Welcome to Cracking Tutorial #53! Hiya guys, Sorry for delays but I was really busy last days. Here are 3 tutors (#53, #54, and #55) for today, enjoy it... OK, let's rave! TOOLS ~~~~~ You'll need the following tools: (I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!) SoftICE v4.01 W32Dasm v8.93 Hacker's View v6.20 SmartCheck v6.03 ProcDump32 v1.5.0 Windows Commander 4.01 (I use it coz of easier to multitask) Delphi, VB, C++, or TASM to code a keygen or a patch.. Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here is a good site where you can grab tools from: http://protools.cjb.net or http://w3.to/protools or ask any crackers to get you these tools! Are you ready?! OK! ;) PART 1 ~~~~~~ DataArmour v1.3.0.1 http://homepages.ihug.co.nz/~nclayton DataArmour is a personal backup tool, designed for PC's, replacing or complementing the need for tape based systems. The idea being that you can backup locally, or to any FTP server (assuming you have write access). 1) Run DATAARMOUR.EXE, you will see a popup message box. 2) Click on the "Register" button and enter the following:- User name : mISTER fANATIC [C4A] Company (optional): Number of licenses: 1 Registration code : 5544332211 3) Press "CTRL-D" to return into SoftIce, type "bpx hmemcpy", and press "CRTL-D" to return into DataArmour. Finally, click on the "Ok" button to register and you are back to SoftIce. 4) Press "F12" once and you will see the following:- xxxx:0048137F 8B55FC MOV EDX,[EBP-04] xxxx:00481382 8D4630 LEA EDX,[ESI+30] xxxx:00481385 E82E28F8FF CALL 00403BB8 xxxx:0048138A 8D55FC LEA EDX,[EBP-04] 5) Type "bd 0" or "bd *" to disable the breakpoint. 6) Press "F10" until the line below:- xxxx:0048143C 8D55FC LEA EDX,[EBP-04] xxxx:0048143F 8B8304020000 MOV EAX,[EBX+00000204] xxxx:00481445 E8EA03FAFF CALL 00421834 xxxx:0048144A 837DFC00 CMP DWORD PTR [EBP-04],00 xxxx:0048144E 7462 JZ 004814B2 7) Then, press "F10" until the line below:- xxxx:00481463 E8FCD3FFFF CALL 0047E864 <-- press F8 to trace xxxx:00481468 84C0 TEST AL,AL xxxx:0048146A 7542 JNZ 004814AE At line xxxx:00481463, press "F8" to trace. Then, press "F10" until the line below:- xxxx:0047E8B8 8B45F8 MOV EAX,[EBP-08] <-- real code xxxx:0047E8BB 8B55FC MOV EDX,[EBP-04] <-- fake code xxxx:0047E8BE E8A98EF8FF CALL 0040776C xxxx:0047E8C3 85C0 TEST EAX,EAX xxxx:0047E8C5 0F94C0 SETZ AL At line xxxx:0047E8BB, type "e eax" and you will see something interesting like "76F8 1C25 DB25 AE77 8349 67AA 7776 5B14". Hah, its the real registration code. 8) Press "CTRL-D" to return to DataArmour. Enter the following and click the "Ok" button:- User name : mISTER fANATIC [C4A] Company (optional): Number of licenses: 1 Registration code : 76F8 1C25 DB25 AE77 8349 67AA 7776 5B14 BOOM, its registered! Well, I hope you learned something from this tutorial. mailto: c4a@iname.com PART 2 ~~~~~~ ------------------------------- - - Name : Shadow Man 1.0 Cracker : Mr.T From : Mars :) Mail : mrt.mrt@caramail.com Date : 17/11/99 Protection: CD-Check ------------------------------- - - Tools: ~~~~~~ _W32DASM 8.9x _HIEW 5.60 I think u can get these tools on ShadowRUNNER's website: http://www.crackstore.com Intro: ~~~~~~ I hope you have a little knowledge of W32DASM and HIEW cause i'll not explain how to use them. Errr... my english is very "bad" so i hope u'll understand what i'm talking about :] I don't know if there is many ShadowMan version but mine is English, French and Spanish one, at the start of the installation it ask me to choose the language of the installed game. When the installation ask you to choose what u whant to install, you must install Program Files and data. Let's start: ~~~~~~~~~~~~ Ok first we want to know what append when we run the game without the CD so first install the game (huhu) then run it without the CD ( simple