Tutorial on how to crack 5 or More                               8th/07/97
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Name:5 or More
Version:v2.0
Operating System:Windows 95
Cracker:Manson69 [ME'97/C4N]
Level:Beginner
Where:http://www.midstream.com
Size:170,008 bytes
Type:Name/Serial Number Where Serial Number is built in.
Description:A fairly simple game.  The object is to line five objects of the
		same color up in a row and they will disappear resulting in a 
		gain of points.  The smiley faces act as wild.
Tools:To crack this program you will need Soft-Ice
Encrypted/DLL:No
Method:hmemcpy, bpm

				The Cracking

Step1:Start the program, get through the nag screen, choose register from 
	the help menu and enter a serial and name.  DO NOT HIT ENTER YET!
Step2:Go into Soft-Ice and set a break point on hmemcpy.  What is hmemcpy
	you ask?  Well if you had a Windows API reference handy it would more
	or less say this: It is the point at which a string is copied into
	high memory [In our case our name and serial].  So now let's set that
	breakpoint by typing "bpx hmemcpy" (without quotes).  Now leave S-Ice
	and hit enter.
Step3:You will be immediately back in S-Ice.  This first hmemcpy break is
	where the name you entered is being copied to high memory.  Exit
	Soft-Ice again and you will immediately be back in S-Ice.  You have
	just caught the program copying your serial number to high memory.
	This is where you want to be.
Step4:Now you can, if you're too lazy to trace through the code or in my case
	to make this tutorial longer, scan and break on the points at which
	your code is being compared, manipulated, etc.  To do this scan for
	your code using the syntax "s 0 l ffffffff 'yourcodehere'" (without
	quotes).  After finding out where in memory our code is stored we need
	to set a bpm on it, or breakpoint on memory.  To do this use this
	syntax "bpm XXXX:XXXXXXXX" where XXXX:XXXXXXXX is the location in
	memory.
Step5:Once you have done this exit Soft-Ice.  Now when I set a breakpoint
	I usually keep letting it break by exiting Soft-Ice until I get near a
	CMP or a conditional jump function.  If I don't reach one then I will
	repeat the process already covered and start tracing through the code
	of each break.  This may or may not be a good method or one that you
	would use, but this is what I use.  The first time you break back into
	Soft-Ice and look around Soft-Ice you don't see any CMP functions so
	exit Soft-Ice and let it break again.  This time when it breaks you
	will see many CMP's and conditional jumps.  This looks suspicious so
	let's take a look at it.  DO NOT START TRACING THROUGH THE CODE YET.
	READ THE NEXT STEP FIRST!
Step6:You should be in code similar to this:(long)
	MOV EAX, [ESP+04]
	TEST EAX,EAX
	JE 00405F31   <--This is the line that you will break in on
	CMP BYTE PTR [EAX],31
	JNE 00405F31
	CMP [EAX+01],36
	JNE 00405F31
	CMP [EAX+02],31
	JNE 00405F31
	CMP [EAX+03],33
	JNE 00405F31
	CMP [EAX+04],35
	JNE 00405F31
	CMP [EAX+05],35
	JNE 00405F31
	CMP [EAX+06],31
	JNE 00405F31
	CMP [EAX+07],30
	JNE 00405F31
	CMP [EAX+08],00
	MOV EAX,00000001
	JE 00405F33
	XOR EAX,EAX
	RET
	DO NOT TRACE THROUGH THIS CODE.  We can get the correct registration
	number by just ctrl-up or down so we can see the CMP's.  If you do a
	"d eax" (without quotes; it stands for display what is contained
	in memory at EAX) we will see that the code we entered is contained
	there.  So it is probable that this is where your code is compared
	with the right code.  Now if you look at the line like this:
	CMP BYTE PTR [EAX],31
	it compares the first byte of eax, or your code, to the hex value 31.  This
	means that no matter what, the first character of the correct
	registration code will always be the hex value 31.  Now how do we get
	from the value 31h to what we should enter as the first character of our
	code?  Well we do it like this.  First type "? 31" (without quotes)
	to evaluate the hex value 31.  It should respond with a line similar
	to this.
	00000031 0000000049 "1"
	Hmmm, what do you think this could mean?  Well, now that we know the value
	we entered was 31h we can assume the first column shows the hex value.
	Now if you know how to convert hex then you know the second column is
	the decimal value.  The third column contained within the quotation
	marks is the ASCII value.  Now since what you enter in the name
	and serial number fields are ASCII characters then you should be able
	to figure out that the third column is the one we are interested in.
	So from the above example we can conclude that the first number of
	the correct registration code is 1.
	Now if you continue to do that for all the compares down the line you
	will see that the correct code is 16135510.
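	What the Step 6 listing illustrates, from the defender's side, is why this
	protection falls so quickly: the valid serial sits in the binary as a chain
	of plaintext byte constants, and every CMP/JNE pair bails out on the first
	mismatch, so the constants alone hand over the whole code.  The following
	Python is an added example (not code from 5 or More or from this tutorial)
	that mirrors that compare chain as weak_check() and sets a hardened form
	beside it: store only a salted SHA-256 digest of the valid serial and
	compare digests in constant time.  The serial "16135510" is the one the
	tutorial recovers; the salt value and the hashing scheme are assumptions.

```python
"""Hard-coded byte-by-byte serial compare versus a digest-based check.

Added example, not from the original tutorial or the game.  The serial
"16135510" comes from the tutorial; SALT and the SHA-256 scheme are assumptions.
"""
import hashlib
import hmac

# --- Weak form: what the CMP/JNE chain in Step 6 boils down to --------------
# The correct serial is a literal inside the program.  Each CMP compares one
# byte of the user's input with one constant and the first mismatch jumps out,
# so the constants embedded in the code *are* the serial.
EXPECTED_SERIAL = b"16135510"  # the value the tutorial reads out of the CMPs


def weak_check(entered: bytes) -> bool:
    """Byte-by-byte compare with early exit, mirroring the disassembly."""
    if not entered:  # TEST EAX,EAX / JE  (NULL pointer -> fail)
        return False
    for i, expected in enumerate(EXPECTED_SERIAL):
        # CMP [EAX+i],imm / JNE fail  (a short input hits the terminator here)
        if i >= len(entered) or entered[i] != expected:
            return False
    # CMP [EAX+08],00: the input must end exactly after eight characters
    return len(entered) == len(EXPECTED_SERIAL)


# --- Hardened form ------------------------------------------------------------
# Ship only a salted digest of the valid serial.  The constant left in the
# binary is the digest, which does not reveal the serial, and the comparison
# is constant-time so there is no per-byte early exit to observe.
SALT = b"5orMore-v2-salt"  # assumption: a per-product constant

# In a real build this hex string would be computed once at build time and
# embedded as a literal; the plaintext serial would never be shipped.  It is
# derived here only so the example runs stand-alone.
STORED_DIGEST = hashlib.sha256(SALT + EXPECTED_SERIAL).hexdigest()


def hardened_check(entered: bytes) -> bool:
    """Compare a salted digest of the input against the stored digest."""
    digest = hashlib.sha256(SALT + entered).hexdigest()
    return hmac.compare_digest(digest, STORED_DIGEST)


def compare_forms(entered: bytes) -> dict:
    """Run both checks on one input; handy for seeing they agree on accept/reject."""
    return {"weak": weak_check(entered), "hardened": hardened_check(entered)}


if __name__ == "__main__":
    for sample in (b"16135510", b"16135511", b"1613551", b""):
        print(sample, compare_forms(sample))
```

	The hardened form only raises the cost of reading the serial out of the
	program; a check that runs entirely on the client can still be defeated by
	patching the final conditional jump, which is exactly the kind of patch
	the Final Notes below mention.  That is why hashing is a mitigation for the
	"constants leak the key" problem, not a substitute for keeping the decision
	off the client.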
Final Notes:That about covers this program.  As always please contact me on
		Efnet in #cracking4newbies or e-mail me at
		bryanwarner@geocities.com if you have a problem with one of my
		tutorials or with a keygen or patch I have made.  I also take
		requests on programs to be cracked.  
									Manson69 [ME'97/C4N]