Welcome to Cracking Tutorial #76!

Hiya guys,

Here's tut76.tKC... enjoy it...

OK, let's rave!

TOOLS
~~~~~

You'll need the following tools: (I use these tools, I assume you'll use 'em,
but it doesn't mean that you'll need to use all those tools, so be sure to get
them handy for the examples in this tutorial!)

SoftICE v4.05
W32Dasm v8.93
Hacker's View v6.30
SmartCheck v6.03
ProcDump32 v1.6.2
Windows Commander v4.03 (I use it coz it's easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get
them when you used my older tutorials. Here is a good site where you can grab
tools from:

http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

HOW TO CRACK Quick Heal 5.19
bY dAvId/nIgHTMaRe'1
August 1999

Welcome to my 23rd cracking tutorial.
This time I'll teach you how to crack Quick Heal 5.19.
Sorry for my bad grammar, but I hope you will understand it anyway...

Well, it's been a while since I wrote a cracking tutor; actually the reason I
stopped writing tutors is because I have been busy working (WORK SUCKS) :)
Well, a couple of days ago some guy called TheVirus was asking around in the
channel #cracking4newbies for help cracking something, and since I'm a nice guy
I told him I would help, so I did. I also promised to write a small cracking
tutor about how I did it, so that's the reason I'm writing this one. Well,
enough bullshit.

-----------------------------------------------------------------------------

Quick Heal is an Anti-Viral software, i.e. you can use Quick Heal to rid your
system of viruses and to prevent further infections. Viruses are malicious
programs that more often than not cause damage to your data. Viruses do not
cause physical damage to your computer but your data can be corrupted beyond
repair.
Quick Heal is available for DOS, Windows 3.x and Windows 95/NT and as a
NetWare Loadable Module (NLM). Quick Heal comes with complete LAN support. Its
heuristic scanner also detects unknown viruses! Quick Heal has been developed
at Cat Computer Services Pvt. Ltd. (India) by people driven by your
requirements.

-----------------------------------------------------------------------------

Tools Used:

W32Dasm 89.3  (The best disassembler)
Far 1.62      (The best file commander)
Hiew 6.15     (The best file editor; I like it because of the built-in
               disassembler)
1 or more cups of Cappuccino / Coffee (in worse cases you can also drink tea)
1 or more ciggys (a pack will usually do) (Smoke em Baby Smoke em) hehe

Where:            http://www.quickheal.com
Protection Type:  Serial
Crack Type:       *PATCH*

What the fuck are you waiting for... let's go.

Start Quick Heal and go to Utility:Registration, enter 123454 as the key and
press OK. You'll get an error telling you this crap:

    Incorrect unlock code

Ah fuck, what now, cause we don't have the correct code. Don't shit yourself:
go to Far, find the directory where you installed Quick Heal,
copy qh32.exe to qh32.exx for backup,
copy qh32.exx to qh32.w32 for use with W32Dasm.

Start up W32Dasm and disassemble qh32.w32. When done, go to the Strn Ref button
and click it, go down until you see "Incorrect unlock code.", double click it
and minimize the Strn Ref window. You'll be here:

* Possible StringData Ref from Data Obj ->"Incorrect unlock code."
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408431(C)
|
:00408443 6A30                    push 00000030
:00408445 8BCE                    mov ecx, esi

* Possible StringData Ref from Data Obj ->"Error"
|
:00408447 6878034400              push 00440378

So follow the (U)nconditional or (C)onditional Jump: press Shift+F12 and enter
00408431. You'll land here:

:00408426 E8C3D1FFFF              call 004055EE
:0040842B 83C408                  add esp, 00000008
:0040842E 83F801                  cmp eax, 00000001
:00408431 7510                    jne 00408443       <- hmm, looks like a flag test

Hey, it is a flag test. Let's see, the offset is 7831. Fire up Hiew on qh32.exe,
press F5, enter 7831, press F3, change the 75 <-> jne to 74 <-> je, press F9 to
update the file, exit Hiew.

Start Quick Heal, go to Utility:Registration, enter any key. Does it work?? NO,
hehe. Why not? Because, like 80 percent of the time, this proggy checks twice.
Crap, what now? Ah, not to worry, back to W32Dasm, go to the Strn Ref window
and try to click "Incorrect unlock code" again. This time you land here:

* Possible StringData Ref from Data Obj ->"Incorrect unlock code."

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004086B9(C)
|
:0040871F 6A30                    push 00000030
:00408721 8BCE                    mov ecx, esi

* Possible StringData Ref from Data Obj ->"Error"
|
:00408723 6878034400              push 00440378

So again follow the (U)nconditional or (C)onditional Jump: press Shift+F12
again and enter 004086B9. You'll land here:

:004086AE E83BCFFFFF              call 004055EE
:004086B3 83C408                  add esp, 00000008
:004086B6 83F801                  cmp eax, 00000001
:004086B9 7564                    jne 0040871F       <- flag test again

Looks like the same shit as before, so let's do the same thing: fire up Hiew
again on qh32.exe, press F5, enter 7AB9, press F3, change the 75 <-> jne to
74 <-> je, press F9 to update the file, exit Hiew.

Start Quick Heal, go to Utility:Registration, enter any key. Does it work? Yes,
cool, you get this message:

    Quick Heal has been upgraded to a complete working version, you can now use
    this software to the full of its capabilities

Is that cool or what????
AND NOW you can thank GOD that this little tutor is over. L8r.

If you got any comments or questions send em to me; if I got enough time I'll
send you an e-mail back. You might find me on IRC/EFnet under the nick
dAvIdnM1; if I got time I'll chat. Anyway, I hope to see you in Tutor #24.

Cracking Tutorial #23
Written bY dAvId/nIgHtMaRe'1
August 1999

Wanna contact me? Yeah, it's possible, e-mail me at dAvIdnM1@usa.net

PART 2
~~~~~~

