Welcome to Cracking Tutorial #69!

Hiya guys,

One more, enjoy it! OK, let's rave!

TOOLS
~~~~~

You'll need the following tools (I use these tools and assume you'll use them too; that doesn't mean you need all of them for every example, but have them handy for the examples in this tutorial):

SoftICE v4.01
W32Dasm v8.93
Hacker's View v6.20
SmartCheck v6.03
ProcDump32 v1.6.2
Windows Commander v4.03 (I use it because it makes multitasking easier)
Delphi, VB, C++, or TASM to code a keygen or a patch.

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are good sites where you can grab tools from:

http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com

or ask any cracker to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

FeNOreZ tutorial #1
--------------------

How to crack --==CiA's Trial crackme #4==--
--------------------------------------------

tARGeT: patch the NAG screen out, find the code, find the passphrase, find a serial for your name.
t00lZ : SoftICE 3.25 (or higher), ProcDump32 v1.4, FRoGSiCE v0.31, any hex editor.
        FRoGSiCE -> http://www.thepentagon.com/frog_s_print
URL : on IRC (EFnet) -> #C.i.A and type in the channel: "/msg CiA[FiLE]!get c_trial4.zip"
cRACKER/aUTHoR: FeNOreZ

FiRST wORDS
-----------

This trial crackme is not very easy. This tutorial will teach you how to patch NAG screens in packed files (here UPX 0.72) and how to find codes that come out of a decryption routine. Sorry for any grammatical errors; this is my first tut.

Letz begin ...
---------------

As you can see, when you start the program a message box appears saying "debugger detected". It's a piece of cake: run FRoGSiCE, right-click on the icon that appears and disable the setting "Display on screen" (that's annoying). Now run the proggy again. Cool... works fine! Enjoy ...

=====================1st -> Patch the NAG screen======================

Let's fire up SoftICE and set a "bpx getwindowtexta".
SoftICE breaks; press F5 until the NAG is displayed. You will see that SoftICE breaks 3 times and on the 4th the proggy's NAG is shown. Run the proggy again, press F5 twice in SoftICE and then keep pressing F12 (16 times) until you get to this code:

:00478117 E8B4B1FCFF              call 004432D0
:0047811C A13CA84700              mov eax, dword ptr [0047A83C]
:00478121 8B00                    mov eax, dword ptr [eax]
:00478123 8B80D0020000            mov eax, dword ptr [eax+000002D0]
:00478129 8B10                    mov edx, dword ptr [eax]
:0047812B FF5230                  call [edx+30]                  <-- That's the NAG's call!
:0047812E A140A74700              mov eax, dword ptr [0047A740]
:00478133 8B00                    mov eax, dword ptr [eax]
:00478135 E816B2FCFF              call 00443350

When you press F10 over the instruction at 0047812B the proggy shows the NAG screen and after 3-4 seconds returns to SoftICE at the next line. That's the call we need to patch! Set a breakpoint on this call (bpx 0047812B) and run the proggy again. When you are on the call press F8 to trace into it. You see this code:

:0046478C 55                      push ebp                       <-- make this a ret!
:0046478D 8BEC                    mov ebp, esp
:0046478F 83C4E8                  add esp, FFFFFFE8
:00464792 53                      push ebx

We don't want the proggy to run this routine, so at address 0046478C make the first instruction a ret so it returns straight out of the call: type "a", then "ret", then Enter twice. Press F5 to run the proggy. WOW! Running without a NAG! Finally, the byte to patch is: 0046478C -> ret (C3 in hex).

The next step is patching the UPX-packed file! Generally, to patch a packed file you have to find where the file gets unpacked in memory (entry point) and also the final jmp or call that goes to the real program's code after unpacking. Then you put your code into the program just before that jmp or call, so the proggy patches itself in memory! Exciting, eh??

The question is how to find the entry point of the packed file. Let's open ProcDump, click on the PE editor and open the crackme's file. You see: Entry point -> 000B3000. Click on Sections and find the section whose Virtual Offset is closest to (at or below) the Entry point. Hmm ...
The UPX2 section has the same Virtual Offset! Now right-click on UPX2 and select "edit section". What you are looking for is the "offset": 1400. Hmmm ... that's the entry point's file offset! (Now, if you want to patch a packed file whose entry point is not equal to a section's Virtual Offset, do this calculation: (entry point - Virtual Offset) + raw offset, where Virtual Offset and raw offset are the values shown in "edit section" and, as I said before, the section must be the one whose Virtual Offset is closest to, and not above, the entry point.)

Let's pLAY ... Open Crkme4.exe in your hex editor and go to offset 1400. You see the byte 60 (pushad); make it CC (CC -> int 03 in asm). SoftICE seems to have been forgotten ... so open it, set a "bpint 03" and run the proggy. WOW! SoftICE breaks. Type "e eip 60" to restore the byte as it was before (to avoid errors) and keep pressing F10. The code you see is the unpacking code, which makes a lot of loops .... When it finishes those loops this code appears:

:004B316C 31C0                    xor eax, eax
:004B316E 8A07                    mov al, byte ptr [edi]
:004B3170 47                      inc edi
:004B3171 09C0                    or eax, eax
:004B3173 7422                    je 004B3197
:004B3175 3CEF                    cmp al, EF
:004B3177 7711                    ja 004B318A
:004B3179 01C3                    add ebx, eax
:004B317B 8B03                    mov eax, dword ptr [ebx]
:004B317D 86C4                    xchg ah, al
:004B317F C1C010                  rol eax, 10
:004B3182 86C4                    xchg ah, al
:004B3184 01F0                    add eax, esi
:004B3186 8903                    mov dword ptr [ebx], eax
:004B3188 EBE2                    jmp 004B316C
:004B318A 240F                    and al, 0F
:004B318C C1E010                  shl eax, 10
:004B318F 668B07                  mov ax, word ptr [edi]
:004B3192 83C702                  add edi, 00000002
:004B3195 EBE2                    jmp 004B3179
:004B3197 61                      popad
:004B3198 E94B4FFCFF              jmp 004780E8                   <-- that's the jmp!

As you see, the first 20 lines are a loop. When it finishes, the je 004B3197 at 004B3173 jumps out of the loop. The next jump goes to the real proggy's code! (You can see the location is different: 0047.... instead of 004B....) Hmmm ...
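The entry-point arithmetic above, plus the hex edits used throughout this tutorial, as a small Python script. This is an added example, not code from the tutorial or from ProcDump. It builds its own constructed two-section PE image (so it runs offline; it is not the crackme), walks the section table the way the ProcDump PE editor displays it, maps the entry point RVA to a file offset with (rva - VirtualAddress) + PointerToRawData, and patches bytes only after checking that the bytes already at that offset are the ones expected, so a wrong offset or a different build is caught before the file is damaged. Section names, sizes and the entry RVA 0x2010 are made-up sample values.

```python
import struct

FILE_ALIGN = 0x200


def build_sample_pe(entry_rva=0x2010):
    """Constructed sample PE32 image (NOT the crackme): a UPX-style layout where
    UPX0 has no bytes on disk, UPX1 holds the unpacker, and the entry point lies
    0x10 bytes into UPX1, so the general (rva - VirtualAddress) + PointerToRawData
    formula is exercised rather than the special case where the two coincide."""
    sections = [
        # (name,   VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        (b"UPX0", 0x1000, 0x1000, 0x000, 0x400),
        (b"UPX1", 0x1000, 0x2000, 0x200, 0x400),
    ]
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)           # SectionAlignment, FileAlignment
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    for name, vsize, va, rawsize, rawptr in sections:
        image += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0xE0000040)
    image += b"\0" * (0x400 - len(image))                          # pad headers up to the first raw section
    stub = bytearray(0x200)
    stub[0x10] = 0x60                                              # pushad: first byte of the unpacker stub
    return bytes(image + stub)


def parse_pe(image):
    """Return (AddressOfEntryPoint, [(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData), ...])."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe_off + 6)[0]          # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]     # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", image, pe_off + 24 + 16)[0]
    sec_off = pe_off + 24 + opt_size
    secs = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, sec_off + 40 * i)
        secs.append((name.rstrip(b"\0").decode("ascii"), vsize, va, rawsize, rawptr))
    return entry_rva, secs


def rva_to_offset(image, rva):
    """The tutorial's rule: take the section whose Virtual Offset is closest to (and not
    above) the RVA, then offset = (rva - VirtualAddress) + PointerToRawData. Refuse RVAs
    that have no bytes on disk (UPX0 is only filled at run time) or fall outside every section."""
    _, secs = parse_pe(image)
    for name, vsize, va, rawsize, rawptr in secs:
        if va <= rva < va + max(vsize, rawsize):
            delta = rva - va
            if delta >= rawsize:
                raise ValueError(f"RVA {rva:#x} lies in {name}, which has no raw data at that point")
            return rawptr + delta
    raise ValueError(f"RVA {rva:#x} is outside every section")


def entry_point_offset(image):
    entry_rva, _ = parse_pe(image)
    return rva_to_offset(image, entry_rva)


def patch(image, offset, expected, replacement):
    """Overwrite bytes only if the bytes currently at `offset` are the ones we expect.
    `replacement` may be longer than `expected` (the tutorial writes 17 bytes over a
    5-byte jmp); the caller must know the extra bytes are free space."""
    found = image[offset:offset + len(expected)]
    if found != expected:
        raise ValueError(f"expected {expected.hex()} at {offset:#x}, found {found.hex()}")
    out = bytearray(image)
    out[offset:offset + len(replacement)] = replacement
    return bytes(out)


if __name__ == "__main__":
    img = build_sample_pe()
    ep = entry_point_offset(img)
    print(f"entry point RVA -> file offset {ep:#x}")
    # The tutorial's trick: turn the stub's first pushad (60) into int 3 (CC) so that
    # "bpint 03" in SoftICE stops on the very first instruction of the unpacker.
    img = patch(img, ep, b"\x60", b"\xCC")
    print("patched byte:", img[ep:ep + 1].hex())
```

Feed the real file to the same functions with `open(path, "rb").read()` and the entry point offset comes out as 1400 for this crackme, because UPX2's Virtual Offset equals the entry point; the general case is what the sample image exercises.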
Our patch will look like this:

:004B3197 61                      popad
:004B3198 90                      nop
:004B3199 90                      nop
:004B319A 90                      nop
:004B319B 90                      nop
:004B319C 90                      nop
:004B319D C6058C474600C3          mov byte ptr [0046478C], C3    (that's the patch)
:004B31A4 E93F4FFCFF              jmp 004780E8

I first nop out the old jmp, and you may wonder why. I can't explain it, but on my PC it crashes when I put the code in without nopping the jmp. Now hex-edit the file: find the bytes EBE261E94B4FFCFF (addresses 004B3195-98) and replace the jmp E94B4FFCFF with our crack: 9090909090C6058C474600C3E93F4FFCFF. Note that this writes 17 bytes over a 5-byte instruction, so the 12 bytes following the original jmp are overwritten too; they must be unused space at the end of the UPX stub for this to be safe. Also, the new jmp at 004B31A4 needs a new relative displacement (3F4FFCFF instead of 4B4FFCFF) because it sits 12 bytes further on but must still land at 004780E8. Works fine! A piece of cake, don't you think??

=====================2nd -> Find a serial for your name====================

I must say that this part is not so difficult. After a lot of calculations the code comes out in the clear and it's easy to find a serial. LeTz.. bEGIN ...

As usual, every serial check is asking for SoftICE to fire up! So set a "bpx hmemcpy", enter the name FeNOreZ - [CiA] and the code 123-456-789-012, and press Verify. SoftICE breaks a lot of times (not a fixed number each time). Count them and stop at the last break. Then press F12 (12 times) until you see the following code:

:00477209 FFB508FFFFFF            push dword ptr [ebp+FFFFFF08]
:0047720F 8D851CFFFFFF            lea eax, dword ptr [ebp+FFFFFF1C]
:00477215 BA07000000              mov edx, 00000007
:0047721A E8F9CAF8FF              call 00403D18
:0047721F 8B851CFFFFFF            mov eax, dword ptr [ebp+FFFFFF1C]
:00477225 50                      push eax
:00477226 FF75F8                  push [ebp-08]
:00477229 6870784700              push 00477870
:0047722E FF75F4                  push [ebp-0C]
:00477231 6870784700              push 00477870
:00477236 FF75F0                  push [ebp-10]
:00477239 6870784700              push 00477870
:0047723E FF75EC                  push [ebp-14]
:00477241 8D8518FFFFFF            lea eax, dword ptr [ebp+FFFFFF18]
:00477247 BA07000000              mov edx, 00000007
:0047724C E8C7CAF8FF              call 00403D18
:00477251 8B9518FFFFFF            mov edx, dword ptr [ebp+FFFFFF18]  |
:00477257 58                      pop eax                            | That's it!
:00477258 E80BCBF8FF              call 00403D68                      |
:0047725D 7515                    jne 00477274                       |

Trace over those lines until you get to 00477251. Hmm, strange code ....
Trace over 00477251 and do a "d edx". Ooohh.. a strange serial: 625-922-187-574! Looks like the correct one! Trace over the next line and do a "d eax". OOOooooohhh, our code! In the next call they get compared, so ... the code in edx must be the correct one! Enter it and ...... WOW! That's it! Too easy, I think ..........

======================3rd -> Find the pASSpHRAZE!==========================

This is the more difficult part (cryptography), but ... LeT'Z gO 0n!

Fire up SoftICE and set a "bpx hmemcpy". It breaks once; keep pressing F12 (12 times) until you get to some serious code:

:00476AEE 68E8CC0300              push 0003CCE8
:00476AF3 8D45F8                  lea eax, dword ptr [ebp-08]
:00476AF6 50                      push eax
:00476AF7 B916F70800              mov ecx, 0008F716
:00476AFC BAFA920300              mov edx, 000392FA
:00476B01 8B45FC                  mov eax, dword ptr [ebp-04]    <-- Your code!
:00476B04 E82FFCFFFF              call 00476738                  <-- cryptography call!
:00476B09 8B45F8                  mov eax, dword ptr [ebp-08]    <-- encrypted phrase
:00476B0C BA5C6B4700              mov edx, 00476B5C              <-- correct encrypted code
:00476B11 E852D2F8FF              call 00403D68                  <-- compares ...
:00476B16 7515                    jne 00476B2D                   <-- jump if not equal!
:00476B18 6A00                    push 00000000
:00476B1A 668B0D786B4700          mov cx, word ptr [00476B78]
:00476B21 B202                    mov dl, 02
:00476B23 B8846B4700              mov eax, 00476B84
:00476B28 E887FFFCFF              call 00446AB4

You see that at address 00476B01, if you do a "d eax", your code appears. Next is the main call, in which your code gets encrypted.
Before tracing into this call, go to address 00476B0C, where the correct encrypted code is loaded, do a "d edx" and write down the hex bytes of the code:

D7 71 39 14 6F AD 85 6A E8 B8 9F 44 CB 6B C9 79 D8 43 D2 A3 98 4E F1 BD E2

Now trace into the "magic" call:

:00476738 55                      push ebp
:00476739 8BEC                    mov ebp, esp
:0047673B 83C4F0                  add esp, FFFFFFF0
:0047673E 53                      push ebx
:0047673F 56                      push esi
:00476740 57                      push edi
:00476741 33DB                    xor ebx, ebx
:00476743 895DF0                  mov dword ptr [ebp-10], ebx
:00476746 894DF8                  mov dword ptr [ebp-08], ecx
:00476749 8BF2                    mov esi, edx
:0047674B 8945FC                  mov dword ptr [ebp-04], eax
:0047674E 8B7D08                  mov edi, dword ptr [ebp+08]
:00476751 33C0                    xor eax, eax
:00476753 55                      push ebp
:00476754 68CB674700              push 004767CB
:00476759 64FF30                  push dword ptr fs:[eax]
:0047675C 648920                  mov dword ptr fs:[eax], esp
:0047675F 8BC7                    mov eax, edi
:00476761 E876D2F8FF              call 004039DC
:00476766 8B45FC                  mov eax, dword ptr [ebp-04]    <-- gets your phrase
:00476769 E8EAD4F8FF              call 00403C58                  <-- length
:0047676E 84C0                    test al, al
:00476770 7643                    jbe 004767B5
:00476772 8845F7                  mov byte ptr [ebp-09], al
:00476775 B301                    mov bl, 01
:00476777 8D45F0                  lea eax, dword ptr [ebp-10]
:0047677A 33D2                    xor edx, edx
:0047677C 8AD3                    mov dl, bl
:0047677E 8B4DFC                  mov ecx, dword ptr [ebp-04]
:00476781 8A5411FF                mov dl, byte ptr [ecx+edx-01]  <-- gets the letters one by one
:00476785 8BCE                    mov ecx, esi
:00476787 C1E908                  shr ecx, 08                    <-- a value into cl!
:0047678A 32D1                    xor dl, cl                     <-- xors cl with your letter (dl)
:0047678C E8EFD3F8FF              call 00403B80
:00476791 8B55F0                  mov edx, dword ptr [ebp-10]
:00476794 8BC7                    mov eax, edi
:00476796 E8C5D4F8FF              call 00403C60
:0047679B 33C0                    xor eax, eax
:0047679D 8AC3                    mov al, bl
:0047679F 8B17                    mov edx, dword ptr [edi]
:004767A1 0FB64402FF              movzx eax, byte ptr [edx+eax-01]
:004767A6 03F0                    add esi, eax
:004767A8 0FAF75F8                imul esi, dword ptr [ebp-08]
:004767AC 03750C                  add esi, dword ptr [ebp+0C]
:004767AF 43                      inc ebx
:004767B0 FE4DF7                  dec [ebp-09]
:004767B3 75C2                    jne 00476777                   <-- loop to take all letters

At 00476781 the letters are moved one by one into dl (do a "? dl" to see) and then xored with cl. That's the encryption! The result of this xor is the encrypted letter, and it must be the same as the corresponding byte of the correct encrypted phrase. Now ... let's say we enter the phrase "ISHOULDCRACKTHISSHIT". DL holds the letter "I" and it is xored with cl; ecx was set to esi shr 8 = 392 (esi started as 000392FA), so cl = 92. The result must be the first byte of the correct encrypted phrase, D7 (as we wrote down before). We have: x xor 92 = D7 <=> x = D7 xor 92. Take a calculator (I use the one in Windows Accessories) and compute D7 xor 392: you get 345; only the last two digits, 45, matter (the xor is byte-sized), and 45 is "E" in ASCII. c00l... we have the first correct letter!

lET'z put "ESHOULDCRACK" as the phrase and go to the location that compares the encrypted phrases (00476B09). "d eax" shows our encrypted phrase, in hex D7 74 29 ..., and "d edx" shows the correct one, D7 71 .... WOW! "E" gives the correct D7, so the first letter "E" is correct!

To decrypt all the letters, first put in the letter "E", which is correct. Then the loop at 004767B3, which goes back to 00476777, does the same for all the letters. But be careful: the value in cl that xors each letter is not the same for all letters; it depends on the previous ones you have put in (look at 004767A1-004767AC: after each letter, esi is updated from the encrypted byte just produced, esi = (esi + byte) * [ebp-08] + [ebp+0C], and the next cl comes from the new esi).
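The loop above as a Python routine. This is an added example, not code from the tutorial or the crackme; the constants are the ones the caller loads into edx and ecx and pushes on the stack at 00476AEE-00476AFC, and the 25 bytes are the ones written down above. The detail worth noticing at 004767A1-004767AC is that esi is advanced with the encrypted byte just written, not with the plaintext letter, so the keystream byte for position i depends only on ciphertext bytes 0..i-1, all of which we have from the dump. That means the stored phrase can be decrypted in one pass, with no letter-by-letter probing (the tutorial reaches the same phrase, EVERYGENERATIONHASALEGEND, the slow way below).

```python
# Constants read from the disassembly: edx (initial esi), ecx ([ebp-08]) and the
# dword pushed before the call ([ebp+0C]).
KEY0 = 0x000392FA
MULT = 0x0008F716
ADDEND = 0x0003CCE8
MASK32 = 0xFFFFFFFF

# The 25 bytes dumped with "d edx" at 00476B0C (the stored correct phrase).
CORRECT = bytes.fromhex("D7 71 39 14 6F AD 85 6A E8 B8 9F 44 CB 6B C9 79 D8 43 D2 A3 98 4E F1 BD E2")


def keystream_byte(state):
    """mov ecx, esi / shr ecx, 08 / xor dl, cl: only bits 8..15 of esi reach the xor."""
    return (state >> 8) & 0xFF


def next_state(state, cipher_byte):
    """add esi, eax / imul esi, [ebp-08] / add esi, [ebp+0C], with 32-bit wrap-around.
    eax holds the byte that was just appended to the output string (the CIPHERTEXT byte)."""
    return ((state + cipher_byte) * MULT + ADDEND) & MASK32


def encrypt(plaintext, key=KEY0):
    out = bytearray()
    for p in plaintext:
        c = p ^ keystream_byte(key)
        out.append(c)
        key = next_state(key, c)        # the state is fed the byte just produced
    return bytes(out)


def decrypt(ciphertext, key=KEY0):
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ keystream_byte(key))
        key = next_state(key, c)        # same feedback; c is known, so nothing has to be guessed
    return bytes(out)


if __name__ == "__main__":
    print(decrypt(CORRECT).decode("latin-1"))
```

Because the feedback uses the ciphertext, a wrong guess for letter n does not disturb the keystream for letter n+1 once the correct byte is in the dump; the tutorial's one-letter-at-a-time probing works for the same reason.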
So you should put in the second correct letter to see cl's value for the third letter, then put in the third correct letter to see cl's value for the fourth, and so on. Don't enter an arbitrary phrase and expect to read all the cl values at once. OK??? If you follow that, the phrase will be:

EVERYGENERATIONHASALEGEND

=======================FiNAL-> FiND tHE c0DE!========================

The most difficult part of the crackme .... I think! g0_0n ....

Enter the code 1234567890, set a "bpx hmemcpy" in SoftICE and press Verify. SoftICE stops once; press F12 (12 times again) until you get here:

--------first encryption----------

:0047691D 8D45FC                  lea eax, dword ptr [ebp-04]
:00476920 E85FFDFFFF              call 00476684                  <-- Magic cAll
:00476925 8B45FC                  mov eax, dword ptr [ebp-04]
:00476928 E82BD3F8FF              call 00403C58
:0047692D 8BD8                    mov ebx, eax
:0047692F 85DB                    test ebx, ebx
:00476931 7E24                    jle 00476957
:00476933 BE01000000              mov esi, 00000001

At address 00476920 you see a "magic cAll". Press F8 to trace into it, to this code:

:00476684 53                      push ebx
:00476685 56                      push esi
:00476686 57                      push edi
:00476687 51                      push ecx
:00476688 8BF0                    mov esi, eax
:0047668A 8B06                    mov eax, dword ptr [esi]
:0047668C E8C7D5F8FF              call 00403C58
:00476691 8B1558A84700            mov edx, dword ptr [0047A858]
:00476697 8902                    mov dword ptr [edx], eax
:00476699 8B06                    mov eax, dword ptr [esi]
:0047669B E8B8D5F8FF              call 00403C58
:004766A0 84C0                    test al, al
:004766A2 7633                    jbe 004766D7
:004766A4 880424                  mov byte ptr [esp], al
:004766A7 B301                    mov bl, 01
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
:004766A9 B81B000000              mov eax, 0000001B
:004766AE E819C4F8FF              call 00402ACC
:004766B3 8BFB                    mov edi, ebx
:004766B5 81E7FF000000            and edi, 000000FF
:004766BB 8B16                    mov edx, dword ptr [esi]
:004766BD 0FB6543AFF              movzx edx, byte ptr [edx+edi-01]
:004766C2 03C2                    add eax, edx                   <-- adds something to your letter
:004766C4 50                      push eax
:004766C5 8BC6                    mov eax, esi
:004766C7 E85CD7F8FF              call 00403E28
:004766CC 5A                      pop edx
:004766CD 885438FF                mov byte ptr [eax+edi-01], dl
:004766D1 43                      inc ebx
:004766D2 FE0C24                  dec byte ptr [esp]
:004766D5 75D2                    jne 004766A9                   <-- loops until all the letters have
                                                                     been added to eax (when the
                                                                     encryption finishes)

The first lines are less important, except that you can see your code for the first time in eax at 0047668A. The encryption starts at 004766A9. It puts something into eax and adds it to your letter, until all of the letters have been processed and the encryption finishes. When you leave the call, eax holds your code encrypted: "9::L<9K?QJ" is "1234567890" encrypted. (I think you understand.)

----------Second encryption-----------

:00476938 8D55F0                  lea edx, dword ptr [ebp-10]
:0047693B 8B45FC                  mov eax, dword ptr [ebp-04]
:0047693E 0FB64430FF              movzx eax, byte ptr [eax+esi-01]
:00476943 E81013F9FF              call 00407C58                  <-- some encryption again
:00476948 8B55F0                  mov edx, dword ptr [ebp-10]
:0047694B 8D45F8                  lea eax, dword ptr [ebp-08]
:0047694E E80DD3F8FF              call 00403C60
:00476953 46                      inc esi
:00476954 4B                      dec ebx
:00476955 75E1                    jne 00476938                   <-- jumps back until the encryption is done

The code it takes is 9::L<9K?QJ. At 0047693E eax holds the value 39 ("9" in ASCII). Trace into the next call, and at 00476948 you see with "d edx" that it holds 57. It does the same for each character, and finally, after this encryption, our code is (you'll see this later): 57 58 58 76 60 57 75 63 81 74. If you look more carefully you can see: "9" -> 57 in decimal, ":" -> 58 in dec, ":" -> 58 in dec, "L" -> 76 in dec, etc. So it takes each character of the encrypted code and writes out its ASCII value in decimal. That's what the second encryption does!

-----------3rd encryption (the same as the first)-------

:00476957 8D45F8                  lea eax, dword ptr [ebp-08]
:0047695A E825FDFFFF              call 00476684                  <-- the magic cAll again!
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
:0047695F 8D45F4                  lea eax, dword ptr [ebp-0C]
:00476962 8B55F8                  mov edx, dword ptr [ebp-08]
:00476965 E8F6D2F8FF              call 00403C60
:0047696A 8B45FC                  mov eax, dword ptr [ebp-04]
:0047696D E8E6D2F8FF              call 00403C58
:00476972 83F805                  cmp eax, 00000005
:00476975 7C7A                    jl 004769F1
:00476977 8B45F8                  mov eax, dword ptr [ebp-08]
:0047697A E8D9D2F8FF              call 00403C58
:0047697F 83F805                  cmp eax, 00000005
:00476982 7C6D                    jl 004769F1
:00476984 8B45F4                  mov eax, dword ptr [ebp-0C]
:00476987 E8CCD2F8FF              call 00403C58
:0047698C 83F805                  cmp eax, 00000005
:0047698F 7C60                    jl 004769F1
:00476991 8B45FC                  mov eax, dword ptr [ebp-04]

Here is the same encryption as the first, but now it encrypts the decimal digits that came out of the second encryption. The code that appears: EGGH;H;@A>NAC:IGQ>MG

(The three cmp eax, 00000005 / jl 004769F1 pairs above just reject anything shorter than 5 characters.)

* Possible StringData Ref from Data Obj ->"secret"
                                  |
:00476994 BA246A4700              mov edx, 00476A24
:00476999 E8CAD3F8FF              call 00403D68
:0047699E 7451                    je 004769F1
:004769A0 8B45FC                  mov eax, dword ptr [ebp-04]

* Possible StringData Ref from Data Obj ->"crackass"
                                  |
:004769A3 BA346A4700              mov edx, 00476A34
:004769A8 E8BBD3F8FF              call 00403D68
:004769AD 7442                    je 004769F1
:004769AF 8B45FC                  mov eax, dword ptr [ebp-04]

* Possible StringData Ref from Data Obj ->"naked"
                                  |
:004769B2 BA486A4700              mov edx, 00476A48
:004769B7 E8ACD3F8FF              call 00403D68
:004769BC 7433                    je 004769F1
:004769BE 8B45FC                  mov eax, dword ptr [ebp-04]

* Possible StringData Ref from Data Obj ->"yayaiamabadass"
                                  |
:004769C1 BA586A4700              mov edx, 00476A58
:004769C6 E89DD3F8FF              call 00403D68
:004769CB 7424                    je 004769F1

Some useless code that checks a few words against your encrypted password. Just for fun ... (I dunno)! hehe...

----Here it is!--------

* Possible StringData Ref from Data Obj:
                                  ->"L=A58CA<9D;N>EJF>?I;<7"DD5<>=F>:LJ"
:004769CD 8B45F4                  mov eax, dword ptr [ebp-0C]    <-- your encrypted code!
:004769D0 BA706A4700              mov edx, 00476A70              <-- the correct encrypted code!
:004769D5 E88ED3F8FF              call 00403D68                  <-- compares
:004769DA 7515                    jne 004769F1                   <-- if equal, show the message box!

If you trace over 004769D0 and do a "d edx" you see this code: L=A58CA<9D;N>EJF>?I;<7=F>:LJ, which is the correct encrypted code.

Now comes the decryption! Because the 3rd encryption is the same as the 1st, we can use the first call (00476920) to decrypt the 3rd encrypted code. Enter the correct encrypted code, L=A58CA<9D;N>EJF>?I;<7=F>:LJ, as the code and get to the "mAGIC cAll" (mentioned before). At address 004766C2 it adds something to our letter. Let'z trick... Type: "a 004766C2" -enter-, "sub edx,eax" -enter-, "push edx" -enter- -enter-. You understand that we change the add (the encryption) into a sub (the decryption), because this "something" has been added to the code and now needs to be subtracted; sub edx,eax and push edx are the same size as add eax,edx and push eax, so nothing else moves. Press F12 to leave the call and do a "d eax"; you see these numbers:

759085781106311749122977285834814012710767711218090657560

That's the decimal form (the 2nd encryption). To decode it I used Cracker's Tool v1.0 to convert decimal -> ASCII. Do the following:
75=K, 90=Z, 85=U, 78=N, 110=n, 63=?, 117=u, 49=1, 122=z, 97=a, 72=H, 85=U, 83=S, 48=0, 140=.., 127=.., 107=k, 67=C, 71=G, 121=y, 80=P, 90=Z, 65=A, 75=K, 60=<.
And the code is: KZUNn?u1zaHUS0....kCGyPZAK< (the two ".." are characters that look like Chinese in ASCII, so we have to guess them ..).

Now enter the code KZUNn?u1zaHUS0zzkCGyPZAK<, change the add to sub and the push eax to push edx (as above), press F12 to leave the call and "d eax" shows a code: 6FK5h)k&gK0LK(bbg57jGH683. It looks correct after this decryption! But we guessed the 2 letters. So enter this code and trace over until the end of the second encryption, and compare what we put in (bb in the code, zz in the encrypted form, zz = 122,122 in decimal) with what we want: 140,127. I think 2 letters can easily be brute-forced, so after 2-3 minutes you find that they are "tg".

aND tHE fINAL c0DE iS : 6FK5h)k&gK0LK(tgg57jGH683

wE DiD iT! -c0DE aCCEPTeD!-

lAST w0RDs
------------

I hope you enjoyed this tut and learned something ....
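Back to the decimal -> ASCII step of the "find the code" part, as an added Python example (not code from the tutorial, the crackme or Cracker's Tool). The second encryption writes each byte's ASCII value out in decimal and glues the results together, and that step is not uniquely invertible in general: "110" could be one byte (110) or several (11 and 0, or 1 and 10). The routine below enumerates every consistent way of cutting the 57 digits dumped above back into byte values; with control characters excluded there is exactly one, and it also points at the two positions (140 and 127) that the tutorial had to guess and then brute-force. The lower bound of 32 is an assumption about the byte range, not something the crackme states.

```python
PRINTABLE = range(0x20, 0x7F)

# The 57 digits dumped with "d eax" after running the correct encrypted code
# back through the patched "magic call" (sub instead of add).
CORRECT_DECIMAL = "759085781106311749122977285834814012710767711218090657560"


def to_decimal_string(data):
    """The second encryption: each byte's ASCII value written in decimal, concatenated."""
    return "".join(str(b) for b in data)


def split_decimal_codes(digits, lo=32, hi=255):
    """Invert to_decimal_string: every way of cutting the digit run back into byte values
    in [lo, hi]. Values carry no leading zeros, so a code is 1, 2 or 3 digits long, and
    the cut points are ambiguous in general ("110" -> 1,1,0 / 11,0 / 1,10 / 110).
    Backtracking enumerates all consistent cuts; the lower bound prunes control
    characters, which is what makes the tutorial's string unambiguous."""
    results = []

    def rec(pos, acc):
        if pos == len(digits):
            results.append(bytes(acc))
            return
        for width in (1, 2, 3):
            chunk = digits[pos:pos + width]
            if len(chunk) != width or (width > 1 and chunk[0] == "0"):
                continue
            value = int(chunk)
            if lo <= value <= hi:
                rec(pos + width, acc + [value])

    rec(0, [])
    return results


def unreadable_positions(codes):
    """Indexes of bytes outside printable ASCII: the ones Cracker's Tool showed as odd
    glyphs (140 and 127 here) and which had to be brute-forced in the tutorial."""
    return [i for i, b in enumerate(codes) if b not in PRINTABLE]


if __name__ == "__main__":
    for cand in split_decimal_codes(CORRECT_DECIMAL):
        print(list(cand))
        print(cand.decode("latin-1"), "-> positions to brute-force:", unreadable_positions(cand))
```

Running it on "57585876605775638174" (the decimal form of 9::L<9K?QJ shown earlier) gives back exactly 9::L<9K?QJ, and with lo=0 the same routine shows how many cuts become possible once control characters are allowed.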
(hopefully). If you want to ask something or make a suggestion, feel free to contact me at: FeNOreZ@Email.com. Cya ... and soon my next tutor will come ..!

gREETz
-------
N0rthpole, H3llsp4wn, CiRUS, all CiA members, and tKC for releasing this!

hAVE a NiCE DaY!

PART 2
~~~~~~

EditPlus Text Editor v2.00h
http://www.editplus.com/

Tutor by PinguTM (PinguTM@hotmail.com)
This is my 18th tutorial

Type:  Time Limit, 30 Day
Tools: WinDASM, Hiew

1. Start the proggie. You will notice it brings up a nag straight away. Hit Enter Registration Code. Fill out User Name and Reg Code. Hit Register. Shit!... Invalid Registration Code!

2. Load WinDasm and disassemble editplus.exe. Now select String Data References and select "Invalid registration code. Please check that you entered exa".

3. You will now see something like this.......

* Possible Reference to String Resource ID=24449: "Invalid registration code. Please check that you entered exa"
                                  |
:0042781F 68815F0000              push 00005F81
:00427824 E8151B0800              call 004A933E

4. Scroll up a few lines until you come across this.....

:0042780B 83F86D                  cmp eax, 0000006D
:0042780E 756C                    jne 0042787C
:00427810 8B561C                  mov edx, dword ptr [esi+1C]
:00427813 50                      push eax
:00427814 52                      push edx

5. Notice the jne 0042787C; we want that to become a je 0042787C. Take note of the file offset, which is 2780E; we will change this later, as we aren't finished yet. Go back to String Data References and select "Invalid registration code. Please check that you entered exa" a second time. Scroll up until you see this....

:00460544 7513                    jne 00460559
:00460546 6AFF                    push FFFFFFFF
:00460548 6A10                    push 00000010

* Possible Reference to String Resource ID=24449: "Invalid registration code. Please check that you entered exa"
                                  |
:0046054A 68815F0000              push 00005F81
:0046054F E8EA8D0400              call 004A933E
:00460554 E9A1000000              jmp 004605FA

6. That jne 00460559 looks suspect to me and I want it to be a je 00460559, so note the offset, which is 60544. Now close WinDASM and load editplus.exe into Hiew.
If you don't know how to work Hiew by now, look back at the older tuts. Once you have changed both jne's (75) into je's (74), reload editplus.exe.

7. Fill out the Reg details again and hit Register. Yup, we got the reg info from the dudes that made this :) It will tell you to reload to verify the details or some shit; do so.. Sweet, no nag.. It's registered. If you go to About EditPlus it will still say it's Unregistered... Don't worry, it won't expire on your ass! Also, if you want to change the text, just do a HEX edit of editplus.exe. Remember to put 00 in between each char when HEX searching for Unregistered and whatever else, because the text is stored as Unicode (two bytes per character)!

P.S. In tut 17 you may notice it jumps paragraph numbers. Don't worry though, this was just a typing error.. It's the full tut!

-=-=-=- PinguTM -=-=-=-

PART 3
~~~~~~

Name     : MeltIce (anti-SoftICE routine)
Target   : example.exe
Tools    : W32Dasm
           Hiew
           Brain
Cracker  : LW2000
Tutorial : No.58

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

OK, first, what is MeltIce? MeltIce is an anti-SoftICE routine that detects SoftICE if its VxD is installed, by trying to open the driver's device name with CreateFileA. Open the file in W32Dasm and make a dead listing. In this tut I'll teach you how to defeat MeltIce if the string is hardcoded. Maybe I'll teach you in one of my next tuts how to defeat non-hardcoded MeltIce strings...

The passages we need are easy to find because of the strings "\\.\SICE" and "\\.\NTICE". You should see something like this now:

:002214DF 6A13                    push 00000013
:002214E1 68000000D0              push D0000000

* Possible StringData Ref from Data Obj ->"\\.\SICE"
                                  |
:002214E6 6828734400              push 00447328

* Reference To: KERNEL32.CreateFileA, Ord:0000h
                                  |
:002214EB E806440400              Call 004458F6                  <-- Create file
:002214F0 8945FC                  mov dword ptr [ebp-04], eax
:002214F3 837DFCFF                cmp dword ptr [ebp-04], FFFFFFFF   <-- file there?
:002214F7 7410                    je 00221509                    <-- no file = jmp
:002214F9 FF75FC                  push [ebp-04]

* Reference To: KERNEL32.CloseHandle, Ord:0000h                   <-- Close file
                                  |
:002214FC E8E3430400              Call 004458E4
:00221501 B801000000              mov eax, 00000001              <-- eax=1
:00221506 59                      pop ecx
:00221507 5D                      pop ebp
:00221508 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:002214F7(C)
|
:00221509 33C0                    xor eax, eax                   <-- ret eax=0
:0022150B 59                      pop ecx
:0022150C 5D                      pop ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:002214A2(C)
|
:0022150D C3                      ret

The NTICE part is the same, and you will find the reference to it only a few lines below our part. How to beat the bitch? Mhhm, change the je to jne and you will have no problems running SoftICE... One caveat: inverting the jump also inverts the result. With jne in place the routine returns eax=1 (SoftICE "found") whenever CreateFileA fails, i.e. on every machine without SoftICE, and the handle it does get when SoftICE is loaded is never closed. If the check should pass everywhere, make the jump unconditional (74 10 -> EB 10), or turn the mov eax, 00000001 (B8 01 00 00 00) into xor eax, eax plus three nops (33 C0 90 90 90), which keeps the CloseHandle and returns 0 on both paths.

Congratulations! Now you have the knowledge to defeat MeltIce with hardcoded strings.

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net or go to http://www.LW2000.cjb.net

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!

PART 4
~~~~~~

Name     : PowerStrip
Version  : 2.55
Editor   : Pstrip.exe
Target   : EntechTaiwan
Tools    : W32Dasm
           Hiew
           Procdump
           Brain
Cracker  : LW2000
Tutorial : No.59
http://www.entechtaiwan.com/

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

1. Mhmm, let's try to register first..
   Name: LW2000 [CiA]
   Key:  1230099
   Mhmm, doesn't work! Why? Let's fix this bug... ;)

2. OK, first we take a look at PStrip.exe with GetTyp (I always do this first!). Why? Mhmm, because more and more proggies are packed with an exe-packer ... like this one: ASPack! OK, load ProcDump and unpack PowerStrip (you should know how this works...).

3. Unpacked? Fine! Load the unpacked Pstrip.exe in W32Dasm and click on String Data References. Mhmm, nice strings.... "Thank you for registering. You " sounds very interesting ;) Let's go there!
                                  |
:004B1515 B904164B00              mov ecx, 004B1604
:004B151A E861D2F8FF              call 0043E780
:004B151F A134174F00              mov eax, dword ptr [004F1734]
:004B1524 E8E30F0100              call 004C250C
:004B1529 3C01                    cmp al, 01
:004B152B 752B                    jne 004B1558                   <--- Bad Boy!
:004B152D A134174F00              mov eax, dword ptr [004F1734]
:004B1532 C6803805000001          mov byte ptr [eax+00000538], 01
:004B1539 6A40                    push 00000040

* Possible StringData Ref from Code Obj ->"PowerStrip Registration"
                                  |
:004B153B B908164B00              mov ecx, 004B1608

* Possible StringData Ref from Code Obj ->"Thank you for registering. You "

4. Easy going! The jne at 004B152B is our bad boy. The call 004C250C returns the result of the key check in al: if al=1 our proggy is registered, otherwise we fail. Let's fix it... Go into the call 004C250C and note the file offset of its first instruction.

5. Start Hiew, open the unpacked pstrip.exe, go to our offset and switch to decode mode. Press F3 to edit, F2 to enter asm commands. Now type the following:
   mov al,1 [Enter]
   ret [Enter]
   [Esc]
   Save your work.

6. OK, let's try it. Congratulations! You are a registered user.

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net or go to http://www.LW2000.cjb.net

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!

PART 5
~~~~~~

Name     : script.ini for ProcDump
Version  : 1.6.x
Target   : script.ini
Tools    : Brain
Cracker  : LW2000
Tutorial : No.60

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

OK, I was asked a dozen times for script.ini. I mailed it, DCC'd it and sent it a couple of times in the last days, too. So, since it is of general interest, here is my script.ini =) I hope you are all happy now =) ... and no one asks for it any more!

(One thing to check before you rely on it: the [Petite<1.3] section contains two L2= lines and the [Wwpack32] section two LA= lines. Whether both lines of such a pair get executed, or one silently wins, depends on how ProcDump handles duplicate keys, so step through those two scripts once before trusting them.)

========= Begin of script.ini ==========

;--------------------------------------------------------------------------
; ProcDump Specifics Packers/Protectors Definitions.
;
; (C) G-RoM iN 1998, 1999
;--------------------------------------------------------------------------
; Implemented :
;
; ADD  : ADD a value to temporary address
; BP   : Set a Breakpoint at temporary address.
; BPX  : Set a Breakpoint at given address.
; BPREG: Set a Breakpoint with register value [EAX/EBX/EDX/ECX/EDI/ESI].
; BPF  : Break until flag is set/unset.
; BPC  : Break until Counter is reached.
; BPV  : Break until Register [EAX/EBX/EDX/ECX/EDI/ESI] is equal.
; DEC  : DEC a value to temporary address
; EIP  : Use next EIP as Original EntryPoint.
; HELP : Launch external file with PARAMS.
; OBJR : Set Object search start with current EIP.
; LOOK : Scan a signature. Address found is stored temporary.
; MOVE : Set eip to eip + param. Be careful with it!
; POS  : Set Local Address Value
; REPL : Replace at temporary address by string.
; STEP : Single step mode (end of batch).
; WALK : Execute the next instruction.
;--------------------------------------------------------------------------
; All parameters will be interpreted as hexadecimal values.
; For parameters don't use a prefix or postfix like 0x or h. They will cause
; parameter interpretation to stop.
;--------------------------------------------------------------------------
; -->> LW2000 [CiA] script.ini <<--
;--------------------------------------------------------------------------

[OPTIONS]
CAPTION=ProcDump32 (C) 1998, 1999 G-RoM, Lorian & Stone
BHRAMA=ProcDump32 - Dumper Server
OPTL1=00000000
OPTL2=01000101
OPTL3=01010001
OPTL4=00010000
OPTL5=00000000

[INDEX]
P1=Hasiuk/NeoLite
P2=PESHiELD
P3=Standard
P4=Shrinker 3.3
P5=Wwpack32 I
P6=Manolo
P7=Petite<1.3
P8=Wwpack32 II
P9=Vbox Dialog
PA=Vbox Std
PB=Petite 1.x
PC=Shrinker 3.2
PD=PEPack
PE=UPX
PF=Aspack<108
P10=SoftSentry
P11=CodeSafe 3.X
P12=Aspack108
P13=Neolite2
P14=Aspack108.2
P15=Petite 2.0
P16=Sentinel
P17=PKLiTE
P18=Petite 2.1
P19=PCShrink
P1A=PCGUARD v2.10
P1B=Aspack108.3
P1C=Shrinker 3.4
P1D=PECompact 0.971 b
P1E=PECompact 0.975 b
P1F=Aspack108.4
P20=UPX 0.7X-0.8X
P21=UPX 0.89.6
P22=STNPE Encrypter 1.xx
P23=PE Compact
P24=PC Shrink II
P25=VGCrypt 0.75
P26=Shrinker 3.x
P27=Wwpack32
P28=Aspack2000

[Aspack<108]
L1=OBJR
L2=LOOK 75,00,E9
L3=BP
L4=WALK
L5=WALK
L6=OBJR
L7=LOOK 61,FF,E0
L8=ADD 1
L9=BP
LA=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[Aspack108]
L1=OBJR
L2=LOOK E9
L3=BP
L4=WALK
L5=OBJR
L6=LOOK AC,AA,58
L7=BP
L8=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[Aspack108.2]
L1=OBJR
L2=LOOK E9
L3=BP
L4=WALK
L5=OBJR
L6=LOOK E8,8A,02,00,00,E8
L7=BP
L8=MOVE 0F
L9=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[Aspack108.3]
L1=OBJR
L2=LOOK 6A,00,50
L3=JZ 5
L4=QUIT
L5=BP
L6=OBJR
L7=LOOK 50,C3
L8=ADD 1
L9=BP
LA=WALK
LB=OBJR
LC=LOOK 50,C3
LD=ADD 1
LE=BP
LF=STEP
OPTL1=00000000
OPTL2=01000001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[Aspack108.4]
L1=OBJR
L2=LOOK ?,C3
L3=JZ 5
L4=QUIT
L5=BP
L6=OBJR
L7=LOOK 5B,0B,DB
L8=BP
L9=OBJR
LA=LOOK C3
LB=BP
LC=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[CodeSafe 3.X]
L1=LOOK 89,04,8A
L2=ADD 5
L3=BP
L4=LOOK FF,E1,C3
L5=BP
L6=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00010000
OPTL5=00000000

[Hasiuk/NeoLite]
L1=LOOK 50,FF,25
L2=BP
L3=BPR EAX
L4=EIP
L5=STEP
OPTL1=00000000
OPTL2=01000001
OPTL3=01010001
OPTL4=00010100
OPTL5=00000000

[Manolo]
L1=BPX 181
L2=STEP
OPTL1=00000000
OPTL2=01000001
OPTL3=01000001
OPTL4=00010000
OPTL5=00000000

[Neolite2]
L1=OBJR
L2=LOOK FF,E0,80,3D
L3=BP
L4=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[PCGUARD v2.10]
; Layer1
L1=LOOK 86,07,47,C3
L2=BP
L3=WALK
L4=LOOK 86,07,47,C3
L5=BP
L6=WALK
L7=OBJR
L8=LOOK FC,8D
L9=BP
; Layer2
LA=LOOK 86,07,47,C3
LB=BP
LC=WALK
LD=LOOK 86,07,47,C3
LE=BP
LF=WALK
L10=OBJR
L11=LOOK FC,8D
L12=BP
; Layer3
L13=LOOK 86,07,EB,01
L14=BP
L15=WALK
L16=LOOK 86,07,EB,01
L17=BP
L18=WALK
L19=OBJR
L1A=LOOK FC,8D
L1B=BP
; Layer4
L1C=LOOK 86,07,EB,01
L1D=BP
L1E=WALK
L1F=LOOK 86,07,EB,01
L20=BP
L21=WALK
L22=OBJR
L23=LOOK FC,8D
L24=BP
; Layer5
L25=LOOK 86,07,EB,01
L26=BP
L27=WALK
L28=LOOK 86,07,EB,01
L29=BP
L2A=WALK
L2B=OBJR
L2C=LOOK FC,60
L2D=BP
; GET RID OF DEBUG API CHECK
L2E=LOOK 0F,84,07,01,00,00
L2F=REPL 90,E9
; FIND CLEARUP
L30=LOOK F3,AA,8B,85
L31=ADD 2
L32=BP
L33=OBJR
; FIND JUMP BACK
L34=LOOK 61,C3
L35=BP
L36=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00020000
OPTL5=00000000

[PCShrink]
L1=LOOK FF,E2
L2=BP
L3=STEP
OPTL1=00000000
OPTL2=01000101
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[PCShrink II]
L1=LOOK 5F,FF,E7
L2=JZ 4
L3=QUIT
L4=ADD 1
L5=BP
L6=WALK
L7=OBJR
L8=LOOK 5F,F3,A4,E9
L9=ADD 3
LA=BP
LB=WALK
LC=LOOK 61,9D,BA
LD=BP
LE=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[PE Compact]
L1=LOOK 5A,FF,E2
L2=JZ 4
L3=QUIT
L4=ADD 1
L5=BP
L6=WALK
L7=OBJR
L8=LOOK 5F,F3,A4,E9
L9=ADD 3
LA=BP
LB=WALK
LC=LOOK 61,9D,68
LD=BP
LE=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[PECompact 0.971 b]
L1=LOOK 5A,FF,E2
L2=WALK
L3=WALK
L4=BP
L5=LOOK F3,A4,E9
L6=WALK
L7=WALK
L8=BP
L9=STEP
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000 [PECompact 0.975 b] L1=LOOK 5F,FF,E7 L2=WALK L3=WALK L4=BP L5=LOOK F3,A4,E9 L6=WALK L7=WALK L8=BP L9=STEP OPTL2=01010001 OPTL3=01010001 OPTL4=00030000 OPTL5=00000000 [PEPack] L1=LOOK 61,FF,E0 L2=BP L3=STEP OPTL1=00000000 OPTL2=01000001 OPTL3=01010001 OPTL4=00030000 OPTL5=00000000 [PESHiELD] L1=LOOK 0F,85 L2=BPF Z L3=LOOK FF,E0,00 L4=BP L5=STEP OPTL1=00000000 OPTL2=01000001 OPTL3=01000001 OPTL4=00010000 OPTL5=00000000 [PESHiELD Secure] L1=LOOK 0F,85 L2=BPF Z L3=LOOK CB,8D,B5 L4=ADD 1 L5=BP L6=STEP OPTL1=00000000 OPTL2=01000001 OPTL3=01000001 OPTL4=00010000 OPTL5=00000000 [Petite<1.3] L1=LOOK 5E,5B,C9,C3,E8 L2=JN 7 L2=ADD 4 L3=BP L4=WALK L5=OBJR L6=LOOK 61,66,9D L7=JZ 9 L8=QUIT L9=BP LA=STEP OPTL1=00000000 OPTL2=01000001 OPTL3=01010001 OPTL4=00030000 OPTL5=00000000 [Petite 1.x] L1=LOOK 5E,5B,C9,C3,E8 L2=ADD 4 L3=BP L4=WALK L5=OBJR L6=LOOK 61,66,9D L7=ADD 3 L8=BP L9=WALK LA=EIP LB=STEP OPTL1=00000000 OPTL2=01010001 OPTL3=01010001 OPTL4=00030000 OPTL5=00000000 [Petite 2.0] L1=OBJR L2=LOOK 83,3A,00,0F,84 L3=ADD 3 L4=BPF z L5=WALK L6=WALK L7=WALK L8=OBJR L9=LOOK 83,3E,00,0F,84 LA=ADD 3 LB=BPF Z LC=LOOK F3,AA,FD,33,C0,B9 LD=BP LE=OBJR LF=STEP OPTL1=00000000 OPTL2=01010001 OPTL3=01010001 OPTL4=00030000 OPTL5=00000000 [Petite 2.1] L1=STEP OPTL1=00000000 OPTL2=01010001 OPTL3=01010001 OPTL4=00030000 OPTL5=00000000 [PKLiTE] L1=LOOK 68,00,00,00,00,E8 L2=ADD 0A L3=BP L4=STEP OPTL1=00000000 OPTL2=01010001 OPTL3=01010001 OPTL4=00010000 OPTL5=00000000 [Sentinel] L1=LOOK 8B,44,24,1C,8B,4C,24,18,8B,54,24,14,50,51,52 L2=BP L3=WALK L4=WALK L5=WALK L6=WALK L7=STEP OPTL1=00000000 OPTL2=01010001 OPTL3=01010001 OPTL4=00030000 OPTL5=00000000 [Shrinker 3.x] L1=LOOK 8D,4D,E4,51,6A,02,FF,35 L2=JN 5 L3=ADD 14 L4=REPL 90,90 L5=LOOK FF,75,10,FF,75,0C,FF,75,08,FF,55 L6=JZ 8 L7=QUIT L8=BP L9=STEP OPTL1=00000000 OPTL2=01010001 OPTL3=01010001 OPTL4=00020000 OPTL5=00000000 [Shrinker 3.2] L1=BPX 2672 L2=STEP OPTL1=00000000 OPTL2=01010001 OPTL3=01010001 OPTL4=00020000 OPTL5=00000000 
[Shrinker 3.3] L1=LOOK FF,75,10,FF,75,0C,FF,75,08,FF,55 L2=BP L3=STEP OPTL1=00000000 OPTL2=01010001 OPTL3=01010001 OPTL4=00010000 OPTL5=00000000 [Shrinker 3.4] L1=LOOK 8D,4D,E4,51,6A,02,FF,35 L2=ADD 14 L3=REPL 90,90 L4=LOOK FF,75,10,FF,75,0C,FF,75,08,FF,55 L5=BP L6=STEP OPTL1=00000000 OPTL2=01010001 OPTL3=01010001 OPTL4=00010000 OPTL5=00000000 [SoftSentry] L1=LOOK FF,D7,6A,00,68 L2=BP L3=STEP OPTL1=00000000 OPTL2=01010001 OPTL3=01010001 OPTL4=00020000 OPTL5=00000000 [Standard] L1=LOOK FF,E0 L2=BP L3=STEP OPTL1=00000000 OPTL2=01000001 OPTL3=01010001 OPTL4=00010000 OPTL5=00000000 [STNPE Encrypter 1.xx] L1=LOOK FF,E0 L2=BP L3=STEP OPTL1=00000000 OPTL2=01010001 OPTL3=01010001 OPTL4=00030000 OPTL5=00000000 [UPX] L1=LOOK 61,E9 L2=BP L3=STEP OPTL1=00000000 OPTL2=01010001 OPTL3=01010001 OPTL4=00030000 OPTL5=00000000 [UPX 0.7X-0.8X] L1=OBJR L2=LOOK EB,10 L3=BP L4=WALK L5=OBJR L6=LOOK 61,E9 L7=BP L8=STEP OPTL1=00000001 OPTL2=01010101 OPTL3=01010001 OPTL4=00030000 OPTL5=00000000 [UPX 0.89.6] L1=OBJR L2=LOOK EB,0E L3=BP L4=WALK L5=OBJR L6=LOOK 61,E9 L7=BP L8=STEP OPTL1=00000001 OPTL2=01010101 OPTL3=01010001 OPTL4=00030000 OPTL5=00000000 [VBOX Std] L1=LOOK FF,D0 L2=BP L3=STEP OPTL1=00000000 OPTL2=01010001 OPTL3=01010001 OPTL4=00030000 OPTL5=00000000 [VBOX Dialog] L1=LOOK FF,D0 L2=BP L3=BPR EAX L4=OBJR L5=LOOK FF,D0 L6=BP L7=STEP OPTL1=00000000 OPTL2=01010001 OPTL3=01010001 OPTL4=00030000 OPTL5=00000000 [VGCrypt 0.75] L1=LOOK E9,E4,00,00,00 L2=JZ 4 L3=QUIT L4=BP L5=LOOK E8,4B,FF,FF,FF L6=BP L7=LOOK 00,FF,E3 L8=ADD 1 L9=BP LA=STEP OPTL1=00000000 OPTL2=01010001 OPTL3=01010001 OPTL4=00010000 OPTL5=00000000 [Wwpack32] L1=LOOK 3E,32,65,00,45,E2,F9 L2=JN B L3=ADD 7 L4=BP L5=DEC 7 L6=REPL 80,F4,CC,80,F4,66,90 L7=MOVE FFFFFFF9 L8=LOOK E2,F9,EB L9=ADD 2 LA=BP LA=LOOK 5D,5B,E9 LB=JZ D LC=QUIT LD=BP LE=STEP OPTL1=00000000 OPTL2=01000001 OPTL3=01010001 OPTL4=00010000 OPTL5=00000000 [Wwpack32 I] L1=LOOK 5D,5B,E9 L2=BP L3=STEP OPTL1=00000000 OPTL2=01000001 OPTL3=01010001 OPTL4=00010000 
OPTL5=00000000 [Wwpack32 II] L1=LOOK 3E,32,65,00,45,E2,F9 L2=ADD 7 L3=BP L4=DEC 7 L5=REPL 80,F4,CC,80,F4,66,90 L6=MOVE FFFFFFF9 L7=LOOK E2,F9,EB L8=ADD 2 L9=BP LA=LOOK 5D,5B,E9 LB=BP LC=STEP OPTL1=00000000 OPTL2=01000001 OPTL3=01010001 OPTL4=00010000 OPTL5=00000000 [Aspack2000] L1=OBJR L2=LOOK 68,?,?,?,?,C3 L3=JZ 5 L4=QUIT L5=BP L6=STEP OPTL1=00000000 OPTL2=01010001 OPTL3=01010001 OPTL4=00030000 OPTL5=00000000 ============ End of script.ini ============= Congratulation! You have my script.ini. FINISH! Easy, or? cu LW2000 Any comments? Mail me LW2000@gmx.net or go to http://www.LW2000.cjb.net ---- tKC, thx for your tutors! I started with tutor 1 and i still read them... they are the best! ABOUT ~~~~~ I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #70 soon! ;) And as I said last time: Without knowledge, there's no power! ;) Credits go to: tKC for Interface. tKC for Splash Logo FeNOreZ for providing a tut in this version. PinguTM for providing a tut in this version. LW2000 for providing 3 tuts in this version. tKC for coding this version :) All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address! *** 80 chars per line in textfile please! *** And all the tutors can be found at http://www.msjessca.da.ru Greetz goto all my friends! You can find me on IRC or email me at tkc@reaper.org Coded by The Keyboard Caper - tKC The Founder of PhRoZeN CReW/Crackers in Action 2000 Compiled with Delphi 5 on 3 February 2000 Cracking Tutorial #69 is dedicated to all the crackers.