Welcome to Cracking Tutorial #23! Ah, what a *good* birthday I had yesterday! :) Not too sick to work on these 2 versions! (#22 and #23) Like I said earlier, nothing is gonna stop me now! :) Anyway, enjoy it! :) Ok, let's rave!

You'll need the following tools: (I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

  SoftIce 3.25
  W32Dasm 8.93
  Hacker's View 6.04
  SmartCheck 6.03
  TASM 5.00
  Windows Commander 3.53 (I use it coz it's easier to multitask)

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good cracking sites where you can grab tools from:

  http://surf.to/HarvestR or http://harvestr.cjb.net
  http://catalyst.intur.net/~Iczelion/tools.html
  http://www.suddendischarge.com

or ask any crackers to get you these tools! Are you ready?! OK! ;)

PART 1:
~~~~~~

HOW TO CRACK Swapper 3.00,08-02-98
bY dAvid/nIgHtMaRe'1 on April 1999

Welcome to my 9th Cracking Tutorial. This time I'll teach you how to crack Swapper 3.00,08-02-98. Sorry for my bad grammar, but I hope you will understand it anyway...
Tools Used:
  W32Dasm 8.93
  Far 1.52 or any other Norton Commander-like clone
  1 or more cups of coffee (a pot will usually do), you can also drink tea
  1 or more ciggys (a pack will usually do) (smoke 'em baby, smoke 'em) he he

Where:           www.golbesoft.com
Protection Type: serial
Crack Type:      correct serial

Start Swapper 3.00,08-02-98. You'll notice that it's shareware and you should register, and there's a text box in the middle of this app. Go there and enter 123454, press Register. You'll get an error telling you to contact the company to get a valid registration key. Yeah right. Remember the message 'cause you'll need it.

Go to Far, copy swapper.exe to swapper.w32 for use with W32Dasm. Start W32Dasm and disassemble swapper.w32. When done, go to the Strn Ref button, click it and go down until you see "Successful Registration". Double click it and close down the Strn Ref window and you'll be here:

  * Possible StringData Ref from Data Obj ->"Successful Registration!"
                                    |
  :004013B3 68D8E14300              push 0043E1D8

  * Possible StringData Ref from Data Obj ->"You now have unlimited access "

Press the up arrow till you see:

  * Possible StringData Ref from Data Obj ->"0492710223"
                                    |
  :0040139B 68F4E14300              push 0043E1F4
  :004013A0 51                      push ecx
  :004013A1 E8FAF10000              call 004105A0
  :004013A6 83C408                  add esp, 00000008
  :004013A9 85C0                    test eax, eax
  :004013AB 0F8587000000            jne 00401438
  :004013B1 6A40                    push 00000040

Hey, what's this? No, it can't be that easy, can it? Well, try it. When Swapper 3.00,08-02-98 starts, enter 0492710223. You'll get a message telling you "Successful Registration" and you have access to all features of Swapper 3.00,08-02-98. Cool, you cracked it!
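Part 1 found the serial because the program compares the typed code against a literal that sits in the data section right beside the registration messages, so W32Dasm's String Data References listed it. The Python below is an added example, not code from this tutorial or from Swapper's author: a strings-style scanner of the kind a developer can run over their own build before shipping, applied to two constructed byte blobs, one laid out like the literal-compare build and one that stores only the SHA-256 digest of the serial. The blob layout, the filler bytes, the serial-shape heuristic and the digest design are all constructed for illustration; the only value taken from the page is the serial 0492710223.

```python
import hashlib
import hmac
import re
import string

# Bytes a strings-style scan treats as text: printable ASCII minus the
# control whitespace (tab, newline, etc.).
_PRINTABLE = frozenset(string.printable.encode("ascii")) - frozenset(b"\t\n\r\x0b\x0c")

def find_strings(blob, min_len=6):
    """Return every run of at least min_len printable bytes, like `strings`.
    W32Dasm's String Data References come from a scan of this kind."""
    found, run = [], bytearray()
    for b in blob + b"\x00":                 # trailing NUL flushes the last run
        if b in _PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found

# Shapes of the two serials found on this page: an all-digit code (Part 1)
# and a letters-digits-letters code (Part 2). A constructed heuristic only.
_SERIAL_SHAPE = re.compile(r"^(?:\d{8,12}|[A-Z]{2,4}\d{4,6}[A-Z]{2,6})$")

def candidate_serials(strs):
    """Strings whose shape matches a serial; in a real image the hits sit
    right beside the registration messages, as in the Strn Ref window."""
    return [s for s in strs if _SERIAL_SHAPE.match(s)]

SERIAL = "0492710223"                        # Part 1's serial, here only as sample data
_DIGEST = hashlib.sha256(SERIAL.encode("ascii")).digest()
_MESSAGES = b"Successful Registration!\x00You now have unlimited access \x00"
_FILLER = bytes.fromhex("558bec83ec10ff")    # constructed non-text bytes, not real code

def literal_image():
    """Literal-compare build: the serial itself is stored next to the
    messages, which is what the Strn Ref window exposed in Part 1."""
    return _FILLER + _MESSAGES + SERIAL.encode("ascii") + b"\x00" + _FILLER

def digest_image():
    """Digest-compare build: only SHA-256(serial) is stored, so no serial
    string exists anywhere in the file."""
    return _FILLER + _MESSAGES + _DIGEST + _FILLER

def check_serial_literal(typed):
    """What the `call 004105A0 / test eax, eax` pair amounts to: a string compare."""
    return typed == SERIAL

def check_serial_digest(typed):
    """The hashed build's check: hash the typed code and compare digests."""
    return hmac.compare_digest(hashlib.sha256(typed.encode("ascii")).digest(), _DIGEST)

if __name__ == "__main__":
    for name, image in (("literal-compare", literal_image()), ("digest-compare", digest_image())):
        print(name, "strings:", find_strings(image))
        print(name, "serial candidates:", candidate_serials(find_strings(image)))
```

Storing a digest keeps the serial out of a strings scan, but it does nothing about the `test eax, eax / jne` that follows the compare: that is still a single-byte patch point, which is exactly what the later parts of this tutorial go after.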
This one is way easy, too easy, but there are still proggies like this. If you got any comments or questions, send 'em to me; if I got enough time I'll send you an e-mail back. You might find me on IRC/EFNET in the channel #c.i.a under the nick dAvId_nM1; if I got time I'll chat. Anyway, I hope to see you in tutor #10.

Cracking Tutorial #9
Written bY dAvid/nIgHtMaRe'1 on April 1999
Wanna contact me? Yeah, it's possible: e-mail me at dAvIdnM1@usa.net

PART 2:
~~~~~~

HOW TO CRACK Blueprint Web Scripting Editor 1.03
On April 1999

Welcome to my 10th Cracking Tutorial. This time I'll teach you how to crack Blueprint Web Scripting Editor 1.03. Sorry for my bad grammar, but I hope you will understand it anyway...

Tools Used:
  W32Dasm 8.93
  Far 1.52 or any other Norton Commander-like clone
  1 or more cups of coffee (a pot will usually do), you can also drink tea
  1 or more ciggys (a pack will usually do) (smoke 'em baby, smoke 'em) he he

Where:           http://www.blueprintsoftware.com.au
Protection Type: serial
Crack Type:      correct serial

Start the program. You'll notice a nag screen and a Register box. Go to the box, enter the name dAvId/nIgHtMaRe'1 or any name you like, enter the company nO fEaR or any company you like, enter the code 123454 or any code you like. You'll get an error telling you this: <-You have entered the wrong registration key->. Note it.

Go to Far, copy webse.exe to webse.w32 for use with W32Dasm. Start W32Dasm and disassemble webse.w32. When done disassembling, go to the Strn Ref button, click it, now go down until you see <-You have entered the wrong registration key->. Double click it and close down the Strn Ref window. You'll be here:

  * Possible StringData Ref from Data Obj ->"You have entered the wrong registration "
                                          ->"key"

Now keep pressing up and you'll end here:

  * Possible StringData Ref from Data Obj ->"BRG00027BLUE"

Wow, that easy, huh??
Well, let's try it. Start Web Scripting Editor 1.03, go to the Register box, enter the name dAvId/nIgHtMaRe'1 or any name you like, enter the company nO fEaR or any company you like, and enter as code BRG00027BLUE. You'll now get the "thank you for registering". WOW, too easy, huh? Cool, you cracked Web Scripting Editor 1.03.

If you got any comments or questions, send 'em to me; if I got enough time I'll send you an e-mail back. You might find me on IRC/EFNET in the channel #c.i.a under the nick dAvId_nM1; if I got time I'll chat. Anyway, I hope to see you in tutor #11.

Cracking Tutorial #10
Written bY dAvid/nIgHtMaRe'1 on April 1999
Wanna contact me? Yeah, it's possible: e-mail me at dAvIdnM1@usa.net

PART 3:
~~~~~~

HOW TO CRACK BVS Solitaire Collection 2.2
On April 1999

Welcome to my 11th Cracking Tutorial. This time I'll teach you how to crack BVS Solitaire Collection 2.2. Sorry for my bad grammar, but I hope you will understand it anyway...

Tools Used:
  W32Dasm 8.93
  Far 1.52 or any other Norton Commander-like clone
  Hiew 6.04
  1 or more cups of coffee (a pot will usually do), you can also drink tea
  1 or more ciggys (a pack will usually do) (smoke 'em baby, smoke 'em) he he

Where:
Protection Type: serial
Crack Type:      *PATCH*

Start BVS Solitaire Collection 2.2. You notice "Unregistered" in the title bar and you can't play all solitaire games. Sux. Go to Help:Register, enter 123454 and you'll get a message telling you "Sorry, but Your Registration code is invalid."

Go to Far, copy cards.exe to cards.w32 for use with W32Dasm, and copy cards.exe to cards.exx just in case you fuck up, he he. Fire up W32Dasm and disassemble cards.w32. When done, go to the Strn Ref button, click it and go down until you see <-Sorry, but Your Registration code->. Double click on it and close down the Strn Ref window and you'll land here:

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:00499EE6(C)
  |
  :00499F2A 6A00                    push 00000000

  * Possible StringData Ref from Code Obj ->"Sorry, but Your registration code "
                                          ->"is invalid."
                                    |
  :00499F2C B9BC9F4900              mov ecx, 00499FBC

  * Possible StringData Ref from Code Obj ->"Invalid registration code"

Follow the (U)nconditional or (C)onditional jump: press Shift+F12 and enter 00499EE6, press Enter and you'll land here:

  :00499EDF E8BCB7FDFF              call 004756A0       <- remember this call
  :00499EE4 84C0                    test al, al         <- is it regged?
  :00499EE6 7442                    je 00499F2A         <- no, go to bad cracker
  :00499EE8 6A00                    push 00000000

  * Possible StringData Ref from Code Obj ->"Congratulation"
                                    |
  :00499EEA B9589F4900              mov ecx, 00499F58

  * Possible StringData Ref from Code Obj ->"Thank You for registering BVS "

Well, if you change the je (74) to jne (75) it will register, right? Try it. Fire up Hiew on cards.exe, press F4, select decode mode, press F5, enter 99E26, press F3, change 74 to 75, press F9 to update the file.

Start BVS Solitaire Collection 2.2, go to Help:Register, enter any key and you'll get the thank you message. Now restart BVS Solitaire Collection 2.2. Is it still regged? nO! oH FUCK, what now? Do you remember the call I told you to? I bet you do, right. Oh well, back to W32Dasm. Press the Search button, enter 004756A0, search up. You'll find it here:

  :00478E0C E88FC8FFFF              call 004756A0       <- the call, cool
  :00478E11 84C0                    test al, al         <- is it regged?
  :00478E13 7546                    jne 00478E5B        <- no, bad user

Fire up Hiew on cards.exe, press F4, select decode mode, press F5, enter 78213, press F3, change 75 to 74, press F9 to update the file. Go back to W32Dasm. Better check if there are any more good/bad reg checks, right? Press F3 in W32Dasm, it will keep searching up. Heh, one more. Sux. Here:

  :00478CE5 E8B6C9FFFF              call 004756A0       <- the call, cool
  :00478CEA 84C0                    test al, al         <- is it regged?
  :00478CEC 7535                    jne 00478D23        <- no, bad user

Fire up Hiew on cards.exe, press F4, select decode mode, press F5, enter 780EC, press F3, change 75 to 74, press F9 to update the file. Go back to W32Dasm. Better check if there are any more good/bad reg checks, right?
Press F3 in W32Dasm, it will keep searching up. Heh, one more. Sux. Fuck, what is this crap, another one:

  :00477E31 E86AD8FFFF              call 004756A0       <- the call, cool
  :00477E36 84C0                    test al, al         <- is it regged?
  :00477E38 7511                    jne 00477E4B        <- no, bad user

Fire up Hiew on cards.exe, press F4, select decode mode, press F5, enter 77238, press F3, change 75 to 74, press F9 to update the file. Go back to W32Dasm. Better check if there are any more good/bad reg checks, right? Press F3 in W32Dasm, it will keep searching up. Heh, one more. Sux. Fuck again, wow, fucking many fucking check points:

  :00477489 E812E2FFFF              call 004756A0       <- the call, cool
  :0047748E 84C0                    test al, al         <- is it regged?
  :00477490 7521                    jne 004774B3        <- no, bad user

Fire up Hiew on cards.exe, press F4, select decode mode, press F5, enter 76890, press F3, change 75 to 74, press F9 to update the file. Go back to W32Dasm. Better check if there are any more good/bad reg checks, right? Press F3 in W32Dasm, it will keep searching up. It only finds the procedure.

Start BVS Solitaire Collection 2.2. No "Unregistered" string in the title, you can select and play all games, and there's no reference to the Help:Register box any more. It's just regged. Good, that's what we wanted. Wow, I never saw that many check points before, what is this crap? Anyway, you cracked BVS Solitaire Collection 2.2. Cool, huh?? Yes, it's cool, but we are not done yet. We don't wanna change that many bytes just to register this game, do we???? NO NO NO, there must be an easier way, right?
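Every check point patched so far (and every patch in Parts 4 to 6 below) is a relative conditional jump whose target W32Dasm printed next to it, plus a file offset that Hiew needs instead of the virtual address. The Python below is an added example, not code from this tutorial or from any program it discusses: a small parser for the two listing formats on this page that decodes the short (7x rel8) and near (0F 8x rel32) jump forms, recomputes each listed target from the raw bytes, and derives the constant that turns a VA into a file offset from one pair the tutorial gives. The sample lines are copied from the listings on this page (the comments name the part); the alias table is my own, and the VA-to-offset constant holds only inside one PE section, since it is VA minus ImageBase minus the section's VirtualAddress plus its PointerToRawData.

```python
import re

# Two line shapes appear on this page: ":00499EE6 7442  je 00499F2A" (Parts 1-4)
# and the address fused to the opcode bytes, "1002FEF57562 jne 1002FF59" (Part 5).
_LINE = re.compile(r"^:?([0-9A-Fa-f]{8})\s*([0-9A-Fa-f]+)\s+([A-Za-z]+)\s*(.*)$")

# Condition-code nibble of Jcc. It is the same for the short form 7x and the
# near form 0F 8x, which is why Part 4 can say "86 and 84 are the same as 76 and 74".
_CC = ["jo", "jno", "jb", "jnb", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]
_ALIAS = {"jz": "je", "jnz": "jne", "jc": "jb", "jnc": "jnb", "jae": "jnb",
          "jnae": "jb", "jna": "jbe", "jnbe": "ja", "jnl": "jge", "jnge": "jl",
          "jng": "jle", "jnle": "jg"}

def parse_line(line):
    """Split one listing line into (address, opcode bytes, mnemonic, operand text)."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("not a listing line: %r" % line)
    addr, hexbytes, mnem, ops = m.groups()
    return int(addr, 16), bytes.fromhex(hexbytes), mnem.lower(), ops.strip()

def decode_jump(addr, code):
    """Decode jmp rel8 (EB), Jcc rel8 (7x) or Jcc rel32 (0F 8x) at addr.
    Returns (mnemonic, target) or None when the bytes are not such a jump."""
    op = code[0]
    if op == 0xEB and len(code) == 2:
        mnem, rel, size = "jmp", int.from_bytes(code[1:2], "little", signed=True), 2
    elif 0x70 <= op <= 0x7F and len(code) == 2:
        mnem, rel, size = _CC[op & 0xF], int.from_bytes(code[1:2], "little", signed=True), 2
    elif op == 0x0F and len(code) == 6 and 0x80 <= code[1] <= 0x8F:
        mnem, rel, size = _CC[code[1] & 0xF], int.from_bytes(code[2:6], "little", signed=True), 6
    else:
        return None
    # The displacement is relative to the instruction that follows the jump.
    return mnem, (addr + size + rel) & 0xFFFFFFFF

def check_listing(lines):
    """For every jump in the listing, compare W32Dasm's printed target with the
    target recomputed from the raw bytes. Returns [(addr, mnemonic, ok), ...]."""
    results = []
    for line in lines:
        addr, code, mnem, ops = parse_line(line)
        decoded = decode_jump(addr, code)
        if decoded is None:
            continue
        dec_mnem, target = decoded
        ok = _ALIAS.get(mnem, mnem) == dec_mnem and int(ops.split()[0], 16) == target
        results.append((addr, mnem, ok))
    return results

def image_delta(va, file_offset):
    """VA minus file offset; constant inside one PE section, so one pair the
    listing gives (VA and its @offset) yields every other offset in that section."""
    return va - file_offset

def to_file_offset(va, delta):
    return va - delta

# Lines copied from this page's listings (the comments name the part).
SAMPLE = [
    ":004013AB 0F8587000000 jne 00401438",   # Part 1, near form
    ":00499EE6 7442 je 00499F2A",            # Part 3, short form
    ":00478E13 7546 jne 00478E5B",           # Part 3
    ":0042EDD2 0F8607030000 jbe 0042F0DF",   # Part 4, near form, forward
    ":0042EE04 0F8548FFFFFF jne 0042ED52",   # Part 4, negative rel32 (backward jump)
    "1002FEF57562 jne 1002FF59",             # Part 5, fused address/bytes format
    "1002FF4A780D js 1002FF59",              # Part 5
    ":004756A0 55 push ebp",                 # Part 3, not a jump: skipped
]

if __name__ == "__main__":
    for addr, mnem, ok in check_listing(SAMPLE):
        print("%08X %-4s %s" % (addr, mnem, "ok" if ok else "MISMATCH"))
    # Part 4 gives 0042EDD2 <-> 0002E1D2; the same constant yields Part 4's second offset.
    delta = image_delta(0x0042EDD2, 0x0002E1D2)
    print("delta %08X, 0042EE04 -> %05X" % (delta, to_file_offset(0x0042EE04, delta)))
```

Feeding `decode_jump` the bytes after a patch shows what the patch means in the listing's own terms: `74 42` at 00499EE6 decodes to `je 00499F2A`, `75 42` to `jne` with the same target, and a rel8 of `00` (Part 5's `7500`) is a jump to the very next instruction.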
Restore the original exe: copy cards.exx to cards.exe. You'll now have the unregged exe back. Good, let's find an easier way. Let's look at the procedure: press Shift+F12 and enter 004756A0 and you'll end up here:

  :004756A0 55                      push ebp
  :004756A1 8BEC                    mov ebp, esp
  :004756A3 81C4ECFDFFFF            add esp, FFFFFDEC
  :004756A9 33D2                    xor edx, edx
  :004756AB 8995ECFDFFFF            mov dword ptr [ebp+FFFFFDEC], edx
  :004756B1 8955F8                  mov dword ptr [ebp-08], edx
  :004756B4 8945F0                  mov dword ptr [ebp-10], eax
  :004756B7 8B45F0                  mov eax, dword ptr [ebp-10]
  :004756BA E8D1E6F8FF              call 00403D90
  :004756BF 33C0                    xor eax, eax
  :004756C1 55                      push ebp
  :004756C2 68C45A4700              push 00475AC4
  :004756C7 64FF30                  push dword ptr fs:[eax]
  :004756CA 648920                  mov dword ptr fs:[eax], esp
  :004756CD C645FF00                mov [ebp-01], 00     <- hey, what's this?? he he
  :004756D1 8D45F8                  lea eax, dword ptr [ebp-08]

Ah. Fire up Hiew on cards.exe, press F4, select decode mode, press F5, enter 74ACD, press F3, change 00 to 01, press F9 to update the file. Run BVS Solitaire Collection 2.2. Hey look, it's fully regged. Cool. I think it's better and faster just to change one byte. Next time you crack a program, try to follow the procedure; it's usually a lot faster.

Well, cool, you cracked BVS Solitaire Collection 2.2 again. I hope you learned something from this tutorial. See you in tutor #12. If you got any comments or questions, send 'em to me; if I got enough time I'll send you an e-mail back. You might find me on IRC/EFNET in the channel #c.i.a under the nick dAvId_nM1; if I got time I'll chat. Anyway, I hope to see you in tutor #12.

Cracking Tutorial #11
Written bY dAvid/nIgHtMaRe'1 on April 1999
Wanna contact me? Yeah, it's possible: e-mail me at dAvIdnM1@usa.net

PART 4:
~~~~~~

Target: NBA Live '98
Cracked by: Cloud [StarGazer]

Things you need:
  HIEW 6.04
  W32Dasm 8.93
  Any drink will do... I prefer Fanta

Note! This is my first doc, so I apologize for my spelling mistakes and any other errors I've possibly made. Also my English is not perfect, 'cuz my mother language isn't English.

Our target is NBA 98.
Be sure to make a full install (everything... audio, movies...). So let's start with launching NBA 98 without a CD in the drive. The screen goes black and tells "please insert... blah blah". We don't wanna see this, do we? So make two copies of Nbawin.exe (nbawin.bak and nbawin.w32). I use .bak to recover the original file if I happen to screw it... .w32 is the one I load into W32Dasm.

Now load nbawin.w32 into W32Dasm and go to Strn Ref. Search for the string "please insert.." (you can use the typical search if you want, I prefer checking out the strings). Found it? Kewl! This is what you should see:

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0042EDD2(C)                                         <--- Interesting...
  |
  :0042F0DF 25FFFF0000              and eax, 0000FFFF
  :0042F0E4 FF248518E94200          jmp dword ptr [4*eax+0042E918]

  * Possible StringData Ref from Data Obj ->"Please insert your NBA Live 98 "
                                          ->"CD and press ENTER"
                                    |
  :0042F0EB 6848115A00              push 005A1148
  :0042F0F0 68C8000000              push 000000C8
  :0042F0F5 55                      push ebp
  :0042F0F6 E8D5DF0F00              call 0052D0D0
  :0042F0FB 83C40C                  add esp, 0000000C

Assuming you found the place and noticed my interesting tip, you have already moved to that location (0042EDD2):

  :0042EDA3 B8C4855D00              mov eax, 005D85C4
  :0042EDA8 E8D3C80F00              call 0052B680
  :0042EDAD B8000000FF              mov eax, FF000000
  :0042EDB2 E8356E0F00              call 00525BEC
  :0042EDB7 89C2                    mov edx, eax
  :0042EDB9 B8FFFFFFFF              mov eax, FFFFFFFF
  :0042EDBE E8296E0F00              call 00525BEC
  :0042EDC3 E848CA0F00              call 0052B810
  :0042EDC8 66A1806A6100            mov ax, word ptr [00616A80]
  :0042EDCE 663D0400                cmp ax, 0004
  :0042EDD2 0F8607030000            jbe 0042F0DF        <--- CD-check?

As you can see, at 0042EDD2 is our CD check, which needs to be removed. JBE should simply be changed to JE. You can do it like this: go to line 0042EDD2. Write down the @offset code, which should be 0002E1D2h. Then load NBAWIN.EXE in HIEW. Press F4 to change the mode to DECODE and then press F5 to go to code location (0002E1D2). Now you should be at the right location. Then press F3 to change to EDIT mode.
Now you can change 0F8|6|07030000 to 0F8|4|07030000. 86 and 84 are the same as 76 and 74. After the change has been made, press F9 and exit HIEW.

Now you try if NBA works without a CD... but what the hell? It doesn't. You can see that you have removed the error message, but as you press ENTER it just doesn't seem to load on. I guess there is also this "real" CD-check which we must remove. So let's go on. Are you able to crack the CD check without my help? No? Ok then. Just follow on...

We shall use "exe" as a search string in W32Dasm. Press the icon representing a flashlight and type exe. It takes a little time to search, but hey, it found something. This is what you should see...

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0042EE04(C)                                         <--- hmm?
  |
  :0042ED52 68846B6100              push 00616B84

  * Possible StringData Ref from Data Obj ->"%snbawin.exe"   --- This is what we searched for

Nothing interesting for us... except the "hmm?" remark. So let's check out the address at 0042EE04:

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0042F0DA(U)
  |
  :0042EDFD 833DB8615C0000          cmp dword ptr [005C61B8], 00000000
  :0042EE04 0F8548FFFFFF            jne 0042ED52        --- Ta-da... A CD check
  :0042EE0A E8D5100F00              call 0051FEE4
  :0042EE0F 31C0                    xor eax, eax
  :0042EE11 BA871A0000              mov edx, 00001A87
  :0042EE16 E845620F00              call 00525060
  :0042EE1B E834110F00              call 0051FF54
  :0042EE20 E84FA30000              call 00439174
  :0042EE25 B8746A5E00              mov eax, 005E6A74
  :0042EE2A E861370F00              call 00522590
  :0042EE2F BA4A000000              mov edx, 0000004A
  :0042EE34 B850625E00              mov eax, 005E6250
  :0042EE39 BB00030000              mov ebx, 00000300
  :0042EE3E E84D370F00              call 00522590
  :0042EE43 BA10000000              mov edx, 00000010
  :0042EE48 B880020000              mov eax, 00000280
  :0042EE4D B900030000              mov ecx, 00000300
  :0042EE52 E85D120F00              call 005200B4

Now go to the line where the CD check is made and write down the @offset code, which should be 2E204. Now go back to HIEW and do everything we did earlier, but the goto location is different (2E204 now).
Press F3 and change 0F8|5|48FFFFFF to 0F8|4|48FFFFFF. And if you did everything right and as I showed, you should be able to play NBA Live 98 without a CD. Congratz! This was an easy one.... wasn't it? If you patched the first CD-check you should've noticed it was only the error message which was then removed. There might be other ways to crack this game. I'm just a newbie... If you happen to know any other way, please e-mail me.

NOTE! Remember to make a full install... install everything. Also remember to press Enter to get past the black screen at the beginning.

Special request: if you're able to help and tell me how I can rip the game (zeroing movies...) without the error message I always get: "Setstreamspeed failed..." or sumthin'... I succeeded ripping Fifa99 'cuz it didn't give any error messages... Please e-mail me if you can help me out.

Greetz to: Blue Dragôn, Sephiroth... and to everyone I know (especially at Kiss' chat). Also huge thanx to tKC's tutors... they've been a great help.

E-mail me at: zakeman@hotmail.com
-Written by Cloud [StarGazer]

PART 5:
~~~~~~

Project 11 - April 26, 1999
+=widY@cL 2011=+ from newbie to another

Tools Used: W32dasm 8.93 - Hiew 6.04
Target:     CompuPic 4.50 build 979
Homepage:   http://www.photodex.com

CompuPic is a high performance, easy to use digital content manager distributed exclusively online by Photodex. Digital Content Managers enable graphic and web designers, digital photography enthusiasts and business and home users to efficiently access and manage digital content stored across a single hard drive or across a network.

---------------------------------------------------------

Ok .. run the program .. aah, we have a trial message .. skip it .. this time we're not gonna find out the correct password .. 'coz we have a more interesting way to register this program .. now look at the title bar .. you should see ' Evaluation Copy ' .. this text won't show up if we are a registered user, right ?! ..
heh, a good hint, don't you think ?! .. let's disassemble compupic.exe .. find the text in SDR .. waah, it's not in here ! .. now disassemble if.dnt .. wait ... wait .. done .. ok, find the text in SDR .. double click on it :

  10004B57 E824B30200          call 1002FE80      ; we must return from this call with EAX=1
  10004B5C 85C0                test eax, eax      ; ANDs 1 with 1, result 1 (zero flag not set)
  10004B5E 753A                jne 10004B9A       ; so we'll jump to 10004B9A (good routine)

  * Possible StringData Ref from Data Obj ->" - Evaluation Copy"

Now let's take a look at what's inside the CALL .. snip .. snip .. aah, here are the interesting parts :

  * Reference To: if._ReadRegVal@12
  1002FEBD E86EE5FFFF          call 1002E430
  1002FEC2 85C0                test eax, eax
  1002FEC4 0F858F000000        jne 1002FF59       ; we should nop this jump
  1002FECA 6639742408          cmp word ptr [esp+08], si
  1002FECF 0F8584000000        jne 1002FF59       ; nop
  1002FED5 668B44240A          mov ax, word ptr [esp+0A]
  1002FEDA 660344240C          add ax, word ptr [esp+0C]
  1002FEDF 668B0DBC630A10      mov cx, word ptr [100A63BC]
  1002FEE6 6603442408          add ax, word ptr [esp+08]
  1002FEEB 662944240E          sub word ptr [esp+0E], ax
  1002FEF0 66394C240E          cmp word ptr [esp+0E], cx
  1002FEF5 7562                jne 1002FF59       ; nop
  1002FEF7 668B44240E          mov ax, word ptr [esp+0E]
  1002FEFC 662944240A          sub word ptr [esp+0A], ax
  1002FF01 662944240C          sub word ptr [esp+0C], ax
  1002FF06 8B4C240C            mov ecx, dword ptr [esp+0C]
  1002FF0A 51                  push ecx
  1002FF0B E8C0EFFFFF          call 1002EED0
  1002FF10 83C404              add esp, 00000004
  1002FF13 8BF8                mov edi, eax
  1002FF15 E876F1FFFF          call 1002F090
  1002FF1A 2BF8                sub edi, eax
  1002FF1C 783B                js 1002FF59        ; nop
  1002FF1E 8B44240A            mov eax, dword ptr [esp+0A]
  1002FF22 50                  push eax
  1002FF23 E8A8EFFFFF          call 1002EED0
  1002FF28 83C404              add esp, 00000004
  1002FF2B 8BF8                mov edi, eax
  * Reference To: KERNEL32.GetTickCount, Ord:0130h
  1002FF2D FF1560470B10        call dword ptr [100B4760]
  1002FF33 2B05B8630A10        sub eax, dword ptr [100A63B8]
  1002FF39 B9E8030000          mov ecx, 000003E8
  1002FF3E 2BD2                sub edx, edx
  1002FF40 F7F1                div ecx
  1002FF42 2BF8                sub edi, eax
  1002FF44 2B3D40180B10        sub edi, dword ptr [100B1840]
  1002FF4A 780D                js 1002FF59        ; nop
  1002FF4C B801000000          mov eax, 00000001  ; coz we must reach this lovely code !
  1002FF51 5F                  pop edi
  1002FF52 5E                  pop esi
  1002FF53 83C414              add esp, 00000014
  1002FF56 C20C00              ret 000C

Fire up Hiew .. open if.dnt .. and make the following changes :

  OFFSET   ORIGINAL BYTES   CRACKED BYTES
  2F2C4    0F858F000000     0F8500000000
  2F2CF    0F8584000000     0F8500000000
  2F2F5    7562             7500
  2F31C    783B             7800
  2F34A    780D             7800

Now run the program .. BOOM .. it's fully registered .. yep, another 3 minutes of cracking .. and once again cracking without using a debugger !

You can write your nick name in the title bar by selecting Help - Enter Password .. put your name and any entry for the rest .. push Register Your Password .. [OK] .. repeat this a few times :) .. your name should be written in the title bar when you re-run the program.

Program settings are stored in the system registry : HKEY_CLASSES_ROOT\CompuPic

Let me know if you have any comments : widya2011@hotmail.com
Copyright (c) 1999. All Rights Reserved.

PART 6:
~~~~~~

Project 12 - April 26, 1999
+=widY@cL 2011=+ from newbie to another

Tools Used: Win32Dasm 8.93 - SoftICE 3.24 - Hiew 6.03
Target:     System Cleaner 98 2.0 Build 2.0.0.34
Homepage:   http://infortechsolutions.com

A hard drive certainly can be a messy place. It can be crammed full of stuff you don't need, or want. Windows applications litter your hard drive with junk that serves no purpose. This junk can cause your PC to slow down and even cause some application problems. System Cleaner 98 fixes and prevents errors in Windows 95 and Windows NT 4.0 by finding and cleaning (deleting) error-producing and space-wasting garbage files. System Cleaner 98 operates by regularly scanning your hard drive for various error producing files and then optionally cleaning them from your system for you. System Cleaner 98 targets specific types of error producing files that common disk utilities, uninstall, defrag, disk-scanning, and sweep-type programs will miss.
The error files that System Cleaner 98 searches for and deletes can produce hazardous results if they are not properly cleaned from your drive on a periodic basis. System Cleaner 98 is a safe, fast, and thorough way of keeping your system running like new.

---------------------------------------------------------

We are limited to 30 days of use + 5 days of grace period as an unregistered user. The Register option in the tray area won't do anything .. even if we click on it ! Let's push the system date 2 months forward .. run the program .. boom .. the expiration message pops up, followed by the registration dialog ! Heh, believe me, you can't make it registered even if you enter the correct code ! So let's forget this stupid thing ! Now push the system date backward and run the program .. boom .. " The system clock has been moved back .. bla bla bla " .. huh, let's finish this naughty Delphi.

We should use the GETLOCALTIME function whenever we're trying to crack a time limit protection. Set BPX GETLOCALTIME and run the program .. boom .. X [ENTER] .. F11 once to get the caller .. you should land in sc98 now .. keep tracing (F10) until you see the 1E value being compared / moved into a register .. snip .. snip .. oh ! :

  0049CE53 BA1E000000          mov edx, 0000001E   ; recognize this ?! .. yep, it's our 30 days trial period
  0049CE58 E8ABA3FEFF          call 00487208
  0049CE5D 8B03                mov eax, [ebx]
  0049CE5F BA05000000          mov edx, 00000005   ; and this ?! .. sure, it's our 5 days grace period
  0049CE64 E86FA4FEFF          call 004872D8
  0049CE69 8B03                mov eax, [ebx]

.. we can make our trial period longer ! e.g. :

  mov edx, 0000001E   CHANGE TO   mov edx, 0FFFFFFF   ; this will give us 268,435,455 days
  mov edx, 00000005   CHANGE TO   mov edx, 0FFFFFFF   ; plus 268,435,455 days of grace period

so we'll have 536,870,910 days of trial period ! he he he, seems we'll enjoy the grace period in hell .. but let's continue our exciting trip 'coz this is not our target ..
  0049CEA2 E875DFFEFF          call 0048AE1C        ; step in here (F8)

We land here :

  0048AE1C 53                  push ebx
  0048AE1D 8BD8                mov ebx, eax
  0048AE1F 8BC3                mov eax, ebx
  0048AE21 E87EACFFFF          call 00485AA4
  0048AE26 84C0                test al, al
  0048AE28 7439                je 0048AE63          ; we should change this code
  0048AE2A 8BC3                mov eax, ebx
  0048AE2C E8D3A1FFFF          call 00485004
  0048AE31 84C0                test al, al          ; AL=1 means we run sc98 for the first time
  0048AE33 7407                je 0048AE3C
  0048AE35 8BC3                mov eax, ebx
  0048AE37 E8A8B1FFFF          call 00485FE4        ; this call pops up the message "Thank you for trying .. bla bla"
  0048AE3C 8BC3                mov eax, ebx
  0048AE3E E829ADFFFF          call 00485B6C
  0048AE43 8BC3                mov eax, ebx
  0048AE45 E8FEA3FFFF          call 00485248
  0048AE4A 84C0                test al, al
  0048AE4C 7515                jne 0048AE63
  0048AE4E 8BC3                mov eax, ebx
  0048AE50 E86FB9FFFF          call 004867C4
  0048AE55 8BC3                mov eax, ebx
  0048AE57 E8D0A6FFFF          call 0048552C        ; step in here (F8), keep tracing until we reach this code :

      0048566A 3BD8            cmp ebx, eax
      0048566C 7D1A            jge 00485688         ; if ebx >= eax then jump to 485688, else it pops up
                                                   ; " The system clock has been moved back .. bla bla bla "

  0048AE5C 8BC3                mov eax, ebx
  0048AE5E E849B1FFFF          call 00485FAC        ; step in here (F8) .. you'll see a routine to check the expiration date
  0048AE63 5B                  pop ebx
  0048AE64 C3                  ret

We don't need that stupid routine, right ?! .. let's fix it .. now fire up Hiew and make the following changes :

  OFFSET   ORIGINAL BYTES   NEW BYTES
  8A228    7439             EB79

Now push your system date 2 months forward and run the program .. does it expire ? NO ! .. now reset the system date back and run the program .. does the stupid message pop up ?! NO ! .. yep, sc98 has been updated !

Now let's make our work more perfect ! .. click on the About button, you should see :

  This program is licensed to : Shareware
  You have 4 days left to Evaluate
  Unregistered evaluation copy

We don't want to see these ugly texts .. do we ?! Double click on the text in SDR ..
we should land here :

  0048F20F 83B81801000000      cmp [eax+00000118], 00
  0048F216 0F8588000000        jne 0048F2A4         ; we should change this code

  * Possible StringData Ref from Code Obj ->"- Shareware -"
  0048F21C BA34F34800          mov edx, 0048F334
  0048F221 8B830C020000        mov eax, [ebx+0000020C]
  0048F227 E88CB7F9FF          call 0042A9B8

  * Possible StringData Ref from Code Obj ->"Unregistered evaluation copy"

Fire up Hiew and make the following changes :

  OFFSET   ORIGINAL BYTES   NEW BYTES
  8E616    0F8588000000     0F8488000000

Now the ugly text has been removed ... let's make it licensed to 'someone' :

  0048F2A4 A194F34900          mov eax, [0049F394]
  0048F2A9 8B00                mov eax, [eax]
  0048F2AB 8B9018010000        mov edx, [eax+00000118]
  0048F2B1 8B830C020000        mov eax, [ebx+0000020C]   ; we should change this code !
  0048F2B7 E8FCB6F9FF          call 0042A9B8
  0048F2BC A194F34900          mov eax, [0049F394]
  0048F2C1 8B00                mov eax, [eax]
  0048F2C3 8B9020010000        mov edx, [eax+00000120]
  0048F2C9 8B832C020000        mov eax, [ebx+0000022C]   ; we should change this code !

Fire up Hiew and make the following changes :

  OFFSET   ORIGINAL BYTES   NEW BYTES
  8E6B1    8B830C020000     8B8018010000
  8E6C9    8B832C020000     8B8020010000

He he he .. now it's just like a registered version !

Notes : Most applications store their settings either in the system registry or in a configuration file (INI, DAT, CFG, etc) .. you can use some tools to help you find it, e.g. Win32dasm (search in SDR), SoftIce (using the CreateKey(A) function), Filemon (finding files being used by the program), Regmon (finding which keys are used by the program), or RegCrawler (to search for a specific key in the registry). Especially in time limit / run time limited cracking .. you could just delete the key / configuration file created by the program to get your trial period back !
(Actually you only need to delete the value used as the counter date, but generally deleting them all won't do any harm 'coz the program will create them again.)

Sc98 stores its settings in the system registry :
  HKEY_LOCAL_MACHINE\Config\0001\.SCSecurity
  HKEY_CURRENT_USER\Software\InforTech
Simply delete these keys to get your 35 days back !

Well .. that's all for now guys .. let me know if you have any comment : widya2011@hotmail.com
Copyright (c) 1999, All Rights Reserved.

We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #24 soon! ;) And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
  FunkyZero/CiA for the Splash Logo.
  dAvId/nIgHtMaRe for providing 3 tuts in this version.
  Cloud [StarGazer] for providing a tut in this version.
  widYa-cL/2011 for providing 2 tuts in this version.
  tKC/CiA (hey it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address!

Greetz go to all my friends! You can find me on IRC or email me at tkc@reaper.org. Oh btw, please don't expect me to reply to your mails, since I get 50+/- mails every day.. be sure that I really appreciate your mails! :)

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99
Compiled on 1 May 1999

Cracking Tutorial #23 is dedicated to... umm.. *I wish I would know to whom I should dedicate* ...umm..ok.. to all the crackers *g*
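Part 6's trace shows the shape of the protection it defeats: a first-run date and a last-run date kept in the registry, 0x1E trial days plus 5 grace days, and a `cmp ebx, eax / jge` that raises "The system clock has been moved back" when today is earlier than the last recorded run; the closing Notes add that deleting the keys restores the whole period. The model below is an added example, not System Cleaner 98's code: it reimplements that logic in Python and adds one thing the Notes make relevant, a keyed MAC over the stored state so that an edited value is detected instead of trusted. The key, the JSON layout, the inclusive day boundaries and the verdict names are assumptions made for illustration; the day counts are the page's.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta

TRIAL_DAYS = 0x1E   # 30: the `mov edx, 0000001E` in Part 6
GRACE_DAYS = 0x05   # 5:  the `mov edx, 00000005`

# Constructed demo key. A real product would derive it per installation and
# keep it apart from the value it protects; it is an assumption here.
_KEY = b"constructed-demo-key"

def seal(state):
    """Serialise the state and append an HMAC-SHA256 tag over it."""
    body = json.dumps(state, sort_keys=True)
    tag = hmac.new(_KEY, body.encode("ascii"), hashlib.sha256).hexdigest()
    return body + "|" + tag

def unseal(blob):
    """Return the state dict, or None when the tag does not verify."""
    body, _, tag = blob.rpartition("|")
    expected = hmac.new(_KEY, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)

def run(stored, today):
    """One program start. `stored` is the persisted blob (None = no key yet).
    Returns (verdict, blob to persist)."""
    if stored is None:                       # first run, or the key was deleted
        state = {"first": today.isoformat(), "last": today.isoformat()}
        return "first_run", seal(state)
    state = unseal(stored)
    if state is None:
        return "tampered", stored            # refuse, and do not silently reset
    first = date.fromisoformat(state["first"])
    last = date.fromisoformat(state["last"])
    if today < last:                         # the `cmp ebx, eax / jge` check
        return "clock_moved_back", stored
    used = (today - first).days
    state["last"] = today.isoformat()
    if used <= TRIAL_DAYS:
        verdict = "trial"
    elif used <= TRIAL_DAYS + GRACE_DAYS:
        verdict = "grace"
    else:
        verdict = "expired"
    return verdict, seal(state)

def scenario():
    """Walk the model through the situations Part 6 describes; returns the verdicts."""
    d0 = date(1999, 4, 26)                   # Part 6's date, used as the install day
    verdicts = []

    def step(stored, days):
        verdict, blob = run(stored, d0 + timedelta(days=days))
        verdicts.append(verdict)
        return blob

    blob = step(None, 0)          # install day          -> first_run
    blob = step(blob, 10)         # inside the 30 days   -> trial
    blob = step(blob, 32)         # inside the 5 grace   -> grace
    blob = step(blob, 60)         # "2 months forward"   -> expired
    step(blob, 5)                 # date pushed backward -> clock_moved_back
    step(blob.replace("1999-04-26", "1999-06-26"), 60)   # edited first-run date -> tampered
    step(None, 60)                # key deleted          -> first_run (the reset the Notes describe)
    return verdicts

if __name__ == "__main__":
    print(scenario())
```

The MAC catches an edited value but not a deleted one: `run(None, ...)` is indistinguishable from a genuine first run, which is exactly why deleting the keys Part 6 names gives the 35 days back. Only state anchored somewhere the user cannot simply remove (or a server-side record) closes that gap, and that is outside this model.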