Welcome to Cracking Tutorial #45!

Last week when I burnt a cd with all my source codes, I formatted my harddrive (for installing NT), then I found out my cd is fokked up. Last nite I built an ISO file from that cd and I ripped shit, so I saved important data. *phew* :) I'm still offline (fok telkom) but as always, you'll hear from me again!

OK, let's go!

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

SoftICE 4.01
W32Dasm 8.93
Hacker's View 6.20
SmartCheck 6.03
TASM 5.00
Windows Commander 4.01 (I use it coz of easier to multitask)

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here is a good site where you can grab tools from:

http://protools.cjb.net/

or ask any crackers to get you these tools!

Are you ready?! OK! ;)


How to find a Serial for Stringz VB6 Crackme! with SmartCheck
By: +SEKt0r

Howdy ppl...again ;) Back with my 5th tut, hehe. it's my first SmartCheck tut, so bear with me. Ok this is a VB6 crackme written in VB6 by a cracker called Stringz. It's compiled in native P-Code which can be a bastard sometimes :(. But don't worry, with this tut, nothing can go wrong, i hope!

PART 1: TOOLS
=============
You need the following tools:

Numega Smartcheck
Stringz VB6 Crackme
A brain (duh!)

Get the philes from here:
www.protools.cjb.net (Great site for cracking shit!)

After you have gotten the above tools continue.

PART 2: SETTING UP SMARTCHECK
=============================
STEP 1: Ok open up SmartCheck
STEP 2: Click on Program -> Settings. Under Leaks in the Error Detection Tab, click on the Report Call Stack option. Make sure Report errors immediately is checked on.
STEP 3: Under the Reporting tab, everything should be clicked on except Report MouseMove events from OCX controls.
STEP 4: Under the main View tab, click on Show All Events

PART 3: FINDING THE SERIAL
==========================
STEP 1: Ok, open up the exe stringzcm.exe
STEP 2: Click on the green play button
STEP 3: You should get an error saying that the exe (VB exe's are not real :( is compiled into Native P-Code, just click on continue to load file
STEP 4: Keep clicking Acknowledge when the error box comes up, don't click suppress!
STEP 5: Now the form should be loaded put a name, mine was +SEKt0r
STEP 6: Click on Check
STEP 7: Now in SmartCheck, it should say under the +_Click button:

    Mid(VARIANT:String"+SEKt0r",Long1,Variant:Integer:1)
    Asc(String:"+")Returns Integer: 43
    --Snippit-- (Save space and reading time :)

    It should do the same for each letter of yer name
STEP 8: Now we come to the kewl part, at the bottom of the +_Click button it should say:

    Left(VARIANT:Double:4.75672e+011,Long9)

    Ok, click on this line and the right hand bod should look something like this:

    -String(Variant)
     |
     |-double .dblVal = 475671630303
     |
     |-Long Length = 9 0x00000009
STEP 9: Ok now put the serial in.... Hrmm no, wait a sec and think! What does that Long Length bit that equals to 9 mean?!?!? How long the serial must be! Ok so get the first 9 letters of the serial that we found out. eg: 475671630
STEP 10: Put the new serial in and click Check, did it work?!?! !AYY IT DID!

My reg info was:
Name: +SEKt0r
Serial:475671630

PART 4: FINAL THANKS
====================
Many thx goes to these following ppl, again:

Karnak -Thnx man for helping me with all the ASM shit! :)
Xzi -Thnx for being a friend.
eFFeCT -For being a friend and a newbie ;)
ARSN!K -For being there to teach me Pascal :)
WoLf -For his help + tuts
ED!SON -For his KICK ASS tutor
tKC -For also his tuts and giving me the opportunities, thnx a lot man :)
ME -hehe for writing this tut (:)->-<

ALL THE PPL IN MEDIUM, KEEP CRACKING GUYZ!
Everyone at #C.I.A #Cracking #Crackers #Cracking4Newbies #UCF2000 on EFNet, AND #TeamFortress and #VB on OzOrg.
And everyone else that I forgot about :)

Expect more tuts from me soon (:o)~

Contacting Me:
E-Mail: t1cker@hotmail.com
ICQ: 18381503
IRC: Usually on EFNet as SEKt0r or tIKA. Or sometimes on as SEKt0r|AU if I cant get SEKt0r or tIKA as my fucken nick :(
You can find me usually in the above channels!

*This tutorial, as usually, can only be used for educational purposes!*
*If ya like the program, support the makers and buy it!*


How to make a Crack for Virtua Fighter with Win32DASM
By: +SEKt0r

HEY! Woahh, my 6th tut! Damn, i dunno, must be superman or something today :) Ok, Virtua Fighter is a 3D fighter... it's pretty crap game, but my friend asked me to make a crack for him, so i decided to do it.

PART 1: TOOLS
=============
You need the following tools:

Win32DASM (I use 8.93!)
A Copy Of Virtua Fighter
Turbo Pascal 7.0
A brain (duh!)

Get the philes from here:
www.protools.cjb.net (Great site for cracking shit!)
+Just search for Virtua Fighter, you might find a site.

After you have gotten the above tools continue.

PART 2a: FINDING THE OFFSET
===========================
STEP 1: Install VF.
STEP 2: Open VF (VFPC.exe).
STEP 3: Hrmm. A MsgBox, "Cannot find Virtua Fighter(TM) PC CD"
STEP 4: Open up W32DASM, and open up VFPC.exe. Wait...wait...wait....DONE!
STEP 5: Click on the String Data References (SDR) button, look for the nag, remember?!?! (Cannot find Virtua Fighter(TM) PC CD)
STEP 6: Ok, double click it.
STEP 7: You will come here:

    *Possible StringData ref from Data Obj ->"Cannot find Virtua Fighter(TM)"
                                           ->"PC CD"
    :00505B58 Push 00B260CC
    :00505B5D Push 00000000

STEP 8: Now go up till you see:

    *Refrence To: USER32.BringWindowToTop, Ord:000Ah  ;Hrmm bring MsgBox to front?
    :00505B08 Call dword ptr [00C094C0]
    :00505B0E xor eax,eax       ; eax = 0
    :00505B10 jmp 00505BE8      ;
    :00505B1A test eax,eax      ;Well, check to see if CD is in drive, if eax = 0 then
    :00505B1C je 00505B6C       ;jump to error MsgBox

STEP 9: Well what will happen if we change the je to jne?!?
STEP 10: Fire up Hiew and open the file, change the je to jne.
STEP 11: Run VFPC, did it work?!?!?!?!
STEP 12: Ahhh YES!

PART 2b: Patching
=================
We have our offset, now we are ready. I have included the Pascal Source Code for all the newbies. Here it is:

    Uses Crt;

    Const A: Array[1..1] of Record {<-------- 1 byte to be patched}
               A : Longint;
               B : Byte;
             End =
             ((A:$00104F1;B:$0F74)); {<--------------- Offset "0008519B" and byte "0F74 = 74 = je " to be changed}

    Var Ch:Char; {<----- Defines the variables and what they mean}
        I:Byte;
        F:File;
        FN:file of byte;
        Size:longint;

    Begin {<------------ Start of the proggy}
      textcolor(white); {<----- Changes the textcolor}
      Writeln(' Crack for Virtua Fighter PC ');
      textcolor(blue);
      writeln(' BY: +SEKt0r ');
      Textcolor(red);
      writeln('Status:');
      Assign(F,'VFPC.exe'); {<-------------- Filename to be patched}
      {$I-} Reset(F,1); {$I+}
      If IOResult <> 0 then
      begin
        textcolor(red);
        writeln('File not found!'); {<--Display error message if file not found}
        writeln('Put the crack in the same dir as Tekfct95.exe');
        halt(1); {<------ Quit the proggy}
      end;
      If FileSize(F) <> 2500096 Then {<----Exact file size}
      Begin
        textcolor(red);
        Write(' Wrong Version/File Size! .. aborted!');
        Halt(1);
      End;
      For I:=1 to 1 do {<---------------------- 1 byte to be patched}
      Begin
        Seek(F,A[I].A);
        Ch:=Char(A[I].B);
        Blockwrite(F,Ch,1);
      End;
      Writeln('File successfully patched!');
    End.

PART 3: FINAL THANKS
====================
Many thx goes to these following ppl, again:

KarnaK -Yer thnx for the TASM stuff and the help, never forget it man
Xzi -Thnx for being a friend.
eFFeCT -For being a friend and a newbie ;)
ARSN!K -For being there to teach me Pascal :)
WoLf -For his help + tuts
ED!SON -For his KICK ASS tutor
tKC -For also his tuts and giving me the opportunities, thnx a lot man :)
ME -For writing this quick tut?

ALL THE PPL IN MEDIUM, KEEP CRACKING GUYZ!
Everyone at #Medium #C.I.A #Cracking #Crackers #Cracking4Newbies #UCF2000 on EFNet, AND #TeamFortress and #VB on OzOrg.
And everyone else that I forgot about :)

Expect more tuts from me soon :~)

Contacting Me:
E-Mail: t1cker@hotmail.com
ICQ: 18381503
IRC: Usually on EFNet as SEKt0r or tIKA if I cant get SEKt0r as my fucken nick :(
You can find me usually in the above channels!

*This tutorial, as usually, can only be used for educational purposes!*
*If yer like the program, support the makers and buy the program!*


How to make a Crack for Lime 5.10 with Win32DASM
By: +SEKt0r

eLLo ppl, once again i have made a tut just for the newbies out there =] I don't really know what this program is (i think it is some sort of keyboard proggy) but GlowBidie from #Cracking4Newbies asked me to crack it for him. Ok enough talk lets get into it.

PART 1: TOOLS
=============
You need the following tools:

Win32DASM (I use 8.93!)
Lime 5.10
Turbo Pascal 7.0
A brain (duh!)

Get the philes from here:
www.protools.cjb.net (Great site for cracking shit!)
ftp://datura.cerl.uiuc.edu/pub/lime/Windows/LIMESFX.EXE (1.9mb)

After you have gotten the above tools continue.

PART 2a: FINDING THE OFFSET
===========================
STEP 1: Install Lime (duh?!?!).
STEP 2: Copy Lime.exe to 1.exe then run it.
STEP 3: Hrmm. When we try to enter a fake name and serial we get a msgbox saying "Incorrect Password"
STEP 4: Open up W32DASM, and open up Lime.exe, the file Lime.exe is 1.36 mb, so we have to wait a while till the bastard's finished :(
STEP 5: Click on the String Data References (SDR) button, look for the incorrect password messagebox.
STEP 6: Found it?!?! When you have, just double click it
STEP 7: You will come here:

    *Possible StringData ref from Data Obj ->"Incorrect Password"
    :004DBA17 Push 00531654

STEP 8: Now go up till you see:

    *Possible StringData Ref from Data Obj ->"1c7qkjf8sypwd3" ; possible code?
    -----Snippit-------
    :004DBA07 call 004F3300       ;calculate reg info
    :004DBA0C add esp, 0000000C   ; add 0000000C to esp
    :004DBA0F test eax,eax        ;check if the right serial and the one we inputed equal
    :004DBA11 je 004DBA2B         ;jump to bad msgbox if codes do not equal?

STEP 9: The above should be quite easy to understand, what would happen if we changed the je to jne????
STEP 10: Fire up Hiew (best hex editor...i rekon anyway) and open 1.exe
STEP 11: Change the je to jne at the offset of: 000DAE11
STEP 12: Run 1.exe, enter any reginfo, Click ok, work?? AYYYYY YEAH BABY!

PART 2b: Patching
=================
We have our offset, now we are ready. I have included the Pascal Source Code for all the newbies. Here it is:

    Uses Crt;

    Const A: Array[1..1] of Record {<-------- 1 byte to be patched}
               A : Longint;
               B : Byte;
             End =
             ((A:$000DAE11;B:$75)); {<--------------- Offset "000DAE11" and byte "0F75 = 75 = jne " to be changed}

    Var Ch:Char; {<----- Defines the variables and what they mean}
        I:Byte;
        F:File;
        FN:file of byte;
        Size:longint;

    Begin {<------------ Start of the proggy}
      textcolor(white); {<----- Changes the textcolor}
      Writeln(' Crack for Lime 5.10 ');
      textcolor(blue);
      writeln(' BY: +SEKt0r ');
      Textcolor(red);
      writeln('Status:');
      Assign(F,'VFPC.exe'); {<-------------- Filename to be patched}
      {$I-} Reset(F,1); {$I+}
      If IOResult <> 0 then
      begin
        textcolor(red);
        writeln('File not found!'); {<--Display error message if file not found}
        writeln('Put the crack in the same dir as Tekfct95.exe');
        halt(1); {<------ Quit the proggy}
      end;
      If FileSize(F) <> 2500096 Then {<----Exact file size}
      Begin
        textcolor(red);
        Write(' Wrong Version/File Size! .. aborted!');
        Halt(1);
      End;
      For I:=1 to 1 do {<---------------------- 1 byte to be patched}
      Begin
        Seek(F,A[I].A);
        Ch:=Char(A[I].B);
        Blockwrite(F,Ch,1);
      End;
      Writeln('File successfully patched!');
    End.
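
The Virtua Fighter and Lime patches above each change one conditional-jump byte, so the file size check in the patcher source would still pass on a modified file. Seen from the software vendor's side, the following added example (not part of the original tutorial; the function names and sample bytes are constructed for illustration) compares a file against a known-good copy by SHA-256 and classifies changed bytes that look like an altered branch.

```python
import hashlib

def classify_change(old: bytes, new: bytes, off: int) -> str:
    """Heuristically label a changed byte. Without disassembly a matching
    byte could also be data or an operand, so treat the label as a hint."""
    o, n = old[off], new[off]
    # Short conditional jumps are opcodes 0x70-0x7F; a condition and its
    # inverse differ only in the lowest bit (0x74 je <-> 0x75 jne).
    if 0x70 <= o <= 0x7F:
        if n == o ^ 1:
            return "short Jcc inverted"
        if n == 0xEB:  # 0xEB is the short unconditional jmp
            return "short Jcc made unconditional"
    # Near conditional jumps are 0F 80..0F 8F with the same low-bit pairing.
    if off > 0 and old[off - 1] == 0x0F and 0x80 <= o <= 0x8F and n == o ^ 1:
        return "near Jcc inverted"
    return "other modification"

def audit(known_good: bytes, suspect: bytes) -> dict:
    """Compare a suspect image with a known-good one and list changed bytes."""
    report = {
        "size_match": len(known_good) == len(suspect),
        "sha256_match": hashlib.sha256(known_good).digest()
                        == hashlib.sha256(suspect).digest(),
        "changes": [],
    }
    # A byte-by-byte diff is only meaningful when the sizes agree.
    if report["sha256_match"] or not report["size_match"]:
        return report
    for off, (o, n) in enumerate(zip(known_good, suspect)):
        if o != n:
            label = classify_change(known_good, suspect, off)
            report["changes"].append((off, o, n, label))
    return report

# Constructed sample: "test eax,eax / je +0x18" (bytes 85 C0 74 18), the
# instruction pair shown in the Lime listing, padded with filler bytes.
GOOD = bytes.fromhex("90" * 8 + "85c07418" + "90" * 8)
TAMPERED = bytes.fromhex("90" * 8 + "85c07518" + "90" * 8)

if __name__ == "__main__":
    result = audit(GOOD, TAMPERED)
    print("size match:", result["size_match"])
    print("hash match:", result["sha256_match"])
    for off, o, n, label in result["changes"]:
        print(f"offset 0x{off:08X}: {o:02X} -> {n:02X} ({label})")
```

A size comparison alone reports the tampered sample as unchanged; only the hash and the byte diff show the modification.
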
PART 3: FINAL THANKS
====================
Many thx goes to these following ppl, again:

KarnaK -Yer thnx for the TASM stuff and the help, never forget it man
Xzi -Thnx for being a friend.
eFFeCT -For being a friend and a newbie ;)
ARSN!K -For being there to teach me Pascal :)
WoLf -For his help + tuts
ED!SON -For his KICK ASS tutor
tKC -For also his tuts and giving me the opportunities, thnx a lot man :)
ME -For writing this tut?

ALL THE PPL IN MEDIUM, KEEP CRACKING GUYZ!
Everyone at #C.I.A #Cracking #Crackers #Cracking4Newbies #UCF2000 on EFNet, AND #TeamFortress and #VB on OzOrg.
And everyone else that I forgot about :)

No thanks goes to the lamerz who stole #Medium, fuck you faggets die in hell DOGS! If anyone comes across anyone who is in #Medium give them a big FUCK YOU for me

Expect more tuts from me soon :~)

Contacting Me:
E-Mail: t1cker@hotmail.com
ICQ: 18381503
IRC: Usually on EFNet as SEKt0r or tIKA if I cant get SEKt0r as my fucken nick :(
You can find me usually in the above channels!

*This tutorial, as usually, can only be used for educational purposes!*
*If yer like the program, support the makers and buy the program!*


RAScounter v1.20
C4A Cracking Tutorial by ASTAGA 9/10/99

DISCLAIMER

This reading material is not intended to violate Copyrights and/or it is law, but for educational purposes only. I hold no responsibility ( by all means and in any shape whatsoever ) of the mis-used of this material.

ABOUT THE PROGRAM

RAScounter counts telephone impulses for you. It supports automatic detection of connection type by scanning your dialup networking (phonebook) entries and associating appropriate connection rate. It also supports automatic disconnection after defined time interval or when all defined windows are closed.

WHERE TO DOWNLOAD

http://www.angelfire.com/ok/mp3five/images/RAScount.zip ( recommended )
http://erc.riteh.hr/users/dmalic/RAS/rascounter.zip
Size : 108 KB

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Run the program ( rascounter.exe ) , see that nag ? just confirm by clicking OK button. In the main window program, click on ABOUT folder, and type name , company and fake number as follows :

   Name: ASTAGA - C4A
   Company: Cracking for All
   Serial Number: 69696969691

   if you click REGISTER button right now, you'll find that the progs will reset all fields by blank entries. So, DON'T DO IT .

2. ( I assumed you have run SoftIce ) Press CTRL - D , then type

   BPX GetWindowTextA

   Press F5 to return to the program.

3. Click REGISTER button ..... you'll back into SoftIce again ..... Press F11, F5, F11, F5 and again F11 until you see your fake serial number appear completely / copied to memory address 013F:79DFB4 ( remember, it may differ in your machine ) as it in the Data Window, and landed at :

   _______________________________________________________________
   ........
   0137:0041FE9A FF1534194300 CALL [USER32!GetWindowTextA]
   0137:0041FEA0 6AFF         PUSH FF            <----- here
   0137:0041FEA2 8B4D10       MOV ECX,[EBP+10]
   ........
   ________________ RASCOUNTER!.text+00001EE9A __________________

   At this step I made and typed a breakpoint ( address may differ on your side )

   BPM 013F:0079DFB4

4. Press F10 three times .... you'll feel splash screen and landed HERE :

   ______________________________________________________________
   0137:BFF7117E F2AE REPNZ SCAZB      as you landed here you'll
   ........                            see another REPNZ, 14
   ........                            lines below after this stop
   ........
   0137:BFF7119A F2AE REPNZ SCAZB
   ........
   ______________________________________________________________

   at this stage I made 2 ( two ) breakpoints ( I admitted it's hard to explain why I do this .... but it works ) :

   BPX 0137:BFF7117E and BPX 0137:BFF7119A

5. Now press F10 to trace the code. Because I've traced before so I can tell you that at the 55th, 59th and 72nd of F10's I feel the screen splashed Sice's Register Window show me that EAX register contain of 0066F098 .

6. At the 76th of F10 the screen again splashed ( and still EAX=0066F098 ), then I stop here :

   ........
   0137:00404235 751A JNZ 00404251

   and do dump/display memory of EAX by typing :

   d eax

   wow.... there are sequence of numbers -15 digits - appear in the Data Window ( 013F:0066EE14 ) that is 16414370222641040 .

7. To me that's most likely the serial number that we are looking for. So, why don't we try our luck .... eh ??? Type BD * and press F5 to return to the program.

9. Retype your Name, Company and enter 16414370222641040 as your serial number in the registration window, click REGISTER button. There is nothing happen ..... there is no classic " Thank you for Registering .... " message! Let's think a while, do you remember at the first time of trying fake serial number ? The registration window reset all fields by blank entries.

10. Now QUIT the program. Re-run the program, this time there is NO NAG reminder .... right ? Yes, The program is now REGISTERED!

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: Register, pay up, and smile/grin at yourself in the mirror.

Never attribute to malice that which is adequately explained by stupidity

crack release : c4a_ra12.zip August 17,1999 at http://listen.to/C4A or http://surf.to/C4A

[eof]


DongJong's NEWBIE TUTORIAL
DongJong's How to get a PERSONAL SERIAL for Addict v2.02

Tools to use
~~~~~~~~~~~~
SmartCheck 6.01

Where to get Tools
~~~~~~~~~~~~~~~~~~
http://cracking.home.ml.org
http://surt.to/HarvestR
http://crackstore.com
http://www.pepsoft.com

Where to get the program
~~~~~~~~~~~~~~~~~~~~~~~~
Addict v2.02
http://www.dearflower.com/Addict/

Program description
~~~~~~~~~~~~~~~~~~~
Addict is a program you can use to prevent yourself and others from using the computer or from using certain applications. If you schedule Addict to keep you from playing Solitaire, it won't just remind you it's time you stopped playing - it will close it for you, and not let you use it again for a while. If you want the computer off at 2am until the next morning, Addict will turn it off and keep it off, guaranteed. You can use Addict to keep yourself or others from using practically any program, or from using the computer at all.

Procedures
~~~~~~~~~~
Start SmartCheck (sc) and open Addict.exe, run the program by pressing F5, then when the program appears, press on File menu ---> Register, and try to register, hmmm.... it doesn't ask for a name, just the reg code, so i just input 359379 and press OK... BOING! it says, "Sorry, that's not the coorect registration code" so just click on and exit the program, press on the error the "Acknowledge" button and SC stops tracing for us to begin hunting that code :>

Ok, so now let's look on the left side of SmartCheck, whew... a lot, but just take a look at the string with [+] MenuFR_Click , click that and it expand, whew! he he, we're kind of near, below that expand [+] RegistrationForm.Show , then expand [+] Command1_Click, so click on it and trace down, you'll see a long redundancy of Chr$ and Mid$ ...
    Ubound returns LONG:10
    --- snip for brevity ---
    Chr$
    Mid$
    Chr$
    Mid$
    Chr$
    Mid$
    Chr$
    Mid$
    --- snip for brevity ---

Now observe, that first of a series of Mid$, place the cursor on it and press it (blue line highlights it) and look at the right corner of SC, you'll see like this...

    [-] unsigned short * * IpDestination = 0066E8C0
     |   |
     |   |-- String = 00444324
     |   |
     |   |-- = "**********"
     |
     |-- Long start = 1 0X00000001
     |
     |-- Long length = 1 0X00000001
     |
    [-] String replacement = 00442304
     |
     |-- = "y"

Look here, just follow it, as you click on Mid$, you will observe a pattern is building up, it's replacing the unknown string represented by "**********" with a letter that is shown on "String replacement"... kewl, so need i explain more... the more the better he he he... ok, so go on and click on the succeeding Mid$, till you observe that pattern, and those "**********" are gradually replaced by a string (small letter alphabets in our case) and down on the last string in my SC it shows (hey! check out yours, maybe it would be different, what's important is following my tut ok, attaboy!), so mine shows at the end of the series of Mid$ as i told you is like this :

    [-] unsigned short * * IpDestination = 0066E8C0
     |   |
     |   |-- String = 00444324
     |   |
     |   |-- = "yxwoliifb*"
     |
     |-- Long start = 1 0X00000001
     |
     |-- Long length = 1 0X00000001
     |
    [-] String replacement = 00442304
     |
     |-- = "t"

Now, this is the highlight of our magic show, we now have our REG CODE! you see "yxwoliifb*" is our reg code but the last * indicates we lack one string, but hey look down at that "String Replacement" it's a letter "t", and that's what you should use to replace the last missing string for the *, which means we got "yxwoliifbt" as our code (minus the quotes of course), that just goes to say, the code contains 10 alpha strings :> kewl ...

But, wait...
as you scroll down you'll notice that there is another set of a series of Chr$ and Mid$ again, with the same format as what i have told you above, well, it's another set of codes, which you can use as your REG CODE! so all in all i got 7 sets of reg code to be used in this program.

Well, that's it, you've made it! Start Addict.exe, and register using any of this:

yxwoliifbt
zyxpmjjgcu
azyqnkkhdv
rqphebbyun
srqifcczvo
tsrjgddawp

Check the Help --> About box and see what we got there :> Say cheese ^^!^^, in place of the unregistered for xx days reminder we got a registered for xx days ago, how kewl :>

I also found out that it's not case sensitive, you can type it in uppercase or combination of upper/lower case, it doesn't matter, as long as the strings are of the correct series, but you can't just pick out 10 random alpha strings, as it will fail ;-(

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greetings goes to these people:

tkc- i would like to thank tKC for his tutors.
MsJessca- for hosting the tuts and inspiring tkc :>
Albert Alexander Lay- KeWl DuDe! for the computer and Internet ;)
All cracking groups and cracking fanatics and newbies galores!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Until next time... MABUHAY!

Another Tutor by DongJong ;-)
sutra@goplay.com


We really hope you've enjoyed this tutorial too much as we did! Don't miss Tutor #46 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:

Northpole for Splash Logo.
+SEKt0r for providing 3 tuts in this version.
ASTAGA for providing a tut in this version.
DongJong for providing a tut in this version.
tKC/CiA (hey it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address!

***(don't send me tutors till I'm back online!)***

And all the tutors can be found at www.msjessca.da.ru!

Greetz goto all my friends!
You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99
Compiled on 7 October 1999

Cracking Tutorial #45 is dedicated to Ms_Jessca...