Name: CrackTips for Newbies
Cracker: LW2000
Tutorial: No.8

---

DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!

---

Please excuse my poor English, it's not my mother language.... Advanced crackers, don't laugh and remember the title 'CrackTips for Newbies'!

---

You can place the green bar in W32DASM with a double-click on a line.

---

Hiew can be started automatically in decode mode. Simply open hiew.ini and change the 'StartMode' value from 'Text' to 'Code'.

---

An easy way to defeat nag screens: Load your program and wait till the nag is shown. Write down the caption of this window and the first words of the message. Open the exe (or sometimes dll) in a hex editor and search for the noted string. If you have found the string, scroll up and search for the hex string 'FF FF FF 80'. If you find it, replace it with 'FF FF FF 90'. Usually this way won't work if you have to press a button.

---

When you get your offset in W32DASM, you see in the status bar something like 'Offset E346Ah'. The 'h' only means hex - don't write it in Hiew. Your offset is E346A!

---

OK, I have answered this question a dozen times, so read this! ... and tell all your friends (if you have any *g*). In nearly all types of INI or CFG files, ';' and '//' mean the line is disabled!!! This is used for comments! Yeah, you got it! In winice.dat the ';' is for comments, too. And I swear, the next one who asks me something like: "I have added this line to the winice.dat, why does it not work? ;EXP=c:\windows\system\vbrun300.dll" must buy me a new PC!

---

Try to understand the code!

---

When serial catching, always use the same serial number, so that you know what it looks like in hex. I prefer 123789. In hex it is 1E38D. Whatever serial you choose, try to avoid something like 123456789.

---

Learn assembly! Learn assembly! Learn assembly! Learn assembly!

---

If you step over a call, check the content of any changed register. You may find the serial number here.

---

Don't give up too fast, learning to crack needs time!

---

In W32DASM, always look if your reference exists more than once. You search for your message in the SDR window, you double-click your message and W32DASM goes to this location. Finished? NO! Double-click again on your string in the SDR window, to be sure this is the only reference!

---

Most programmers are lazy. Whenever a task must be done, they write a procedure or function. They call it when the task must be done. Usually programs that use the serial/name check perform this task twice: once when the serial is entered and the second time when the program is fired up. So patch the function and save a lot of work. Patching a function is often an advantage with CD checks, nag screens, and time or date checks, too.

---

In W32DASM you can jump to all Call and Jump cross reference addresses by simply double right-clicking on the reference address. To return to the reference, press F12.

---

If a function returns the value -1 in a registration check, this normally means not registered. 1 (and sometimes 0) usually means the check passed.

---

Read all of tKC's tutorials !!!

---

A program allows you e.g. a 20 days trial. Remember: most programmers are lazy! And a lazy programmer might check the trial period like this:

CMP DWORD PTR register, 14    <<-- 14 is 20 in hex
JLE/JGE address               <<-- usually one of these conditional jumps

Let's think in hex *g*: what we've got is 83 for CMP, only several likely register options, 14 for the 20 days and 7E for JLE or 7D for JGE. Load your favorite hex editor and do a little search. You may find this in one or more locations. Let's make the JLE (7E 33) that we've found into an unconditional jump (EB 33). I would check it, but normally it is cracked...

---

Most crackers say: read all you can get about cracking if you want to become a real cracker! But my tip is: first read only the best tutorials (newbie related), the others will only confuse you in the beginning. Going this way you'll save a lot of time! So, as I said before, read all tKC's tutorials! Other very nice tutorials are from BuLLeT, Tornado, HarvestR, The Saint Man and Acid Brun.

---

Never, I said never, use NOP unless it is totally necessary. There are usually many better ways! For example, instead of 2x NOP you could write INC ECX, DEC ECX, or something like this.

---

So, you read the tips? OK! Another tip from me is to use specialized tools. It saves a lot of time, and when they exist, why not use them??? Here are the tools I prefer:

W32DASM 8.93 (in two versions, one with SDR Enabler for VB apps and one without, because of the problems with some non-VB apps)
SmartCheck 6.03 (cracking VB apps is fun with this tool!)
SoftICE 4.0 (no explanation required!)
Hiew 6.16 (because this is the best hex editor in the world)
PE-Sniffer 1.06 (fine proggy to identify compiler/packer)
THE CUSTOMISER (the tool for playing with windows)
ProcView 3.1.1.2 (to throw apps perfectly out of memory; sometimes your crack was &%$#! and the app is dead... much better than [ctrl]+[alt]+[del])
RegMon (to control registry entries)
FileMon (to control files)
GetType (to identify files)
Opcodes (knowledge is power!)
ProcDump 1.5 (cool tool for unpacking / PE header plays)
BlindRead (good to read crippled files from CDs)
OpenList (take a look at the shit Windows loads up, nice to find trojans!)
Snooper for Windows (get the text out of files)

... it looks like a lot, but most of these tools are quite small.

FINISH! Got everything? If not, read again *g*.

cu LW2000
Any comments? Mail me LW2000@gmx.net !!!

----

tKC, thx for your tutorials! I started with tutorial 1 and I still read them... they are the best!
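The INI/CFG comment rule above (a line starting with ';' or '//' is disabled) is the kind of thing that is easiest to see with a tiny parser. The following Python is an added example, not code from LW2000's tutorial or from any of the tools it lists: it reads a constructed winice.dat-style snippet, separates active KEY=value entries from commented-out ones, and explains why a line like ';EXP=c:\windows\system\vbrun300.dll' is never loaded. The sample file content is constructed for this illustration; only the EXP key and the vbrun300.dll path come from the tutorial text.

```python
# Added example, not part of the original tutorial: a minimal INI/CFG-style
# parser that treats lines beginning with ';' or '//' as disabled comments.
# SAMPLE_CFG is a constructed snippet in the shape of a winice.dat, not a real one.
from typing import Dict, List, Tuple

SAMPLE_CFG = """\
; constructed sample, not a real winice.dat
[SIW]
EXP=c:\\windows\\system\\kernel32.dll
;EXP=c:\\windows\\system\\vbrun300.dll
// a second comment style, also ignored
INIT=X;
"""

# Both prefixes from the tutorial; only a prefix at the START of the line
# counts, so the ';' that terminates an INIT command is still part of the value.
COMMENT_PREFIXES = (";", "//")


def parse_cfg(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (active entries, disabled lines).

    Active entries map KEY -> [values], because a key such as EXP may appear
    several times. Disabled lines are returned separately so the caller can see
    exactly which lines the program will never read.
    """
    active: Dict[str, List[str]] = {}
    disabled: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):  # blank line or [section] header
            continue
        if line.startswith(COMMENT_PREFIXES):
            disabled.append(line)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a KEY=value line
        active.setdefault(key.strip().upper(), []).append(value.strip())
    return active, disabled


def check_entry(text: str, key: str, value: str) -> str:
    """Explain whether KEY=value is active, commented out, or absent entirely.

    This is the diagnostic the tutorial is asking for: an entry that exists
    only behind ';' or '//' is reported as commented out, not as missing.
    """
    active, disabled = parse_cfg(text)
    if value in active.get(key.upper(), []):
        return "active"
    wanted = f"{key}={value}".lower()
    for line in disabled:
        body = line.lstrip(";/").strip().lower()
        if body == wanted:
            return "commented out: remove the leading ';' or '//'"
    return "absent"


if __name__ == "__main__":
    entries, comments = parse_cfg(SAMPLE_CFG)
    print("active:", entries)
    print("disabled:", comments)
    print(check_entry(SAMPLE_CFG, "EXP", "c:\\windows\\system\\vbrun300.dll"))
```

Running it shows the kernel32.dll EXP line as active and the vbrun300.dll line as commented out, which is the whole answer to the "why does it not work?" question: the program that reads the file skips that line before it ever looks at the key.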