*** To dAvId/nIgHtMaRe'1:
*** I didn't forget to patch but to install cracked version, didn't you
*** read what I said in Tutor #70/71 and in Tutor #71 Part 5, there is
*** already a tutor how to remove these shit below......anyway I'll
*** publish this shit.......tKC

HOW TO CRACK FIX / tKC's Cracking Tutorials 58-64 and octavius 2.0
Written bY dAvId/nIgHtMaRe'1

Welcome to my 24th cracking tutorial, created on 24 March 2000.
Sorry for my bad grammar, but I hope you will understand it anyway...

Where:             http://www.msjessca.da.ru
                   http://tkc.'s.computer <- (not an url) ;)  <- what the heck? - tKC :)
Protection System: Nag/Timeout
Crack Type:        **PATCH**

Special Note to tKC: you forgot how to patch AHM Triniton tools???
Tools:

one or more cups of coffee (but you can drink what you have)
a ciggy or more if you like (any brand will do) but I smoke Red Cecil
Hiew 6.x (best hex editor around)
Soft-Ice 4.0x (it really rox)
Far 1.63 Beta or any other Norton Commander clone
The Ultimate Packer for eXecutables v0.99.1 (good exe compressor)

Get the tools at http://protools.cjb.net

Files:

tutor58.exe
tutor59.exe
tutor60.exe
tutor61.exe   <- tKC tutorials
tutor62.exe
tutor63.exe
tutor64.exe   <- tKC tutorials
octavius.exe  <- tKC octavius 2, you know what it is
setup.exe     <- octavius installer

What the hell is this, you might ask: cracking/fixing tKC's cracking tutorials
58-64 and octavius 2.0? Well, I'll tell you. I downloaded the tuts a couple of
days ago; some time later that day/night I tried to run one of the tuts and
guess what happened: a nasty nag appeared telling me that this trial product
has expired and I should visit http:\\www.tritontools.com to register now.
First I thought that it was a joke, I mean tKC always uses AHM components in
his programs and knows how to crack em, so maybe it's only tutor58.exe?
No, it's all of them. Shit tKC, what a bug **eg** (: hehe. OK, it doesn't
really matter, let's crack/fix this bug.