no ? :) ) _ well a messagebox tell us: "Please insert your ShadowMan CD" Ok let's crack this game... 1. Make always a backup of your victim, copy "Shadowman.exe" to "Backup.exe" and open Backup.exe with W32DASM, open Shadowman.exe with HIEW 2. In W32DASM , click on String Data References and search for that error message , you find it well double - clik on it... 3. you must see this piece of code: * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:0040AF79(C), :0040B018(C) <-- THIS IS WHERE IT WAS CALLED | :0040B026 BA01000000 mov edx, 00000001 * Possible StringData Ref from Data Obj->"Please Insert Your ShadowMan CD" ^^^ <- BOO! BAD BOY! | :0040B02B B9B42A5500 mov ecx, 00552AB4 :0040B030 E88893FFFF call 004043BD :0040B035 83F801 cmp eax, 00000001 :0040B038 0F8492FEFFFF je 0040AED0 blablabla... let's see below... * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040AF54(C) | :0040B04F 8D7C245C lea edi, dword ptr [esp+5C] :0040B053 83C9FF or ecx, FFFFFFFF :0040B056 33C0 xor eax, eax :0040B058 F2 repnz :0040B059 AE scasb :0040B05A F7D1 not ecx :0040B05C 2BF9 sub edi, ecx :0040B05E 8BC1 mov eax, ecx :0040B060 8BF7 mov esi, edi :0040B062 BFEC566700 mov edi, 006756EC :0040B067 C1E902 shr ecx, 02 :0040B06A F3 repz :0040B06B A5 movsd :0040B06C 8BC8 mov ecx, eax :0040B06E 83E103 and ecx, 00000003 :0040B071 F3 repz :0040B072 A4 movsb :0040B073 8D4C245C lea ecx, dword ptr [esp+5C] :0040B077 51 push ecx * Possible StringData Ref from Data Obj ->"--- CD Found --- : %s" ^^^ <- HMMM... INTERESSANT :) blablabla... click on goto code location and enter 40AF79, we want to go to the code location where this error message was called, you must see this now: * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:0040AEE4(C), :0040AEF9(C), :0040AF1E(C) | :0040AF5A 43 inc ebx :0040AF5B 83FB1A cmp ebx, 0000001A :0040AF5E 0F8C71FFFFFF jl 0040AED5 "--- CD Not Found ---" | :0040AF64 68D42B5500 push 00552BD4 :0040AF69 E8CB72FFFF call 00402239 :0040AF6E A1CC5D6700 mov eax, dword ptr [00675DCC] :0040AF73 83C404 add esp, 00000004 :0040AF76 83F804 cmp eax, 00000004 :0040AF79 0F87A7000000 ja 0040B026 :0040AF7F FF248544B14000 jmp dword ptr [4*eax+0040B144] :0040AF86 BA01000000 mov edx, 00000001 * Possible StringData Ref from Data Obj ->"Please Insert Your Shadow Man " ->"CD" | :0040AF8B B9AC2B5500 mov ecx, 00552BAC <-- YOU ARE HERE NOW Let's see what this jl 0040AED5 contain, click on this line and click on the JUMP TO button now you see: * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040AF5E(C) | :0040AED5 8B442410 mov eax, dword ptr [esp+10] :0040AED9 BA01000000 mov edx, 00000001 :0040AEDE 8BCB mov ecx, ebx :0040AEE0 D3E2 shl edx, cl :0040AEE2 85D0 test eax, edx :0040AEE4 7474 je 0040AF5A <- JUMP TO CD NOT FOUND :0040AEE6 8ACB mov cl, bl :0040AEE8 8D54245C lea edx, dword ptr [esp+5C] :0040AEEC 80C141 add cl, 41 :0040AEEF 52 push edx :0040AEF0 884C2460 mov byte ptr [esp+60], cl :0040AEF4 FFD7 call edi :0040AEF6 83F805 cmp eax, 00000005 :0040AEF9 755F jne 0040AF5A <- JUMP TO CD NOT FOUND :0040AEFB 8D44243C lea eax, dword ptr [esp+3C] :0040AEFF 6A20 push 00000020 :0040AF01 8D4C2418 lea ecx, dword ptr [esp+18] :0040AF05 50 push eax :0040AF06 8D542420 lea edx, dword ptr [esp+20] :0040AF0A 51 push ecx :0040AF0B 52 push edx :0040AF0C 6A00 push 00000000 :0040AF0E 8D442430 lea eax, dword ptr [esp+30] :0040AF12 6A20 push 00000020 :0040AF14 8D4C2474 lea ecx, dword ptr [esp+74] :0040AF18 50 push eax :0040AF19 51 push ecx :0040AF1A FFD5 call ebp :0040AF1C 85C0 test eax, eax :0040AF1E 743A je 0040AF5A <- JUMP TO CD NOT FOUND hmm. :0040AF20 8D74241C lea esi, dword ptr [esp+1C] * Possible StringData Ref from Data Obj ->"SHADOWMAN1" | :0040AF24 B8F02B5500 mov eax, 00552BF0 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040AF47(C) | :0040AF29 8A10 mov dl, byte