Welcome to Cracking Tutorial #75!

Hiya guys, Sorry for delays, too busy etc.. anyway I've included a new
TUTOR.EXE in #74, be sure to get it! Keep this version for next tutors!
I've added File Associate, which you can doubleclick on *.tKC to load
TUTOR.EXE! Now enjoy tut75.tKC...

OK, let's rave!

TOOLS
~~~~~

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll
need to use all those tools, so be sure to get them handy for the examples in
this tutorial!)

SoftICE v4.05
W32Dasm v8.93
Hacker's View v6.30
SmartCheck v6.03
ProcDump32 v1.6.2
Windows Commander v4.03 (I use it coz it's easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get
them when you used my older tutorials.

Here are good sites where you can grab tools from:
http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com
or ask any crackers to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

DongJong's NEWBIE TUTORIAL
How to get a PERSONAL SERIAL for Engineering Power Tools v1.9.3

Tools to use
~~~~~~~~~~~~
SmartCheck 6.01

Where to get Tools
~~~~~~~~~~~~~~~~~~
http://cracking.home.ml.org
http://surt.to/HarvestR
http://crackstore.com
http://www.pepsoft.com

Where to get the program
~~~~~~~~~~~~~~~~~~~~~~~~
Engineering Power Tools v1.9.3
http://www.pwr-tools.com

Program description
~~~~~~~~~~~~~~~~~~~
ENGINEERING POWER TOOLS for Windows is a POWERFUL engineering tool for use by
both students and professionals. OVER 70 program modules and data tables are
organized into one easy-to-use package. The programs solve a wide variety of
common engineering problems QUICKLY and easily. ELIMINATE WASTED TIME, hunting
through manuals and performing calculations by hand. With POWER TOOLS the
information and formulas you need are only a click away. Categories included
are: Math, HVAC, Mechanical, Electrical, Materials and Structural.
The registered version allows saving and restoring of data files as well as
printing of all forms. POWER TOOLS can be easily NETWORKED from a single
location (multiple installations are not typically required). Give your
efficiency a boost with ENGINEERING POWER TOOLS!

Procedures
~~~~~~~~~~
Start SmartCheck (sc) and open ept-19.exe, run the program by pressing F5, then
a program splash box appears that has a disclaimer with AGREE and DISAGREE
buttons on it. Click AGREE of course, then you are in the program. Naturally we
look for the menu item, often at the Help-About menu, looking for our
registration box :> but unluckily there ain't one! So let's exit and run the
proggie again, but take note: now below those buttons is embedded the word
UNREGISTERED, it shows you aren't a registered user or owner of the proggie :>
he he (isn't that always the case) :>

Now, on with our tutor ok :> Press that UNREGISTERED word and et VOILA! it's
the registration screen we are up to! So it asks for a Name and a reg code, I
register with my friend's name, like this (you can input your name and any
number you want, just follow my tut):

Name:   Albert Alexander Lay
Serial: 1434

Then after filling in the details click on OK, and a nice message will greet
you saying "Invalid Registration Code"! ouuccchhh! that hurts so much, Kuya
Eddie! he he :> (well, just part of the game) :)

Now just press on and click on and exit the program, press the "Acknowledge"
button on the error and SC stops tracing for us to begin hunting that code :>

Ok, so now let's look on the left side of SmartCheck, luckily... just a few,
but don't count on it, inside maybe is a lot for us to look at :> but just take
a look at the string with [+] MAINFORM_Load, click that and it expands, whew!
he he, I told you it's long :>, below that expand [+] Splash.Show, you see a
lot of [+] Timer1_Timer, that's the result or timer for SC to record your
keystrokes, how long you've been idle it takes you to :> so just explore down,
until you see [+] btn_regok_Click, isn't it a hint already (reg), so click on
it and trace down, you'll see a long redundancy of Chr$ and Mid$ ...

--- snip for brevity ---
Chr$
Mid$
Chr$
Mid$
Chr$
Mid$
Chr$
Mid$
--- snip for brevity ---

There's a lot below it. Which is which? Just start with the one which, when you
click it, the right pane of SC displays your input name; place the cursor on it
and press it (a blue line highlights it) and look at the right corner of SC,
you'll see like this...

[-] String string1 = 006D0C68
|
|--"Albert Alexander Lay"

Look here, just follow it, as the "Asc returns Integer:xx" keeps on appearing
way down but with a different value. Why? you ask, because that corresponds to
the letter of the name you input, and that is case sensitive :> like this ...

Place the cursor on Asc returns Integer:65 (it will be highlighted in blue).
Now look at the right hand side of SmartCheck, waddaya see... of course a
letter ...

[-] String string=005D2BC0
|
|-- = "A"

Do the same for the others, and you'll spell out your name, kewl ;-) we're
near. For a test, what should it be for a small letter "a"? Well, in case you
still haven't got it, it's ...

Asc returns Integer:97 ------> corresponds to letter "a"

Ok, now trace down till the last letter of your name, wat da ya got? Well, your
full input name again, and a lil bit long list of wannabees :>

Now trace down till the end of [+] btn_regok_Click, five rows above it, you'll
see on the left pane of SC, Left$, click on it and look at the right pane of
SC, this time you'll see like this:

[-] String str = 005D1AA8
|
|
|
|-- = "14C9814C3114C6414C7114CBB14CB914CB41.........."
|
|--Long length = 8 0x00000008

He he :> to me :> did you get it now?
In case you don't, it simply says to take the first 8 characters of the string
above to be your reg code for your input name :>

Well, that's it, you've made it! Start ept-19.exe, and click on the embedded
UNREGISTERED using this info:

User Name         : Albert Alexander Lay
Registration Code : 14C9814C

And yes, a bit of a reminder, it's cAsE sEnSiTiVe :>

Click OK and what you got? Magic! In place of the embedded UNREGISTERED word is
your registration name :> All features of Engineering Power Tools are now
ENABLED! kewl :>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greetings go to these people:
tKC- I would like to thank tKC for his tutors.
MsJessca- for hosting the tuts and inspiring tKC :>
Albert Alexander Lay- KeWl DuDe! for the computer and Internet ;)
Ms. KJF- hello 7372122 :)
What's up! All cracking groups and cracking fanatics and newbies galore!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Until next time... LONG LIVE!

Another Tutor by DongJong ;)
sutra@goplay.com

PART 2
~~~~~~

DongJong's NEWBIE TUTORIAL
How to get a PERSONAL SERIAL for Electronic Survey Program v1.1

Tools to use
~~~~~~~~~~~~
SmartCheck 6.01

Where to get Tools
~~~~~~~~~~~~~~~~~~
http://cracking.home.ml.org
http://surt.to/HarvestR
http://crackstore.com
http://www.pepsoft.com

Where to get the program
~~~~~~~~~~~~~~~~~~~~~~~~
Electronic Survey Program v1.1
http://www.gepetosoftware.com/downloads/espsetup.exe

Program description
~~~~~~~~~~~~~~~~~~~
ESP lets students create an "electronic survey" on the computer! Then, on a
single classroom computer or an entire networked lab, students can take the
survey with just a few mouse clicks. There are lots of options (including
password protection for networks), all with a simple interface that even an
elementary student could use. What makes ESP really stand out, though, is the
ability to tally, print, or even export the survey results directly to
Microsoft Excel for graphing!
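Part 1 above recovers the registration code by watching the client's own string calls in SmartCheck, and Part 2 below does the same for its target: in both products the client computes the valid code from the name, so anyone tracing the client sees the code being built. The Go program below is an added example, not code from DongJong's tutorial or from either product. Its weak scheme is a hypothetical name-to-serial function constructed here (the constant 0x1234 and the arithmetic are invented, not any real product's algorithm); its signed scheme uses Go's standard crypto/ed25519. It shows why the first design is recoverable from the client binary and the second is not:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// ---- Weak scheme: serial is a function of the name, computed on the client ----
// Hypothetical, constructed for this example; NOT the algorithm of any product
// named in the tutorial. Every step (per-character arithmetic, hex formatting,
// taking a fixed-length prefix) runs inside the client, so an API tracer that
// records string calls watches the valid code being assembled.
func weakSerial(name string) string {
	var sum uint32 = 0x1234 // constructed constant
	for i, c := range []byte(name) {
		sum = sum*31 + uint32(c)*uint32(i+1) // case matters: 'A' != 'a'
	}
	return strings.ToUpper(fmt.Sprintf("%08x", sum)) // 8-character code
}

func weakVerify(name, serial string) bool {
	return weakSerial(name) == serial
}

// ---- Signed scheme: the client can verify a code but cannot produce one ----
// The vendor keeps the Ed25519 private key; the shipped program embeds only the
// public key. Tracing the client reveals a signature verification, which gives
// no way to forge a code for another name.
type Vendor struct {
	priv ed25519.PrivateKey
}

// NewVendor creates a fresh key pair and returns the vendor (private side) and
// the public key that would be compiled into the client.
func NewVendor() (Vendor, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Vendor{priv: priv}, pub
}

// Issue signs the exact user-name bytes, so the code is bound to that name.
func (v Vendor) Issue(name string) string {
	return hex.EncodeToString(ed25519.Sign(v.priv, []byte(name)))
}

// signedVerify is the only license logic the client contains.
func signedVerify(pub ed25519.PublicKey, name, code string) bool {
	sig, err := hex.DecodeString(code)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(name), sig)
}

func main() {
	name := "Albert Alexander Lay" // the name used in the tutorial
	fmt.Println("weak serial, rebuilt entirely on the client:", weakSerial(name))

	vendor, pub := NewVendor()
	code := vendor.Issue(name)
	fmt.Println("signed code verifies for its own name:", signedVerify(pub, name, code))
	fmt.Println("same code presented for another name:", signedVerify(pub, "Someone Else", code))

	// A second key pair stands in for someone who only has the client binary:
	// without the vendor's private key their "codes" do not verify.
	impostor, _ := NewVendor()
	fmt.Println("code signed with a foreign key:", signedVerify(pub, name, impostor.Issue(name)))
}
```

Run it with `go run`. The caveat a practitioner wants: the signed scheme stops forging codes, but it does nothing against editing the verification itself, which is what Parts 3 to 5 do with a hex editor; that needs integrity measures in the binary. It also binds the code to the exact bytes of the name, so, as the tutorial notes, case matters.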
Procedures
~~~~~~~~~~
Start SmartCheck (sc) and open survey.exe, run the program by pressing F5, keep
on clicking only SC's ACKNOWLEDGE buttons whenever they pop up :> There are no
splashes, it goes direct to the main program body. Click the Help--About
setting, and click on register, it asks for your USER NAME and a REGCODE, I
just register with my friend's name, like this (you can input your name and any
number you want, just follow my tut):

Name:   Albert Alexander Lay
Serial: 1434

Then after filling in the details click on OK, and what you have input will be
erased! Kind of like it was not accepted because it was the wrong code :> (well
you know it was wrong!) :)

Now just press on and click on and exit the program, press the "Acknowledge"
button on the error and SC stops tracing for us to begin hunting that code :>

Ok, so now let's look on the left side of SmartCheck, luckily... just a few,
and lots of [+] _Click(s), just find those with meaningful data in them; for
me, it's the third [+] _Click, expand it and there's your meaningful data, he
he :> we're very near completing our task :>

Below that is Len returns LONG:20, it's the number of characters you have input
as your user name, click on it and look at the right pane of SC, what you got?
It's like this:

[-] String string1 = 0054027C
|
|--"Albert Alexander Lay"

Look here, just follow it, as the "Asc returns Integer:xx" keeps on appearing
way down but with a different value. Why? you ask, because that corresponds to
the letter of the name you input, and that is case sensitive :> like this ...

Place the cursor on Asc returns Integer:65 (it will be highlighted in blue).
Now look at the right hand side of SmartCheck, waddaya see... of course a
letter ...

[-] String string=005D2BC0
|
|-- = "A"

Do the same for the others, and you'll spell out your name, kewl ;-) we're
near. For a test, what should it be for a small letter "b"? Well, in case you
still haven't got it, it's ...
Asc returns Integer:98 ------> corresponds to letter "b"

Ok, now trace down till the last letter of your name, wat da ya got? Well, it
didn't count up to the last character of the name, and it already produces a
result! You'll see on the left pane of SC, LCase, click on it and look at the
right pane of SC, this time you'll see like this:

[-] String (variant)
|
[-] unsigned short**.pbstrVal = 00441D80
|
[-] String = 00442438
|
|-- ="ESP909"

He he :> to me :> did you get it now? You bet!

Well, that's it, you've made it! Start survey.exe, and click on the Help--About
and register using this info:

User Name         : Albert Alexander Lay
Registration Code : ESP909

Click OK and what you got? Magic! In place of the UNREGISTERED word now is
**Registered Version-- Do Not Distribute**! Kewl :> you can now have unlimited
responses! The registered data is stored in its own directory in a file
"espdata.dat"; modify it if you wanna reverse the status of your proggie!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greetings go to these people:
tKC- I would like to thank tKC for his tutors.
MsJessca- for hosting the tuts and inspiring tKC :>
Albert Alexander Lay- KeWl DuDe! for the computer and Internet ;)
Ms. KJF- hello 7372122 :)
What's up! All cracking groups and cracking fanatics and newbies galore!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Until next time... LONG LIVE!

Another Tutor by DongJong ;-)
sutra@goplay.com

PART 3
~~~~~~

Well, we are attacking this target: Unique filer 1.4

You have an annoying nag telling you it nags you, so what are we gonna do? Try
the other button (something like register or so), and enter some details. Let
it generate a key, and... enter username & password.. you got an error.. nice,
note it and close the app!

Make a copy of the exe, and launch w32dasm, load the copy, and search the
error! Got it? Click on it once, twice.. offset doesn't change..
good ;)

You're here:

:004C6958 BAB06A4C00   mov edx, 004C6AB0

Scroll up until you see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004C68F2(C), :004C6934(C)

now go to this location: |:004C68F2(C)

and you'll see this:

:004C68F2 755C   jne 004C6950

scroll up (until you see a call - this one):

:004C68EB E888E0FFFF   call 004C4978

trace into that call: (you have a button for that on top of w32).

When you did that, you're here:

:004C4978 55     push ebp       <= NOTE THiS OFFSET
:004C4979 8BEC   mov ebp, esp

So, what are we gonna do?? We're gonna change it!

Launch hiew and open the exe file.. go to the offset you noted, press F3 and F2
and type:

mov eax,1
ret

and launch the exe! Patched, isn't it?

Good luck, enjoy life,

iNNU3NDo [CiA]

Greets to all ppl in #C.i.A #DREAD #FAiTH2000!

PART 4
~~~~~~

Target name:        AudioCD MP3 studio 2000
Target url:         http://www.ashampoo.com
Target version:     v. 2.0 SE
Target type:        MP3 to music cd write program
Target bothers you: a lot - jingle - nag
Target protection:  serial
Cracker:            iNNU3NDo / LW2000
Cracking Tools:     W32Dasm, Hiew, paper, pen, brain, computer
Team:               COROSiVE [cRV] / cRACKERS iN aCTiON [CiA]
Tutorial Number:    6

Yowza, Another tutorial from me..! While I was searching for a program to write
my MP3 collection to audio CD, I found this app. I didn't test it yet cause of
this part (little copy/paste of the notes.txt included with the program):

"After entering the key you will be able to use AudioCD MP3 Recording Studio
2000 with full functionality -- the 23-second jingle will no longer be inserted
in your playlists or your CDs."

I hope you enjoy my method of work, and.. remember, if you think it's a good
program, buy it!

You launch the program, click away all those annoying messages, and you search
where you can enter your "reg/trial key". Fill in something (doesn't matter
what).
If it is registered after you clicked "ok/register, whatever", you can stop
reading here ;) Else, note down the message text (with pen and paper) and close
the program. *Whaaa*, another annoying popup!

Open your explorer and go to the directory where you installed the program,
make a copy of "cdaudio.exe" and name it "cdaudio.w32" and another copy named
"cdaudio.bak" (DON'T FORGET THiS, OR FiRST READ THE WHOLE DOCUMENT!). Now you
have a file to disassemble in W32DASM (*.w32), you patch the *.exe and you can
replace it with the *.bak (backup) file.

Open W32Dasm and load the *.w32 file. Let it load (and get something to
drink..) Loaded? OK.. go to the SDR window and search the error message
"Invalid registration code". Click on it, twice.. and another time.. offset
doesn't change.. good ;) now you should be here:

:0040AA73 684DEF0000   push 0000EF4D

so.. scroll up until you have a (U)nconditional or (C)onditional jump at
address:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040AA40(C)

right-double click on that address (0040AA40). Now you end up here:

:0040AA40 742D   je 0040AA6F   <= do you see the JE ??

As you know already from other tutorials, change the JE into JNE. Let's try!

Open cdaudio.exe in hiew and press enter twice, then press F5 and enter the
offset (look in the status bar of W32Dasm - which is still open - with the
indicator bar over the line you want to patch (offset = 0000AA40h) (forget the
"h", it's only there to say it's hexadecimal). Now press F3 and replace 74 with
75 (JE => JNE)

74 = JE
75 = JNE

Press F9 to update your work, and F10 to quit hiew.

Launch the program again, and enter your (nick) name and (wrong) serial.
Normally now the program registers when you enter a wrong serial, and it
doesn't accept the good one (but there is more chance you find a wrong serial
anyway ;) ---> enter 22446688 as serial and look at this:

"Registration completed Congratulations! ..."
You have to restart the program in order to make it fully functional! (but it
isn't when you restart it)

So, what have we done wrong? We patched the regcheck, not the registration
routine, so here we go. Replace the exe with the backup file (and rename it to
exe) and launch W32Dasm again and search the error message, scroll up, jump to
that address (look above for more info), and you'll see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A9FC(C)
|
:0040AA2C 6A00           push 00000000
:0040AA2E 8B8DCCFEFFFF   mov ecx, dword ptr [ebp+FFFFFECC]
:0040AA34 E891FAFFFF     call 0040A4CA    <= we need this!
:0040AA39 25FF000000     and eax, 000000FF
:0040AA3E 85C0           test eax, eax
:0040AA40 742D           je 0040AA6F      <= here we are.. don't patch this (again)!

So, what do we do? Scroll up until the indicator line is above that call, and
choose the option: "execute call". Note the offset and quit W32Dasm
(offset = 0000a4ca)

Launch hiew and load audiocd.exe. Press Enter twice. Press F5 and enter the
offset you just noted. Press F3 and enter this:

mov eax,1
ret

Launch the program and enter a serial of your choice. Click "ok" and restart
the app. It's registered, isn't it? (well.. that annoying track isn't there
anymore.. that's the most important thing..)

Enjoy!

Well.. Greets to: LW2000 (this is a 50/50 LW-iNNU production), SiONiDE, Kaai,
sep, iCEPiC, anyman, H3llSp4wn, tKC, BuLLeT, Dark Shaddow, Northpole, PeeWee,
DnNuke, TiwiS, T4D, zer00ne, warezpup, Dj-CoDe, Potsmoke & Mushi: keep trying,
everybody I forgot (and that are lots of ppl.. sorry guys/girls!)

I hope you enjoyed this tutor as much as I did... If you have
comments/questions, don't hesitate to contact me @: iNNU3NDo@COROSiVE.com

This tutorial was written with TuTWRi 0.9 alpha (a simple program I coded to
make it easy for crackers to write tutorials - can be found at
http://www.corosive.com under cRV coding releases)

// iNNU3NDo: You can't be yourself 365 days a year!

PART 5
~~~~~~

My fav Windows Commander!
OK OK OK, no need to wet your pants! I decided to write a quick tutor on how to
remove the NAG ONLY, but NOT how to register, or NOT how to make a keygen for
this application, so don't bitch at me... And this isn't just an easy reversing
of a NAG like in any other applications, this is a long procedure!

< Melany, are you paying attention here? :) >

Ok, let's go..

What we'll need:

SoftICE v4.05                 - http://w3.to/protools
W32Dasm v8.93                 - http://w3.to/protools
HIEW v6.30, or any HEX editor - http://w3.to/protools
UN-Aspack v1.0.8.3            - http://w3.to/protools
Windows Commander v4.03       - http://www.ghisler.com
AND YOUR BRAIN!

Step 1.
This WC file is packed with Aspack, so we'll need to unpack it with UN-Aspack
first before we can crack it. So unpack it now..

Step 2.
Done? Kool, now run WINCMD32.EXE, and you'll get a messagebox which says
"WARNING: Wincmd executable file is corrupted, possible VIRUS! blah blah..."
Ok, no problem. This is a CRC check routine.

Step 3.
Load your W32Dasm and open WINCMD32.EXE.BAK, done? Ok, with SDR you won't find
any strings, eg. "virus" or sumthing like that in W32Dasm, coz this string
might be encrypted! Don't close W32Dasm!

Step 4.
Hmmm, what now? Let's try another trick. Because I've a good knowledge of
Delphi, I'll show you what to do with applications that are written in Delphi.
Ok, run your HIEW, open WINCMD32.EXE. Search for the string "NASTYNAGSCREEN"
with F7. Found it? Ok, we're here at:

.004C32E0: 77 01 00 28-04 94 35 4C-00 0F 54 4E-41 53 54 59  w? (?5L TNASTY
.004C32F0: 4E 41 47 53-43 52 45 45-4E 07 00 58-08 44 00 D4  NAGSCREEN X?D +
.004C3300: DE 42 00 44-50 42 00 28-6E 42 00 6C-D7 42 00 50  |B DPB (nB l+B P
.004C3310: D0 42 00 C4-DA 43 00 90-07 0F 54 4E-41 53 54 59  -B -+C TNASTY
.004C3320: 4E 41 47 53-43 52 45 45-4E F0 2E 4C-00 48 46 41  NAGSCREEN=.L HFA
.004C3330: 00 38 00 06-4E 61 67 64-6C 67 00 00-55 8B EC 53  8 ?Nagdlg U8S
                                                ^^
           00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

Step 5.
Ok, that garbage shit above "NASTYSCREEN" is the DCU (unit) info used by
Delphi. Now notice "55" in HEX, that's the beginning of the procedure. So the
address that starts at "55" will be 4C333C, you got it???

Step 6.
Go back to W32Dasm, press Shift-F12, enter "4C333C". We should get like this:

* Referenced by a CALL at Address:
|:004D157E
:004C333C 55         push ebp
:004C333D 8BEC       mov ebp, esp
:004C333F 53         push ebx
:004C3340 8BD8       mov ebx, eax
:004C3342 807B3700   cmp byte ptr [ebx+37], 00

Step 7.
Ok, kool. This is the beginning of the procedure of the registration check. We
trace down down down down till here.. oh yea, while we're tracing, we will see
the end of the 'procedure' like this:

* Possible StringData Ref from Code Obj ->"_^[YY]"
:004C348B 68A5344C00   push 004C34A5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C34A3(U)
:004C3490 8D45F8       lea eax, dword ptr [ebp-08]

* Possible Reference to String Resource ID=00002: "New directory"
:004C3493 BA02000000   mov edx, 00000002
:004C3498 E85301F4FF   call 004035F0
:004C349D C3           ret

Step 8.
This IS the end of the procedure, but because a unit contains a few procedures,
we ignore "C3 ret" and continue till we finally come at:

:004C3552 891D00385200   mov dword ptr [00523800], ebx
:004C3558 E87B1F0000     call 004C54D8
:004C355D 33C0           xor eax, eax
:004C355F 5A             pop edx

Step 9.
We'll trace into a call, at 4C3558, going to 4C54D8:

* Referenced by a CALL at Address:
|:004C3558
:004C54D8 55             push ebp
:004C54D9 8BEC           mov ebp, esp
:004C54DB 81C404F6FFFF   add esp, FFFFF604
.....
.....
:004C5585 E822FDFFFF     call 004C52AC    <--- get filename "WINCMD.KEY"..
.....
.....

Ok, we trace till:

:004C55B9 E84ADFF3FF       call 00403508
:004C55BE 83B80C00000000   cmp dword ptr [eax+0000000C], 00000000
:004C55C5 7521             jne 004C55E8    <--- we gotta nop this...

Step 10.
Now we have to nop at 4C55C5, coz it'll jump if WINCMD.KEY doesn't exist. The
Offset Address will be C49C5, now change it with your HIEW to "90 90". Done?
Ok, is that ALL??? HAHAHA NOT!

Step 11.
We continue tracing down till we get at:

:004C560C 0F84EA020000   je 004C58FC    <--- we gotta jump to this address
:004C5612 8D8508F6FFFF   lea eax, dword ptr [ebp+FFFFF608]
:004C5618 50             push eax

Step 12.
We gotta jump to 4C58FC coz below WC will try to decrypt shit from
"WINCMD.KEY", so we'll patch at 4C560C, the Offset Address will be C4A0C, now
change it with your HIEW to "E9 EB 02 00". Where/how do we get those bytes?
Ok, in HIEW, goto C4A0C. Press F3, then the TAB key, you'll see "je 0000C4CFC"
in the field, right? Ok, change je to jmp, you'll notice the bytes change. Got
it?!? Good...

Step 13.
Is that ALL? NOT! Now we've jumped to 4C58FC, where we are now at:

:004C58FC 6803010000     push 00000103
:004C5901 8D8554F7FFFF   lea eax, dword ptr [ebp+FFFFF754]
:004C5907 50             push eax

Step 14.
We continue tracing down till we get at:

:004C5958 0F84F8010000   je 004C5B56    <--- we gotta jump to this address
:004C595E 8D858AFEFFFF   lea eax, dword ptr [ebp+FFFFFE8A]
:004C5964 B27C           mov dl, 7C
:004C5966 E80D4AF4FF     call 0040A378

Step 15.
We gotta jump to 4C5B56 coz below WC will put garbage shit on the Windows
Titlebar instead of "NOT REGISTERED". So we'll patch at 4C5958, the Offset
Address will be C4D58, now change it with your HIEW to "E9 F9 01 00".
Where/how do we get those bytes? Ok, in HIEW, goto C4D58. Press F3, then the
TAB key, you'll see "je 0000C4F56" in the field, right? Ok, change je to jmp,
you'll notice the bytes change. Got it?!? Good...

Step 16.
Now we've jumped to 4C5B56, where we are now at:

:004C5B56 8D8554F7FFFF   lea eax, dword ptr [ebp+FFFFF754]
:004C5B5C 8B1518B95100   mov edx, dword ptr [0051B918]
:004C5B62 E8C110F4FF     call 00406C28

Step 17.
Grrrrrrr, when is this shit gonna end? We continue tracing down till we get at:

:004C5C3D B910000000   mov ecx, 00000010
:004C5C42 E8C5CDF3FF   call 00402A0C
:004C5C47 7402         je 004C5C4B    <--- we gotta jump to this address
:004C5C49 33DB         xor ebx, ebx

Step 18.
Finally we gotta jump to 4C5C4B, else it'll display a NAG shit!
Ok, we change "74" to "EB" at 4C5C47, the Offset Address will be C5047, now
change it with your HIEW. Changed? Ok.. ummm is that ALL? NOT! Try running
WINCMD32.EXE and look what happens, it'll tell you that your WINCMD file is
fokked up (Virus shit), also if you try pressing any Function Key, it'll close
itself!

Step 19.
Ok, we go back to W32Dasm and we gotta find the Virus Shit Box. We have to run
SoftICE, now press CTRL-D to get into SI, and bpx MessageboxA, exit SI, and run
WC.. and wait... *POP*

Step 20.
Now in SI, press F11, you'll be back in WC with the Virus Box, now click OK. Ah
goodie, this time you're back in SI... SI is so friendly to tell you, we called
a Virus Box at 4D2203. Now type BC* to clear breakpoints, and get out of SI. Go
back to W32Dasm, and press Shift-F12, enter "4D2203". We should get like this:

* Reference To: user32.MessageBoxA, Ord:0000h
:004D21FE E89D37F3FF   Call 004059A0
:004D2203 6A00         push 00000000

Step 21.
We have to trace BACK, so we do it now till we get:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D1EA4(C)    <--- we gotta goto this address..

* Possible Reference to String Resource ID=01345: "Print"
:004D21BD 6841050000   push 00000541

Step 22.
Ok, again Shift-F12, enter "4D1EA4" and we get:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D1E50(C)    <--- we gotta goto this address..
:004D1E88 83E809         sub eax, 00000009
:004D1E8B 0F8410060000   je 004D24A1
:004D1E91 48             dec eax
:004D1E92 0F84BC060000   je 004D2554
:004D1E98 48             dec eax
:004D1E99 0F845D060000   je 004D24FC
:004D1E9F 2D36050000     sub eax, 00000536
:004D1EA4 0F8413030000   je 004D21BD

Step 23.
We have to goto the Address at 4D1E50, what do we see? Here we get:

:004D1E50 7F36           jg 004D1E88    <--- we gotta nop here...
:004D1E52 0F842E060000   je 004D2486

Step 24.
Kewl, now we gotta nop at 4D1E50 coz it'll check CRC shit and call the "VIRUS"
Box. The Offset Address will be D1250, now change it with your HIEW to "90 90".
Done? Ok...

Step 25.
Now try running WC... hmmm..
NAG gone, Virus Box doesn't appear anymore, but it still closes itself when you
press any Function Key! Ok, I'm not gonna explain how I found the address, it's
a long procedure, what I did do is to breakpoint at ExitProcess, where we have
to patch at the 4DA918 address, we are here at:

:004DA918 740A         je 004DA924    <--- we gotta patch here...

* Possible Reference to String Resource ID=00001: "Enter file types........"
:004DA91A B801000000   mov eax, 00000001
:004DA91F E8C09BF2FF   call 004044E4    <--- this calls ExitProcess...

Step 26.
Ok, we change "74" to "EB" at 4DA91A, the Offset Address will be D9D18, now
change it with your HIEW. Changed? Ok..

Step 27.
Now go run WC! Kewl! .............done!

Oh yea, at the 5171BA Address, you can also nop the call to not display a quick
NAG!

Short Summary:

004C55C5 - We nop here, coz of getting filename "WINCMD.KEY"..
004C560C - We force to jump, coz it tries to decrypt shit from "WINCMD.KEY"..
004C5958 - We force to jump, coz it tries to put crap on the WC Titlebar..
004C5C47 - We force to jump, coz it'll display NAG shit (reg'd or not)..
004D1E50 - We nop here, coz it checks CRC shit (Virus Box)..
004DA918 - We force to jump, coz it closes itself, probably another CRC shit..
005171BA - We nop here, to not display a quick NAG..

Enjoy it,
tKC....................tkc@reaper.org

To Ghisler: You're a LOSER! A few months ago I told you how to improve your
application but noooo, you didn't listen!

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did!

Don't miss Tutor #76 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
DnNuke for Interface.
tKC for Splash Logo.
iNNU3NDo & LW2000 for providing 2 tuts in this version.
DongJong for providing 2 tuts in this version.
tKC for providing a tut in this version.
tKC for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next
tutorials .. see below for my email address!

*** 80 chars per line in textfile please!
*** And all the tutors can be found at: http://www.crackersinaction.org
    (or on IRC, ask CiA ops for urls!)

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 12 April 2000

Cracking Tutorial #75 is dedicated to Melany...
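Part 5 defeats Windows Commander's CRC check by NOPing one conditional jump (Step 24) and silences the self-exit the same way (Step 26): each protection reduces to a compare followed by a branch, and two bytes decide the outcome. The Go program below is an added example, not code from tKC's tutorial or from Windows Commander; the 13 "code" bytes and the sealed string are constructed for it, and it uses only the Go standard library. It places that check-then-branch pattern beside a design in which the integrity value is consumed rather than compared, so there is no single jump to flip:

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"hash/crc32"
)

// Image stands in for a loaded executable: the bytes of a code section and the
// checksum the build stored alongside them. The bytes are constructed for this
// example (they echo the prologue/compare/jne shape shown in Part 5).
type Image struct {
	Code      []byte
	StoredCRC uint32
}

var pristineCode = []byte{0x55, 0x8B, 0xEC, 0x53, 0x8B, 0xD8, 0x80, 0x7B, 0x37, 0x00, 0x75, 0x21, 0xC3}

// Build records the CRC of the untouched code, as a build step would.
func Build(code []byte) Image {
	return Image{Code: append([]byte(nil), code...), StoredCRC: crc32.ChecksumIEEE(code)}
}

// Patch returns a copy with one byte changed, the way a hex editor would.
func Patch(img Image, off int, b byte) Image {
	c := append([]byte(nil), img.Code...)
	c[off] = b
	return Image{Code: c, StoredCRC: img.StoredCRC}
}

// Pattern 1: compute, compare, branch. The whole defence collapses to one
// conditional jump; Part 5 removed the "virus" box by NOPing exactly such a jump.
func CheckThenBranch(img Image) string {
	if crc32.ChecksumIEEE(img.Code) != img.StoredCRC {
		return "WARNING: executable file is corrupted"
	}
	return "ok"
}

// Pattern 2: no decision to patch. Data the program needs at run time is sealed
// under a key derived from the code bytes. Tampered code derives a different
// key, so the program does not warn; it simply cannot unseal its own data.
func keyFromCode(code []byte) [32]byte { return sha256.Sum256(code) }

func xorStream(key [32]byte, data []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ key[i%len(key)]
	}
	return out
}

// Seal runs at build time with the key of the pristine code.
func Seal(code []byte, secret []byte) []byte { return xorStream(keyFromCode(code), secret) }

// Unseal runs at run time with the key of whatever code is actually loaded.
func Unseal(img Image, sealed []byte) []byte { return xorStream(keyFromCode(img.Code), sealed) }

func main() {
	secret := []byte("registered-feature-table") // constructed placeholder for protected data
	sealed := Seal(pristineCode, secret)

	good := Build(pristineCode)
	bad := Patch(good, 10, 0xEB) // flip one byte of the conditional jump, as Part 5's hex edits do

	fmt.Println("check-then-branch, pristine:", CheckThenBranch(good))
	fmt.Println("check-then-branch, patched: ", CheckThenBranch(bad))
	fmt.Println("sealed data, pristine:", string(Unseal(good, sealed)))
	fmt.Println("sealed data intact after patch:", bytes.Equal(Unseal(bad, sealed), secret))
}
```

The second pattern is not unbeatable: someone who understands it can recompute the key from the pristine bytes and hard-code it, or hook the hash. What it removes is the one-instruction patch point that a "90 90" edit defeats, and in practice it is combined with several independent checks at different moments rather than one early compare. The XOR seal is there only to keep the example short; real code would key an authenticated cipher the same way.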