SERIAL NUMBER IS FISHY - DECLINE YOUR PATCH'ITCH'ING.

GIF Movie Gear v3.0x
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate Copyrights and/or its law, but is for educational purposes only. I hold no responsibility ( by all means and in any shape whatsoever ) for the mis-use of this material.

ABOUT THE PROGRAM

GIF Movie Gear is a tool for building GIF animations. A GIF animation is nothing more than an ordered list of separate GIF images, much like a slide show, with instructions on how long to delay between images. The original GIF 89a specification was extended by adding the ability to loop, paving the way for animation on the World Wide Web that is simple to build and quick to download. The end result is what looks like a plain old GIF file (i.e. "filename.gif") but actually contains a small animation. An animation is inserted into an HTML page using an <IMG> tag, just like a "normal" GIF.

WHERE TO DOWNLOAD

Author    : GAMANI Production
Copyright : GAMANI Production
Homepage  : http://www.gamani.com
URL       : http://www.moviegear.com
Size      : KB as of ,2000

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

1. Run MOVEGEAR.EXE, click the HELP/REGISTER submenu, and in the registration dialog box type the information below :

   Name : Pirates Order
   Code : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [ CTRL + D ], and set a breakpoint as follows :

   bpx HMEMCPY [enter]

   Press X or F5 to return to the main program.

3. Now it's time to click the OK button... you'll return back into SoftIce!
   Within SoftIce press F11, F5, F11 once, then press F12 several times until you see the snippet of code below :

   ______________________________________________________________
   015F:00431865  FFD3            CALL EBX                 <== break here
   015F:00431867  8D8424C4000000  LEA EAX,[ESP+000000C4]
   015F:0043186E  8D4C2460        LEA ECX,[ESP+60]         ==> d eax
   015F:00431872  50              PUSH EAX
   015F:00431873  51              PUSH ECX
   015F:00431874  E8F7FBFFFF      CALL 00431470
   ____________________ MOVGEAR!.text+00030864 ___________________
   Break due to BPX #015F:00431865

   Press F10 2 times - stop at 015F:00404CE5 - and display the EAX register :

   : d eax [enter]   ==> at virtual address 0167:006BF4A8 did you see your fake code ?

   Create a new breakpoint where the fake code appears :

   : bpr 0167:006BF4A8 0167:006BF4A8+10 rw [enter]
   : X or F5 to let SoftIce break at the new location

4. If nothing goes wrong you'll break at the location you instructed; verify the snippet of code below :

   015F:00431478  807D006D      CMP BYTE PTR [EBP+00],6D
   015F:0043147C  0F85A0000000  JNZ 00431522              (JUMP) !!!! break HERE
   015F:00431482  807D0167      CMP BYTE PTR [EBP+01],67
   015F:00431486  0F8596000000  JNZ 00431522
   015F:0043148C  807D0233      CMP BYTE PTR [EBP+02],33
   015F:00431490  0F858C000000  JNZ 00431522
   015F:00431496  807D0337      CMP BYTE PTR [EBP+03],37
   015F:0043149A  0F8582000000  JNZ 00431522
   015F:004314A0  BBBCE44400    MOV EBX,0044E4BC
   015F:004314A5  8B13          MOV EDX,[EBX]
   015F:004314A7  83C9FF        OR ECX,-01                ==> d edx
   015F:004314AA  8BFA          MOV EDI,EDX
   015F:004314AC  33C0          XOR EAX,EAX
   015F:004314AE  F2AE          REPNZ SCASB
   015F:004314B0  F7D1          NOT ECX
   015F:004314B2  49            DEC ECX
   015F:004314B3  8BFA          MOV EDI,EDX
   015F:004314B5  8BF5          MOV ESI,EBP
   015F:004314B7  33C0          XOR EAX,EAX
   015F:004314B9  F3A6          REPZ CMPSB
   015F:004314BB  7465          JZ 00431522
   015F:004314BD  83C304        ADD EBX,04
   015F:004314C0  81FBC0E44400  CMP EBX,0044E4C0
   015F:004314C6  7CDD          JL 004314A5
   015F:004314C8  807D0473      CMP BYTE PTR [EBP+04],73  !!!!
   015F:004314CC  7501          JNZ 004314CF
   015F:004314CE  45            INC EBP
   015F:004314CF  83C507        ADD EBP,07
   015F:004314D2  55            PUSH EBP
   015F:004314D3  E8A4DD0000    CALL 0043F27C
   015F:004314D8  8B542418      MOV EDX,[ESP+18]          !!!
   015F:004314DC  83C404        ADD ESP,04
   015F:004314DF  8BFA          MOV EDI,EDX
   015F:004314E1  33C9          XOR ECX,ECX
   015F:004314E3  8A12          MOV DL,[EDX]
   015F:004314E5  BEDF0B0000    MOV ESI,00000BDF
   015F:004314EA  84D2          TEST DL,DL
   015F:004314EC  7426          JZ 00431514
   _____________________ MOVGEAR!.text+00030478 ______________________
   Break due to BPMB #0167:006BF4A8 RW DR3

   You break at 015F:0043147C exactly, but, hold a minute, don't you get a strange break at a JNZ instruction ? Look at the lines above and below ... byte compares. Let's check out what the hell those are :

   :? 6D [enter]
   0000006D  0000000109  "m"
   :? 67 [enter]
   00000067  0000000103  "g"
   :? 33 [enter]
   00000033  0000000051  "3"
   :? 37 [enter]
   00000037  0000000055  "7"

   I just guess that if our fake code does not contain or start with " mg37 " then we will be thrown away to 015F:00431522 ... ouch, too bad. Let's disable your breakpoint, and change your fake code 73881050 into mg37105088. Enable your breakpoints again, and you're back again at 015F:0043147C .... yeah, this time you didn't see the JUMP indicator at this memory location .... right ?

5. Press F10 - stop at 015F:004314A7 - display the EDX register :

   : d edx or d ebx [enter]   ==> at virtual address 0167:0044E4C0 did you see mvg21951736 ?

   Press F10 - stop at 015F:004314C8 - do the following :

   : d EBP+04 [enter]   ==> did you see 105088 at 0167:006BF4AC ??
   : ? 73
   00000073  0000000115  "s"   ==> shouldn't you add an 's' between mg37 and 105088 ???

   Let's modify your fake code into mg37s105088, and see what happens after you pass the JNZ instruction at 015F:004314CC. Without "s" you'll be thrown away to 015F:004314CF.

6. Here's what you get upon re-tracing : with your new fake code nothing happens at 015F:004314CC ( see that there is NO JUMP indicator ). Now you're free to trace into the next lines of the snippet.
   Starting from 015F:004314D8, display the ECX register; you'll see 088 in the Data Window - it's at virtual address 006BF4B0. Scroll up one line; those are the last 3 digits of your new fake code. Like what we found at step #5, this 088 should be replaced with something, and then our reg code will be accepted. Press F10 again and stop at 015F:0043150C.

7. Below are the relevant snippets of code that I've traced :

   015F:0043150C  8A5701  MOV DL,[EDI+01]   <== stop here
   015F:0043150F  47      INC EDI
   015F:00431510  84D2    TEST DL,DL
   015F:00431512  75DA    JNZ 004314EE      ==> ? edx
   015F:00431514  3BF0    CMP ESI,EAX
   015F:00431516  750A    JNZ 00431522
   ...
   015F:00431522  5F      POP EDI
   015F:00431523  5E      POP ESI
   015F:00431524  5D      POP EBP
   015F:00431525  33C0    XOR EAX,EAX
   015F:00431527  5B      POP EBX
   015F:00431528  C3      RET
   015F:00431529  90      NOP
   ______________________ MOVGEAR!.text+0003050A ________________________

   Press F10 again - stop at 015F:0043150C - do the following :

   : d ebp [enter]   ==> Pirates Order appears in the Data Window
   : ? edx [enter]
   00000050  0000000080  "P"   ==> hmmm .. this routine is trying to verify the first letter of your name. Look at the DS register - DS:006BF445=69

   Press F10 again - stop at 015F:00431512 - do the following :

   :? EDX [enter]
   00000069  0000000105  "i"   ==> the content of DS copied into the EDX register. That's the 2nd letter of your name. If you dump the EDI register you can see "irates Order" in the Data Window. But, damn, in the next line you face a JNZ instruction to 004314EE. I dunno how to better describe this matter in this tute. However, I'll try my best .... here you go.
   015F:004314EE  0FBED2        MOVSX EDX,DL        <== RET LOOP
   015F:004314F1  41            INC ECX
   015F:004314F2  0FAFD1        IMUL EDX,ECX
   015F:004314F5  03F2          ADD ESI,EDX
   015F:004314F7  81FEBE170000  CMP ESI,000017BE
   015F:004314FD  7E06          JLE 00431505
   015F:004314FF  81EEBE170000  SUB ESI,000017BE
   015F:00431505  83F90A        CMP ECX,0A
   015F:00431508  7E02          JLE 0043150C
   015F:0043150A  33C9          XOR ECX,ECX
   015F:0043150C  8A5701        MOV DL,[EDI+01]
   015F:0043150F  47            INC EDI
   015F:00431510  84D2          TEST DL,DL
   015F:00431512  75DA          JNZ 004314EE        ==> LOOP
   015F:00431514  3BF0          CMP ESI,EAX         ==> ? esi

   Trace the above code ( F10 ). As far as I remember, every time you passed the INC instruction the EDX register value was also changed in order to verify your user name. Don't forget to always check the EDI register. Here the pain just begins; enjoy the loop between 015F:00431512 and 015F:004314EE. Keep pressing F10 until this checking procedure is finished. You can notice this by displaying the EDI register: the last letter ("r") of your name is no longer displayed in the Data Window, and you will no longer see the JUMP indicator at 015F:00431512. Finally you'll reach 015F:00431514 and face a CMP instruction between ESI and EAX. Do the following steps :

   : ? EAX [enter]
   00000058  0000000088  "X"

   This 088 is our suspected last 3 digits that need to be replaced. If you dump the EBP register you'll see 088 at 0167:006BF4B0.

   : ? ESI [enter]
   00000DB4  0000003508  " "

   Write down this number. Your potential reg code is now mg37s1053508.

8. Disable all breakpoints by typing BD * [enter]. Press F5 or X to return to the main program.

9. Repeat the registration procedure and key in mg37s1053508 as your S/N. Click the OK button ..... ouchh! the splash screen, and you'll return to the main program's window. Click HELP/ABOUT .... you've ( illegally ) got a SITE LICENCE!

10. Where the hell is my registration code stored ??
    The correct registration code is stored in the registry as follows :

    REGEDIT4

    [HKEY_CURRENT_USER\Software\gamani\GIFMovieGear\2.0]
    "RegName3"="Pirates Order"
    "RegCode3"="mg37s1053508"

11. How can I practise with my own reg. key ?
    - I strongly recommend you not to do this !

12. A valid reg code is in the format mg37sXXXZZZZ.
    XXX  = any number/character you like
    ZZZZ = value of ESI at 015F:00431514.

END NOTES

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!!!!!!!!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s)' crack releases, repacking (distro) them under his name. Adopted from the newsgroups alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

Never attribute to malice that which is adequately explained by stupidity

ASTAGA [D4C/C4A]
tute-GIFMovieGear30.zip

[EOF] 12/4/00 11:28:58 AM
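The check recovered in steps 4 to 7 and summarised in step 12, written out in C as an added example (this is not code from the tutorial or from GAMANI's program). The constants 0BDFh and 17BEh, the weight reset at ECX > 0Ah, the "mg37" prefix test, the table compare and the fixed digit offset are taken from the listings above; what is assumed is that the call at 0043F27C is an atoi-style conversion (the tutorial's dump shows EAX = 58h = 88 for the digits "088"), that the table at 0044E4BC holds only the string the author dumped, and the length guard, which the original does not have. Running it on the tutorial's own name reproduces ESI = 0DB4h = 3508, and it makes the weakness visible: for an ASCII name the checksum never leaves 0..17BEh, so the name binds the code to fewer than 6079 values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants exactly as they appear in the tutorial's listing. */
#define CHECKSUM_SEED 0x0BDF   /* MOV ESI,00000BDF at 004314E5          */
#define CHECKSUM_WRAP 0x17BE   /* CMP ESI,000017BE / SUB ESI,000017BE  */
#define WEIGHT_LIMIT  0x0A     /* CMP ECX,0A: weight restarts after 11  */

/* The loop between 004314EE and 00431512, in C.
 * ESI starts at 0BDFh. For every character of the name: the weight ECX is
 * incremented, the sign-extended character is multiplied by the weight and
 * added to ESI, ESI is reduced once by 17BEh if it exceeds it, and the
 * weight is reset to 0 once it has passed 0Ah (so weights cycle 1..11). */
int name_checksum(const char *name)
{
    int esi = CHECKSUM_SEED;
    int ecx = 0;
    for (const char *p = name; *p != '\0'; p++) {
        int edx = (signed char)*p;       /* MOVSX EDX,DL        */
        ecx++;                           /* INC ECX             */
        edx *= ecx;                      /* IMUL EDX,ECX        */
        esi += edx;                      /* ADD ESI,EDX         */
        if (esi > CHECKSUM_WRAP)         /* CMP ESI,17BE / JLE  */
            esi -= CHECKSUM_WRAP;        /* SUB ESI,17BE        */
        if (ecx > WEIGHT_LIMIT)          /* CMP ECX,0A / JLE    */
            ecx = 0;                     /* XOR ECX,ECX         */
    }
    return esi;
}

/* The surrounding checks from 00431478 to 00431516. Returns 1 when the
 * routine would fall through to the success path, 0 when it would reach
 * the XOR EAX,EAX / RET at 00431522. */
int serial_is_valid(const char *name, const char *serial)
{
    /* 00431478-0043149A: the first four bytes must be 'm' 'g' '3' '7'. */
    if (strncmp(serial, "mg37", 4) != 0)
        return 0;

    /* 004314A0-004314C6: walk the pointer table at 0044E4BC..0044E4C0 and
     * REPZ CMPSB the serial against each entry for strlen(entry) bytes;
     * the JZ 00431522 means a match REJECTS the serial. The tutorial's
     * dump shows one entry, assumed here to be the whole table. */
    static const char *table[] = { "mvg21951736" };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strncmp(serial, table[i], strlen(table[i])) == 0)
            return 0;

    /* Added guard (not in the original): the original simply reads the
     * digits at a fixed offset, whatever follows the serial in memory. */
    if (strlen(serial) < 8)
        return 0;

    /* 004314C8-004314D3: if serial[4] is 's', INC EBP; then ADD EBP,07 and
     * convert what is there. Note the listing only skips the INC when the
     * 's' is absent, so the digits are read from offset 7 in that case and
     * from offset 8 when the 's' is present. */
    const char *digits = serial;
    if (serial[4] == 's')
        digits++;
    digits += 7;
    int eax = atoi(digits);              /* assumed: CALL 0043F27C is atoi */

    /* 004314D8-00431516: the weighted checksum of the name must equal it. */
    return name_checksum(name) == eax;
}

int main(void)
{
    const char *name = "Pirates Order";  /* the tutorial's test name */
    printf("checksum(\"%s\") = %d (0x%X)\n", name,
           name_checksum(name), name_checksum(name));
    printf("mg37s105088  -> %d\n", serial_is_valid(name, "mg37s105088"));
    printf("mg37s1053508 -> %d\n", serial_is_valid(name, "mg37s1053508"));
    return 0;
}
```

The two functions are deliberately kept separate: `name_checksum` is the loop the author single-stepped with F10, and `serial_is_valid` is everything around it, so each listing in the tutorial can be read against one function. The 88 from "088" that the author sees in EAX is what `atoi` returns here, and the 3508 in ESI is what `name_checksum` returns for "Pirates Order".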