-->Tutorial number 8--<

Name          : RKS Symbol Selector
Version       : 2.23
Target        : Symbols.exe
Size          : 488 kb
Tools         : SoftICE
Brain Cracker : KlimaX

Get it at http://www.rkssoftware.com

...---===This tut is best viewed in full screen===---...

==>DISCLAIMER<==
For educational purposes ONLY! I hold absolutely NO responsibility for the misuse of this material!

_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____
===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== =====

I'd just as well start by saying that this is also a strange prog from RKS, but you'll see when you get to the end of this tut;)
This tut is very much like Visual Labels (also an RKS product), so the procedure in this tutorial will be much the same as in my previous tut (tutorial number 6)!!

----====The cracking part====----

1. Start Symbol Selector, and a screen will appear with three choices for you. As we won't buy the prog (yet..), select "Enter Serial Number" and fill in the empty boxes:

   Your name: KlimaX
   Your s/n : 12345

   Now, before you press "OK", press Ctrl+D and set a breakpoint on HMEMCPY in SICE:

   BPX HMEMCPY

   Exit SICE (F5), and now you may press "OK".

2. SICE breaks, but not where we want it to break, so press F11, F5, F11. Now we're close to the calculating part, so press F12 six times, and notice the EAX=00000005 in the top-left corner of SICE (5 = the number of digits in our fake serial ;)
   Now press F10 21 times to get past all the RETs, and you should end up here:

   :0046CA29 CALL 00414708
   :0046CA2E MOV EAX, [EBP-0C]        <=-YOU LAND HERE
   :0046CA31 MOV ECX, [EAX+000001D0]
   :0046CA37 MOV EDX, [EBP-08]
   :0046CA3A MOV EAX, [EBP-04]
   :0046CA3D CALL 00472CFC            <=-TRACE INTO THIS CALL (F8)
   :0046CA42 TEST AL, AL
   :0046CA44 JZ 0046CA58

   When you land at :0046CA2E, press F10 4 times to get to the CALL at :0046CA3D. Press F8 to trace into this call, and you'll end up here:

   :00472CF7 SUB EAX, 00000000
   :00472CFC PUSH EBP                 <=-YOU LAND HERE
   :00472CFD MOV EBP, ESP
   :00472CFF PUSH 00

   Now press F10 14 times to get here:

   :00472D10 PUSH ESI
   :00472D11 PUSH EDI
   :00472D12 MOV [EBP-0C], ECX
   :00472D15 MOV [EBP-08], EDX        <=-PRESS D EDX (you'll see our fake code 12345)
   :00472D18 MOV [EBP-04], EAX
   :00472D1B MOV EAX, [EBP-04]
   :00472D1E CALL 004036D4
   :00472D23 MOV EAX, [EBP-08]

   If you press D EDX, you'll see our fake serial, and in some progs you just need to press F10 one more time and press D EAX to reveal our real serial. But not in this case; it'll just show our name (KlimaX). So what do we do now? Well, instead of tracing any further, take a look at the Data Window and write down the virtual address of the fake serial (mine is 017F:00C13D18 and may differ from yours).

3. Type BC* to clear all breakpoints, and set a BPM on the virtual address you just wrote down, like this:

   BPM 017F:00C13D18

   Press F5 to exit, and SICE pops again around here:

   :004059D6 MOV EDX, EBX
   :004059D8 CALL 004037F4            <=-TRACE HERE (F8)
   :004059DD MOV EDX, ESI             ;
   :004059DF MOV ESI, [EDI]           ; scroll
   :004059E1 TEST EBX, EBX            ; up
   :004059E3 JZ 004059FA              ; here
   :004059E5 MOV AL, [EDX]            ;
   :004059E7 CMP AL, 61               <=-YOU LAND HERE
   :004059E9 JB 004059F1
   :004059EB CMP AL, 7A

   Press Ctrl+Up until you reach the first CALL above you (like in the snippet just above this line of text). When you get to the CALL, press BC* and set a new breakpoint on the address of the CALL (BPX 004059D8).

4. Now press F5 to exit SICE, and it will pop again, this time at our requested CALL (:004059D8). Press F8 to trace into this CALL and you'll land here:

   :004037F1 LEA EAX, [EAX+00]
   :004037F4 PUSH EBX                 <=-TYPE D EBX AND SEE IF ANYTHING'S HERE
   :004037F5 PUSH ESI                 <=-TYPE D ESI AND TAKE A LOOK HERE
   :004037F6 PUSH EDI
   :004037F7 MOV EBX, EAX

   Look in the Data Window when you've typed D ESI, and the serial should be there (RKS-2862918). Done!!!

I have gone through the prog a couple of times, and sometimes the serial changes, so the serial written above may not be the same as yours, even though you use the same name!
Another funny thing about the prog is that sometimes the serial doesn't show when you type D ESI at :004037F5. If it doesn't, try pressing F5 to get back to the CALL at :004059D8, press F8 to trace into it again, and try step 4 once more. Repeat this till you see a serial like mine;)
You may also have to press F10 about 13 times to get to this part, which could also contain the real s/n:

   :00403828 JMP 00403852
   :0040382A MOV EAX, EDX
   :0040382C CALL 00403468
   :00403831 MOV EDI, EAX             <=-TYPE D EAX
   :00403833 MOV EAX, [EBX]
   :00403835 TEST EAX, EAX

"I know it's tricky, but it has to be done"!
Remember to put the RKS- in front of the number, as this is a part of the valid serial!!!!!

_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____
===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== =====
________________

----====Before you leave====----

--==>Please bear in mind that shareware programs are a commercial benefit, because they give YOU the opportunity to "Try before you Buy". Therefore, if you like a shareware program, please be sure to pay the authors/makers, so they won't stop making them.

-=>LAST WORDS: If you have any comments on this tut, feel free to mail me at KlimaX_v2000@mail.com

_ _ _ _ _ _ _ _

Special thanks to:
1- The TNT Crack Team, as they have the ultimate cracking site, you simply have to try it!!!!
2- tKC for releasing those great tuts, keep on making 'em!. They are the BEST!!!
3- Astaga (the "Tutorial Machine":), keep on producing those excellent tuts!!
4- All the NewBies in the world;)!