Welcome to Cracking Tutorial #21!

Well, well.. what can I say? Nothing is gonna stop us now! :)
Warning, this tutorial is a real mother! *grin*

Ok, let's rave!

You'll need the following tools:
(I use these tools, and I assume you'll use 'em, but it doesn't mean that you'll
need to use all of them, so be sure to have them handy for the examples in this
tutorial!)

  SoftIce 3.25
  W32Dasm 8.93
  Hacker's View 6.04
  SmartCheck 6.01
  TASM 5.00
  Windows Commander 3.53 (I use it coz it's easier to multitask)

Don't ask me where to download all these tools since you had a chance to get them
when you used my older tutorials. Here are a few good cracking sites where you can
grab tools from:

  http://surf.to/HarvestR or http://harvestr.cjb.net
  http://catalyst.intur.net/~Iczelion/tools.html
  http://www.suddendischarge.com

or ask any crackers to get you these tools!

Are you ready?! OK! ;)

PART 1:
~~~~~~

NetBus Pro 2.01
http://www.netbus.org

Tutor by PinguTM (PinguTM@hotmail.com)

This is my 1st tutorial from one complete newbie to another!
How to enter a random serial\Key!

Tools: W32Dasm Ver 8.93
       Hiew 6.03

1. When u start the program, u get a message telling you to register it etc, and
   if you want to get the full potential of the program it needs to be registered.

2. Now go to Help and select Register. Fill out the boxes - Name, Company and Key.
   Now hit Register. Shit! Nothing happens!

3. Fire up W32Dasm and load in Netbus.exe. Now select string data references and
   select "Thanks for registering netbus".

4. Found it? Cool.. then u will see something like this....

* Possible StringData Ref from Code Obj ->"Thanks for registering NetBus "
                                        ->"Pro and supporting Shareware software."
:004DBA2F B8C8BA4D00              mov eax, 004DBAC8
:004DBA34 E8A3AB0000              call 004E65DC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DBA23(C)
|
:004DBA39 8B45FC                  mov eax, dword ptr [ebp-04]
:004DBA3C E87F03F7FF              call 0044BDC0
:004DBA41 33C0                    xor eax, eax
:004DBA43 5A                      pop edx
:004DBA44 59                      pop ecx
:004DBA45 59                      pop ecx
:004DBA46 648910                  mov dword ptr fs:[eax], edx
:004DBA49 685EBA4D00              push 004DBA5E

5. Now scroll up a little till you see this.....

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DBA1A(U)
|
:004DBA0C 8B45F8                  mov eax, dword ptr [ebp-08]
:004DBA0F E83876F2FF              call 0040304C
:004DBA14 C3                      ret
:004DBA15 E9E67CF2FF              jmp 00403700
:004DBA1A EBF0                    jmp 004DBA0C
:004DBA1C E8FB57FFFF              call 004D121C
:004DBA21 84C0                    test al, al
:004DBA23 7414                    je 004DBA39          <------- Bad Boy
:004DBA25 B940000000              mov ecx, 00000040

* Possible StringData Ref from Code Obj ->"Thanks"

:004DBA2A BAB8BA4D00              mov edx, 004DBAB8

6. Looks good, load up Hiew and press F4 and select Decode. Now press F5 and type in
   the offset which is "DAE23". Now press F3 for edit mode and type "75", press F9
   to save, and F10 to quit. Start up NetBus and select register and put in any old
   shit and hit register. OOOOO YEAH! THANK YOU FOR REGISTERING bla bla bla!

7. Sweet, now close down NetBus and reload it. DAMN fucking nag telling us to
   register! HMMM, a check to see if it is properly registered. So where can this be
   checked??? - how about during the nag? - let's see. Take a note of the message on
   the nag "Please register the software if you like it and have use of it" and go
   back to W32Dasm, and back to string references, and look for "Please register
   this software". Click it and you will be dumped here.

* Possible StringData Ref from Code Obj ->"Please register this software "
                                        ->"if you like it and have use of "
                                        ->"it."
:004D13E5 BA5C144D00              mov edx, 004D145C
:004D13EA 8B87CC020000            mov eax, dword ptr [edi+000002CC]
:004D13F0 E8EB11F6FF              call 004325E0
:004D13F5 B201                    mov dl, 01
:004D13F7 8B87D8020000            mov eax, dword ptr [edi+000002D8]
:004D13FD E8C610F6FF              call 004324C8
:004D1402 8187E8020000C4090000    add dword ptr [edi+000002E8], 000009C4

8. Now scroll up a bit till you see this.....

* Reference To: kernel32.GetTickCount, Ord:0000h
|
:004D136A E8215CF3FF              Call 00406F90
:004D136F 8987E8020000            mov dword ptr [edi+000002E8], eax
:004D1375 E8A2FEFFFF              call 004D121C
:004D137A 84C0                    test al, al
:004D137C 7426                    je 004D13A4          <--------------- Bad Boy
:004D137E 8D45F4                  lea eax, dword ptr [ebp-0C]
:004D1381 E862FDFFFF              call 004D10E8
:004D1386 8B55F4                  mov edx, dword ptr [ebp-0C]
:004D1389 8B87D0020000            mov eax, dword ptr [edi+000002D0]
:004D138F E84C12F6FF              call 004325E0
:004D1394 8B55FC                  mov edx, dword ptr [ebp-04]
:004D1397 8B87D4020000            mov eax, dword ptr [edi+000002D4]
:004D139D E83E12F6FF              call 004325E0
:004D13A2 EB68                    jmp 004D140C

9. And again load up Hiew. Press F4 and select Decode. Now press F5 and type in the
   offset which is "D077C". Now press F3 for edit mode and type "75", press F9 to
   save, and F10 to quit. Start up NetBus and now the nag has who it's registered to
   and the company name. Now you can sit back and relax knowing you have registered
   the software :)

-=-=- PinguTM '99 -=-=-

PART 2:
~~~~~~

CD-R Diagnostic Version 1.4.4
http://www.cdrom-prod.com

Tutor by PinguTM (PinguTM@hotmail.com)

This is my 2nd tutorial from one complete newbie to another!
How to enter a random serial\Key!

Tools: W32Dasm Ver 8.93
       Hiew 6.03

THIS IS ONE SIMPLE PROGGIE TO CRACK :)

1. When u start the program, u get the usual shit telling u to register, and if u
   don't the proggie will soon run out, and, well, we don't want that.

2. Go to Help and Enter Registration. Fill out the boxes - Name and Code. Now hit
   OK. Nothing happens and we are brought back to the main program screen.

3. Load W32Dasm and decompile CDRDIAG.exe.
   Now select string data references and select "Registration: %s Thank you for
   registering."

4. You will now see something like this....

* Possible Reference to String Resource ID=00137: "Registration: %s Thank you for registering."
|
:004012F0 6889000000              push 00000089
:004012F5 51                      push ecx
:004012F6 FFD7                    call edi
:004012F8 8D542460                lea edx, dword ptr [esp+60]
:004012FC 68A0F24200              push 0042F2A0
:00401301 52                      push edx
:00401302 68E0F54200              push 0042F5E0
:00401307 FFD6                    call esi
:00401309 83C40C                  add esp, 0000000C
:0040130C EB17                    jmp 00401325

5. Scroll up a little till you see this.....

* Possible Reference to String Resource ID=00102: "No CD-ROM drive selected."
|
:004012D5 6A66                    push 00000066
:004012D7 53                      push ebx
:004012D8 FFD5                    call ebp
:004012DA A0A0F24200              mov al, byte ptr [0042F2A0]
:004012DF 84C0                    test al, al
:004012E1 742B                    je 0040130E          <==== Here's tha little bastard!
:004012E3 8B0DE0F74200            mov ecx, dword ptr [0042F7E0]
:004012E9 8D442460                lea eax, dword ptr [esp+60]
:004012ED 6A64                    push 00000064
:004012EF 50                      push eax

6. Load up Hiew. Press F4 and select Decode. Now press F5 and type in the offset
   which is "6E1". Now press F3 for edit mode and type "75", press F9 to save, and
   F10 to quit. Reload CDRDiag.. and now go back to the register screen and input
   any old shit and hit OK. EH... same happens as before.... ahh, but go to Help,
   About, what do you see? "Thank you for registering" SWWWWWWEEEEEEEEEETTTTT!

-=-=-=- PinguTM -=-=-=-

PART 3:
~~~~~~

WinPatch 1.2
http://www.artistry.com

Tutor by PinguTM (PinguTM@hotmail.com)

This is my 3rd tutorial from one complete newbie to another!
How to enter a random serial\Key!

Tools: W32Dasm Ver 8.93
       Hiew 6.03

I know this is an old program, but a goodie. This is still the latest version!

1. When u start the program, u get a few nags telling you to register, BLA BLA BLA.

2. Click on About, then click Register. Fill out Name, Reg ID and Organization, then
   hit OK. Just as I thought.... Invalid Reg ID!

3.
   Load W32Dasm and decompile winpatch.exe. Now select string data references and
   select "Invalid Registration ID!".

4. You will now see something like this....

* Possible StringData Ref from Data Obj ->"Invalid Registration ID!"
|
:00412F5F 685CCB4400              push 0044CB5C
:00412F64 E8541D0200              call 00434CBD
:00412F69 E957030000              jmp 004132C5

5. Don't close the string data references yet. Click "Invalid Registration ID!"
   again and you should arrive here....

* Possible StringData Ref from Data Obj ->"Invalid Registration ID!"
|
:00413223 685CCB4400              push 0044CB5C
:00413228 E8901A0200              call 00434CBD
:0041322D EB5E                    jmp 0041328D

6. Now close string data references and scroll a little up till you see this......

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00413161(C)
|
:0041320B 8B07                    mov eax, dword ptr [edi]
:0041320D 8B542414                mov edx, dword ptr [esp+14]
:00413211 50                      push eax
:00413212 52                      push edx
:00413213 E8DE930000              call 0041C5F6
:00413218 83C408                  add esp, 00000008
:0041321B 85C0                    test eax, eax
:0041321D 7410                    je 0041322F          <---- Bad Boy
:0041321F 6A00                    push 00000000
:00413221 6A00                    push 00000000

6. Load up Hiew. Press F4 and select Decode. Now press F5 and type in the offset
   which is "1321D". Now press F3 for edit mode and type "75", press F9 to save, and
   F10 to quit. Now reload WinPatch, and now what happens..... A nag saying Invalid
   ID, and still the other nags (SHIT!). Now what?, I hear you say... well, back to
   string data references.

7. Once again select "Invalid Registration ID!" and you should be brought here.....

* Possible StringData Ref from Data Obj ->"Invalid Registration ID!"
|
:00416E50 685CCB4400              push 0044CB5C
:00416E55 E863DE0100              call 00434CBD
:00416E5A EB0A                    jmp 00416E66

8. Now close string data references and scroll a little up till you see this......
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00416D73(C), :00416D87(C)
|
:00416D98 8B4500                  mov eax, dword ptr [ebp+00]
:00416D9B 50                      push eax
:00416D9C 8B442420                mov eax, dword ptr [esp+20]
:00416DA0 50                      push eax
:00416DA1 E850580000              call 0041C5F6
:00416DA6 83C408                  add esp, 00000008
:00416DA9 85C0                    test eax, eax
:00416DAB 0F84AB000000            je 00416E5C          <------ Bad boy #2 :)
:00416DB1 6890EA4400              push 0044EA90
:00416DB6 8D4C241C                lea ecx, dword ptr [esp+1C]
:00416DBA E81F8E0100              call 0042FBDE

9. Load up Hiew. Press F4 and select Decode. Now press F5 and type in the offset
   which is "16DAB". Now press F3 for edit mode and type "0F85", press F9 to save,
   and F10 to quit. Now reload WinPatch again. Click on About, then click Register.
   Fill out Name, Reg ID and Organization, then hit OK. Yeeehaaaa, it takes
   anything. Now WinPatch is fully registered and nag free :)

-=-=-=- PinguTM -=-=-=-

PART 4:
~~~~~~

How to crack Net Gin Rummy 3.01
by dAvId/nIgHtMaRe'1

Welcome to my first Cracking Tutorial. I've been cracking for a while and read some
great tutorials by tKC and some other ppl, that's why I decided that it would be a
good idea to give a little back so that everybody can enjoy the wonderful world of
cRaCkInG. Since this is my 1st Tutorial don't expect too much. I made it very easy
to follow; saying that, if you get lost in it, DON'T BLAME ME he he.

Please excuse my bad English, it's not my mother language... I'm Danish. Is it
really that bad?
If you like this Tutor #1 please e-mail and tell me what you think about it; I would
be very, very happy to get some response about it. Well, enough foreplay, let's crack.

Where:  http://www.netintellgames.com/

TOOLS Used:
  a cup of coffee - you can also drink tea
  a Ciggy
  W32DASM 8.93
  HIEW 6.03
  FAR 1.52

Install the program and run it to see what's going on. You'll get a message saying
this:

{
  This is a fully-functional shareware copy of Net Gin Rummy. You can play and
  evaluate our games free of charge over a trial period of 30 days or 100 sessions -
  whichever lasts shorter. After that you must register Net Gin Rummy if you wish to
  continue playing.

  Trial period remaining: 100 sessions remaining, 30 days

  We apologize for the inconvenience of this notice. This notice will not appear
  after you register Net Gin Rummy. Enjoy our games!
}

Hmm, that sux: only 100 sessions or 30 days, not enough time. Press Ok and enter
anything for your name, pick "As game server", but we are not going to play, only
crack this baby. Ok, go to register, don't enter anything, just press enter. You'll
get a message saying this:

  (Sorry, your personal registration key is uncorrect)

Press Ok. Go to FAR 1.52, copy gin.exe to gin.w32 for use with W32Dasm and copy
gin.exe to gin.exx as a backup file (just in case you fuck up) he he.

Open W32Dasm and start disassembling gin.w32. When done go to Strn Ref, keep going
down until you see "Thank You for support NetIntellGames ", double click on it and
close Strn Ref. You will be here:

* Possible StringData Ref from Data Obj ->"Thank You for support NetIntellGames "
                                        ->"shareware authors!"
:00407896 6810014300              push 00430110

Press up until you see:

:00407875 6848014300              push 00430148
:0040787A 6A02                    push 00000002
:0040787C E8FF180000              call 00409180
:00407881 8BCE                    mov ecx, esi
:00407883 E8681D0000              call 004095F0        <- serial check
:00407888 83F801                  cmp eax, 00000001    <- is it equal
:0040788B 7541                    jne 004078CE         <- no, goto bad boy
:0040788D 8B8E80010000            mov ecx, dword ptr [esi+00000180]
:00407893 6A00                    push 00000000
:00407895 51                      push ecx

So it's pretty obvious that if you change jne to je you'll get the thank you message.
Make sure the green bar is on top of the je line and note the offset at the bottom
of the screen.

  @offset -> 00006C8B

Run hiew gin.exe, press F5, enter 6C8B, change jne <-> (85) to je <-> (84).

Run Net Gin Rummy, go to register, enter any key, you'll get the message "thank you
for registering this software". Exit Net Gin Rummy, run it again. Does it work? No,
he he. Why not? Well, it's because the program also checks at startup.

Back to W32Dasm. Look at the call 04095F0. Go to search, enter 04095F0, mark the
seek down button, press search. It will find it at:

:004093C7 8BCE                    mov ecx, esi
:004093C9 E822020000              call 004095F0        <- serial check
:004093CE 83F801                  cmp eax, 00000001    <- is it equal
:004093D1 750B                    jne 004093DE         <- no, goto bad boy
:004093D3 8986F4010000            mov dword ptr [esi+000001F4], eax
:004093D9 E99C010000              jmp 0040957A

So we found the check at startup. Well, what now? I'll tell you: don't panic. Make
sure the green bar is on top of the je line and note the offset at the bottom of the
screen.

  @offset -> 000087D1

Run hiew gin.exe, press F5, enter 8D71, change jne <-> (85) to je <-> (84).

Run Net Gin Rummy again. Does it work? Yeah, no more nags and no more expire shit.
Cool, you cracked Net Gin Rummy. Note this also works 4 Net Poker / Net Preference
and probably all other Net shit at http://www.netintellgames.com/. Cool huh?
Tutor #1 Written bY dAvId/nIgHtMaRe'1 on 7 April 1999
Wanna contact me? Yeah, it's possible, e-mail me at dAvIdnM1@usa.net

PART 5:
~~~~~~

How to Crack Disk Cleanup 3.5
bY dAvId/nIgHtMaRe'1

Welcome to my second Cracking Tutorial. Did anyone read my first? Tell me :) Since
this is only my 2nd Tutorial don't expect too much. I made it very easy to follow;
saying that, if you (the Reader) get lost in the Tutorial, DON'T BLAME ME he he.

Please excuse my bad English, it's not my mother language... I'm Danish. Is it
really that bad?

If you like this Tutor #2 please e-mail and tell me what you think about it; I would
be very, very happy to get some response about it. Well, enough foreplay, let's crack.

Where:  http://www.execpc.com/~sbd

TOOLS:
  Soft-Ice 3.24
  A Cup of coffee - You can also drink Tea
  a Ciggy

Start the program and go to register and enter:

  Name     dAvId/nIgHtMaRe'1  or any name you like
  Company  nO fEaR            or any company you like
  Serial   123454

Go into Soft-Ice (ctrl+d). Do a bpx on getdlgitemtexta. Soft-Ice pops up and you are
in User32. Ok, press F11 to leave User32. Remember there are 3 boxes, so press F11
F5 F11 F5 F11. You should now be looking at this:

:00407DC1 FFD5                    call ebp
:00407DC3 8D442410                lea eax, dword ptr [esp+10]
:00407DC7 50                      push eax

Now keep pressing F10 until you see:

:00407E17 3BC5                    cmp eax, ebp
:00407E19 741E                    je 00407E39
:00407E1B 68CFEA0000              push 0000EACF
:00407E20 6888130000              push 00001388

Do a "? ebp", you should see your dummy code 123454. Do a "? eax", you should see
your real code, in my case 3831551994.

Ok, do a "bd *" (Disable All Break Points) and press F5 or ctrl+d to leave S-Ice.
You'll get the message:

  ( An invalid software registration number was detected. Please double check the
    spelling and capitalization of your user name and organization or re-enter the
    registration number that was provided to you. )

Press ok and go to register and enter:

  Name     dAvId/nIgHtMaRe'1
  Company  nO fEaR
  Serial   3831551994

You should now get the message: Software registration was successfully completed.
Thank you for registering Disk CleanUp for Windows. Your name and organization will
now be listed as the registered user in the program splash box.

*Boom* **Regged** voila, you cracked Disk CleanUp 3.5.

Tutor #2 Written bY dAvId/nIgHtMaRe'1 on 7 April 1999
Wanna contact me? Yeah, it's possible, e-mail me at dAvIdnM1@usa.net

PART 6:
~~~~~~

=========================
 How to crack WinZip v7.0
=========================

In this tutorial I'll show u how to patch WinZip7 so that u can enter any name and
any serial number to register it.

Used Tools
==========
W32Dasm v8.93
SoftICE v3.2
Hiew v6.00
(if u don't have these programs, get 'em here: http://surf.to/HavestR)

Target
======
WinZip v7.0 (1260) (http://www.winzip.com)

How to patch it
===============
After u have installed the program, start it and click 'Enter Registration
Code...'. When u type your name and the correct serial it will be registered. So
type something for Name and Registration # and click 'ok'.
'Incomplete or incorrect information.'

1) Load SoftIce and set a breakpoint on 'getdlgitemtexta' (bpx getdlgitemtexta).

2) Switch back to the WinZip Registration Menu and click 'ok' again.

3) Now SI appears and u r in the 'getdlgitemtexta' function. Use F11 to get out of
   it.

:0040800B 6A29                    push 00000029
:0040800D 53                      push ebx             << the value stored in ebx is
:0040800E 68800C0000              push 00000C80           the address of your name
:00408013 57                      push edi

* Reference To: USER32.GetDlgItemTextA, Ord:00F5h
|
:00408014 FF150C844600            Call dword ptr [0046840C]
:0040801A 53                      push ebx             << Here u r after pressing F11
:0040801B E822160200              call 00429642
:00408020 59                      pop ecx
:00408021 53                      push ebx
:00408022 E844160200              call 0042966B

When u type 'd ebx' u can see that this function was responsible for getting your
name.

4) Press 'Ctrl+d' to get to the next 'getdlgitemtexta'. SI stops in the function
   again, so press F11 to get out of it again.
:0040802D 6A0B                    push 0000000B
:0040802F 56                      push esi             << the value in esi is the
:00408030 68810C0000              push 00000C81           memory address of your serial
:00408035 57                      push edi

* Reference To: USER32.GetDlgItemTextA, Ord:00F5h
|
:00408036 FF150C844600            Call dword ptr [0046840C]
:0040803C 56                      push esi             << After pressing F11 u r here
:0040803D E800160200              call 00429642
:00408042 59                      pop ecx
:00408043 56                      push esi
:00408044 E822160200              call 0042966B
:00408049 803D18D9470000          cmp byte ptr [0047D918], 00
:00408050 59                      pop ecx
:00408051 745F                    je 004080B2
:00408053 803D48D9470000          cmp byte ptr [0047D948], 00   << checks if serial is equal to 0
:0040805A 7456                    je 004080B2                   << if yes, jump to error message
:0040805C E8EAFAFFFF              call 00407B4B                 << calculates serial and compares to
                                                                   the given serial. if your serial
                                                                   is incorrect, eax is 0
:00408061 85C0                    test eax, eax                 << test if eax=0
:00408063 744D                    je 004080B2                   << if yes, jump to error message
:00408065 53                      push ebx

U can trace through the code by pressing F10 (F8 to get into the calls). Then the
annotations above will become clear.

There are various possibilities to patch the file. One way is to modify the
calculate/check function (call 00407b4b) so that EAX is not 0 when leaving the call.
(Only changing the three 'je's to nop or something like that is not a good idea,
because the check function is probably used in another part of the program, for
example every time it starts or ends.)

5) Trace through the code until the cursor is at 'call 00407b4b', go into the call
   using F8 and press F10 until u have reached the 'ret' (ret = 'go back to the
   call').

:00407CA6 682C010000              push 0000012C
:00407CAB 8D85C0FEFFFF            lea eax, dword ptr [ebp+FFFFFEC0]
:00407CB1 6A00                    push 00000000
:00407CB3 50                      push eax
:00407CB4 E837E40400              call 004560F0
:00407CB9 A16CB04700              mov eax, dword ptr [0047B06C]    << !
:00407CBE 83C40C                  add esp, 0000000C
:00407CC1 5F                      pop edi
:00407CC2 5E                      pop esi
:00407CC3 5B                      pop ebx
:00407CC4 C9                      leave
:00407CC5 C3                      ret

U should see something like the code above.
EAX should be different from 0 to register the program successfully. And u can see
a command that modifies the EAX register (mov eax, dword ptr [0047B06C]). So u only
have to change this line to 'mov eax,1' to make this function always return a '1'.

6) The patch: Make a copy of winzip32.exe and load it into W32Dasm. When
   disassembling has finished, click on 'Goto Code Location' and enter '00407cb9'.
   U have got this address from SoftIce (look at the code up there). Now u can see
   the same code as in SoftIce and u can find out the offset in winzip32.exe where
   the code is located ('status bar'). In my case it is '70B9' (the 'h' only
   indicates that it is a hexadecimal value).

7) Close WinZip. Start Hiew with 'winzip32.exe', press F4 and choose decode. After
   pressing F5, u can enter an offset. Type '70b9'. U should see this:

.00407CB9: A16CB04700              mov eax,[00047B06C]    << !
.00407CBE: 83C40C                  add esp,00C ;" "
.00407CC1: 5F                      pop edi
.00407CC2: 5E                      pop esi

   Now the 'mov eax, [00047B06C]' has to be changed to 'mov eax,1':
   - type F3 to edit the file
   - type F2 to give an assembler instruction
   - change mov eax,[00047B06C] to mov eax, 1
   - press enter and escape
   - save the file by pressing F9 and close Hiew using F10

8) Now start the program and type your name and a serial u want: and it worx!

Notice: The addresses mentioned above can be different on your system.

Remarks? Write me: the_nitehawk@hotmail.com

PART 7:
~~~~~~

-==[NovA]==- Tutor #4

It is very, very easy.

Program : WindowBlinds .85 (update) (prob works on other versions)
URL     : www.stardock.com
Toolz   : 1) Softice

Let's get started...

1) Start up WindowBlinds and it asks for ur reg info. Click "Register".

2) Enter your name ( -==[NovA]==- for me) and in the Reg code box, type something
   that is different.. ( bitchass1 for me)

3) So, we have name: -==[NovA]==-  reg code: bitchass1

4) Press Ctrl + D to go to SoftIce.
   Set a bpx on getwindowtexta ( bpx getwindowtexta ).

5) Then press enter, and SoftIce pops up. Press "F5" to go to the serial code, then
   "F11" to trace.

6) Now, we will -Search- for our serial number. Type:

     s 0 l ffffffff 'bitchass1'

   (s = search, 0 = start address, l ffffffff = length, 'bitchass1' = search for
   "bitchass1"). Replace bitchass1 with ur serial.

7) Then it should pop up ur reg code in the top data window. Look at ur code, then
   look 2 lines below it.. see a WB-xxxxxxx <-- yep, that's YOUR reg code!

* If you want to practice doing it urself... delete the registry entry @
  [HKEY_LOCAL_MACHINE\Software\Stardock\WindowBlinds\WB5.INI\INSTALLED]

___________________________________________
Name: -==[NovA]==-
Registration Code: WB-7eca067
____________

-==[NovA]==-
nova@email.com
http://surf.to/nova

We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #22
soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
  [K]in[G] for the Splash Logo.
  NovA for providing a tut in this version.
  NiteHawk for providing a tut in this version.
  PinguTM for providing 3 tuts in this version.
  dAvId/nIgHtMaRe for providing 2 tuts in this version.
  tKC/CiA (hey it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next
tutorials.. see below for my email address!

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99

Compiled on 21 April 1999

Cracking Tutorial #21 is dedicated to all the crackers...
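Editor's added example for Parts 1-4 and 6 above. This is not code from tKC's tutorial, from any of the contributed tuts, or from any program named in them. Every one of those parts ends the same way: the register check sets AL or EAX, one `test` plus `je`/`jne` decides, and the whole patch is a single opcode flip (74 to 75, or 0F84 to 0F85) at a file offset found in Hiew. The defensive counterpart is a build-time digest over the bytes around each such gate that the program re-checks at start-up, so that the edit is at least noticed and can be tied to the region it hit. The byte strings are constructed for the demo (they follow the shape of the Part 1 listing but are not NetBus bytes), and only one region is registered on purpose, so that a change outside it is missed: the same coverage problem Parts 1 and 3 ran into when a second check turned up.

```python
"""Detecting a one-byte 'bad boy' jump patch with per-region code digests."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    name: str
    start: int     # offset of the first guarded byte
    length: int
    digest: str    # hex SHA-256 of the bytes, recorded at build time


def digest_of(code: bytes, start: int, length: int) -> str:
    return hashlib.sha256(code[start:start + length]).hexdigest()


def build_regions(code: bytes, gates: dict[str, tuple[int, int]]) -> list[Region]:
    """Build-time step: record the reference digest of every guarded region."""
    return [Region(n, s, ln, digest_of(code, s, ln)) for n, (s, ln) in gates.items()]


def verify_regions(code: bytes, regions: list[Region]) -> list[str]:
    """Run-time step: names of the regions whose bytes no longer match."""
    return [r.name for r in regions if digest_of(code, r.start, r.length) != r.digest]


def simulate_edit(code: bytes, offset: int, value: int) -> bytes:
    """Return a copy with one byte changed, the effect of Hiew's F3/F9 edit on disk."""
    return code[:offset] + bytes([value]) + code[offset + 1:]


# Constructed "code section" with the shape of the Part 1 listing:
#   call <check> / test al,al / je <bad boy> / mov ecx,40h / filler
CODE = bytes.fromhex(
    "e8 fb 57 ff ff"    # call   serial check
    "84 c0"             # test   al, al
    "74 14"             # je     bad boy   <- the byte the tuts change to 75
    "b9 40 00 00 00"    # mov    ecx, 00000040
    "90 90 90 90"       # filler, constructed
)
GATE_OFFSET = 7          # offset of the 0x74 opcode in CODE
UNGUARDED_OFFSET = 15    # inside the filler, outside every registered region

# Only the bytes from `test` through `mov` are guarded (deliberate gap).
REGIONS = build_regions(CODE, {"register_gate": (5, 9)})


def startup_self_check(code: bytes) -> bool:
    """What a hardened build would run at start: True if every region is intact."""
    return not verify_regions(code, REGIONS)


if __name__ == "__main__":
    print("pristine intact:", startup_self_check(CODE))
    patched = simulate_edit(CODE, GATE_OFFSET, 0x75)        # je -> jne
    print("after gate patch, damaged regions:", verify_regions(patched, REGIONS))
    elsewhere = simulate_edit(CODE, UNGUARDED_OFFSET, 0xCC)
    print("edit outside the regions noticed:", not startup_self_check(elsewhere))
```

Two things follow from running it. The check names the region that changed, which is more useful to a vendor than a bare "tampered" flag, but it only sees what it covers: Part 1 found a second gate in the nag code and Part 3 a "Bad boy #2", and any gate left out of `REGIONS` is invisible. And the self-check is itself code in the same file, so it can be edited like any other `je`; NiteHawk's remark in Part 6 that the check function is called from several places is the same observation from the other side. Integrity checks raise the cost of the edit, they do not make it impossible.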
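Editor's added example for Part 5 (and the check function of Part 6). It is not code from Disk Cleanup, WinZip or any other program in this tutorial. In Part 5 the program computes the correct serial from the name and compares it with the typed one, so at `cmp eax, ebp` both operands sit in registers and `? eax` simply prints the answer; in Part 6 the check function returns 0 or 1 in EAX. The weak scheme below has exactly that property, and the hardened scheme beside it verifies a signature instead: the program ships only a public key, the correct serial is never recomputed, and the compare is done on digests in constant time. The vendor secret, the serial derivation and the key pair are all constructed for the demo; the signature is textbook RSA over two small primes so that the block runs with the standard library alone, which is fine for showing the data flow but not something to ship (real code uses a library, proper padding and a 2048-bit or larger key).

```python
"""Plaintext serial compare (readable at the cmp) vs. signature verification."""
from __future__ import annotations

import hashlib
import hmac

# --- Weak design, as seen in Part 5 ---------------------------------------
VENDOR_SECRET = b"demo-vendor-secret"   # constructed; in this design it ships inside the binary


def expected_serial(name: str) -> str:
    """Constructed derivation: the program can regenerate the right answer itself."""
    return hashlib.sha256(VENDOR_SECRET + name.encode()).hexdigest()[:10]


def weak_check(name: str, typed: str) -> tuple[bool, str]:
    """Verdict plus the value sitting next to the typed serial at the compare.
    That second value is what `? eax` showed in Part 5: the real code in plaintext."""
    expected = expected_serial(name)
    return typed == expected, expected


# --- Hardened design: verify a signature, hold only the public key --------
# Textbook RSA with small constructed primes, illustration only.
P, Q = 1000003, 998244353
N = P * Q
E = 65537                       # public exponent, the only key material the program ships


def name_digest(name: str) -> int:
    """Message the vendor signs: SHA-256 of the name, reduced into the RSA range."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N


def vendor_issue(name: str) -> str:
    """Vendor side only: needs the private exponent, which is never shipped."""
    d = pow(E, -1, (P - 1) * (Q - 1))
    return format(pow(name_digest(name), d, N), "x")


def hardened_check(name: str, typed: str) -> bool:
    """Program side: recompute sig^E mod N and compare digests in constant time.
    Neither operand of the compare is the serial, so reading registers at the
    `cmp` (Part 5) yields nothing usable, and there is no vendor secret in the file."""
    try:
        sig = int(typed, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    lhs = pow(sig, E, N).to_bytes(8, "big")      # N < 2**64, so 8 bytes suffice
    rhs = name_digest(name).to_bytes(8, "big")
    return hmac.compare_digest(lhs, rhs)


if __name__ == "__main__":
    name = "dAvId/nIgHtMaRe'1"
    ok, seen = weak_check(name, "123454")
    print("weak: typed 123454 ->", ok, "| value beside it at the cmp:", seen)
    print("weak: typing that value ->", weak_check(name, seen)[0])
    serial = vendor_issue(name)
    print("hardened: typed 123454 ->", hardened_check(name, "123454"))
    print("hardened: vendor-issued serial ->", hardened_check(name, serial))
    print("hardened: same serial, other name ->", hardened_check("someone else", serial))
```

What the signature does and does not fix: it removes the Part 5 shortcut (no correct value ever exists in the process) and the need for a secret in the binary, so no amount of tracing into the check function recovers a working serial. It does nothing about the Parts 1-4 and 6 shortcut, because `hardened_check` still ends in a single true/false that some `test eax, eax` / `je` consumes; protecting that gate is the separate problem of code integrity, and the two measures are complementary rather than interchangeable.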