-->Tutorial number 6--<

Name    : RKS Visual Labels
Version : 3.2g
Target  : VL.exe
Size    : 1.298 kb
Tools   : SoftICE, Brain
Cracker : KlimaX

Get it at: http://www.rkssoftware.com

...---===This tut is best viewed in full screen===---...

==>DISCLAIMER<==
For educational purposes ONLY! I hold absolutely NO responsibility for the misuse of this material!

_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____

I'd just as well start with saying that this is a strange prog, but you'll see when you get to the end of this tut ;)

----====The cracking part====----

1. Start Visual Labels, and a screen will appear with three choices for you. As we won't buy the prog (yet..), select "Enter Serial Number" and fill in the empty boxes.

   Your name: KlimaX
   Your s/n : 12345

   Now before you press "OK", press ctrl+d and set a breakpoint on HMEMCPY in SICE:

   BPX HMEMCPY

   Exit SICE (F5) and now you may press "OK".

2. SICE breaks, but not where we want it to break, so press F11, F5, F11. Now we're close to the calculating part, so press F12 six times, and notice the EAX=00000005 in the top-left corner of SICE (5 = the number of digits in our fake serial ;). Now press F10 21 times to get past all the RETs, and you should end up here:

   :0048FF59 CALL 0041502C
   :0048FF5E MOV EAX, [EBP-0C]          <=- YOU LAND HERE
   :0048FF61 MOV ECX, [EAX+000001D0]
   :0048FF67 MOV EDX, [EBP-08]
   :0048FF6A MOV EAX, [EBP-04]
   :0048FF6D CALL 004962F8               <=- TRACE INTO THIS CALL (F8)
   :0048FF72 TEST AL, AL
   :0048FF74 JZ 0048FF88

   When you land at :0048FF59, press F10 4 times to get to the CALL at :0048FF6D.
   Press F8 to trace into this call, and you'll end up here:

   :004962F3 SUB EAX, 00000000
   :004962F8 PUSH EBP                    <=- YOU LAND HERE
   :004962F9 MOV EBP, ESP
   :004962FB PUSH 00

   Now press F10 14 times to get here:

   :0049630C PUSH ESI
   :0049630D PUSH EDI
   :0049630E MOV [EBP-0C], ECX
   :00496311 MOV [EBP-08], EDX           <=- PRESS D EDX (you'll see our fake code 12345)
   :00496314 MOV [EBP-04], EAX
   :00496317 MOV EAX, [EBP-04]
   :0049631A CALL 00403910
   :0049631F MOV EAX, [EBP-08]

   If you press D EDX, you'll see our fake serial, and in some progs you just need to press F10 one more time and press D EAX to reveal our real serial. But not in this case; it'll just show our name (KlimaX). So what do we do now? Well, instead of tracing any further, take a look at the Data Window, and write down the virtual address of the fake serial (mine is 0167:00C934DC and may differ from yours).

3. Type BC* to clear all breakpoints, and set a BPM on the virtual address you just wrote down, like this:

   BPM 0167:00C934DC

   Press F5 to exit, and SICE pops again around here:

   :00405DA2 MOV EDX, EBX
   :00405DA4 CALL 00403A8C               <=- TRACE HERE (F8)
   :00405DA9 MOV EDX, ESI                ;
   :00405DAB MOV ESI, [EDI]              ; scroll
   :00405DAD TEST EBX, EBX               ; up
   :00405DAF JZ 00405DC6                 ; here
   :00405DB1 MOV AL, [EDX]               ;
   :00405DB3 CMP AL, 61                  <=- YOU LAND HERE
   :00405DB5 JB 00405DBD
   :00405DB7 CMP AL, 7A

   Press ctrl+up till you reach the first CALL above you (like in the snippet just above this line of text). When you get to the CALL, press BC*, and set a new breakpoint on the address of the CALL (bpx 00405DA4).

4. Now press F5 to exit SICE and it will pop again, this time at our requested CALL. Press F8 to trace into this CALL and you'll land here:

   :00403A89 LEA EAX, [EAX+00]
   :00403A8C PUSH EBX                    <=- TYPE D EBX AND SEE IF ANYTHING'S HERE
   :00403A8D PUSH ESI                    <=- TYPE D ESI AND TAKE A LOOK HERE
   :00403A8E PUSH EDI
   :00403A8F MOV EBX, EAX

   Look in the Data Window when you've typed D ESI and the serial should be there (RKS-1268470). Done!!!
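Why the serial turns up in a buffer right next to the comparison: the program derives the valid serial from the name on its own and then string-compares it with what was typed, so a memory breakpoint on the input buffer stops inside that compare with the expected value in reach. The following C program is an added example, not the program's or the author's code, contrasting that weak design with signature-based verification. Everything in it is constructed: the name digest (FNV-1a folded down), the textbook-sized RSA parameters (p = 61, q = 53), and the "RKS-" serial shape borrowed from the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy RSA parameters (textbook p = 61, q = 53): n = 3233, e = 17, d = 2753.
 * Far too small for real use; they only illustrate which half of the key
 * the client program needs to hold. */
#define TOY_N 3233u
#define TOY_E 17u    /* public exponent: may ship inside the client        */
#define TOY_D 2753u  /* private exponent: vendor-only, never in the client */

/* Square-and-multiply modular exponentiation; all intermediates fit in 64 bits. */
static uint32_t modpow(uint32_t base, uint32_t exp, uint32_t mod) {
    uint64_t result = 1, b = base % mod;
    while (exp) {
        if (exp & 1u) result = (result * b) % mod;
        b = (b * b) % mod;
        exp >>= 1;
    }
    return (uint32_t)result;
}

/* Hypothetical name digest reduced into [2, n). Constructed for this example
 * (FNV-1a folded down); it is not the real program's algorithm. */
static uint32_t name_to_message(const char *name) {
    uint32_t h = 2166136261u;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    return 2u + (h % (TOY_N - 2u));
}

/* Weak design, matching what the tutorial observes: the client derives the
 * valid serial from the name by itself and string-compares it with the input.
 * The expected serial is materialised in a buffer right before the compare,
 * so a memory breakpoint on the input buffer stops next to the correct value. */
bool check_serial_weak(const char *name, const char *serial) {
    char expected[32];
    snprintf(expected, sizeof expected, "RKS-%07u", name_to_message(name));
    return strcmp(expected, serial) == 0;   /* both strings readable here */
}

/* Vendor-side issuance: sign the name digest with the private exponent.
 * This lives in the vendor's key generator, never in the shipped program. */
uint32_t vendor_issue_serial(const char *name) {
    return modpow(name_to_message(name), TOY_D, TOY_N);
}

/* Hardened design: the client holds only (e, n) and checks whether the typed
 * serial is a valid signature over the name. No "correct serial" is computed
 * or stored on the client side, so there is nothing to read out of memory
 * beside the comparison; producing a valid one requires the private key. */
bool check_serial_hardened(const char *name, const char *serial) {
    unsigned sig;
    if (sscanf(serial, "RKS-%u", &sig) != 1 || sig >= TOY_N) return false;
    return modpow(sig, TOY_E, TOY_N) == name_to_message(name);
}

/* Round trip used by main() and the checks: issue, format, verify. */
bool issue_and_verify(const char *name) {
    char serial[32];
    snprintf(serial, sizeof serial, "RKS-%u", vendor_issue_serial(name));
    return check_serial_hardened(name, serial);
}

int main(void) {
    const char *name = "KlimaX";   /* the name used in the tutorial */
    printf("weak check, fake serial 12345:      %d\n", check_serial_weak(name, "RKS-12345"));
    printf("hardened check, fake serial 12345:  %d\n", check_serial_hardened(name, "RKS-12345"));
    printf("hardened check, vendor-issued:      %d\n", issue_and_verify(name));
    return 0;
}
```

The design point is where the two halves of the key live: in the weak variant the client is its own key generator, so whatever it computes can be watched; in the hardened variant the client can only verify, and the comparison it performs (a hash of the name against a decoded signature) never exposes a serial that would work. A patched jump still defeats either check on an unprotected binary, which is why this matters for key leakage, not for patching.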
I have gone through the prog a couple of times, and sometimes the serial changes, so the above written serial may not be the same as yours, even though you use the same name!

Another funny thing about the prog is that sometimes the serial doesn't show when you type D ESI at :00403A8D. If it doesn't, try pressing F5 to get back to the CALL at :00405DA4, press F8 to trace into it again, and try step 4 once more. Repeat this till you see a serial like mine ;)

You may also have to press F10 about 13 times to get to this part, which could also contain the real s/n:

   :00403AC0 JMP 00403AEA
   :00403AC2 MOV EAX, EDX
   :00403AC4 CALL 004036A4
   :00403AC9 MOV EDI, EAX                <=- TYPE D EAX
   :00403ACB MOV EAX, [EBX]
   :00403ACD TEST EAX, EAX

"I know it's tricky, but it has to be done"!

Remember to put the RKS- in front of the number, as this is a part of the valid serial!!!!!

_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____

----====Before you leave====----

--==>Please bear in mind that shareware programs are a commercial benefit, because it gives YOU the opportunity to "Try before you Buy". Therefore, if you like a shareware program, please be sure to pay the authors/makers, so they won't stop making them.

-=>LAST WORDS: If you have any comments on this tut, feel free to mail at KlimaX_v2000@mail.com

Special thanks to:
1- The TNT Crack Team, as they have the ultimate cracking site, you simply have to try it!!!!
2- tKC for releasing those great tuts, keep on making 'em! They are the BEST!!!
3- Astaga (the "Tutorial Machine":), keep on producing those excellent tuts!!
4- All the NewBies in the world ;)!