Cracking for Newbies  - by Dahood
                

Target: Ghost Keylogger v 3.33

Tools used: W32dasm
            Hiew

Protection:
1. The "invisible" function is disabled in the demo version.


NOTE: This tutorial is not entirely for newbies, so I expect that you know:
1. how to use W32dasm
2. how to use Hiew (change, search, etc.)
3. assembly



Disassemble the program.

Step 1: change the text. Right now the checkbox says "Invisible - not available in this demo version".

Find that string reference in the disassembly and you should be here:



:004173E3 7407                    je 004173EC ********interesting****

* Possible StringData Ref from Data Obj ->"Invisible - not available in this "
                                        ->"demo version."
                                  |
:004173E5 6824324700              push 00473224
:004173EA EB05                    jmp 004173F1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004173E3(C)
|

* Possible StringData Ref from Data Obj ->"Invisible"
                                  |
:004173EC 6818324700              push 00473218

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004173EA(U)
|

* Possible Reference to String Resource ID=01001: "Select this if you want the keylogger to run invisible."
                                  |
:004173F1 68E9030000              push 000003E9


Change je  004173EC
to     jne 004173EC

Save it and run it. Good.

Step 2: enable the function.
When you click the checkbox you get an error message. Write it down, search for it in the disassembly,
and you should be here:

:0041769C FF5010                  call [eax+10]
:0041769F 50                      push eax
:004176A0 8D45C0                  lea eax, dword ptr [ebp-40]

* Possible StringData Ref from Data Obj ->"You can not make this DEMO version "
                                        ->"invisible. To be able to"
                                  |
Scroll up a bit until you see the conditional jump that leads to this message:

:0041765C 0F8499000000            je 004176FB ******
:00417662 53                      push ebx
:00417663 8BCE                    mov ecx, esi
:00417665 899EAC000000            mov dword ptr [esi+000000AC], ebx
:0041766B E8830C0300              call 004482F3
:00417670 8A45F3                  mov al, byte ptr [ebp-0D]
:00417673 53                      push ebx
:00417674 8D4DE0                  lea ecx, dword ptr [ebp-20]
:00417677 8845E0                  mov byte ptr [ebp-20], al
:0041767A E828A9FEFF              call 00401FA7

* Possible StringData Ref from Data Obj ->"Message"
                                  |

Change :0041765C 0F8499000000            je  004176FB
to     :0041765C 0F8599000000            jne 004176FB

Now test it out. Much better.
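Both patches above are single-byte edits that invert an x86 conditional jump (the short je 74 xx becomes jne 75 xx, the near je 0F 84 rel32 becomes jne 0F 85 rel32). As an added example that is not part of the tutorial, here is a defender-side integrity check: it byte-diffs a shipped binary against a known-good copy and flags exactly this kind of edit. The sample images are constructed, not real Ghost Keylogger bytes, and the Jcc classification is a heuristic (a 0x74 inside data would match too).

```python
# Added example: detect single-byte patches that invert an x86 Jcc.
# Not the tutorial's code; sample bytes below are constructed.

# x86 Jcc condition codes live in the low opcode nibble; XOR 1 inverts them.
CC_NAMES = ["o", "no", "b", "ae", "e", "ne", "be", "a",
            "s", "ns", "p", "np", "l", "ge", "le", "g"]


def describe_jcc_flip(good: bytes, bad: bytes, off: int) -> str:
    """Describe the byte change at `off` if it flips a Jcc condition, else ''."""
    a, b = good[off], bad[off]
    if a ^ b != 1:                      # inverse conditions differ in bit 0 only
        return ""
    if 0x70 <= a <= 0x7F:               # short Jcc rel8 (74 xx -> 75 xx)
        return f"short j{CC_NAMES[a & 0xF]} -> j{CC_NAMES[b & 0xF]}"
    # near Jcc rel32 is 0F 8x; require the 0F prefix byte to precede it
    if 0x80 <= a <= 0x8F and off > 0 and good[off - 1] == 0x0F:
        return f"near j{CC_NAMES[a & 0xF]} -> j{CC_NAMES[b & 0xF]}"
    return ""


class Patch:
    def __init__(self, offset: int, original: int, patched: int, note: str):
        self.offset, self.original, self.patched, self.note = offset, original, patched, note


def find_patches(good: bytes, bad: bytes) -> list:
    """Byte-diff two same-sized images and classify every differing byte."""
    if len(good) != len(bad):
        raise ValueError("images differ in size; not a simple in-place patch")
    patches = []
    for off, (a, b) in enumerate(zip(good, bad)):
        if a != b:
            flip = describe_jcc_flip(good, bad, off)
            patches.append(Patch(off, a, b, f"jcc inverted: {flip}" if flip else "other"))
    return patches


# Constructed images: the two patch sites from the tutorial surrounded by
# filler, plus one unrelated data change at the end.
GOOD = bytes.fromhex("90 90 74 07 68 24 32 47 00 90 0F 84 99 00 00 00 53 8B CE 41")
BAD  = bytes.fromhex("90 90 75 07 68 24 32 47 00 90 0F 85 99 00 00 00 53 8B CE 42")

if __name__ == "__main__":
    for p in find_patches(GOOD, BAD):
        print(f"offset 0x{p.offset:04x}: {p.original:02x} -> {p.patched:02x}  {p.note}")
```

In practice `GOOD` would be read from a vendor-signed reference copy and `BAD` from the file on disk; a signature or hash check catches any tampering, while this diff tells you which check was neutralised.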



I hope I didn't confuse you. If you have any questions or comments,
my ICQ# is 69518421, or you can e-mail me at webcrawler28@hotmail.com.

I would like to say thanks to all the crackers, too many to list, for helping me and also for their
tutorials.
Also a big thanks to krobar's site http://zor.org/krobar