ptr [eax] :0040AF2B 8ACA mov cl, dl :0040AF2D 3A16 cmp dl, byte ptr [esi] :0040AF2F 751C jne 0040AF4D :0040AF31 84C9 test cl, cl :0040AF33 7414 je 0040AF49 :0040AF35 8A5001 mov dl, byte ptr [eax+01] :0040AF38 8ACA mov cl, dl :0040AF3A 3A5601 cmp dl, byte ptr [esi+01] :0040AF3D 750E jne 0040AF4D :0040AF3F 83C002 add eax, 00000002 :0040AF42 83C602 add esi, 00000002 :0040AF45 84C9 test cl, cl :0040AF47 75E0 jne 0040AF29 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040AF33(C) | :0040AF49 33C0 xor eax, eax :0040AF4B EB05 jmp 0040AF52 * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:0040AF2F(C), :0040AF3D(C) | :0040AF4D 1BC0 sbb eax, eax :0040AF4F 83D8FF sbb eax, FFFFFFFF * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040AF4B(U) | :0040AF52 85C0 test eax, eax :0040AF54 0F84F5000000 je 0040B04F <- JUMP TO CD FOUND hmmm, more interessant... Huhu i gat an idea , you see the last jump to " CD NOT FOUND " at 40AF1E ? ok we'll change that JUMP CD NOT FOUND to JUMP CD FOUND at 40AF54 , in this way if the CD is not here it' ll works. So double-clik on 40AF1E and check out the bottom of W32DASM and look at the OFFSET: @Offset 0000A31Eh Go to HIEW press F4 then F2 then F5 enter A31E press ENTER then press F4 then F3 and you see this now: .0000AF1E: 743A je .00000AF5A ---------- (1) 74 in hex mean jump equal (je) in ASM, 3A is the code location (40)AF5A We want to go to (40)AF54 to jump to CD FOUND so press F3 to EDIT this ASM code, press F2 and change " je 00000AF5A " to " je 00000AF54 " press ENTER and press F9 to update. 4. Ok we broke the first CD-Check, but there is another one ( u want to check? well run the CD and try to play ShadowMan :) ) There is different way to crack a CD-Check protection, click on Imported Modules and Function and search for "KERNEL32.GetDriveTypeA" then double click on it you must see this now : * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040B24C(C) <--!IMPORTANT! IT'S WHERE THIS WAS CALLED | :0040B25B 53 push ebx :0040B25C 55 push ebp :0040B25D 56 push esi * Reference To: KERNEL32.GetLogicalDrives, Ord:0120h | :0040B25E FF1588867900 Call dword ptr [00798688] :0040B264 89442414 mov dword ptr [esp+14], eax :0040B268 6A01 push 00000001 * Reference To: KERNEL32.SetErrorMode, Ord:0264h | :0040B26A FF158C867900 Call dword ptr [0079868C] * Reference To: KERNEL32.GetDriveTypeA, Ord:0104h | :0040B270 8B3D90867900 mov edi, dword ptr [00798690] Goto 40B24C then you must see this: :0040B24C 740D je 0040B25B <-- IT CALL THE CD-CHECK PROCEDURE je mean jump equal in ASM CODE Check out the bottom of W32DASM and look at the OFFSET : @Offset 0000A64Ch and go to HIEW and press F4 then press F2 then press F5, enter A64C then press ENTER. You see this: 74 0D it's our call, change this and put 75 0D instead, the whole line looks like this now: 67 00 C7 44 24 04 00 00 00 00 85 C0 [74 0D] B8 01 <- before 67 00 C7 44 24 04 00 00 00 00 85 C0 [75 0D] B8 01 <- now I explain, before it was - jump equal = 74 0D and we put - jump not equal = 75 0D , it's something like= if the CD is not here jump to " DAMN YOU DON'T HAVE YOUR CD IN THE CD-DRIVE " and we put = if the CD is not here jump to " WELL YOU ARE A GOOD BOY YOU KNOW :) " ... you gat it ? ... Ok, press F3 enter 75 then press F9. 