now restart the program and you will be surprised! Hehe, a nag screen is telling us that our registration is invalid: "Invalid Registration!" This message is familiar :)

Once again, start W32dasm (you didn't close it, right?), look at the "String Data References" and look for "Invalid Registration!". Double-click on it and you will see this code:

===========================START CODE==========================
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CB09(C)   <-- our boy!
|
:0040CB12 6A00                    push 00000000
:0040CB14 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Invalid Registration!"
============================END CODE===========================

Scroll up a bit and you will see this:

===========================START CODE==========================
:0040CAFA 8D4DEC                  lea ecx, dword ptr [ebp-14]
:0040CAFD 85C0                    test eax, eax
:0040CAFF 0F94C3                  sete bl         <-- :)

* Reference To: MFC42.Ordinal:0320, Ord:0320h
                                  |
:0040CB02 E84B170000              Call 0040E252
:0040CB07 84DB                    test bl, bl
:0040CB09 7407                    je 0040CB12     <-- aha
:0040CB0B BE01000000              mov esi, 00000001
:0040CB10 EB10                    jmp 0040CB22
============================END CODE===========================

And once again, change:

JNE --> JE

or:

SETE BL --> SETNE BL

Run the program and see if it works. YES!!... We are registered!

The button "Enter Registration" is still in the about box. If you wanna remove that, just read on; otherwise stop reading, because this is not necessary.
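Seen from the developer's or incident responder's side, everything above hinges on a single byte in the code section (74 -> 75, or 0F94 -> 0F95). The script below is an added example, not part of this tutorial and not code from CD Menu Creator or its vendor: it parses a PE header, hashes the section that holds the entry point, compares the result against a baseline recorded at build time, and lists exactly which bytes differ between a known-good image and a suspect one. The PE image it checks is constructed in memory by `build_minimal_pe` (a hypothetical helper, not a loadable program), and the instruction bytes in `CODE` are hand-assembled to mirror the shape of the listings above, so nothing real is read from disk.

```python
"""Code-section integrity check for a PE image (added example).

Detects the kind of one-byte patch a conditional-jump flip leaves behind
by hashing the section containing the entry point and comparing it with a
baseline. The image and the code bytes are constructed here for offline use.
"""
import hashlib
import hmac
import struct

# Constructed stand-in for a registration check (x86, 32-bit):
# test eax,eax / sete bl / test bl,bl / je +7 / mov esi,1 / jmp +0x10 / ret
CODE = bytes.fromhex("85C0" "0F94C3" "84DB" "7407" "BE01000000" "EB10" "C3")
CODE_RVA = 0x1000          # virtual address of the constructed .text section
CODE_FILE_OFFSET = 0x200   # file offset of the constructed .text section


def build_minimal_pe(code: bytes) -> bytes:
    """Wrap `code` in a minimal PE32 image: DOS stub, NT headers, one .text
    section. Only the fields the parser below reads are meaningful; the
    image is a constructed test fixture, not a loadable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    sig = b"PE\0\0"
    # COFF header: Machine (i386), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<I", opt, 16, CODE_RVA)    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 20, CODE_RVA)    # BaseOfCode
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, reloc/lineno pointers and counts, Characteristics
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), CODE_RVA,
                       len(code), CODE_FILE_OFFSET, 0, 0, 0, 0, 0x60000020)
    headers = dos + sig + coff + bytes(opt) + sect
    if len(headers) > CODE_FILE_OFFSET:
        raise ValueError("headers overlap the code section")
    return headers.ljust(CODE_FILE_OFFSET, b"\0") + code


def _entry_section(image: bytes):
    """Return (PointerToRawData, SizeOfRawData) of the section that contains
    the entry point. Raises ValueError when the image is not a PE."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24
    entry, = struct.unpack_from("<I", image, opt + 16)
    table = opt + opt_size
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, table + 40 * i + 8)
        if va <= entry < va + max(vsize, rawsize):
            return rawptr, rawsize
    raise ValueError("entry point is outside every section")


def code_section_digest(image: bytes) -> str:
    """SHA-256 of the raw bytes of the entry-point section. Record this at
    build time (outside the section itself) and compare later."""
    rawptr, rawsize = _entry_section(image)
    return hashlib.sha256(image[rawptr:rawptr + rawsize]).hexdigest()


def verify_code_section(image: bytes, expected_digest: str) -> bool:
    """True when the code section is byte-for-byte what was shipped."""
    return hmac.compare_digest(code_section_digest(image), expected_digest)


def locate_changed_bytes(pristine: bytes, candidate: bytes):
    """Forensic helper: (file_offset, original, current) for every byte of
    the code section that differs between a known-good and a suspect image."""
    rawptr, rawsize = _entry_section(pristine)
    if len(candidate) < rawptr + rawsize:
        raise ValueError("candidate image is truncated")
    return [(off, pristine[off], candidate[off])
            for off in range(rawptr, rawptr + rawsize)
            if pristine[off] != candidate[off]]


if __name__ == "__main__":
    shipped = build_minimal_pe(CODE)
    baseline = code_section_digest(shipped)
    tampered = bytearray(shipped)
    tampered[CODE_FILE_OFFSET + 7] ^= 0x01   # the je/jne byte of the constructed check
    print("pristine verifies:", verify_code_section(shipped, baseline))
    print("tampered verifies:", verify_code_section(bytes(tampered), baseline))
    for off, old, new in locate_changed_bytes(shipped, bytes(tampered)):
        print(f"offset 0x{off:x}: {old:02x} -> {new:02x}")
```

Two caveats apply in practice: a self-check that lives inside the section it verifies can be patched along with the check, so the baseline digest is better enforced from outside the binary (an Authenticode signature, or a separate verified loader), and hashing only the entry-point section leaves resources and data sections uncovered, so a production check should hash every section that holds code.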
Open eXeScope and load "CDMenuCreator.exe". Scroll to:

Resource\Dialog\100

Here you will find the stuff that is in the about box, like buttons, text etc. Do you see:

PushButton: Enter Registration

Highlight this and untick "Visible". Save, update and exit. Start the program and check the about box. No button... good!

Where is our registration information stored then? Well, I'm not gonna tell you how to find out where it's stored, because it doesn't matter that much anyway. Search for a file called "cmcfile.dll"; it should be in your C:\Windows\System\. Open it and you will see the name and serial that you registered the program with!

See ya!
MeTaL

Greetings go to...
~~~~~~~~~~~~~~~~~~~~
Bluesman
C_DKnight
MagicMike
Mantana
Maria
SHeeP
Stimpy
The eMINENCE Team

---------------- END OF TUTORIAL ----------------
