Welcome to Cracking Tutorial #34!

Hiya peepz,

Here's another tutor for you. I was kinda busy the last few days, working on some projects... and look out for Tutor Trilogy soon! Oh yes, a year ago today I met Ms_Jessca, I'm glad she's my liefie!

Anyway, let's go!

You'll need the following tools:

(I use these tools and I assume you'll use 'em too. That doesn't mean you'll need all of them, but be sure to have them handy for the examples in this tutorial!)

SoftICE 4.00
W32Dasm 8.93
Hacker's View 6.15
SmartCheck 6.03
TASM 5.00
Windows Commander 4.00 (I use it coz it makes multitasking easier)

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials.

Here are a few good cracking sites where you can grab tools from:

http://surf.to/HarvestR or http://harvestr.cjb.net
http://atlantez.nl.eu.org/Iczelion
http://protools.cjb.net

or ask any crackers to get you these tools!

Are you ready?! OK! ;)


Winamp Skin Maker v1.05
http://members.tripod.com/ajie_g/skinner.htm

Winamp Skin Maker (Skinner, for short) is a tool to help you create your own skin. You can put the picture of your favorite soccer team, your cat, your girl/boy friend, or anything as your Winamp's skin. With its easy user interface you won't waste your time, you only need less than one minute! Skinner will automatically save your skin to the current skins directory, so you should have Winamp installed on your system before using this program.

1) Run SKINNER.EXE, click on "Help" and "About".

2) Click on the "Register" button and enter the following:-

   Name: mISTER fANATIC [C4A]
   Reg. #: 5544332211

3) Press "CTRL-D" to return into SoftIce, type "bpx hmemcpy", and press "CTRL-D" to return into Winamp Skin Maker. Finally, click on the "OK" button to register and you are back to SoftIce.

4) Press "F12" until you see the following:-

xxxx:0040A113 8D44242C      LEA   EAX,[ESP+2C]
xxxx:0040A117 6A1E          PUSH  1E
xxxx:0040A119 50            PUSH  EAX
xxxx:0040A11A 68FD030000    PUSH  000003FD
xxxx:0040A11F 56            PUSH  ESI
xxxx:0040A120 FFD7          CALL  EDI
xxxx:0040A122 8D44240C      LEA   EAX,[ESP+0C]

5) Type "bd 0" or "bd *" to disable the breakpoint.

6) Press "F10" until the line below:-

xxxx:0040A12C 83C404        ADD   ESP,04

7) Then, type "? eax" and you will see something interesting like "5929175". Hah, it's the real registration code.

8) Press "CTRL-D" to return to Winamp Skin Maker. Enter the following:-

   Name: mISTER fANATIC [C4A]
   Reg. #: 5929175

BOOM, it's registered!

Well, I hope you learned something from this tutorial.

mailto: mr_fanatic@iname.com or c4a@iname.com


How to register Directory Printer 2.4
Tutor by RSiP

Tools to use
~~~~~~~~~~~~
W32DASM 8.93
Hiew 6.04

Where to get the program
~~~~~~~~~~~~~~~~~~~~~~~~
http://ourworld.compuserve.com/homepages/galcott

Let's do it
~~~~~~~~~~~
Start dirprint.exe.
When you start the program there is a (nag) message about the 30-day trial period.
Go to Help -> Enter registration code.
Enter any number and press OK.
The ERROR box is displayed with 'Incorrect registration code'.
Remember the displayed message.

Start W32DASM now.
Now there are two ways to get to the program location:
1a. Go to Search -> Find text -> "Incorrect registration code"
1b. Go to String Data References and search for the ERROR message.

Double-click on the "error" TWICE (one box with many messages) until you see:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044713F(C)
|
:0044723E 6A30                push 00000030

* Possible StringData Ref from Code Obj ->"Error"
|
:00447240 68F8724400          push 004472F8

* Possible StringData Ref from Code Obj ->"Incorrect registration code"
|
:00447245 6800734400          push 00447300
:0044724A 8B45FC              mov eax, dword ptr [ebp-04]
:0044724D E8A6BAFDFF          call 00422CF8
:00447252 50                  push eax

Let's go to the conditional jump address :0044713F(C).
You see this:

:0044713F 0F85F9000000        jne 0044723E    (goto badboy)

The @offset = 0004653F; this is where we patch the program.

Start HIEW now.
Open DIRPRINT.EXE and press F4 (Decode).
Press F5 and enter 0004653F.
Now change

:0044713F 0F85F9000000        jne 0044723E

into

:0044713F 0F84F9000000        je 0044723E

Press F9 and exit.

Now start dirprint.exe and go to Help -> Enter registration code.
Now enter ANY number and press OK.
Success. You have been successfully registered.

Greetings to tKC and all members of CIA.


Home Buyer's Calculator Suite, 1.0.02
http://www.wheatworks.com
Tutor by PinguTM (PinguTM@hotmail.com)

This is my 11th tutorial, whey another one ;)

Type: Register 4 Nuffin'
Tools: WinDASM, Hiew

This proggie has loads of calculators for doing different shit.....

Quick Calculator
Mortgage Qualifier
Loan Spread Calculator
Loan Amortization
Estimated Closing Costs
Refinancing Calculator
Rent vs Buy Calculator
Biweekly Payments

1. When you start the program you are hit with the nag. Press enter reg code or whatever it is and enter any old shit and hit register. Ah geeez, Registration code denied.

2. Load WinDasm and decompile hbcs1002.exe. Now select string data references and select "Registration code denied ".

3. You will now see something like this....

* Possible StringData Ref from Code Obj ->"Registration Code denied."
|
:0048B5BC B838B64800          mov eax, 0048B638
:0048B5C1 E81A72FCFF          call 004527E0

4. Scroll up a little till you see this........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048B553(C)
|
:0048B5B1 6A00                push 00000000
:0048B5B3 668B0DE8B54800      mov cx, word ptr [0048B5E8]
:0048B5BA B203                mov dl, 03

5. Notice the 0048b553(C), well, we want to go there. Hit the GoTo Location button, type "48b553" and press ok. BOOM, now you land here....

:0048B553 755C                jne 0048B5B1
:0048B555 8B45FC              mov eax, dword ptr [ebp-04]
:0048B558 C6402501            mov [eax+25], 01

6. Well, let's change that jne to a je... load up Hiew. Press F4 and select Decode. Now press F5 and type in the offset, which is "8A953". Now press F3 for edit mode and type "74", press F9 to save, and F10 to quit.

7. Re-load the proggie and enter any old shit like last time into the registration screen and hit enter. Sweet, it accepts it and the proggie is now fully registered. Also there is no check, so this proggie is a one byte wonder ;)

-=-=-=- PinguTM -=-=-=-


WinRamTurbo v1.33 14 Day Trial Version
http://scselp.com/winramturbo/
Tutor by PinguTM (PinguTM@hotmail.com)

This is my 12th tutorial, whey another one ;)

Type: Time Limit
Tools: WinDASM, Hiew

1. When you start the program a splash screen appears with 14 day evaluation, you have.. Since this is kinda a demo version there is no registration input screen, so I guess we need to kill the time limit.

2. Load WinDasm and decompile winram turbo.exe. Now select string data references and select " 21 Day TRIAL, 0 days left for " (you get this when the proggie expires).

3. You will now see something like this....

* Possible StringData Ref from Code Obj ->" 21 Day TRIAL, 0 days left for "
                                        ->"evaluation!"
|
:00454DA6 BA104F4500          mov edx, 00454F10
:00454DAB E800E8FAFF          call 004035B0
:00454DB0 8B95F4FEFFFF        mov edx, dword ptr [ebp+FFFFFEF4]
:00454DB6 8B83B4010000        mov eax, dword ptr [ebx+000001B4]
:00454DBC E8FFE9FBFF          call 004137C0
:00454DC1 E9E1000000          jmp 00454EA7

4. Scroll up a little till you see this........

:00454D4E 8B3500BF4500        mov esi, dword ptr [0045BF00]
:00454D54 2B3528BF4500        sub esi, dword ptr [0045BF28]
:00454D5A 85F6                test esi, esi
:00454D5C 7E05                jle 00454D63    <----Jumps to Badboy
:00454D5E 83FE0E              cmp esi, 0000000E    <----Compares usage to trial period
:00454D61 7E63                jle 00454DC6    <----Jumps to Goodboy

5. Let's banish the 1st jle :) Load up Hiew. Press F4 and select Decode. Now press F5 and type in the offset, which is "5415C". Now press F3 for edit mode and type "9090" (this cancels out that operation), press F9 to save, but don't press F10 yet..

6. Now we always want it to jump to the Goodboy, don't we, so... press F5 and type in the offset, which is "54161". Now press F3 for edit mode and type "EB" (this now will always jump to Goodboy), press F9 to save, and F10 to quit.

7. Now set your clock forward a few months and re-load the proggie. Kool, it now shows us how many days we have used it for over the usage date :) and the proggie still never expires.

NOTE: Although this is fully cracked, when you quit the program a small nag appears telling you where to buy/obtain the full product. If anyone removes this please email me on how you done it, Cheers!

Cya next time.

-In the words of Elmer Fudd: That's all folks!

-=-=-=- PinguTM -=-=-=-


Name      : MechWarrior 3
Version   : 1.0 US
Editor    : Microprose
Protection: Lame CD-check
Target    : Mech3.exe (2357248 bytes)
Tools     : Softice 4.0 (ARgghh! the bEsT!)
            Hexworkshop 2.54
            Brain

Mechwarrior 3 is an excellent Mech simulation. Of course, it is superior to the previous installment, thanks to its 3D engine. The protection is a lame CD-CHECK at the beginning of the game.

Step ONe:

Install Mechwarrior 3 and remove the CD from your CD-ROM drive. If you launch the game, a nagscreen appears: " PLEASE INSERT thE Mechwarrior 3 CD ". This is the CD-CHECK, which will be removed by using Softice 4.0.

Step TWo:

Take Symbol Loader (delivered with Softice). Open Mechwarrior 3 and launch the debugging.
We will use the breakpoint " GETDRIVETYPEA " to crack the software. The API " GETDRIVETYPEA " returns a value to determine if the CD-ROM reader is active (if there is a CD in the reader, if it is the right CD, etc...) or if it is really a CD-ROM reader. If the value 5 is returned by " GETDRIVETYPEA ", it's a CD-ROM. To place the breakpoint, type under Softice: BPX GETDRIVETYPEA. And we start again with F5.

Step THREe:

Softice must have popped up. You need to press F12 ONCE to return to the main code of the game. You should come upon this:

0056F7BA CALL [KERNEL32!GetDriveTypeA]  ------ the API we are looking for...
0056F7C0 SUB EAX,03
0056F7C3 JZ 0056F7E8             ---------
0056F7C5 SUB EAX,02                      |  Various tests of the drive
0056F7C8 JNZ 0056F80C                    |  to determine whether it is a CD-ROM,
0056F7CA CMP EDI,05                      |  a hard disk, or a removable disk.
0056F7CD JNZ 0056F80C            ---------
0056F7CF LEA EDX, [ESP+1C]
0056F7D3 PUSH EDX
0056F7D4 PUSH 007263A8
0056F7D9 CALL [00585590]         ------ CD-CHeck!
0056F7DF ADD ESP,08
0056F7E2 TEST EAX,EAX            ------ test the result of the CD-CHECK
0056F7E4 JNZ 0056F80C            ------ BaD BoY! we jump
0056F7E6 JMP 0056F804            ------ It's the right CD, we jump to 56F804 to set [ESP+10] to 1
0056F7E8 CMP EDI,03
0056F7EB JNZ 0056F80C
0056F7ED LEA EAX, [ESP+1C]
0056F7F1 PUSH EAX
0056F7F2 PUSH 007263A8
0056F7F7 CALL [00585590]
0056F7FD ADD ESP,08
0056F800 TEST EAX,EAX
0056F802 JNZ 0056F80C
0056F804 MOV DWORD PTR [ESP+10],01   ------ GooD BoY! ESP+10=1
...
0056F80C MOV EAX, [ESP+10]       ------ Put contents of ESP+10 in EAX
0056F810 TEST EAX,EAX            ------ Test EAX
0056F812 JNZ 0056F839            ------ EAX = 1 ? yes! We jump to 56F839
0056F814 MOV EDI,ESI
0056F816 OR ECX,-01
0056F819 XOR EAX,EAX
0056F81B REPNZ SCASB
0056F81D NOT ECX
0056F81F DEC ECX
0056F820 JZ 0056F848
0056F822 MOV EDI,ESI
0056F824 OR ECX,-01
0056F827 REPNZ SCASB
0056F829 MOV EDI, [ESP+14]
0056F82D NOT ECX
0056F82F DEC ECX
0056F830 LEA EBX, [ECX+EBX+01]
0056F834 JMP 0056F7A0
0056F839 MOV EAX,007263A8        ------ Good Boy: CD-Check CRaCKeD!
0056F83E POP EDI
0056F83F POP ESI
0056F840 POP EBP
0056F841 POP EBX
0056F842 ADD ESP,0000015C
0056F848 RET 0004
0056F84B POP EDI                 ------ Bad Boy!
0056F84C POP ESI
0056F84D POP EBP
0056F84E XOR EAX,EAX             ------ EAX=0
0056F850 POP EBX
0056F851 ADD ESP,0000015C
0056F857 RET 0004

So, by pressing F12 once we arrive at address 56F7C0. We do have a CALL [KERNEL32!GetDriveTypeA] which tests the CD-ROM. The loop has to be traced several times to get to the CD-ROM. Indeed, the GetDriveTypeA API first finds your hard disk before finding your CD-ROM reader. By tracing the loop several times, we arrive at address 56F7D9. The CALL [00585590] is the routine which checks whether the right CD is in the reader...

The CALL [00585590] is followed by a conditional jump (56F7E4: JNZ 0056F80C). If this jump is taken, it's not the right CD, and if this conditional jump is not taken, it's the right CD... So it is enough to remove the JNZ 0056F80C at address 56F7E4. For that we use the NOP instruction. In hexadecimal, NOP=090h.

For this crack, take a hex editor, go to offset 16EBE4 and put 90,90.

For remarKs, critiKs, contaKts: SamSouL99@Hotmail.com

Frenchies: if you want tutorials written in FReNCH, SEND me a mail...

TaMaMBoLo From SamSouL CraKING CReW


Name         : Photoline
Version      : 5.10
Availability : http://www.pl32.com or http://www.ciebv.com
Protections  : - Nagscreen
               - Delay at every launch
Target       : Photoline.exe (2420736 Bytes)
Tools        : Softice 3.25
               Windasm 8.93
               Hexworkshop 2.54
               Brain
Contact us   : Samsoul99@Hotmail.com (Welcome Frenchies!)

Photoline is a small shareware for drawing and photo retouching. The protection of the software is a nagscreen which is displayed at every start and makes you wait a few seconds before handing control back to you. We are going to patch the program to make it believe that we are registered users...

Step ONe:

We will use Softice for this crack. I used Windasm to show you the disassemblies. We will trace the program from the beginning to the end. The nagscreen is at the beginning of the progy, so at some moment we'll find where it is displayed (and where it makes us wait a few seconds)... For that, we take Symbol Loader. Load the program in memory and launch the debugging. Now we trace the program by pressing the F10 key. But when tracing the program from the beginning, you don't find the nag as soon as we begin: that would be too easy! It will be necessary to step into several calls before we find the nagscreen... Follow me...

Step TWo:

So we trace the program with the F10 key. We come to a first call:

594b37 call 594bb0

This call is used for initialization of the program: it calls a DLL for the C language (MFC42.DLL). This call doesn't display the nagscreen. We need to step into the call 594bb0. We use the F8 key. Pressing F8, we land on this:

594bb0 push [ esp+10 ]
594bb4 push [ esp+10 ]
594bb8 push [ esp+10 ]
594bbc push [ esp+10 ]
594bc0 call 594c08

At this point, it's the call 594c08 which initializes the program. As before, we need to step into the call 594c08 to see what happens there.
Pressing F8, we see this:

594c08 jmp [ 5b4a78 ]

We continue to trace the prog with the F10 key. If you look at the bottom of the Softice screen (on the green line) you will see the name of the module we are in. This time we find ourselves in the DLL MFC42.DLL. Tracing with F10, we arrive at this address:

5f410f80 call [ eax+58 ]

This time it's the call [ eax+58 ] which opens the program. As before, we step inside with the F8 key. Now it becomes interesting coz we are back in the photoline code (look at the name at the bottom, on the green line of Softice)... We are getting closer...

Step THRee:

Now we are really in the main code of the program. The initialization period being finished, we inevitably arrive at the nag. Pressing F10, we arrive at this (Warning! the trace is long!):

:004DA929 E8B2020000          call 004DABE0        ------- Test if registered user
:004DA92E 6685C0              test ax, ax          ------- Test the preceding result (with register AX)
:004DA931 7519                jne 004DA94C         ------- User registered? YeS! We jump...
:004DA933 B970A36200          mov ecx, 0062A370    ------- If not
:004DA938 E873A5FBFF          call 00494EB0        ------- we display the nag

* Possible Reference to String Resource ID=10000: " Grau "
|
:004DA93D 6810270000          push 00002710        ------- And here we make
:004DA942 B970A36200          mov ecx, 0062A370    ------- the unregistered user
:004DA947 E844A5FBFF          call 00494E90        ------- wait with this call...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DA931(C)
|
:004DA94C B970A36200          mov ecx, 0062A370    ------- here, we enter the software...
:004DA951 E82AD8F7FF          call 00458180
:004DA956 8BCB                mov ecx, ebx

If you carried out the preceding operations correctly, you must arrive at the address 4da929. We see that there is a call 4dabe0 followed by a conditional jump... If this jump is not taken, the program displays the nagscreen and makes us wait...
So if the conditional jump located at the address 4da931 is taken, we jump beyond the nag and the waiting time... It would then be enough to put a JUMP at the address 4da931. But if you do that (the crack will also work), you will always have the message " unregistered version "... But we are pros (!), we go for a clean and effective crack...

Step FOur:

Do you remember the call at the address 4da929 (call 4dabe0)? It must be this call which determines whether we are a registered user or not. We will step inside to see what happens there. We quit photoline. We take Symbol Loader again, and we put a BREAKPOINT at the address 4dabe0. Under softice, type BPX 4dabe0. We start photoline again with the F5 key. Softice pops up and stops, as expected, at the address 4dabe0. You are here (Windasm dump):

:004DABE0 6AFF                push FFFFFFFF
:004DABE2 6820A85A00          push 005AA820
:004DABE7 64A100000000        mov eax, dword ptr fs:[00000000]
:004DABED 50                  push eax
:004DABEE 64892500000000      mov dword ptr fs:[00000000], esp
:004DABF5 83EC3C              sub esp, 0000003C
:004DABF8 8D4C2418            lea ecx, dword ptr [esp+18]
:004DABFC E8FFA5FBFF          call 00495200
:004DAC01 8D4C240C            lea ecx, dword ptr [esp+0C]
:004DAC05 C744244400000000    mov [esp+44], 00000000
:004DAC0D E8EEA5FBFF          call 00495200
:004DAC12 6A01                push 00000001

* Possible StringData Ref from Data Obj ->"SerialNumber500"   ------ Hum ...
|
:004DAC14 6824CC5E00          push 005ECC24
:004DAC19 8D4C242C            lea ecx, dword ptr [esp+2C]
:004DAC1D C644244C01          mov [esp+4C], 01
:004DAC22 E8F9A5FBFF          call 00495220
:004DAC27 6A00                push 00000000
:004DAC29 8D4C2404            lea ecx, dword ptr [esp+04]
:004DAC2D C644244802          mov [esp+48], 02
:004DAC32 E849A6FBFF          call 00495280
:004DAC37 8D442424            lea eax, dword ptr [esp+24]
:004DAC3B 8D4C2400            lea ecx, dword ptr [esp]
:004DAC3F 50                  push eax
:004DAC40 8D542434            lea edx, dword ptr [esp+34]
:004DAC44 51                  push ecx
:004DAC45 52                  push edx
:004DAC46 C644245003          mov [esp+50], 03
:004DAC4B E880EDF2FF          call 004099D0
:004DAC50 83C40C              add esp, 0000000C
:004DAC53 50                  push eax
:004DAC54 8D4C241C            lea ecx, dword ptr [esp+1C]
:004DAC58 C644244804          mov [esp+48], 04
:004DAC5D E8BEA8FBFF          call 00495520
:004DAC62 50                  push eax
:004DAC63 8D4C2410            lea ecx, dword ptr [esp+10]
:004DAC67 E8B4A8FBFF          call 00495520
:004DAC6C 8D4C2430            lea ecx, dword ptr [esp+30]
:004DAC70 C644244403          mov [esp+44], 03
:004DAC75 E836A6FBFF          call 004952B0
:004DAC7A 8D4C2400            lea ecx, dword ptr [esp]
:004DAC7E C644244402          mov [esp+44], 02
:004DAC83 E828A6FBFF          call 004952B0
:004DAC88 8D4C2424            lea ecx, dword ptr [esp+24]
:004DAC8C C644244401          mov [esp+44], 01
:004DAC91 E81AA6FBFF          call 004952B0
:004DAC96 8D4C240C            lea ecx, dword ptr [esp+0C]
:004DAC9A E821ACFBFF          call 004958C0
:004DAC9F 85C0                test eax, eax
:004DACA1 0F848B000000        je 004DAD32          ------- If we jump, it's bad !
:004DACA7 56                  push esi
:004DACA8 8D4C2410            lea ecx, dword ptr [esp+10]   ------- registered...
:004DACAC E85FA9FBFF          call 00495610
:004DACB1 89442408            mov dword ptr [esp+08], eax
:004DACB5 6A01                push 00000001
:004DACB7 8D442438            lea eax, dword ptr [esp+38]
:004DACBB 6A20                push 00000020
:004DACBD 50                  push eax
:004DACBE 8D4C241C            lea ecx, dword ptr [esp+1C]
:004DACC2 E8D9AFFBFF          call 00495CA0
:004DACC7 50                  push eax
:004DACC8 8D4C2414            lea ecx, dword ptr [esp+14]
:004DACCC C644244C05          mov [esp+4C], 05
:004DACD1 E84AA8FBFF          call 00495520
:004DACD6 8D4C2434            lea ecx, dword ptr [esp+34]
:004DACDA C644244801          mov [esp+48], 01
:004DACDF E8CCA5FBFF          call 004952B0
:004DACE4 8D4C2410            lea ecx, dword ptr [esp+10]
:004DACE8 E823A9FBFF          call 00495610
:004DACED 8D4C2404            lea ecx, dword ptr [esp+04]
:004DACF1 89442404            mov dword ptr [esp+04], eax
:004DACF5 51                  push ecx
:004DACF6 E875000000          call 004DAD70
:004DACFB 83C404              add esp, 00000004
:004DACFE 8D4C2410            lea ecx, dword ptr [esp+10]
:004DAD02 8BF0                mov esi, eax
:004DAD04 C644244800          mov [esp+48], 00
:004DAD09 E8A2A5FBFF          call 004952B0
:004DAD0E 8D4C241C            lea ecx, dword ptr [esp+1C]
:004DAD12 C7442448FFFFFFFF    mov [esp+48], FFFFFFFF
:004DAD1A E891A5FBFF          call 004952B0
:004DAD1F 668BC6              mov ax, si
:004DAD22 5E                  pop esi
:004DAD23 8B4C243C            mov ecx, dword ptr [esp+3C]
:004DAD27 64890D00000000      mov dword ptr fs:[00000000], ecx
:004DAD2E 83C448              add esp, 00000048
:004DAD31 C3                  ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DACA1(C)
|
:004DAD32 8D4C240C            lea ecx, dword ptr [esp+0C]   ------- Unregistered ...
:004DAD36 C644244400          mov [esp+44], 00
:004DAD3B E870A5FBFF          call 004952B0
:004DAD40 8D4C2418            lea ecx, dword ptr [esp+18]
:004DAD44 C7442444FFFFFFFF    mov [esp+44], FFFFFFFF
:004DAD4C E85FA5FBFF          call 004952B0
:004DAD51 8B4C243C            mov ecx, dword ptr [esp+3C]
:004DAD55 6633C0              xor ax, ax           ------- Bad Boy ! AX=0
:004DAD58 64890D00000000      mov dword ptr fs:[00000000], ecx
:004DAD5F 83C448              add esp, 00000048
:004DAD62 C3                  ret

If you trace the routine with the F10 key, you see that the conditional jump at the address 4DACA1 is taken. And where does it bring us? To the address 4DAD32. And at 4DAD55 there is a pretty XOR AX,AX... This instruction will set AX to 0 (it is an exclusive OR)... And if you remember well, it's this register (AX) that the prog tests on return from the call we are interested in... And what if, instead of setting AX to 0, we set it to 1??? For that, we will just erase the instruction...

A XOR AX,AX takes 3 bytes. So it is enough to put 3 nops (90,90,90) in place of the XOR AX,AX. Under softice type E 4DAD55. Now type 90,90,90 in place of 66,33,c0. Press Enter and start photoline again with F5. boOM! REgisTereD! Indeed, when you launch photoline, the nagscreen is no longer displayed (and the waiting time is gone too), and it no longer shows you the number of days left in your trial period or " Unregistered Version "... The software thinks that we are registered users...

It should be noted that this technique for cracking this software is valid starting from version 5.xx and will probably be valid for the following versions...

For this crack, take a hex editor (Hexworkshop), go to offset DAD55 and put 90,90,90.

crACk By TaMaMBoLo From [(/$$Ï-SaMSoUL CRAcKInG-Ï$$\)]


We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #35 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:

Mr. Socko! for Splash Logo.
RSiP for providing a tut in this version.
mISTER fANATIC for providing a tut in this version.
TaMaMBoLo for providing 2 tuts in this version.
PinguTM for providing 2 tuts in this version.
tKC/CiA (hey it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials, see below for my email address!

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Oh btw, please don't expect me to reply to your mails, since I get 50+/- mails every day.. be sure that I really appreciate your mails! :)

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99
Compiled on 29 July 1999

Cracking Tutorial #34 is dedicated to Ms_Jessca, my liefie only, who else?
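
Seen from the vendor's or incident responder's side, every patch in the tutorials above (0F85 to 0F84, 75 to 74, 7E05 to 9090, 7E to EB, 6633C0 to 909090) is an in-place edit of a few bytes, which a hash comparison detects and a byte diff can label. The following is an added example, not part of the original tutorials: the function names are hypothetical, and the sample buffers are constructed by concatenating instruction bytes quoted on this page.

```python
import hashlib

NOP, JMP_SHORT, ESCAPE_0F = 0x90, 0xEB, 0x0F

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diff_runs(original: bytes, suspect: bytes):
    """Return [(offset, old, new)] for every contiguous run of changed bytes."""
    if len(original) != len(suspect):
        raise ValueError("sizes differ: not an in-place patch, compare hashes only")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(original, suspect)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, original[start:i], suspect[start:i]))
            start = None
    if start is not None:  # change runs up to the last byte
        runs.append((start, original[start:], suspect[start:]))
    return runs

def classify(original: bytes, offset: int, old: bytes, new: bytes) -> str:
    """Heuristic label for one changed run (byte patterns only, no disassembly)."""
    if all(b == NOP for b in new):
        return "nop-fill"
    if len(old) == 1:
        o, n = old[0], new[0]
        # Short Jcc opcodes are 70..7F; flipping bit 0 inverts the condition.
        if 0x70 <= o <= 0x7F and n == o ^ 1:
            return "short-jcc-inverted"
        if 0x70 <= o <= 0x7F and n == JMP_SHORT:
            return "short-jcc-forced"
        # Near Jcc is 0F 80..8F; only the second byte changes when inverted.
        if (0x80 <= o <= 0x8F and n == o ^ 1
                and offset > 0 and original[offset - 1] == ESCAPE_0F):
            return "near-jcc-inverted"
    return "other"

def audit(original: bytes, suspect: bytes):
    """Return (tampered, findings); findings are (offset, old hex, new hex, label)."""
    if sha256_hex(original) == sha256_hex(suspect):
        return False, []
    findings = [(off, old.hex(), new.hex(), classify(original, off, old, new))
                for off, old, new in diff_runs(original, suspect)]
    return True, findings

# Constructed sample: instruction bytes quoted in the tutorials, concatenated.
ORIGINAL = bytes.fromhex(
    "0F85F9000000"        # jne (near form)
    "755C8B45FC"          # jne (short form); mov eax,[ebp-04]
    "85F67E0583FE0E7E63"  # test esi,esi; jle; cmp esi,0E; jle
    "8B4C243C6633C0"      # mov ecx,[esp+3C]; xor ax,ax
)
SUSPECT = bytes.fromhex(
    "0F84F9000000" "745C8B45FC" "85F6909083FE0EEB63" "8B4C243C909090"
)

if __name__ == "__main__":
    tampered, findings = audit(ORIGINAL, SUSPECT)
    print("tampered:", tampered)
    for off, old, new, label in findings:
        print(f"  +0x{off:04X}  {old} -> {new}  {label}")
```

The labels are pattern matches on raw bytes, so a changed data byte that happens to fall in the 70..7F range can be mislabelled; the hash mismatch is the authoritative tamper signal and the labels only help triage.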