Name     : Gamespy 3D
Version  : 2.16
Editor   : Spy Software
Target   : gamespy.exe
Tools    : Softice 4.00, W32Dasm 8.93, Hacker's View 6.01, PE-Sniffer 1.06, DeShrink 1.5
Cracker  : LW2000
Tutorial : No.4
URL      : http://www.gamespy.com

---
DISCLAIMER
For educational purposes only! I hold no responsibility for misuse of this material!
---

Please excuse my poor English, it's not my mother language....

1. Load Gamespy. *BOOM*
   "GameSpy - Un-Registered Version. GameSpy 3D is unlimited use shareware."

2. Mhmm, let's try to register. Be sure that you are offline! Press Register and enter the following:
   Name  : LW2000
   Email : LW2000@GAMESPY.COM
   Key   : [LW2000]
   Now press OK.

3. *BOOM* The Dial-Up Networking dialog is opened. It seems to be a kind of Internet protection as well. Click Cancel. *BOOM* "The registration server is not responding. Try again later." Quit Gamespy.

5. Let's crack this bitch of a program. Load Softice and start the program again. Press Register and enter the following:
   Name  : LW2000
   Email : LW2000@GAMESPY.COM
   Key   : [LW2000]
   Don't press OK! First switch to Softice with [Ctrl]+[d] and set a breakpoint with "bpx getwindowtexta". Then press F5 to go back to Gamespy.

6. Click on OK. Softice pops up because of the first text field (Name). Press F5 to return to Gamespy. Softice pops up because of the second text field (Email). Press F5 to return to Gamespy. Softice pops up because of the third text field (Key). Press F5 to return to Gamespy.

7. Now we see the Dial-Up Networking dialog. Press Cancel. Softice appears again. Press F12 to get to the caller. Now be patient and trace through the code (F10) until you get to a call that takes a *very long* time to finish. Wait, it will be worth it.

8. When the call is finished, trace a bit more until you come to the following code:

   :00462F76 3BC5             cmp eax, ebp
   :00462F78 0F846F010000     je 004630ED                        <<--- BAD BOY
   :00462F7E 85C0             test eax, eax
   :00462F80 0F843C010000     je 004630C2                        <<--- BAD BOY
   :00462F86 8B864C010000     mov eax, dword ptr [esi+0000014C]  <- Your reg no.
   :00462F8C 8B4C240C         mov ecx, dword ptr [esp+0C]        <- Correct reg number

9. We want to remove the two jump-equals and see the right serial number. Trace to the first je. Enter "a" to edit the code. Type "nop" and then Enter. Do this five more times. Now we have six nop's. NOP means no operation: the computer will do nothing instead of checking the serial. Why 6 times? The hex code for "je 004630ED" is "0F846F010000"; that is 12 hex digits, and 12 divided by 2 gives 6 bytes. Trace to the second je and do the same. Yeah, NOP it out.

10. Trace just past the lines I have included. Type "d eax" to show your reg number. Type "d ecx" to show the correct serial number. Your serial is: 3Cd5-425G-g973-eh32

11. Type "bd *" to disable the breakpoints. Press F5 to exit Softice. A new message box tells you that your regcode ([lw2000]) is not correct, but you hear nothing like "server is not responding". You can now enter the correct serial number to register Gamespy, before(!) you exit Gamespy.

12. Let's make this shit permanent. I think I've seen the word "shrink" in the code; this means that the program is compressed by Shrinker. Let's see if I am right.

13. Load PE-Sniffer. Click on the "..." button and browse to gamespy.exe. Now click on Shrinker 3.3 and Shrinker 3.4 to scan this file for Shrinker.

14. The result is that the file is packed with Shrinker 3.4. Let's unpack it! Load DeShrink 1.5. Check the "unpack Shrinker 3.4" checkbox. Load gamespy.exe as input. Save it to unpacked.exe as output. Then press Decompress.

15. Exit the program. Load unpacked.exe in W32Dasm. Go to Code Location "00462F76". Remember, this is the location we got from Softice.

   :00462F76 3BC5             cmp eax, ebp
   :00462F78 0F846F010000     je 004630ED                        <<--- BAD BOY
   :00462F7E 85C0             test eax, eax
   :00462F80 0F843C010000     je 004630C2                        <<--- BAD BOY
   :00462F86 8B864C010000     mov eax, dword ptr [esi+0000014C]  <- Your reg no.
   :00462F8C 8B4C240C         mov ecx, dword ptr [esp+0C]        <- Correct reg number

   Mhhmm, I think I've seen this before ;)

16. Place the bar on ":00462F78 0F846F010000 je 004630ED". In the status bar you see the Offset "62F78h"; write it down. Place the bar on ":00462F80 0F843C010000 je 004630C2". In the status bar you see the Offset "62F80h"; write it down. The h stands for hex, forget it, so our offsets are 62F78 and 62F80.

17. Exit W32Dasm and load Hiew with unpacked.exe. Press Enter twice to go to decode mode. Press F5 to go to code location 62F78. Press F3 to edit the file and type "90" six times; this is nop in hex. Press F9 to update. Press F5, go to 62F80 and do the same as at 62F78. Press F9 to update and F10 to quit. Run Gamespy and enter the details. Congratulations! You are a registered user!

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net !!!

----
I'd like to thank tKC for his tutors! I started with tutor 1 and I still read them... they are the best!
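The two patched jump-equals, seen from the defender's side, as an added example that is not part of LW2000's tutorial: a tamper check that reads the bytes at the file offsets from step 16 and reports whether the original je opcodes are still there or have been overwritten with the six-NOP sled from step 17. The buffer it checks is constructed here from the listing in step 8 and is not the real unpacked.exe; it assumes the 62F78/62F80 file offsets that W32Dasm reported.

```python
from typing import Dict

# Original opcode bytes at the file offsets the tutorial records in W32Dasm.
# The "12 hex digits / 2 = 6" rule from step 9 is just len(bytes.fromhex(...)).
ORIGINAL_JUMPS: Dict[int, bytes] = {
    0x62F78: bytes.fromhex("0F846F010000"),  # je 004630ED
    0x62F80: bytes.fromhex("0F843C010000"),  # je 004630C2
}

def nop_count(hex_opcode: str) -> int:
    """Number of NOPs needed to cover one instruction, e.g. '0F846F010000' -> 6."""
    return len(bytes.fromhex(hex_opcode))

def classify(data: bytes, offset: int, expected: bytes) -> str:
    """Report one patch site as 'intact', 'nopped', 'modified' or 'truncated'."""
    actual = data[offset:offset + len(expected)]
    if len(actual) < len(expected):
        return "truncated"      # file is shorter than the recorded patch site
    if actual == expected:
        return "intact"
    if actual == b"\x90" * len(expected):
        return "nopped"         # the exact 90 90 90 90 90 90 sled from step 17
    return "modified"           # something else was written here

def check_binary(data: bytes, expected: Dict[int, bytes] = ORIGINAL_JUMPS) -> Dict[int, str]:
    """Check every recorded patch site in an in-memory copy of the file."""
    return {off: classify(data, off, exp) for off, exp in expected.items()}

def build_sample(nop_out: bool) -> bytes:
    """Constructed stand-in for unpacked.exe: int3 filler plus the six-instruction
    listing from step 8 placed at file offset 0x62F76 (not the real file)."""
    buf = bytearray(b"\xCC" * 0x63000)
    listing = bytes.fromhex(
        "3BC5"          # cmp eax, ebp
        "0F846F010000"  # je 004630ED
        "85C0"          # test eax, eax
        "0F843C010000"  # je 004630C2
        "8B864C010000"  # mov eax, dword ptr [esi+0000014C]
        "8B4C240C"      # mov ecx, dword ptr [esp+0C]
    )
    buf[0x62F76:0x62F76 + len(listing)] = listing
    if nop_out:  # simulate the NOP patch so the check has a tampered sample to flag
        for off, exp in ORIGINAL_JUMPS.items():
            buf[off:off + len(exp)] = b"\x90" * len(exp)
    return bytes(buf)

if __name__ == "__main__":
    for label, tampered in (("pristine", False), ("patched", True)):
        print(label, {hex(k): v for k, v in check_binary(build_sample(tampered)).items()})
```

To run it against a real file, pass the bytes of the file to check_binary in place of build_sample; the expected-bytes table is the only thing that ties it to this particular binary.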