5. Well it's finished, exit HIEW then run the game without the CD and... it works! :) ________________________________________________________________________ I am bad in asm but this piece of code works so, if there is any errors i am sorry :D ===========================================CUT HERE :) ================= ;/-----------------------------------------------------------------------> ; Mr.T file patcher -> Basic asm Code :) crack.asm ;\-----------------------------------------------------------------------< assume cs:code,ds:code code segment org 100h ;/-----------------------------------------------------------------------> ; START ;\-----------------------------------------------------------------------< start: ;--- clear screen mov ax,0003h int 10h ;--- display some text lea dx,text1 call print ;--- open the file mov ah,3dh mov al,2 lea dx,victim int 21h ;--- check if the file exist jnc filexist ;--- the file doesn't exist show error then exit lea dx,error call print jmp exit ;--- the file exist continue filexist: ;--- save file handle mov handle,ax ;--- patch the victim! call patch ;--- close the file mov ah,3eh mov bx,handle int 21h ;--- display some text then exit lea dx,noprob call print jmp exit ;/-----------------------------------------------------------------------> ; PATCH PROCEDURE ;\-----------------------------------------------------------------------< patch: ;--- goto offset 1 mov ah,42h xor al,al mov bx,handle xor cx,cx mov dx,off1 int 21h ;--- at offset 1 patch with value 1 mov ah,40h mov bx,handle mov cx,1 lea dx,val1 int 21h ;--- goto offset 2 mov ah,42h xor al,al mov bx,handle xor cx,cx mov dx,off2 int 21h ;--- at offset 2 patch with value 2 mov ah,40h mov bx,handle mov cx,1 lea dx,val2 int 21h ret ;/-----------------------------------------------------------------------> ; PRINT TO SCREEN PROCEDURE ;\-----------------------------------------------------------------------< print: mov ah,09h int 21h ret ;/-----------------------------------------------------------------------> ; END OF THE PROGRAM ;\-----------------------------------------------------------------------< exit: mov ah,4ch int 21h ;/-----------------------------------------------------------------------> ; DATA ;\-----------------------------------------------------------------------< handle dw 0 error db 'Error: You must run this crack in the program directory',13,10 db ' > I don''t found the EXE...',13,10 db ' > Maybe the EXE has a read only attribute...',13,10,'$' noprob db 'Well, the file has been successfully patched :]',13,10,'$' text1 db ' ֎--R<',13,10 db ' - Shadow Man - crack by Mr.T',13,10 db ' -->',13,10,'$' victim db 'SHADOW~1.EXE',0 off1 dw 41759 ;--- offset to change 41759 = A31F in decimal val1 db 52 ;--- value to change (go with off1) 52 = 34 in decimal off2 dw 42572 ;--- offset to change 42572 = A64C in decimal val2 db 117 ;--- value to change (go with off2) 117 = 75 in decimal ;/-----------------------------------------------------------------------> ; DATA END ;\-----------------------------------------------------------------------< code ends end start ===========================================CUT HERE :) ================= =========================================== MAKE.BAT ================= tasm crack.asm tlink /t /3 crack =========================================== MAKE.BAT ================= ________________________________________________________________________ Last words: ~~~~~~~~~~~ I haven't write a tutorial since ( err.. many time ) so i hope i explain correctly all procedure to crack this game, if you like it... well thanx dude :) If not, well i am sorry and i'll try it better next time. If i made any errors u can mail me to tell me where i'm wrong. Finally it works! so i think there is no error :)) Announcement: ~~~~~~~~~~~~~ Many crackz by me are on the ShadowRUNNER website ( http://www.crackstore.com ) but im searching for someone who can put my whole web site ( it contains 70 crackz and 11 tutorialz ) the whole site size is ~900 Ko so if you can help me, mail me :) Mr.T PART 3 ~~~~~~ App : Email Via Phone V1.0 Web : www.evphone.com Tools used : Softice Crack : Serial Compiled with : Visual Basic 6.0 The Serial ---------- As i already mentioned the program is coded in Visual Basic so the usual Softice breakpoints wont work. Instead we will