How to crack the new version of Cheet!, another approach...
www.addon-factory.com
by +DzA kRAker (Regele Piratilor) / TNT
TNT!Crackers: http://kickme.to/tnt  http://warez.at/tnt

Well, in this new version of Cheet! the people at Addon-Factory added some more anti-debugging routines... it looks like they want to own the whole anti-debugging collection. This time there are some anti-debugging tricks I didn't know of. I tried to hide SoftICE by disabling BCHK, using r!sc's tool called Bang (very useful sometimes) and FrogsICE loaded to skip the usual MeltICE, INT 68h and SoftICE registry-key checks. The old version of Cheet! runs fine that way, but the new one doesn't. I must say I couldn't get it running under SoftICE even after about an hour of patching things by hand.

But, as in the previous tutorial on cracking Cheet!, Liu Tao Tao's TRW2000 comes to the rescue! Most of the known anti-debugging routines out there are really anti-SoftICE routines: they look for SoftICE specifically, so using another debugger bypasses them. I have the feeling this will not last too long, though.

Run TRW2000, then run cheet!.exe... oops, Cheet! exits. Don't worry: with faults=on (the default) TRW2000 gives itself away to the program. Enter TRW2000 with Ctrl+N and type faults=off. Now Cheet! should run normally.

The registration dialog pops up, telling us things like "Cheet! will not run until it's registered" (heh, stupid claim). As you probably know from my previous tutorial on this program, Cheet! generates an "ID code" which you are supposed to send to them (if you are mad or something :), and they will kindly send you a reg code in 1-2 weeks if they aren't too busy. This ID code is derived from your Windows product ID in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\productid\
If you change the product ID in the registry, the next time you start Cheet! your ID code changes too.
Last time I showed how patching a single byte can undo a decent, hard-worked protection scheme. Sure, that method still works: put a bpx RegQueryValueExA, then find the right jump. But I don't like that method too much, it takes a lot of time, so I decided to patch Cheet! so that it accepts any code... and I did it after only 5 minutes. The Cheet! registration routine is no big deal; maybe next time I will write a key generator (if the protection doesn't change too much).

OK, let's go cracking... We will use r!sc's Process Patcher too; it will make our work much easier.

Enter your e-mail address (I entered dzakraker@yahoo.com) and a bogus reg code (I entered ILOVETOCRACKCHEET). Now enter TRW2000 with Ctrl+N and put a breakpoint on hmemcpy (bpx hmemcpy). Leave TRW2000 and press OK. TRW2000 pops up; press F12 several times until you are back in Cheet!'s code. Now press F10 several times; you will be kicked back into the kernel by the call at 47464A (CALL 0042F6F0). Press F12 several times until you are back in Cheet!, then keep pressing F10 until you reach this suspicious piece of code:

474652 CALL 00403E88
474657 CMP EAX,00000020    ; is the code at least 20h (32) characters long?
47465A JL 00474917         ; no, the code is shorter than 32: jump to the exit routine

So we have to NOP that JL. After NOPing it (if you have the demo version of TRW2000, like I do, use the edit-memory command to NOP it), continue pressing F10 until you see this VERY suspicious conditional jump:

4746DB JNZ 0047490E        ; heh, this is where the dirty work is done

Now just reverse that jump in TRW2000 (JNZ becomes JZ), exit the debugger, and the nice Cheet! splash screen pops up. Is Cheet! cracked? Not permanently: remember the check in the registry, and these patches live only in memory, so when you exit and restart the program you are no longer registered. That is what r!sc's Process Patcher is for: applying the same byte changes each time the program is started.

TRW2000 rulez... Ready. See you in my next tut.
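The two byte patches above (NOP the 6-byte JL at 47465A, flip the JNZ at 4746DB to JZ), as an added Python example that is not code from r!sc's Process Patcher, TRW2000 or Cheet!. The image it patches is constructed: it encodes only the instructions listed in the tutorial at their listed addresses, with NOP filler between them, and the BASE_VA constant is an assumption so that the script runs offline without the real cheet!.exe. Before touching a byte it decodes the jump and checks both the opcode and the branch target against the listing, which is the sanity check you want before applying the same patch to another build of the program.

```python
"""Apply the two conditional-jump patches from the tutorial to an x86 image.

Added example, not code from r!sc's Process Patcher, TRW2000 or Cheet!.
The image below is CONSTRUCTED: only the instructions the tutorial lists
(CALL, CMP EAX,20h, JL, JNZ) are encoded, at the listed virtual addresses,
with NOP filler in between. BASE_VA is an assumption (the VA of the first
byte of that buffer); the real cheet!.exe is not reproduced here.
"""
import struct

BASE_VA = 0x474652  # assumption: first byte of the constructed buffer

# Near conditional jumps: 0F 8x rel32. Flipping the low bit of the second
# opcode byte inverts the condition (84 JZ <-> 85 JNZ, 8C JL <-> 8D JGE).
JCC_NEAR = {0x84: "JZ", 0x85: "JNZ", 0x8C: "JL", 0x8D: "JGE"}
JCC_LEN = 6
NOP = 0x90


def build_constructed_image():
    """Encode the tutorial's listing; each address is checked as we emit."""
    buf = bytearray()

    def emit(va, code):
        assert BASE_VA + len(buf) == va, hex(va)  # listing must be contiguous
        buf.extend(code)

    emit(0x474652, b"\xE8" + struct.pack("<i", 0x403E88 - 0x474657))       # CALL 00403E88
    emit(0x474657, b"\x83\xF8\x20")                                         # CMP EAX,20h
    emit(0x47465A, b"\x0F\x8C" + struct.pack("<i", 0x474917 - 0x474660))   # JL 00474917
    buf.extend(bytes([NOP]) * (0x4746DB - 0x474660))  # constructed filler up to the JNZ
    emit(0x4746DB, b"\x0F\x85" + struct.pack("<i", 0x47490E - 0x4746E1))   # JNZ 0047490E
    return bytes(buf)


def decode_near_jcc(image, va):
    """Return (mnemonic, target VA) of the near Jcc at `va`, or raise."""
    off = va - BASE_VA
    if off < 0 or off + JCC_LEN > len(image):
        raise ValueError(f"{va:08X} outside image")
    op0, op1 = image[off], image[off + 1]
    if op0 != 0x0F or op1 not in JCC_NEAR:
        raise ValueError(f"{va:08X}: no near Jcc here ({op0:02X} {op1:02X})")
    rel = struct.unpack_from("<i", image, off + 2)[0]
    return JCC_NEAR[op1], (va + JCC_LEN + rel) & 0xFFFFFFFF


def _checked_offset(image, va, mnemonic, target):
    """Refuse to patch unless the bytes really are the jump we expect."""
    found = decode_near_jcc(image, va)
    if found != (mnemonic, target):
        raise ValueError(f"{va:08X}: expected {mnemonic} {target:08X}, found {found}")
    return va - BASE_VA


def nop_jcc(image, va, mnemonic, target):
    """Overwrite the whole 6-byte jump with NOPs (the JL at 47465A)."""
    off = _checked_offset(image, va, mnemonic, target)
    out = bytearray(image)
    out[off:off + JCC_LEN] = bytes([NOP]) * JCC_LEN
    return bytes(out)


def invert_jcc(image, va, mnemonic, target):
    """Flip the jump's condition in place (the JNZ at 4746DB becomes JZ)."""
    off = _checked_offset(image, va, mnemonic, target)
    out = bytearray(image)
    out[off + 1] ^= 1  # 0F 85 (JNZ) -> 0F 84 (JZ); the rel32 target is untouched
    return bytes(out)


def crack_image(image):
    """The tutorial's two patches, applied to a copy of the image."""
    image = nop_jcc(image, 0x47465A, "JL", 0x474917)
    return invert_jcc(image, 0x4746DB, "JNZ", 0x47490E)


if __name__ == "__main__":
    original = build_constructed_image()
    patched = crack_image(original)
    for va in (0x47465A, 0x4746DB):
        off = va - BASE_VA
        print(f"{va:08X}: {original[off:off + JCC_LEN].hex(' ')} -> "
              f"{patched[off:off + JCC_LEN].hex(' ')}")
    print("4746DB now decodes as", decode_near_jcc(patched, 0x4746DB))
```

Because every patch first decodes the jump and compares the target, running crack_image a second time over an already patched image raises instead of silently corrupting the NOPs, and a build where the compare has moved is refused rather than patched at the wrong offset. Mapping these virtual addresses to file offsets (or applying them to a suspended process, as a process patcher does) is outside this example.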