Cracking for Newbies - by Dahood

Target: AD Killer Version 1.14
Tools used: W32Dasm, Hiew, ProcDump32 or ASPackDie 1.4 by YODA (can be downloaded from http://www.protools.cjb.net/)
Protection: 1. Serial (we will make the program register itself)

NOTE: This tutorial is not totally for newbies, so I expect that you know
1. how to use W32Dasm
2. how to use Hiew (change, search, etc.)
3. assembly

Disassemble the program

It is packed, and I am not going to go into details (I hate packed programs). When you try to disassemble it, or look at it in Hiew, you see the string "ASPack", so we know what it is packed with. For most packed programs I use ProcDump: open ProcDump, click Unpack, pick the file, pick ASPack. Or use ASPackDie 1.4. Either way, unpack it and save the unpacked file under a different name, like Killer.exe or AK.exe. Check the properties of both files and confirm that they differ (the unpacked dump is normally the larger one, since its code is no longer compressed). Everything from here on is done on the unpacked file: a patch written into the packed original would land in compressed data and never execute. Now try to disassemble the unpacked file.

Disassemble it and look at the string references. At this point I assume you have run the program and know what the registered version should look like, e.g. the title bar should not say "Unregistered". Look for "Unregistered". Can't find it? Maybe it is part of a longer string, like "AD - Killer Unregistered". The first thing I found was "AD - Killer Unregistered", and I know that is what it should look like. You should land at the code below; it is very, very obvious.
If you did not get it, I will tell you: you should be here.

|:0047B01A(C), :0047B064(C)
|
:0047B08F C645D300        mov [ebp-2D], 00
:0047B093 E898CAFFFF      call 00477B30
:0047B098 3C01            cmp al, 01
:0047B09A 0F85AD000000    jne 0047B14D   -----> jump if not equal, otherwise continue
* Possible StringData Ref from Code Obj ->"AD Killer - Registered"
|
:0047B0A0 BAC4B64700      mov edx, 0047B6C4
:0047B0A5 A1243D4800      mov eax, dword ptr [00483D24]

Skip (scroll down) a few lines and you should see this:

:0047B0D9 B101            mov cl, 01
* Possible StringData Ref from Code Obj ->"\SOFTWARE\AD Killer"
|
:0047B0DB BAE4B64700      mov edx, 0047B6E4
:0047B0E0 8B45F4          mov eax, dword ptr [ebp-0C]
:0047B0E3 E89084FEFF      call 00463578
:0047B0E8 8D4DF8          lea ecx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"reguser"
|
:0047B0EB BA00B74700      mov edx, 0047B700

A little further:

* Possible StringData Ref from Code Obj ->"This copy has been registered "
                                        ->"to "
|
:0047B11D 6810B74700      push 0047B710
:0047B122 FF75F8          push [ebp-08]
:0047B125 683CB74700      push 0047B73C
:0047B12A 8D45BC          lea eax, dword ptr [ebp-44]
:0047B12D BA03000000      mov edx, 00000003
:0047B132 E82197F8FF      call 00404858
:0047B137 8B55BC          mov edx, dword ptr [ebp-44]
:0047B13A 8B45FC          mov eax, dword ptr [ebp-04]
:0047B13D 8B80D0030000    mov eax, dword ptr [eax+000003D0]
:0047B143 E8D40BFCFF      call 0043BD1C
:0047B148 E9CD020000      jmp 0047B41A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047B09A(C)
|
:0047B14D B201            mov dl, 01     **** the jne 0047B14D lands here
:0047B14F A174334600      mov eax, dword ptr [00463374]

In conclusion: call 00477B30 is the registration check. It leaves AL = 1 for a registered copy; for anything else, cmp al, 01 / jne 0047B14D jumps over all the good stuff (the "AD Killer - Registered" title, the \SOFTWARE\AD Killer and "reguser" registry strings, and the "This copy has been registered to" message) and lands right after it. So when the people at softcows.com wrote this little program they made a mistake (a tiny bug), and we are going to fix it. Change

:0047B09A 0F85AD000000    jne 0047B14D

to

:0047B09A 0F84AD000000    je 0047B14D

Only the second opcode byte changes, 85 to 84; the 32-bit displacement AD000000 stays the same, so the jump still targets 0047B14D. In Hiew, go to the file offset that W32Dasm shows in its status bar for the highlighted line (or search for the byte sequence 0F 85 AD 00 00 00), switch to edit mode, overwrite the 85 with 84 and save. Do this in the unpacked file, not in the ASPack-packed original. Note that this inverts the test rather than removing it: an unregistered copy now takes the registered path, while a copy that actually passes the check in 00477B30 would be sent to 0047B14D. Start your program. Easy, eh? I hope I did not confuse you. If you have any questions or comments, my ICQ# is 69518421, or you can e-mail me at
webcrawler28@hotmail.com

I would like to say thanks to all the crackers, too many to list, for helping me and for their tutorials. Also a big thanks to krobar's site: http://zor.org/krobar
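The patch described above, done programmatically instead of by hand in Hiew, as an added example that is not part of the original tutorial. The script maps the W32Dasm virtual address 0047B09A to a file offset through the PE section table (the same conversion Hiew does for you), refuses to touch a file that still carries ASPack's own sections, checks that the bytes at that offset really are the 0F 85 AD 00 00 00 from the listing and that the displacement resolves to 0047B14D, and only then overwrites the 85 with 84. The PE32 image built by build_sample_image() is constructed here so the script runs offline; its ImageBase (00400000), .text RVA (1000) and file alignment (400) are assumed typical values, not values read from the real AK.exe, and the file name AK.exe used in the usage line is hypothetical.

```python
"""Added example, not from the tutorial: apply the jne -> je patch at VA 0047B09A
after verifying that the bytes there match the W32Dasm listing.

Assumed (not read from the real program): ImageBase 00400000, .text at RVA 1000
and file offset 400 in the constructed sample image; the file name AK.exe.
"""
import struct
import sys

IMAGE_BASE_OFF = 28                      # ImageBase sits 28 bytes into a PE32 optional header
SECTION_HDR_LEN = 40                     # sizeof(IMAGE_SECTION_HEADER)
ASPACK_SECTIONS = (".aspack", ".adata")  # section names ASPack adds (heuristic)


def parse_pe(image: bytes):
    """Return (image_base, sections); each section is (name, rva, vsize, raw_ptr, raw_size)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", image, 0x3C)           # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec, = struct.unpack_from("<H", image, pe_off + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, pe_off + 20)   # SizeOfOptionalHeader
    opt = pe_off + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:       # PE32 magic
        raise ValueError("only PE32 images are handled here")
    image_base, = struct.unpack_from("<I", image, opt + IMAGE_BASE_OFF)
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + SECTION_HDR_LEN * i
        name, vsize, rva, rsize, rptr = struct.unpack_from("<8sIIII", image, hdr)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize, rptr, rsize))
    return image_base, sections


def va_to_offset(image: bytes, va: int) -> int:
    """Map a virtual address (as W32Dasm shows it) to a file offset (as Hiew uses it)."""
    image_base, sections = parse_pe(image)
    rva = va - image_base
    for _name, sec_rva, vsize, rptr, rsize in sections:
        if sec_rva <= rva < sec_rva + max(vsize, rsize):
            return rptr + (rva - sec_rva)
    raise ValueError(f"VA {va:08X} is not inside any section")


def jcc_rel32_target(va: int, code: bytes) -> int:
    """Target of a 6-byte 0F 8x rel32 conditional jump located at va (relative to next insn)."""
    rel, = struct.unpack_from("<i", code, 2)
    return va + 6 + rel


def looks_aspack_packed(image: bytes) -> bool:
    """Heuristic: a file that still has ASPack's sections has not been unpacked yet."""
    return any(name.lower() in ASPACK_SECTIONS for name, *_ in parse_pe(image)[1])


def patch_jne_to_je(image: bytearray, va: int, expected_target: int) -> int:
    """Turn jne (0F 85) into je (0F 84) at va after verifying it; returns the file offset."""
    if looks_aspack_packed(image):
        raise ValueError("still packed: unpack with ProcDump/ASPackDie first")
    off = va_to_offset(image, va)
    if image[off:off + 2] != b"\x0f\x85":
        raise ValueError(f"no jne at {va:08X} (file offset {off:#x}); wrong file?")
    target = jcc_rel32_target(va, bytes(image[off:off + 6]))
    if target != expected_target:
        raise ValueError(f"jne at {va:08X} goes to {target:08X}, expected {expected_target:08X}")
    image[off + 1] = 0x84            # rel32 untouched, so the jump still goes to 0047B14D
    return off


def build_sample_image() -> bytearray:
    """Constructed PE32 with one .text section holding the cmp al,01 / jne 0047B14D bytes."""
    text_rva, text_raw, text_size = 0x1000, 0x400, 0x7B000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, IMAGE_BASE_OFF, 0x00400000)
    sec = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva, text_size, text_raw,
                      0, 0, 0, 0, 0x60000020)
    image = bytearray((dos + b"PE\0\0" + coff + opt + sec).ljust(text_raw, b"\0"))
    image += bytes(text_size)
    off = text_raw + (0x0047B09A - 0x00400000 - text_rva)
    image[off - 2:off + 6] = bytes.fromhex("3C01" "0F85AD000000")  # cmp al,01 ; jne 0047B14D
    return image


if __name__ == "__main__":
    # Usage on a real dump (hypothetical file name): python patch.py AK.exe
    img = bytearray(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else build_sample_image()
    off = patch_jne_to_je(img, 0x0047B09A, 0x0047B14D)
    print(f"patched at file offset {off:#x}: {bytes(img[off:off + 6]).hex()}")
    if len(sys.argv) > 1:
        open(sys.argv[1] + ".patched", "wb").write(img)
```

Run without arguments it patches the constructed image and prints the new bytes; run with a file name it writes a .patched copy next to the original. The pre-checks are the point: on the packed original the script stops at the section-name heuristic, and on a different build of the program the opcode or displacement check fails instead of silently corrupting an unrelated instruction.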