/------------------------HellSpawn 2K1-----------------------\
| Author:     KahnAbyss                                      |
| Target:     Kyodai Mahjongg                                |
|             10.21                                          |
| Tools:      SoftIce 3.25                                   |
|             W32Dasm 8.93                                   |
|             Any Prog Soft                                  |
|             I'll use Visual Basic                          |
| Crack Type: Patch                                          |
| Level:      Novice                                         |
\------------------------------------------------------------/

I cracked this game for my mother, since she likes all kinds of Japanese games.
In the 2nd part we're gonna find a valid serial, and in the 3rd part make a keygen.

Part 2a: Get a valid serial
===========================

Step 1:

Launch Kyodai and press F9, then click Register. You'll get an error message
that says: "Sorry wrong password Please check out...."

Now make a backup of the file, open it with W32Dasm, and search the Refs for
your error message. You should see this:

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    :004B9028(C)

    :004B9050 8D4DF0          lea ecx, dword ptr [ebp-10]

    * Possible StringData Ref from Code Obj ->"Sorry, wrong password. Please "
                                            ->"check out if you entered the user "
                                            ->"name and password exactly as I "
                                            ->"gave them to you."

OK, a little bit higher you have the line "Jump Address 4B9028", so press
Shift+F12, type 4B9028 and move up a little bit. Then you will see:

    :004B901A E8DD640300      call 004EF4FC
    :004B901F 8BC3            mov eax, ebx
    :004B9021 E8EA1A0000      call 004BAB10                <--- Call that generates password
    :004B9026 84C0            test al, al                  <--- Test password
    :004B9028 7426            je 004B9050                  <--- Jump if it's good
    :004B902A 8D4DF4          lea ecx, dword ptr [ebp-0C]

    * Possible StringData Ref from Code Obj ->"Thanks again ! You're now registered."

Step 2:

Get into SoftIce by pressing Ctrl-D, then type bpx hmemcpy. Now get out of
SoftIce by pressing F5 and click on Register. Boom, you're back in SoftIce.
Now, in SoftIce, press F11 to get to the caller and F12 until you are in the
right exe. Type bc* and bpx 4B9028, then F5 again, then Register. SoftIce
should break on the conditional jump. Now we're gonna change the Z(ero) flag
value with the r fl z command and press F5.

Now you see we are registered, so it means that the call at 4B9021 generates
the serial. We're gonna put a breakpoint on this line: click Register and, in
SoftIce, type bc* and bpx 4BAB10.

Step 3:

Press F10, then trace down until you get to the line 4BAB9C, then type d Eax.
You should have your serial in your data window. For me it was
KahnAbyss --> 021453960

    :004BAB10 55              push ebp
    :004BAB11 8BEC            mov ebp, esp
    -------Cut-------
    :004BAB92 8BC3            mov eax, ebx
    :004BAB94 E83FC7FFFF      call 004B72D8                  <--- Generate password
    :004BAB99 8B45F8          mov eax, dword ptr [ebp-08]    <--- Password moved to EAX
    :004BAB9C 8B9338160600    mov edx, dword ptr [ebx+00061638]
    :004BABA2 E80596F4FF      call 004041AC                  <--- Verify serial
    :004BABA7 0F858C050000    jne 004BB139                   <--- If not equal, go to error
    :004BABAD 8B8334160600    mov eax, dword ptr [ebx+00061634]

OK, that's all for the 1st part. Now we're gonna step into the kick-ass stuff,
and a lot of fun is coming :)

We're gonna patch the line 4BABAD since it's the function called by every
protection in the software.

Part 2b: Kyodai crack sources in VB
===================================

(THIS PART ONLY WORKS ON THE ORIGINAL RELEASE OF KYODAI 10.21)

Just make a form with a command button called command1 and paste this code
into the code section:

    Private Sub Command1_Click()
        If Dir(App.Path & "\kyodai.exe") = "" Then    'Verify if crack is in good directory
            MsgBox "The Crack Must Be " & _
                   "In The Kyodai Directory", _
                   vbOKOnly, "Kyodai 10.21 Crack"
            Exit Sub
        End If

        Open App.Path & "\Kyodai.exe" _
            For Binary As #1

        If LOF(1) <> 1627136 Then                     'Verify file size
            MsgBox "Wrong File Size", vbOKOnly, _
                   "Kyodai 10.21 Crack"
            Exit Sub
        End If

        Position = &H78AB7 + 1                        'Set offset got in W32Dasm
        Seek #1, Position                             'Get offset
        Input #1, OffSetChk
        OffSetChk = Left(OffSetChk, 1)

        If Asc(OffSetChk) <> &H85 Then                'Verify offset before patching
            MsgBox "Crc Error", vbOKOnly, _
                   "Kyodai 10.21 Crack"
            Exit Sub
        End If

        Put #1, Position, &H84                        'Patch the exe file
        Close #1

        MsgBox "Kyodai 10.21 Successfully Cracked!", _
               vbOKOnly, "Kyodai 10.21"               'Successful message
    End Sub

In part 2 we're gonna dig further into the software to get the encryption key.
Stay tuned :)

KahnAbyss at the Console