//**cracking tut by alpine**//
//*****and******//
//**the immortal descendants**//

Greetings

This is my second tutorial for the Immortal Descendants. I decided to explain how to remove timetrials and nagscreens in this tutorial. I found a program which had all these protections. After playing with it a bit, it turned out to be written in VisualBasic. Instead of cracking the nags and the timetrial I decided to crack the registration, because it is easier. So this tutorial explains how to get the right serial for a VisualBasic5 program. It is not for real beginners, because I'm not explaining basic things like how to set a breakpoint and so on...

what we need:

  softice
  logochanger  // I downloaded it from www.cnet.com; search for it, you will find it.

After starting the program, you will get a nag telling you that you can only use it for 30 days. Then the registration dialog pops up. I used alpine as the name and 1234565 as the reg. number. Now set a breakpoint in softice (I used hmemcpy) and then press the x to close the registration window. Back in softice, we are going to locate the serial-compare routine.

Before that we must know something: for almost all VisualBasic5 programs, the compare routine is located in a dll called msvbvm50.dll. The compare routine always consists of the same instructions:

  56          PUSH ESI
  57          PUSH EDI
  8B7C2410    MOV EDI,[ESP+10]    <--here is the real serial stored
  8B74240C    MOV ESI,[ESP+0C]    <--here is our fake serial stored
  8B4C2414    MOV ECX,[ESP+14]
  33C0        XOR EAX,EAX
  F366A7      REPZ CMPSW          <--compares both
  7405        JZ 0F00DA04

What do we have to do? After softice breaks on your breakpoint, you must get into msvbvm50 by pressing f12 a few times, and then you do a search for the opcodes:

  s 0 l ffffffff 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14,33,C0,F3,66,A7

You don't have to search for all the opcodes, just as many as I did. Now breakpoint on the search result and press f5.

You should be kicked back and find yourself in the heart of the compare routine at push esi. Press f10 till you reach mov esi,[esp+0c] and do a d edi and you will see the real serial.

See you next time for a new adventure with alpine and the immortal descendants.

oftice now and wait a bit. You will be kicked back to softice. Now press f12 till you find yourself in prot 32 mode, should be in mfc42.dll. You are now one line under the call to user32!DestroyWindow. Now press f10 till you are back to the main exe file called dt-010. When you look up one line you should find a call:
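
Back to the msvbvm50.dll compare routine: it gives up the real serial because the program builds that serial in memory and compares it with the entered one, whereas a check that only verifies a signature over the registration name with a public key has no such value to read at the compare. The following Python sketch is an added example, not code from the tutorial or from the program it discusses; the function names and the key (built from two Mersenne primes, far too small for real use) are constructed for illustration, and the vendor half is included only to produce a sample serial.

```python
import hashlib

# Constructed demo key: two Mersenne primes give a 216-bit modulus. This is
# an illustration only; a shipping product would use a vetted signature
# library with a full-size key.
_P, _Q = 2**127 - 1, 2**89 - 1
N, E = _P * _Q, 65537                   # public half: all the client embeds
_D = pow(E, -1, (_P - 1) * (_Q - 1))    # private half: stays with the vendor


def _digest(name: str) -> int:
    """Hash the registration name to an integer below the modulus."""
    raw = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(raw, "big") % N


def vendor_issue_serial(name: str) -> str:
    """Vendor side (hypothetical): sign the name with the private exponent."""
    return format(pow(_digest(name), _D, N), "x")


def client_check_serial(name: str, serial: str) -> bool:
    """Client side: verify using only (N, E).

    Both values compared here are derived from public data (the name's hash
    and the entered serial raised to E), so a debugger stopped at the compare
    sees nothing that can be typed back in as a valid serial.
    """
    try:
        sig = int(serial, 16)
    except ValueError:
        return False                    # not a hex string at all
    if not 0 < sig < N:
        return False                    # out of range for this modulus
    return pow(sig, E, N) == _digest(name)
```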