have to break on Visual Basic calls (take a look at the CrackersNotesto find information about them). Now go ahead install the program and run it. A screen will pop up asking you to register. Enter anything you like but make sure that you fill the name field with at least 8 characters, cause thats the minimum number of characters you have to enter in order to register. After you have done that start Softice and set a bpx on __vbastrcmp (read CrackersNotes for more info) , return to the program and press unlock. Softice will break and you will find yourself in the VisualBasic runtime . Now trace the code with F10 until you reach the main code. Once you have reached the main code write down the adress of the call to the __vbastrcmp routine ( for me it has been : 0167:0047C645 ). Clear the breakpoint on __vbastrcmp and set a new breakpoint at 0047C645 and press Ctrl-D to go back to windows. Back in the app press unlock and Softice will break at the call to __vbastrcmp. Now type do a "d ecx" and you will see the name you have entered in the data window. After that do a "d edx" and you will see the word "t.r.i.a.l" in the data window. This is not what we have been looking for :) Well good, now clear your breakpoint set a breakpoint at __vbastrcmp again go back to the program hit the unlock button again. Since we already know that the first __vbastrcmp is not what we are looking for ignore it and press Crtl-D again and you will find yourself in the __vbastrcmp function again. Trace using F10 until you reach the main code again. Write down the adress of the call to the __vbastrcmp function clear breakpoints set a new one at the call to the __vbastrcmp function (for me : 00167:47E1ED) Leave Softice and press unlock for the final time. After you are back in Softice do a "d ecx" and you will find a strange combination of numbers (8.3.8.2.-.6.9.8.0 etc) in the data window that look like a valid serial number to me. Well just to make sure type in "d edx" and you will see the serial number you have entered (s.o.m.e.t.h.i.n.g) . I will leave the rest to you since you should know what to do from here Final Note ---------- I would like to thank EVERYBODY out there that is writing tutors, KEEP GOING! DEF PART 4 ~~~~~~ Name : GifLine Version : generic Editor : Diprode Software Target : gifline.exe s/n saved : [HKEY_CURRENT_USER\Software\setenil] Tools : W32Dasm Hiew Brain Cracker : LW2000 Tutorial : No.11 http://www.geocities.com/athens/3683 Please excuse my poor english, its not my mother language.... --- DISCLAIMER For educational purposes only! I hold no responsibility of the mis-used of this material! --- 1. Start Gifline. There's an interesting button... 'Register...' *g*. Let's do so. 2. E-Mail: LW2000@TUTORIALS.COM Serial: 1230099 *BOOM* Sorry, This Registration Code is incorrect. Typical program bug ;) Exit the program. 3. Load W32Dasm with gifline.exe. Click on the SDR Buton and choose the string "Sorry, This Registration Code ". * Referenced by a Unconditional or Conditional Jump at Address: |:0045C581(C) <-- here we go! | * Possible StringData Ref from Code Obj->"Sorry, This Registration Code" ->"is incorrect. Please try again" ... :0045C607 B8FCC64500 mov eax, 0045C6FC :0045C60C E847B1FDFF call 00437758 4. Double rightclick on |:0045C581(C) now you should be here: :0045C576 8B55E8 mov edx, dword ptr [ebp-18] :0045C579 8B45F8 mov eax, dword ptr [ebp-08] :0045C57C E8A376FAFF call 00403C24 <-- our Call :0045C581 0F8580000000 jne 0045C607 <-- Bad BOY! :0045C587 B201 mov dl, 01 :0045C589 A16CE54400 mov eax, dword ptr [0044E56C] :0045C58E E80D21FFFF call 0044E6A0 Ok, I think we've found the bug... 5. Place the green bar on: :0045C581 0F8580000000 jne 0045C607 Our Offset is: 5B981 Close W32DASM and load Hiew with gifline.exe Press Enter twice