Welcome to Cracking Tutorial #24!

Ah, finally. Sorry for the delays, but I was busy as hell the last few weeks, and I have no modem at home. :-/ As a bonus I'll do two versions today (#24 and #25). Like I said earlier, nothing is gonna stop me now! :) Anyway, enjoy it! :)

Ok, let's rave!

You'll need the following tools (I use these tools and assume you'll use them too, but that doesn't mean you need all of them; just have them handy for the examples in this tutorial):

SoftIce 3.25
W32Dasm 8.93
Hacker's View 6.04
SmartCheck 6.03
TASM 5.00
Windows Commander 3.53 (I use it because it makes multitasking easier)

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good cracking sites where you can grab tools from:

http://surf.to/HarvestR or http://harvestr.cjb.net
http://atlantez.nl.eu.org/Iczelion
http://protools.cjb.net

or ask any cracker to get you these tools! Are you ready?! OK! ;)

PART 1:
~~~~~~

<-------------------------------------------------------------------------------------->
<------------------------------- Smart Check 6.1 beta --------------------------------->
<------------------------------ http://www.numega.com --------------------------------->
<-------------------------------------------------------------------------------------->
<---------------------------------- Tutor by Creon ------------------------------------>
<-------------------------------------------------------------------------------------->

How to get a valid serial!

If you are interested in joining a cracking group (it doesn't matter whether you are good or a newbie), then ask me for a trial membership in World Wide Warez. How to contact me is told at the end of this page.

This tutor is written by a newbie for other newbies! Please excuse my very bad English.

Tools: SoftICE 3.24
Available at: http://www.surf.to/HarvestR

Let's begin:

1. Start Smart Check and open a program. Press F5 to run and you will see a dialog.
Press "Purchase".

2. Type in your name and your company (I typed "Creon" and "World Wide Warez"). Type in a serial (I chose "123456789").

3. Press Ctrl+D and type: bpx messageboxa

4. Press F5 and push the OK button. *BANG* You are in SoftICE. Press F11 and a message box will appear. Don't panic, that is normal; just press OK and you will be back in SoftICE, where you will see this:

0137:10003FB7 CALL [USER!MessageBoxA]   <--- displays the message box
0137:10003FBD JMP 10003FEC
0137:10003FBF PUSH 00002000
0137:10003FBF PUSH 10013B19
0137:10003FBF PUSH 10014281
0137:10003FBF PUSH ESI

5. I understand nothing of this. But a few lines above you will see something like this:

0137:1003ED6 LEA EAX,[EBP-28]
0137:1003ED9 PUSH EAX
0137:1003ED9 CALL 10002864
0137:1003ED9 ADD ESP,04
0137:1003ED9 LEA EAX,[EBP-14]   <--- set a breakpoint here with F9
0137:1003ED9 LEA ECX,[EBP-28]

6. Set the breakpoint and clear the other breakpoint with "bc 0". Press F5 to run. Then press OK and you will be back in SoftICE. Type "d esp" and something like this will be shown on the right side of SoftICE (you will see other data):

h.i.......i.Creo   <----- the name you entered
n./...$..$....<.
.$....B.^...*..$
V..$..=.........
......?...,.....
=...........m...
8839599363541591   <----- the right unlock code
....123456789.#.   <----- your wrong unlock code

The program has already computed the valid code for your name and keeps it on the stack right next to the one you typed, which is why the dump shows both.

7. Write down the number and clear the breakpoint. Press F5 and type in the right data. Now press OK and *BINGO*, you are registered.

Thanks to BuL_LeT, tKC and others for their great tutorials!
<-------------------------------------------------------------------------------------->
<-------------- For Questions, For Informations Or Trial Memberships ------------------>
<------------------------- Contact Me On EFnet Or By E-mail --------------------------->
<----------------------------- creon_w3@angelfire.com --------------------------------->
<-------------------------------------------------------------------------------------->

PART 2:
~~~~~~

Free Information Xchange presents:
Half Life Version 1.0 - CD crack by R!SC - 06/01/99
and Half Life Version 1.0.0.6 ...

REQUIREMENTS: Hex editor, W32Dasm 8.9x

Heh, I cracked version 1.0.0.6 first, because there were already enough cracks for version 1.0. In the readme file for 1.0.0.6, Sierra stated: "We've disabled the portion of the CD authentication that checked for the music tracks since it was tripping up legitimate customers". Thinking this would be more of a challenge, I ditched v1.0.0.6 and did a fresh install. I now had Half Life installed with ALL the CD checks enabled!

First off, make a copy of hl.exe and load it into W32Dasm. I didn't really know where to start. I know that for normal CD checks you look for GetDriveTypeA (like I did with v1.0.0.6), but I had never cracked a game that checked for music tracks, so we begin by looking through the string references for something interesting, i.e. "a:\", "c:\", "Please insert the Half Life CD". After a few minutes scrolling through the list, I found "valve.ico", an icon file that is on the CD and in the install directory, so double click this. Double clicking again reveals that this is the only reference to it.

* Referenced by a CALL at Addresses:
|:0041CC5E , :0041CC9D
|
:0043AC80 B818120000       mov eax, 00001218
:0043AC85 E866C20300       call 00476EF0          <-- ???
                                                      take a look and see if you can figure it out ;)
:0043AC8A C744240407000000 mov [esp+04], 00000007
:0043AC92 53               push ebx
:0043AC93 56               push esi
:0043AC94 57               push edi
:0043AC95 55               push ebp
:0043AC96 E8B5020000       call 0043AF50          <-- Routine to check CD audio??
:0043AC9B 8D442410         lea eax, dword ptr [esp+10]
:0043AC9F 6866120000       push 00001266
:0043ACA4 C744241400000000 mov [esp+14], 00000000

* Possible StringData Ref from Data Obj ->"valve.ico"   <-- ref that brought us here
|
:0043ACAC 68B8E84B00       push 004BE8B8
:0043ACB1 50               push eax
:0043ACB2 E8E9FEFFFF       call 0043ABA0          <-- Routine to check file on CD
:0043ACB7 8A44241C         mov al, byte ptr [esp+1C]
:0043ACBB 83C40C           add esp, 0000000C
:0043ACBE 3A0548C14B00     cmp al, byte ptr [004BC148]
:0043ACC4 750D             jne 0043ACD3           <-- If we found the first file, jump to check the next file on the CD
:0043ACC6 33C0             xor eax, eax           <-- Otherwise, set up for a failed CD check
:0043ACC8 5D               pop ebp
:0043ACC9 5F               pop edi
:0043ACCA 5E               pop esi
:0043ACCB 5B               pop ebx
:0043ACCC 81C418120000     add esp, 00001218
:0043ACD2 C3               ret

Highlight the first call, "call 00476EF0", and press cursor right to take a look at what this call does. Nothing interesting really; push cursor left to return. Scroll down to the next call, "call 0043AF50", and push cursor right. That brings us here...

* Referenced by a CALL at Address:
|:0043AC96    <-- Only one caller to this little check!
|
:0043AF50 83EC20           sub esp, 00000020
:0043AF53 833D90044D0000   cmp dword ptr [004D0490], 00000000
:0043AF5A 53               push ebx
:0043AF5B 56               push esi
:0043AF5C 57               push edi
:0043AF5D 55               push ebp
:0043AF5E 7438             je 0043AF98            <-- I missed this bit out, but it's practically the same
:0043AF60 8D44241C         lea eax, dword ptr [esp+1C]

* Reference To: WINMM.mciSendCommandA, Ord:0032h   <-- Windows multimedia library command;
|                                                       probably used quite often in CD checks, but I had never seen it
:0043AF64 8B35008F4E00     mov esi, dword ptr [004E8F00]

* Possible StringData Ref from Data Obj ->"cdaudio"   <-- Clue to what's going on...
|
:0043AF6A C744242498E84B00 mov [esp+24], 004BE898
:0043AF72 50               push eax
:0043AF73 6800210000       push 00002100
:0043AF78 6803080000       push 00000803
:0043AF7D 6A00             push 00000000
:0043AF7F FFD6             call esi
:0043AF81 85C0             test eax, eax
:0043AF83 740D             je 0043AF92
:0043AF85 B8FFFFFFFF       mov eax, FFFFFFFF      <-- Don't really care about the return value;
:0043AF8A 5D               pop ebp                    this is one of three possible exit values.
:0043AF8B 5F               pop edi                    I don't know where they are checked either!
:0043AF8C 5E               pop esi
:0043AF8D 5B               pop ebx
:0043AF8E 83C420           add esp, 00000020
:0043AF91 C3               ret

OK, probably the CD audio authentication: 0803 is MCI_OPEN and 2100 is MCI_OPEN_TYPE | MCI_OPEN_SHAREABLE, so this mciSendCommandA call opens the "cdaudio" device, and the routine returns -1 if that fails. Push cursor left to return to where we came from, scroll down to the next call, "call 0043ABA0", and take this one by pushing cursor right.

* Referenced by a CALL at Address:
|:0043ACB2    <-- hi there
|
:0043ABA0 81EC04010000     sub esp, 00000104
:0043ABA6 33C0             xor eax, eax
:0043ABA8 B940000000       mov ecx, 00000040
:0043ABAD 53               push ebx
:0043ABAE 56               push esi
:0043ABAF 57               push edi
:0043ABB0 8D7C2410         lea edi, dword ptr [esp+10]
:0043ABB4 55               push ebp
:0043ABB5 F3               repz
:0043ABB6 AB               stosd
:0043ABB7 50               push eax

* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:00F7h   <-- commonly used in CD checks
|
:0043ABB8 8B3D848B4E00     mov edi, dword ptr [004E8B84]
:0043ABBE 50               push eax
:0043ABBF FFD7             call edi

__________________ snip boring code ------------------

:0043AC0C 8D7801           lea edi, dword ptr [eax+01]
:0043AC0F 57               push edi

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh
|
:0043AC10 FF15988B4E00     Call dword ptr [004E8B98]
:0043AC16 83F805           cmp eax, 00000005      <-- well, we know '5' means CD-ROM (DRIVE_CDROM),
:0043AC19 75E1             jne 0043ABFC               so this is definitely our CD check

After having a look around, we know this is our CD check routine. Push cursor left to take us back to our first piece of code. This is referenced by two callers; if you're using W32Dasm 8.93, double right-click the first number, otherwise press Shift+F12 and type in the first number.
* Referenced by a CALL at Addresses:
|:0041CC5E , :0041CC9D    <-- this one is part of this routine as well
  ^^ <-- the first number

Doing this brings us to this piece of code...

:0041CC5E E81DE00100       call 0043AC80          <-- The call to the two(?) CD checks
:0041CC63 85C0             test eax, eax          <-- Check return value
:0041CC65 7572             jne 0041CCD9           <-- jump if not equal to the end of the routine,
:0041CC67 68027F0000       push 00007F02              otherwise do some other stuff

* Reference To: USER32.LoadCursorA, Ord:0172h
|
:0041CC6C 8B1D448E4E00     mov ebx, dword ptr [004E8E44]
:0041CC72 6A00             push 00000000
:0041CC74 FFD3             call ebx

Normally, in most cases I have seen, when there's a call to a CD check followed by a test and a conditional jump, the protection can be bypassed either by forcing the jump or by never taking it. Well, I edited the jne 0041CCD9 after the call to the CD check to a jmp 0041CCD9, saved the file, ran Half Life and I could play the game without the CD!

StaticVengeance likes to remove the CD check altogether if possible. "Well, if it's going to fail the check, what's the point in taking it at all," he probably said (don't quote me on this, but it's probably true). So I changed the jmp back to a jne and edited the call into a mov eax, 0001E01D by changing E81DE00100 to B81DE00100. Only the opcode byte changes: call rel32 and mov eax, imm32 are both five bytes long, so nothing else in the file shifts and the call's displacement bytes simply become the immediate. The CD check is never called, and eax now holds a non-zero value, so the 'jne 0041CCD9' after the 'test eax, eax' is always taken.

Thank you for listening; Half Life is now cracked (FiX'ed).

"btw, internet gaming probably won't work; it doesn't work with the cracked version of Half Life 1.0.0.6. I was informed of this problem by a couple of guys e-mailing me and moaning about it. I never play games over the internet, so I never knew about this problem. I had a look through the exe but can't figure out if it's possible to fix this." (sORRY)

Another tutorial comes to an end and another game has been FiX'ed!
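An added example (Python; this is not code from R!SC's tutorial) that redoes the arithmetic behind the v1.0 patch with the numbers quoted above. It assumes hl.exe is an ordinary PE with image base 0x400000 and a .text section at RVA 0x1000 stored at raw file offset 0x400, so that file offset = VA - 0x400C00; that assumption is not stated on the page, but it reproduces every offset/VA pair given for hl.exe here. The code decodes the call and jne targets from their bytes, maps the call's VA to a file offset, and checks why replacing E8 with B8 is safe: both instructions are five bytes, so nothing after them moves, and the old displacement 0001E01D becomes a non-zero immediate in eax.

```python
# Added example; not code from the original tutorial.
import struct

# Assumed PE layout for hl.exe (not stated on the page, but it reproduces every
# file-offset/VA pair the page quotes): image base 0x400000, .text at RVA 0x1000
# stored at raw offset 0x400, so VA - 0x400C00 == file offset.
IMAGE_BASE = 0x00400000
TEXT_RVA = 0x1000
TEXT_RAW = 0x400


def va_to_file_offset(va: int) -> int:
    """Map a virtual address W32Dasm shows to the offset to patch in hl.exe."""
    return va - IMAGE_BASE - TEXT_RVA + TEXT_RAW


def call_target(va: int, insn: bytes) -> int:
    """E8 rel32: target = address of the next instruction + signed rel32."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not a 5-byte call rel32")
    rel = struct.unpack("<i", insn[1:])[0]
    return (va + 5 + rel) & 0xFFFFFFFF


def short_jump_target(va: int, insn: bytes) -> int:
    """75 rel8 (jne) or EB rel8 (jmp): next instruction + signed rel8."""
    if len(insn) != 2 or insn[0] not in (0x75, 0xEB):
        raise ValueError("not a 2-byte jne/jmp rel8")
    rel = struct.unpack("<b", insn[1:])[0]
    return (va + 2 + rel) & 0xFFFFFFFF


def call_to_mov_eax(insn: bytes) -> bytes:
    """R!SC's patch: change only the opcode, E8 -> B8. The four displacement
    bytes stay where they are and become the imm32 of 'mov eax, imm32'."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("expected call rel32")
    return bytes([0xB8]) + insn[1:]


def mov_eax_imm(insn: bytes) -> int:
    """Value left in eax by B8 imm32."""
    if len(insn) != 5 or insn[0] != 0xB8:
        raise ValueError("not mov eax, imm32")
    return struct.unpack("<I", insn[1:])[0]


def jne_to_jmp(insn: bytes) -> bytes:
    """The other patch: force the jump (75 -> EB, same length, same target)."""
    if len(insn) != 2 or insn[0] != 0x75:
        raise ValueError("expected jne rel8")
    return bytes([0xEB, insn[1]])


# The page's numbers for Half-Life v1.0
CALL_VA, CALL_BYTES = 0x0041CC5E, bytes.fromhex("E81DE00100")
JNE_VA, JNE_BYTES = 0x0041CC65, bytes.fromhex("7572")


def check_v10_patch() -> dict:
    """Everything the tutorial asserts about the v1.0 patch, computed from bytes."""
    patched = call_to_mov_eax(CALL_BYTES)
    return {
        "call_target": call_target(CALL_VA, CALL_BYTES),       # 0x0043AC80
        "jne_target": short_jump_target(JNE_VA, JNE_BYTES),    # 0x0041CCD9
        "call_file_offset": va_to_file_offset(CALL_VA),        # 0x1C05E
        "patched_len_ok": len(patched) == len(CALL_BYTES),     # no shifting
        "eax_after_patch": mov_eax_imm(patched),                # 0x0001E01D
        "jne_taken": mov_eax_imm(patched) != 0,                 # test eax,eax -> jne taken
        "jmp_target": short_jump_target(JNE_VA, jne_to_jmp(JNE_BYTES)),
    }


if __name__ == "__main__":
    for key, val in check_v10_patch().items():
        if isinstance(val, bool):
            print(f"{key:18} {val}")
        else:
            print(f"{key:18} {val:#x}")
```

The decoding is the check to run before touching a file: if the call target computed from the bytes at the offset is not the CD-check routine W32Dasm showed, the offset is wrong (different build, different section layout) and the patch must not be applied.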
happy cracking
love R!SC -- risc_1@hotmail.com

for v1.0 - edit hl.exe (offsets are in hex)
===========================================================
Search for: E8 1D E0 01 00 at offset 1C05E
Change to : B8 -- -- -- --

for v1.0.0.6 - edit hl.exe (offsets are in hex)
===========================================================
Search for: E8 62 FF FD FF at offset 3E2A9
Change to : B8 -- -- -- --
===========================================================

hi, (very) quick guide to cracking HalfLife v1.0.0.6

need w32dasm 8.9(3) & hex editor

Run the game without the CD, click game/new/easy. It asks for the CD 3 times, then says failed authentication. Load hl.exe into wdasm32. There is no Win95 dialog box asking for the CD, so we check functions/imports for GetDriveTypeA, double click it and up pops this little snippet...

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh
|
:0041EA5D FF15A88B4E00     Call dword ptr [004E8BA8]
:0041EA63 83F805           cmp eax, 00000005      <-- 05 = check for CD-ROM
:0041EA66 740C             je 0041EA74
:0041EA68 8BC6             mov eax, esi

Scroll up a bit to find out the caller(s):

* Referenced by a CALL at Addresses:
|:0041EDAD , :0041EF93

Go to the first caller, 41EDAD; this drops us in the middle of the CD-check routine.

* Referenced by a CALL at Address:
|:0041EE42    <-- this is the important bit; boring bits of code have been cut out
|
:0041ED30 81EC04010000     sub esp, 00000104
:0041ED36 33C0             xor eax, eax
snip
:0041ED47 50               push eax

* Reference To: KERNEL32.GetLogicalDriveStringsA, Ord:00F7h
|
:0041ED48 8B3DA08B4E00     mov edi, dword ptr [004E8BA0]
:0041ED4E 50               push eax
:0041ED4F FFD7             call edi
:0041ED51 8BF0             mov esi, eax
snip

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh
|
:0041EDA0 FF15A88B4E00     Call dword ptr [004E8BA8]
:0041EDA6 83F805           cmp eax, 00000005      <-- yeah, CD-ROM
:0041EDA9 75E1             jne 0041ED8C
:0041EDAB 55               push ebp
:0041EDAC 57               push edi
:0041EDAD E83EFCFFFF       call 0041E9F0          <-- the call to the first routine we found
:0041EDB2 83C408           add esp, 00000008
:0041EDB5 83F807           cmp eax, 00000007
O.K., let's go to the caller of this bit then, 41EE42:

* Referenced by a CALL at Addresses:
|:0043EEA9 , :0043EEE8    <-- this bit is called twice; have a look there if you like
|
:0041EE10 B818120000       mov eax, 00001218
:0041EE15 E806990500       call 00478720
:0041EE1A C744240407000000 mov [esp+04], 00000007
:0041EE22 53               push ebx
:0041EE23 56               push esi
:0041EE24 57               push edi
:0041EE25 55               push ebp
:0041EE26 E8B5020000       call 0041F0E0
:0041EE2B 8D442410         lea eax, dword ptr [esp+10]
:0041EE2F 6866120000       push 00001266
:0041EE34 C744241400000000 mov [esp+14], 00000000

* Possible StringData Ref from Data Obj ->"valve.ico"   <-- search for this on the CD
|
:0041EE3C 68F4D24B00       push 004BD2F4
:0041EE41 50               push eax
:0041EE42 E8E9FEFFFF       call 0041ED30          <-- call the first CD-check routine, which calls the second CD-check routine
:0041EE47 8A44241C         mov al, byte ptr [esp+1C]
:0041EE4B 83C40C           add esp, 0000000C
:0041EE4E 3A054CC14B00     cmp al, byte ptr [004BC14C]   <-- do some check
:0041EE54 750D             jne 0041EE63           <-- jump to the next bit, which checks another file on the CD
:0041EE56 33C0             xor eax, eax           <-- otherwise fail the CD check
:0041EE58 5D               pop ebp
:0041EE59 5F               pop edi
:0041EE5A 5E               pop esi
:0041EE5B 5B               pop ebx
:0041EE5C 81C418120000     add esp, 00001218
:0041EE62 C3               ret

Right then: the code that calls this bit checks eax and does a jne to play the game, so we make it return "not equal" all the time (or patch the code that checks the return value, but that's boring...).

:0041EE54 750D             jne 0041EE63           <-- change this to xor eax,eax (33C0)
:0041EE56 33C0             xor eax, eax           <-- change this to inc eax ; nop (4090)

Patch offset 1E254 in hl.exe: change the 750D33C0 to 33C04090. Four bytes replace four bytes, so the instructions after them keep their addresses, and the routine now returns eax = 1 without looking at any further files.

Or be boring and patch the check after the call to this bit:

:0043EEA9 E862FFFDFF       call 0041EE10          <-- call to routine above...
:0043EEAE 85C0             test eax, eax
:0043EEB0 7572             jne 0043EF24           <-- change this to jmp 0043EF24 (EB72)

Patch offset 3E2B0 in hl.exe: change the 7572 to EB72.

OK, it was a bit harder than this, but I'm telling you the proper way to crack it. I tried patching the actual checks that check that the CD is read-only, has no free space, and that the file sizes are correct, but there was just too much to follow. I gave up, tried again and after about half an hour came up with this. Yeah, I did it the boring way by patching both the jne's after the calls at 0043EEA9 & 0043EEE8, then realised that if the first one was a jmp, the second one would never be reached. Screw the check for how many times the CD check was run, because it passes the first time anyway.

love R!SC
risc@notme.com

PART 3:
~~~~~~

HOW TO CRACK Net Checkers 3.50
On May 1999

Welcome to my 12th Cracking Tutorial. This time I'll teach you how to crack Net Checkers 3.50. Sorry for my bad grammar, but I hope you will understand it anyway...

Tools Used:
W32Dasm 8.93
Far 1.52 or any other Norton Commander-like clone
Hiew 6.04
1 or more cups of coffee (a pot will usually do); you can also drink tea
1 or more ciggies (a pack will usually do) (Smoke 'em baby, smoke 'em) he he

Where: http://www.netintellgames.com/
Protection Type: serial
Crack Type: Correct Serial

Start Net Checkers 3.50, go to Registration: Register and enter 123454 as the code. You'll get an error message telling you "Sorry, your personal registration code is uncorrect". NOTE IT.

Go to Far and copy checkers.exe to checkers.w32 for use with W32Dasm. Fire up W32Dasm and disassemble checkers.w32. When done, go to the Strn Ref button, click it and go down until you see <-Sorry, your personal registration->. Double click on it, close the Strn Ref window, and you'll land here:

* Possible StringData Ref from Data Obj ->"Sorry, your personal registration "
                                        ->"code is uncorrect."
:00403A8C 8B8664010000     mov eax, dword ptr [esi+00000164]
:00403A92 6A10             push 00000010
:00403A94 50               push eax
:00403A95 C7867001000000000000 mov dword ptr [esi+00000170], 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403A74(C)

Let's follow the (U)nconditional or (C)onditional jump: press Shift+F12 and enter 00403A74. You'll land here:

:00403A6C E86FFFFFFF       call 004039E0          <- trace this call
:00403A71 83F801           cmp eax, 00000001
:00403A74 7516             jne 00403A8C

So let's trace the call: press the right arrow and you'll be here:

:004039E0 E8B8E50100       call 00421F9D
:004039E5 8B4004           mov eax, dword ptr [eax+04]
:004039E8 6A00             push 00000000

* Possible StringData Ref from Data Obj ->"Reg"
|
:004039EA 6860D14200       push 0042D160

* Possible StringData Ref from Data Obj ->"Names"
|
:004039EF 68C4D04200       push 0042D0C4
:004039F4 8BC8             mov ecx, eax
:004039F6 E825E00100       call 00421A20
:004039FB 33C9             xor ecx, ecx
:004039FD 3D10633C74       cmp eax, 743C6310      <- now what is this?
:00403A02 0F94C1           sete cl
:00403A05 8BC1             mov eax, ecx
:00403A07 C3               ret

Did you guess it? Net Checkers 3.50 only has one valid reg code. (The call at 004039F6 gets "Names", "Reg" and a default of 0, which looks like a GetProfileInt-style lookup of the stored code; whatever it returns is compared against the single hard-coded constant 743C6310, and the function returns 1 only on a match.) Heh, cool. So start up Net Checkers 3.50, go to the Registration: Register dialog and enter 743C6310. Did it work? I think not. Why? Well, in 743C6310, notice the C? It's not decimal, it's hexadecimal. Sucks? No, let's use a calculator: start the Windows calculator, press Hex, enter 743C6310, press Dec and you'll get the number 1950114576. Now go back to Net Checkers 3.50 and enter 1950114576. You'll now get the message "Thank you for support NetIntellGames shareware authors!"
Well, cool, you cracked Net Checkers 3.50. I hope you learned something from this tutorial; see you in Tutor #13.

If you've got any comments or questions, send them to me; if I've got enough time I'll send you an e-mail back. You might find me on IRC/EFnet in the channel #c.i.a under the nick dAvId_nM1; if I've got time I'll chat. Anyway, I hope to see you in Tutor #13.

Cracking Tutorial #12
Written bY dAvid/nIgHtMaRe'1
On May 1999

Wanna contact me? Yeah, it's possible: e-mail me at dAvIdnM1@usa.net

PART 4:
~~~~~~

HOW TO CRACK Form-Printery 99 English 2.0
bY dAvid/nIgHtMaRe'1 on May 1999

Welcome to my 13th Cracking Tutorial. This time I'll teach you how to crack Form-Printery 99 English 2.0. Sorry for my bad grammar, but I hope you will understand it anyway...

Tools Used:
W32Dasm 8.93
Soft-Ice 3.25
Far 1.52 or any other Norton Commander-like clone
Hiew 6.04
1 or more cups of coffee (a pot will usually do); you can also drink tea
1 or more ciggies (a pack will usually do) (Smoke 'em baby, smoke 'em) he he

Where: http://software.webset.de/cadkas/
Protection Type: serial
Crack Type: Correct serial / *PATCH*

OK, start Form-Printery 99 English 2.0. You notice a nag that says you have 30 days left until it expires unless you register. Hmm, sucks. Go to Register, enter the name dAvId/nIgHtMaRe'1 (or any name you like) and 123454 (or any code you like) as the code. You'll get an error message telling you <-Number is incorrect->. Remember it.

Go to Far and copy formprint.exe to formprint.w32 for use with W32Dasm. Start W32Dasm and disassemble formprint.w32. When disassembled, go to the Strn Ref button, click it and go down until you see "Number is incorrect". Double click on it and close the Strn Ref window. You'll see this:

* Possible StringData Ref from Code Obj ->"The number is incorrect.
                                        The registered "
:0048DA04 B920DB4800       mov ecx, 0048DB20

* Possible StringData Ref from Code Obj ->"Number is incorrect"
:0048DA02 6A40             push 00000040

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048D90B(C)
|

OK, follow the (U)nconditional or (C)onditional jump: press Shift+F12, enter 0048D90B and you'll be here:

:0048D904 E897FEFFFF       call 0048D7A0          <- trace this call
:0048D909 84C0             test al, al
:0048D90B 0F84F1000000     je 0048DA02

Trace the call (press the right arrow) and you'll end up here. Now just keep looking through the code until you see a cmp, and that just might be the one you're looking for. You'll say I'm right later, I know you will.

:0048D7A0 55               push ebp
:0048D7A1 8BEC             mov ebp, esp
:0048D7A3 81C4F0FDFFFF     add esp, FFFFFDF0
:0048D7A9 53               push ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048D73B(C)
|
:0048D7AA 56               push esi
:0048D7AB 57               push edi
:0048D7AC 8955F8           mov dword ptr [ebp-08], edx
:0048D7AF 8945FC           mov dword ptr [ebp-04], eax
:0048D7B2 8B45FC           mov eax, dword ptr [ebp-04]
:0048D7B5 E84667F7FF       call 00403F00
:0048D7BA 8B45F8           mov eax, dword ptr [ebp-08]
:0048D7BD E83E67F7FF       call 00403F00
:0048D7C2 33C0             xor eax, eax
:0048D7C4 55               push ebp
:0048D7C5 6899D84800       push 0048D899
:0048D7CA 64FF30           push dword ptr fs:[eax]
:0048D7CD 648920           mov dword ptr fs:[eax], esp
:0048D7D0 C685F4FDFFFF00   mov byte ptr [ebp+FFFFFDF4], 00
:0048D7D7 BFFF200000       mov edi, 000020FF
:0048D7DC 8D85F4FEFFFF     lea eax, dword ptr [ebp+FFFFFEF4]
:0048D7E2 8B55FC           mov edx, dword ptr [ebp-04]
:0048D7E5 B9FF000000       mov ecx, 000000FF
:0048D7EA E83965F7FF       call 00403D28
:0048D7EF 0FB6B5F4FEFFFF   movzx esi, byte ptr [ebp+FFFFFEF4]
:0048D7F6 85F6             test esi, esi
:0048D7F8 7E3F             jle 0048D839
:0048D7FA C745F401000000   mov [ebp-0C], 00000001
:0048D801 8D9DF5FEFFFF     lea ebx, dword ptr [ebp+FFFFFEF5]

You stop here. (Note what this prologue sets up: edi is seeded with 20FF, the name is copied into a local buffer, and esi gets its length before a loop over its characters that is not shown here, so by the time we reach the compare, edi holds a value computed from the name.) Now, remember I said you should look for a cmp? Well, look down below; what do you see?
Yes, it's a cmp edi,eax. Good, that's the one.

:0048D862 8D55F4           lea edx, dword ptr [ebp-0C]
:0048D865 8B45F8           mov eax, dword ptr [ebp-08]
:0048D868 E89753F7FF       call 00402C04
:0048D86D 3BF8             cmp edi, eax           <- breakpoint on this one

Just in case you don't know how to configure Soft-Ice, here is my winice.dat:

;winice.dat starts here
PENTIUM=ON
NMI=ON
ECHOKEYS=OFF
NOLEDS=OFF
NOPAGE=OFF
SIWVIDRANGE=ON
THREADP=ON
LOWERCASE=OFF
WDMEXPORTS=OFF
MONITOR=0
PHYSMB=32 ;change this to your system ram size
SYM=1024
HST=256
TRA=8
MACROS=32
DRAWSIZE=4096 ;change this to your graphics card ram size
INIT="X;LINES 59;WW;WC 24 ;WD 24;CODE ON ;WW"
F1="h;"
F2="^wr;"
F3="^src;"
F4="^rs;"
F5="^x;"
F6="^ec;"
F7="^here;"
F8="^t;"
F9="^bpx;"
F10="^p;"
F11="^G @SS:ESP;"
F12="^p ret;"
SF3="^format;"
CF8="^XT;"
CF9="TRACE OFF;"
CF10="^XP;"
CF11="SHOW B;"
CF12="TRACE B;"
AF1="^wr;"
AF2="^wd;"
AF3="^wc;"
AF4="^ww;"
AF5="CLS;"
AF8="^XT R;"
AF11="^dd dataaddr->0;"
AF12="^dd dataaddr->4;"
CF1="altscr off; lines 60; wc 32; wd 8;"
CF2="^wr;^wd;^wc;"
EXP=C:\WINDOWS\system\kernel32.dll ;
EXP=C:\WINDOWS\system\user32.dll
EXP=C:\WINDOWS\system\gdi32.dll
EXP=C:\WINDOWS\system\comdlg32.dll
EXP=C:\WINDOWS\system\shell32.dll
EXP=C:\WINDOWS\system\advapi32.dll
EXP=C:\WINDOWS\system\shell232.dll
EXP=C:\WINDOWS\system\comctl32.dll
EXP=C:\WINDOWS\system\crtdll.dll
EXP=C:\WINDOWS\system\version.dll
EXP=C:\WINDOWS\system\netlib32.dll
EXP=C:\WINDOWS\system\msshrui.dll
EXP=C:\WINDOWS\system\msnet32.dll
EXP=C:\WINDOWS\system\mspwl32.dll
EXP=C:\WINDOWS\system\mpr.dll
EXP=C:\WINDOWS\system\msvbvm50.dll
EXP=C:\WINDOWS\system\msvbvm60.dll
EXP=C:\WINDOWS\system\vb40032.dll
EXP=C:\WINDOWS\system\vbrun300.dll
;winice.dat ends here

OK, start Form-Printery 99 English 2.0, go to Register, enter the name dAvId/nIgHtMaRe'1 (or any you like) and 123454 (or any you like) as the code. Now don't press OK yet: go into Soft-Ice (press Ctrl+D, or whatever your hotkey is) and place a breakpoint on hmemcpy:

bpx hmemcpy

Press Ctrl+D, press OK, then press F11 to leave the kernel. Now keep
pressing F12 until you are in the code of formprint. Type bd * because you won't need that breakpoint any more, then:

bpx 0048D86D

Press X to leave Soft-Ice and it will break into this code:

:0048D868 E89753F7FF       call 00402C04
:0048D86D 3BF8             cmp edi, eax

Do a "? eax" and you see your dummy code, 123454. Do a "? edi" and you'll see your real code, in my case 18639. (The call just above has already turned the code you typed into a number, so this is a plain integer compare, and the value the program expects is sitting in edi at that moment.) Do a "bc *" to clean the breakpoint on the cmp, press F5 and you'll get the error. Go to Register, enter the name dAvId/nIgHtMaRe'1 and 18639 as the code. *boom* **regged**. Cool, you cracked Form-Printery 99 English 2.0.

Are we done yet? Well, we could be, but let's also make a patch. We will do almost the same thing, almost. First delete the file formvoll.dat, because we need an unregistered version.

OK, start Form-Printery 99 English 2.0. You notice a nag that says you have 30 days left until it expires unless you register. Hmm, sucks. Go to Register, enter the name dAvId/nIgHtMaRe'1 (or any name you like) and 123454 (or any code you like) as the code. You'll get an error message telling you <-Number is incorrect->. Remember it.

Go to Far and copy formprint.exe to formprint.w32 (if you erased the last one) for use with W32Dasm. Start W32Dasm and disassemble formprint.w32. When disassembled, go to the Strn Ref button, click it and go down until you see "Number is incorrect". Double click on it and close the Strn Ref window. You'll see this:

* Possible StringData Ref from Code Obj ->"The number is incorrect.
                                        The registered "
:0048DA04 B920DB4800       mov ecx, 0048DB20

* Possible StringData Ref from Code Obj ->"Number is incorrect"
:0048DA02 6A40             push 00000040

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048D90B(C)
|

OK, follow the (U)nconditional or (C)onditional jump: press Shift+F12, enter 0048D90B and you'll be here:

:0048D904 E897FEFFFF       call 0048D7A0          <- trace this call
:0048D909 84C0             test al, al
:0048D90B 0F84F1000000     je 0048DA02

Trace the call (press the right arrow) and you'll end up here. Now just keep looking through the code until you see a cmp, and that just might be the one you're looking for. You'll say I'm right later, I know you will.

:0048D7A0 55               push ebp
:0048D7A1 8BEC             mov ebp, esp
:0048D7A3 81C4F0FDFFFF     add esp, FFFFFDF0
:0048D7A9 53               push ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048D73B(C)
|
:0048D7AA 56               push esi
:0048D7AB 57               push edi
:0048D7AC 8955F8           mov dword ptr [ebp-08], edx
:0048D7AF 8945FC           mov dword ptr [ebp-04], eax
:0048D7B2 8B45FC           mov eax, dword ptr [ebp-04]
:0048D7B5 E84667F7FF       call 00403F00
:0048D7BA 8B45F8           mov eax, dword ptr [ebp-08]
:0048D7BD E83E67F7FF       call 00403F00
:0048D7C2 33C0             xor eax, eax
:0048D7C4 55               push ebp
:0048D7C5 6899D84800       push 0048D899
:0048D7CA 64FF30           push dword ptr fs:[eax]
:0048D7CD 648920           mov dword ptr fs:[eax], esp
:0048D7D0 C685F4FDFFFF00   mov byte ptr [ebp+FFFFFDF4], 00
:0048D7D7 BFFF200000       mov edi, 000020FF
:0048D7DC 8D85F4FEFFFF     lea eax, dword ptr [ebp+FFFFFEF4]
:0048D7E2 8B55FC           mov edx, dword ptr [ebp-04]
:0048D7E5 B9FF000000       mov ecx, 000000FF
:0048D7EA E83965F7FF       call 00403D28
:0048D7EF 0FB6B5F4FEFFFF   movzx esi, byte ptr [ebp+FFFFFEF4]
:0048D7F6 85F6             test esi, esi
:0048D7F8 7E3F             jle 0048D839
:0048D7FA C745F401000000   mov [ebp-0C], 00000001
:0048D801 8D9DF5FEFFFF     lea ebx, dword ptr [ebp+FFFFFEF5]

You stop here. Now, remember I said you should look for a cmp? Well, look down below; what do you see?
Yes, it's a cmp edi,eax. Good, that's the one.

:0048D862 8D55F4           lea edx, dword ptr [ebp-0C]
:0048D865 8B45F8           mov eax, dword ptr [ebp-08]
:0048D868 E89753F7FF       call 00402C04
:0048D86D 3BF8             cmp edi, eax           <- the cmp

This time we'll change the cmp so it will always register. Cool, right? Fire up Hiew on formprint.exe, select decode mode, press F5 and enter 8CC6D, press F3 (edit) and change 3BF8 to 3BFF, then press F9 to update the file. 3BFF is cmp edi, edi, which always compares equal, so whatever the code after it does with the result, it sees a match; the instruction is still two bytes, so nothing else moves. Run Form-Printery 99 English 2.0 and you don't get a nag screen, or rather you just get a registered version of Form-Printery 99 English 2.0. Cool, you cracked Form-Printery 99 English 2.0 again.

If you've got any comments or questions, send them to me; if I've got enough time I'll send you an e-mail back. You might find me on IRC/EFnet in the channel #c.i.a under the nick dAvId_nM1; if I've got time I'll chat. Anyway, I hope to see you in Tutor #14.

Cracking Tutorial #13
Written bY dAvid/nIgHtMaRe'1
On May 1999

Wanna contact me? Yeah, it's possible: e-mail me at dAvIdnM1@usa.net

PART 5:
~~~~~~

HOW TO CRACK Poster-Printery English 2.0
bY dAvid/nIgHtMaRe'1 on May 1999

Welcome to my 14th Cracking Tutorial. This time I'll teach you how to crack Poster-Printery English 2.0. Sorry for my bad grammar, but I hope you will understand it anyway...
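Before Part 5 repeats the procedure on the sister product, an added example (Python; this is not code from dAvid/nIgHtMaRe'1's tutorial) for the two-byte patch in Part 4. It decodes the ModRM byte to show why 3B F8 is cmp edi, eax and 3B FF is cmp edi, edi, computes the zero flag each form produces with the tutorial's values (edi = 18639, eax = 123454), and applies the patch to a constructed stand-in for formprint.exe only after checking that the expected original bytes are at the offset. The offset 8CC6D is taken to be 0048D86D minus 0x400C00, the same VA-to-offset distance as the hl.exe offsets earlier on this page; the byte buffer and its layout are constructed for the example and are not the real file.

```python
# Added example; not code from the original tutorial.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_cmp_r32_rm32(insn: bytes) -> tuple:
    """Decode 3B /r (CMP r32, r/m32) in register-direct form (mod == 11).
    Returns (reg, rm) as register names; CMP computes reg - rm."""
    if len(insn) != 2 or insn[0] != 0x3B:
        raise ValueError("expected the two-byte form 3B /r")
    modrm = insn[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 3:
        raise ValueError("memory operand; not the form used here")
    return REG32[reg], REG32[rm]


def asm_text(insn: bytes) -> str:
    reg, rm = decode_cmp_r32_rm32(insn)
    return f"cmp {reg}, {rm}"


def zf_after_cmp(insn: bytes, regs: dict) -> bool:
    """ZF after executing the cmp with the given register values (32-bit wrap)."""
    reg, rm = decode_cmp_r32_rm32(insn)
    return ((regs[reg] - regs[rm]) & 0xFFFFFFFF) == 0


def apply_patch(image: bytearray, offset: int, expected: bytes, replacement: bytes) -> None:
    """Length-preserving in-place patch that refuses to write unless the bytes
    at `offset` are exactly the ones the tutorial says should be there."""
    if len(expected) != len(replacement):
        raise ValueError("replacement must not change instruction length")
    found = bytes(image[offset:offset + len(expected)])
    if found != expected:
        raise ValueError(f"unexpected bytes at {offset:#x}: {found.hex()} != {expected.hex()}")
    image[offset:offset + len(replacement)] = replacement


# File offset of the cmp: VA 0048D86D minus the VA/offset distance (0x400C00)
# used by every offset quoted on this page.
CMP_VA = 0x0048D86D
CMP_OFFSET = CMP_VA - 0x400C00          # 0x8CC6D, as in the tutorial

# Constructed stand-in for formprint.exe (not the real file): the bytes the page
# lists for 0048D862..0048D86E, padded with zeros so the cmp lands at CMP_OFFSET.
LISTING = bytes.fromhex("8D55F4" "8B45F8" "E89753F7FF" "3BF8")
IMAGE = bytearray(CMP_OFFSET - (len(LISTING) - 2)) + bytearray(LISTING)


def patch_formprint(image: bytearray) -> bytearray:
    """The tutorial's patch: 3BF8 (cmp edi, eax) -> 3BFF (cmp edi, edi)."""
    apply_patch(image, CMP_OFFSET, bytes.fromhex("3BF8"), bytes.fromhex("3BFF"))
    return image


def patch_refuses_twice(image: bytearray) -> bool:
    """After patching, the expected bytes are gone, so a second run must refuse."""
    try:
        patch_formprint(image)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    img = patch_formprint(bytearray(IMAGE))
    print(asm_text(bytes.fromhex("3BF8")), "->", asm_text(bytes(img[CMP_OFFSET:CMP_OFFSET + 2])))
    wrong = {"edi": 18639, "eax": 123454}   # tutorial's real code vs dummy code
    print("ZF original:", zf_after_cmp(bytes.fromhex("3BF8"), wrong),
          "ZF patched:", zf_after_cmp(bytes.fromhex("3BFF"), wrong))
```

The expected-bytes check is the part worth keeping for any binary patch: a different build of the same program puts the compare at a different offset, and writing 3BFF blindly there would corrupt an unrelated instruction instead of failing loudly.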
Tools Used:
W32Dasm 8.93
Soft-Ice 3.25
Far 1.52 or any other Norton Commander-like clone
Hiew 6.04
1 or more cups of coffee (a pot will usually do); you can also drink tea
1 or more ciggies (a pack will usually do) (Smoke 'em baby, smoke 'em) he he

Where: http://software.webset.de/cadkas/
Protection Type: serial
Crack Type: Correct serial / *PATCH*

OK, start Poster-Printery English 2.0. You notice a nag that says you have 30 days left until it expires unless you register. Hmm, sucks. Go to Register, enter the name dAvId/nIgHtMaRe'1 (or any name you like) and 123454 (or any code you like) as the code. You'll get an error message telling you <-Number is incorrect->. Remember it.

Go to Far and copy poster2.exe to poster2.w32 for use with W32Dasm. Start W32Dasm and disassemble poster2.w32. When disassembled, go to the Strn Ref button, click it and go down until you see "Number is incorrect". Double click on it and close the Strn Ref window. You'll see this:

* Possible StringData Ref from Code Obj ->"The number is incorrect. The registered "
                                        ->"copy did not become activated."
:00463838 B954394600       mov ecx, 00463954

* Possible StringData Ref from Code Obj ->"Number is incorrect"
:00463836 6A40             push 00000040

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046373F(C)
|

OK, follow the (U)nconditional or (C)onditional jump: press Shift+F12, enter 0046373F and you'll be here:

:00463738 E897FEFFFF       call 004635D4          <- trace this call
:0046373D 84C0             test al, al
:0046373F 0F84F1000000     je 00463836

Trace the call (press the right arrow) and you'll end up here. Now just keep looking through the code until you see a cmp, and that just might be the one you're looking for. You'll say I'm right later, I know you will.

:004635D4 55               push ebp
:004635D5 8BEC             mov ebp, esp
:004635D7 81C4F0FDFFFF     add esp, FFFFFDF0
:004635DD 53               push ebx
:004635DE 56               push esi
:004635DF 57               push edi
:004635E0 8955F8           mov dword ptr [ebp-08], edx
:004635E3 8945FC           mov dword ptr [ebp-04], eax
:004635E6 8B45FC           mov eax, dword ptr [ebp-04]
:004635E9 E88A08FAFF       call 00403E78
:004635EE 8B45F8           mov eax, dword ptr [ebp-08]
:004635F1 E88208FAFF       call 00403E78
:004635F6 33C0             xor eax, eax
:004635F8 55               push ebp
:004635F9 68CD364600       push 004636CD
:004635FE 64FF30           push dword ptr fs:[eax]
:00463601 648920           mov dword ptr fs:[eax], esp
:00463604 C685F4FDFFFF00   mov byte ptr [ebp+FFFFFDF4], 00
:0046360B BFE01B0000       mov edi, 00001BE0
:00463610 8D85F4FEFFFF     lea eax, dword ptr [ebp+FFFFFEF4]
:00463616 8B55FC           mov edx, dword ptr [ebp-04]
:00463619 B9FF000000       mov ecx, 000000FF
:0046361E E87D06FAFF       call 00403CA0
:00463623 0FB6B5F4FEFFFF   movzx esi, byte ptr [ebp+FFFFFEF4]
:0046362A 85F6             test esi, esi
:0046362C 7E3F             jle 0046366D
:0046362E C745F401000000   mov [ebp-0C], 00000001
:00463635 8D9DF5FEFFFF     lea ebx, dword ptr [ebp+FFFFFEF5]

You stop here. (Same shape as Form-Printery: the only difference in this prologue is the seed, edi = 1BE0 instead of 20FF, so the two programs compute different codes from the same name.) Now, remember I said you should look for a cmp? Well, look down below; what do you see?
Yes, it's a cmp edi,eax. Good, that's the one.

:00463696 8D55F4           lea edx, dword ptr [ebp-0C]
:00463699 8B45F8           mov eax, dword ptr [ebp-08]
:0046369C E847F5F9FF       call 00402BE8
:004636A1 3BF8             cmp edi, eax           <- breakpoint on this one

Just in case you don't know how to configure Soft-Ice: my winice.dat is the same one listed in Part 4.

OK, start Poster-Printery English 2.0, go to Register, enter the name dAvId/nIgHtMaRe'1 (or any you like) and 123454 (or any you like) as the code. Now don't press OK yet: go into Soft-Ice (press Ctrl+D, or whatever your hotkey is) and place a breakpoint on hmemcpy:

bpx hmemcpy

Press Ctrl+D, press OK, then press F11 to leave the kernel. Now keep
pressing F12 until you in the code of of poster2 type bd * cuse you wont need that break point bpx 004636A1 press x to leave soft-ice and it will break into this code :0046369C E847F5F9FF call 00402BE8 :004636A1 3BF8 cmp edi, eax do a ? eax you see your dummy code 123454 do a ? edi and you'll see your real code in my case 17328 do a bc * to clean the breakpoint on the cmp press F5 you'll get the error goto register enter name dAvId/nIgHtMaRe'1 and as code 17328 *boom* **regged** cool you cracked Poster-Printery English 2.0 are we done yet ? well we could be but lets also make a patch we will almost do the same thing almost first delete the file postvoll.dat cuse we need an unregistreted version Ok Start Poster-Printery English 2.0 you notice a nag that says you have 30 days left until it will expire unless you register hmm sux goto register enter name dAvId/nIgHtMaRe'1 or Any Name you like and as code 123454 or any code you like you'll get an error message telling you <-Number is incorrect-> remember it goto far copy poster2.exe to formprint.w32 if you erased the last one for use whit w32dasm start w32dasm and dissamble formprint.w32 when dissambled goto the Strn Ref button click it goto down until you see Number is incorrect double click on it and close down the Strn Ref Window you'll see this * Possible StringData Ref from Code Obj ->"The number is incorrect. The registered " ->"copy did not become activated." 
:00463838 B954394600             mov ecx, 00463954

* Possible StringData Ref from Code Obj ->"Number is incorrect"

It is the same spot as in the first half: the push 00000040 at 00463836 just above it is referenced by the (C)onditional jump at 0046373F. Follow the jump again (Shift+F12, enter 0046373F): the call 004635D4 at 00463738 is the routine to trace, followed by test al, al and the je 00463836 to the error box. Trace into the call and walk down past the prologue and the string copy (mov edi, 00001BE0 ... lea ebx, dword ptr [ebp+FFFFFEF5]) exactly as before, and look down below it once more. What do you see?
Yes, it's the cmp edi, eax again. Good, that's the one:

:00463696 8D55F4                 lea edx, dword ptr [ebp-0C]
:00463699 8B45F8                 mov eax, dword ptr [ebp-08]
:0046369C E847F5F9FF             call 00402BE8
:004636A1 3BF8                   cmp edi, eax      <- the cmp

This time we'll change the cmp so it always registers. Cool, right? Fire up Hiew on poster2.exe, press F4 and select decode mode, press F5 and enter 62AA1 (the file offset of 004636A1), press F3 to edit and change 3BF8 to 3BFF, then press F9 to update the file. 3BF8 is cmp edi, eax; 3BFF is cmp edi, edi, which compares a register with itself and so is always equal, and the check that follows passes no matter what code you enter. Run Poster-Printery English 2.0 and you don't get a nag screen; you just get a registered version of Poster-Printery English 2.0. Cool, you cracked Poster-Printery English 2.0 again.

If you've got any comments or questions, send them to me; if I've got enough time I'll e-mail you back. You might find me on IRC/EFnet in the channel #c.i.a under the nick dAvId_nM1; if I've got time I'll chat. Anyway, I hope to see you in tutor #15.

Cracking Tutorial #14
Written by dAvId/nIgHtMaRe'1 in May 1999
Want to contact me? Yeah, it's possible: e-mail me at dAvIdnM1@usa.net

PART 6:
~~~~~~

HOW TO CRACK Net Cribbage 4.01
May 1999

Welcome to my 15th Cracking Tutorial. This time I'll teach you how to crack Net Cribbage 4.01. Sorry for my bad grammar, but I hope you will understand it anyway...
Tools Used:
W32Dasm 8.93
Far 1.52 or any other Norton Commander-like clone
Hiew 6.04
1 or more cups of coffee (a pot will usually do); you can also drink tea
1 or more ciggies (a pack will usually do) (smoke 'em, baby, smoke 'em) he he

Where: http://www.netintellgames.com/
Protection Type: serial
Crack Type: correct serial

Start Net Cribbage 4.01, go to Registration:Register and enter 123454 as the code. You'll get an error message telling you "Sorry, your personal registration code is incorrect". NOTE IT. Go to FAR and copy cribbage.exe to cribbage.w32 for use with W32Dasm. Fire up W32Dasm and disassemble cribbage.w32. When done, click the Strn Ref button and go down until you see "Sorry, your personal registration". Double-click it, close the Strn Ref window and you'll land here:

* Possible StringData Ref from Data Obj ->"Thank You for support NetIntellGames "
                                        ->"shareware authors!"
                                  |
:00406465 683C324300             push 0043323C
:0040646A EB18                   jmp 00406484

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406454(C)
|
* Possible StringData Ref from Data Obj ->"Sorry, your personal registration "
                                  |
:0040646C 8B8680010000           mov eax, dword ptr [esi+00000180]
:00406472 6A10                   push 00000010
:00406474 50                     push eax
:00406475 C786F401000000000000   mov dword ptr [esi+000001F4], 00000000

The "Thank You" path and the "Sorry" path sit right next to each other, and the conditional jump at 00406454 is what decides between them. Let's follow it: press Shift+F12, enter 00406454 and you'll land here:

:0040644C E87F110000             call 004075D0     <- trace this call
:00406451 83F801                 cmp eax, 00000001
:00406454 7516                   jne 0040646C

The call has to return exactly 1 to reach the "Thank You" branch. So let's trace the call: press the right arrow and you'll be here:

:004075D0 E8A7DF0100             call 0042557C
:004075D5 8B4004                 mov eax, dword ptr [eax+04]
:004075D8 6A00                   push 00000000

* Possible StringData Ref from Data Obj ->"Reg"
                                  |
:004075DA 6874324300             push 00433274

* Possible StringData Ref from Data Obj ->"Names"
                                  |
:004075DF 68B4304300             push 004330B4
:004075E4 8BC8                   mov ecx, eax
:004075E6 E839E20100             call 00425824
:004075EB 33C9                   xor ecx, ecx
:004075ED 3D6A4D2E77             cmp eax, 772E4D6A   <- now what is this?

The call at 004075E6 is handed the strings "Names" and "Reg" (and a 0), which looks like a lookup of the stored registration value; whatever comes back in eax is compared with a fixed constant.
Did you guess it? Net Cribbage 4.01 only has one valid reg code. Heh, cool. So start up Net Cribbage 4.01, go to the Registration:Register dialog and enter 772E4D6A. Did it work? I think not. Why? Well, notice the E, D and A in 772E4D6A? It's not decimal, it's hexadecimal. Sucks? No, let's use a calculator: start the Windows calculator, press Hex, enter 772E4D6A, press Dec and you'll get the number 1999523178. Now go back to Net Cribbage 4.01 and enter 1999523178; you'll now get the message "Thank You for support NetIntellGames shareware authors!". Well, cool, you cracked Net Cribbage 4.01. I hope you learned something from this tutorial.

If you've got any comments or questions, send them to me; if I've got enough time I'll e-mail you back. You might find me on IRC/EFnet in the channel #c.i.a under the nick dAvId_nM1; if I've got time I'll chat. Anyway, I hope to see you in tutor #16.

Cracking Tutorial #15
Written by dAvId/nIgHtMaRe'1 in May 1999
Want to contact me? Yeah, it's possible: e-mail me at dAvIdnM1@usa.net

We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #25, coming soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
WhizKid for the splash logo.
R!SC for providing a tut for this version.
Creon for providing a tut for this version.
dAvId/nIgHtMaRe for providing 4 tuts for this version.
tKC/CiA (hey, it's me!) for coding this version :)

All crackers (non-members of CiA) are welcome to send tutors for the next tutorials... see below for my e-mail address!

Greetz go to all my friends!

You can find me on IRC or e-mail me at tkc@reaper.org

Oh, btw, please don't expect me to reply to your mails, since I get 50 +/- mails every day... but be sure that I really appreciate your mails! :)

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW / Crackers in Action '99

Compiled on 31 May 1999

Cracking Tutorial #24 is dedicated to Ms_Jessca... who else?
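The two walkthroughs above (Part 5's patch of the cmp at 004636A1 and Part 6's hex constant at 004075ED) both come down to a single cmp instruction. What follows is an added worked example written for this page; it is not code from any of the tutorials or from the programs they target. The script reads the PE section table to map the virtual address W32Dasm shows to the file offset Hiew needs, refuses to patch unless the bytes at that spot are the expected 3B F8, writes 3B FF (cmp edi, edi, which always compares equal), and decodes the little-endian imm32 of a cmp eax, imm32 into hex and decimal. The PE image it works on is constructed in memory: ImageBase 00400000 with .text at RVA 1000 / file offset 400 is an assumed layout (the one that makes 004636A1 land at offset 62AA1, as in Part 5), and the two instructions are planted at the addresses the tutorials quote.

```python
"""Added example for Parts 5 and 6 (not code from the original tutorials).
Maps a W32Dasm/SoftICE virtual address (004636A1) to the file offset Hiew
needs (62AA1) via the PE section table, verifies the bytes are 3B F8
(cmp edi, eax) before patching them to 3B FF (cmp edi, edi, always equal),
and decodes the little-endian imm32 of cmp eax, imm32 (772E4D6A -> 1999523178).
The PE is constructed in memory with an ASSUMED Delphi-like layout:
ImageBase 00400000, .text at RVA 1000 / file offset 400 (what 62AA1 implies)."""
import struct

IMAGE_BASE = 0x400000                                  # assumed, see docstring
TEXT_RVA, TEXT_RAW, TEXT_SIZE = 0x1000, 0x400, 0x63000


def parse_sections(pe: bytes):
    """Return (image_base, [(rva, raw_ptr, raw_size), ...]) of a PE32 image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image (the 1999 targets are 32-bit)")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i                  # 40-byte section header
        _vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((rva, raw_ptr, raw_size))
    return image_base, sections


def va_to_offset(pe: bytes, va: int) -> int:
    """Translate a virtual address into the file offset Hiew's F5 expects."""
    image_base, sections = parse_sections(pe)
    rva = va - image_base
    for sec_rva, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + raw_size:
            return raw_ptr + (rva - sec_rva)
    raise ValueError(f"VA {va:08X} is not backed by file data")


def patch_va(pe: bytes, va: int, expected: bytes, replacement: bytes) -> bytes:
    """Return a patched copy; refuse unless the bytes there are what we expect."""
    if len(expected) != len(replacement):
        raise ValueError("patch must keep the instruction length")
    off = va_to_offset(pe, va)
    found = pe[off:off + len(expected)]
    if found != expected:
        raise ValueError(f"{va:08X}: found {found.hex()}, expected {expected.hex()}")
    return pe[:off] + replacement + pe[off + len(replacement):]


def decode_cmp_eax_imm32(code: bytes) -> int:
    """Decode 3D imm32 (cmp eax, imm32); x86 stores the immediate little-endian."""
    if len(code) < 5 or code[0] != 0x3D:
        raise ValueError("not a cmp eax, imm32")
    return struct.unpack_from("<I", code, 1)[0]


def find_cmp_eax_imm32(pe: bytes):
    """Yield (va, imm) for each 3D xx xx xx xx window in the sections.
    A byte scan, not a disassembly: real binaries will give false positives."""
    image_base, sections = parse_sections(pe)
    for sec_rva, raw_ptr, raw_size in sections:
        data = pe[raw_ptr:raw_ptr + raw_size]
        i = data.find(b"\x3d")
        while 0 <= i <= len(data) - 5:
            yield image_base + sec_rva + i, decode_cmp_eax_imm32(data[i:i + 5])
            i = data.find(b"\x3d", i + 1)


def build_demo_pe() -> bytes:
    """Constructed PE32 with one .text section; the two instructions the
    tutorials quote are planted at their quoted addresses (demo data only)."""
    img = bytearray(TEXT_RAW + TEXT_SIZE)
    img[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4        # i386, 1 section, 0xE0-byte optional header
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)                    # PE32 magic
    struct.pack_into("<III", img, opt + 28, IMAGE_BASE, 0x1000, 0x200)
    sec = opt + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, TEXT_SIZE, TEXT_RVA, TEXT_SIZE, TEXT_RAW)
    struct.pack_into("<I", img, sec + 36, 0x60000020)          # code|exec|read

    def plant(va: int, hexbytes: str) -> None:
        off = TEXT_RAW + (va - IMAGE_BASE - TEXT_RVA)
        img[off:off + len(hexbytes) // 2] = bytes.fromhex(hexbytes)

    plant(0x4636A1, "3BF8")          # Part 5: cmp edi, eax
    plant(0x4075ED, "3D6A4D2E77")    # Part 6: cmp eax, 772E4D6A
    return bytes(img)


if __name__ == "__main__":
    pe = build_demo_pe()
    off = va_to_offset(pe, 0x4636A1)
    print(f"004636A1 -> file offset {off:X}")                           # 62AA1
    patched = patch_va(pe, 0x4636A1, bytes.fromhex("3BF8"), bytes.fromhex("3BFF"))
    print("patched bytes:", patched[off:off + 2].hex())                  # 3bff
    for va, imm in find_cmp_eax_imm32(pe):
        print(f"{va:08X}: cmp eax, {imm:08X} = {imm} decimal")           # 1999523178
```

Run as a script it prints the offset mapping, the patched bytes and the decoded constant. The expected-bytes check in patch_va is the part worth copying: a blind write at a guessed offset silently corrupts a different build of the program, while refusing when the bytes are not 3B F8 tells you at once that the offset or the target is wrong. The find_cmp_eax_imm32 scan is a raw byte match, not a disassembly; on a real executable the byte 3D also occurs inside other instructions and data, so treat its hits as candidates to confirm in W32Dasm, the way the string reference led to this one.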