to go to Decodemode. Press F5 and enter our Offset: 5B981 Press F3 to edit the file. Now change 0F85 to 0F84. Our jne goes je. Save our work and start gifline again. Name: LW2000@TUTORIALS.COM Serial: 1230099 =>> GifLine Registered Version. Congratulation! You are a registered user! FINISH! Easy, or? cu LW2000 Any comments? Mail me LW2000@gmx.net! ---- tKC, thx for your tutors! I started with tutor 1 and i still read them... they are the best! PART 5 ~~~~~~ Name : ICQ Version : 99b Editor : Mirabilis Target : icq.exe Tools : Softice Brain Cracker : LW2000 Tutorial : No.12 http://www.mirabilis.com/ --- DISCLAIMER For educational purposes only! I hold no responsibility of the mis-used of this material! --- Overview: --------- How to pass ICQ Startup Security Check Please excuse my poor english, its not my mother language.... Think about the following situation: You launch ICQ (hey, your own of course ;), but ICQ wants to have a PWD to work... 1. Launch ICQ, a PWD Dialog appears. Take 1230099 for the password. *BOOM* Incorrect password! Typical program bug ;) 2. [Ctrl]+[d] to Softice and set a Breakpoint on GetWindowtexta: bpx windowtexta [F5] to return to the application. 3. PWD: 1230099 *BOOM* Softice pops up. [F5] and then [F11] to get the Caller. Now trace to the Code [F10] until you see this: 0177:2190039A 7440 JZ 219003DC <-- Bad BOY! 0177:2190039C 39BED0000000 CMP [ESI+000000D0],EDI 0177:219003A2 757A JNZ 2190041E 0177:219003A4 E8C40EF8FF CALL 2188126D 0177:219003A9 8BCE MOV ECX,ESI 0177:219003AB 8BD8 MOV EBX,EAX Trace till you are on 0177:2190039A 7440 JZ 219003DC 4. Now enter: r fl z to change the zero flag. Type 'bd *'. Press [F5] to return to ICQ. Fine, icq works. But lets turn of this security feature. 5. Click on ICQ | Preferences & Security | Security & Privacy Set the Security level on 'low'. Press the Save Button. Seems to be our PWD Dialog... [Ctrl]+[d] to Softice and enter 'be *' to enable our breakpoint. [F5] to return to the application. 6. PWD: 1230099 *BOOM* Softice pops up. [F5] and then [F11] to get the Caller. Now trace to the Code [F10] until you see this: 0177:219003D9 59 POP ECX 0177:219003DA 7442 JZ 2190041E <-- Bad BOY 0177:219003DC 39BED0000000 CMP [ESI+000000D0],EDI 0177:219003E2 7406 JZ 219003EA 0177:219003E4 FF86E0000000 INC DWORD PTR [ESI+000000E0] 0177:219003EA 8D45F0 LEA EAX,[EBP-10] 0177:219003ED 684D1F0000 PUSH 00001F4D 0177:219003F2 50 PUSH EAX 0177:219003F3 FF15EC469E21 CALL [219E46EC] Trace till you are on 0177:219003DA 7442 JZ 2190041E Now enter: 'r fl z' to change the zero flag. Type 'bd *' to disable our bpx. Press [F5] to return to ICQ. Now press Done. 7. Quit ICQ and fire it up, again. Congratulation! You have beaten the ICQ Security Startup Check. FINISH! Easy, or? cu LW2000 Any comments? Mail me LW2000@gmx.net ---- tKC, thx for your tutors! I started with tutor 1 and i still read them... they are the best! ABOUT ~~~~~ I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #54 soon! ;) And as I said last time: Without knowledge, there's no power! ;) Credits go to: Socko for Interface. InfErNo for Splash Logo mISTER fANATIC for providing a tut in this version. Mr. T for providing a tut in this version. DEF for providing a tut in this version. LW2000 for providing 2 tuts in this version. tKC for coding this version :) All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials. See below for my email address! *** 75 chars per line in textfile please! *** And all the tutors can be found at http://www.msjessca.da.ru! Greetz goto all my friends! You can find me on IRC or email me at tkc@reaper.org Coded by The Keyboard Caper - tKC The Founder of PhRoZeN CReW/Crackers in Action '99 Compiled with Delphi 5 on 13 December 1999 Cracking Tutorial #53 is dedicated to 9 Pearls in a Oyster... esp Mandy!