Go into Soft-Ice (press Ctrl+D) and do a

    bpx getlocaltime

Next start any of the tutors or octavius. S-Ice will pop, but you'll be in
kernel; press F11. You'll see this (note: this might be different depending on
which tut you're cracking; I chose tutor58.exe but you can use any one you
like since they all contain the same bug :) ):

:00409040 E85BD2FFFF              call 004062A0
:00409045 668B4C240E              mov cx, word ptr [esp+0E]
:0040904A 668B54240A              mov dx, word ptr [esp+0A]
:0040904F 668B442408              mov ax, word ptr [esp+08]
:00409054 E86BFFFFFF              call 00408FC4
:00409059 DD1C24                  fstp qword ptr [esp]
:0040905C 9B                      wait
:0040905D DD0424                  fld qword ptr [esp]
:00409060 83C418                  add esp, 00000018
:00409063 C3                      ret

OK, now keep pressing F10 until you get to the ret, press F10 once more and
you'll land here:

:00467979 E8BA16FAFF              call 00409038
:0046797E DC5DEC                  fcomp qword ptr [ebp-14]
:00467981 DFE0                    fstsw ax
:00467983 9E                      sahf
:00467984 7609                    jbe 0046798F       <- is program expired?
Keep pressing F10 until :00467984, then type A <- that's the Soft-Ice
assembler; it will prompt you to enter a new command (code). Enter

    jmp 0046798F

press Enter, and then x followed again by Enter. The tutor will load without
nag or browser execute. Good; if not, you did wrong, start over.

Let's make it a perm crack. Write down the bytes DF E0 9E 76 09, you need em in
a minute in Hiew. Since all of tKC's tuts and also octavius 2.0 are packed with
UPX you need to unpack em first before you can patch em, just do a

    upx -d tutor58.exe   (or upx -d tutorxx.exe)

and you'll have the unpacked file for patching. OK, go to Far (it's real nice),
copy tutor58.exe to tutor58.exx just in case you fuck up. Now Hiew tutor58.exe,
press F4 and select Decode, press F7, pick Hex, type DF E0 9E 76 09 followed by
Enter. Now press F3 to change DF E0 9E 76 09 to DF E0 9E EB 09, finish off by
pressing F9 to update the exe and exit Hiew.

Special Note: for octavius/octavius installer press F7 and search once more
since there are two check points; just do the same.

And now the moment you've all been w.a.i.t.i.n.g for: run tutor58.exe. Wow, no
nag, heh, much nicer than before. You can now repack the file using

    upx --best tutor58.exe

to decrease the file size from 1,512,960 to 579,584, which will save you a
little hard drive space. OK, that's it, see you all later.

Cracking Tutorial #x
Written bY dAvId/nIgHtMaRe'1
On 24 March 2000

Wanna contact me? Yeah, it's possible, e-mail me at dAvIdnM1@usa.net. If you
got any comments or questions send em to me; if I got enough time I'll send you
an e-mail back. You might find me on IRC/EFnet under the nick dAvId_nM1; if I
got time I'll chat. Anyway, I hope to see you in tutor #25.

PART 3
~~~~~~

[ASCII-art group banner, garbled in this copy; the opening of this part is
missing.]

* Possible StringData Ref from Data Obj ->"9901"       <-- e
|
:004029CD 68DC004200              push 004200DC
:004029D2 8D8C24E4000000          lea ecx, dword ptr [esp+000000E4]
:004029D9 E852E7FFFF              call 00401130

* Possible StringData Ref from Data Obj ->"12790891"   <-- n (n > e so we know it is n)
|
:004029DE 68D0004200              push 004200D0
:004029E3 8D4C241C                lea ecx, dword ptr [esp+1C]
:004029E7 C784246406000000000000  mov dword ptr [esp+00000664], 00000000
:004029F2 E839E7FFFF              call 00401130

* Possible StringData Ref from Data Obj ->"8483678"    <-- 1st uncrypted part of the serial
|
:004029F7 68C8004200              push 004200C8
:004029FC 8D8C2474020000          lea ecx, dword ptr [esp+00000274]
:00402A03 C684246406000001        mov byte ptr [esp+00000664], 01
:00402A0B E820E7FFFF              call 00401130

* Possible StringData Ref from Data Obj ->"5666933"    <-- 2nd uncrypted part of the serial
|

This crackme uses RSA 2 times! The final serial is the 1st crypted part + the
2nd crypted part, added as string. OK, enough blablabla, let's go.

1st, we want to have "p" and "q". Fire up "factor.exe"... it shows us how to use
it:

C:\rsa>factor.exe
Usage: factor  OR  factor -f
e.g. factor -f 10#100-19
To suppress the commentary, use flag -s
To input from a file, use flag -i
To input from a binary file, use flag -b
To output to a file, use flag -o
e.g. factor -f 10#100-7 -s -o factors.dat

OK so: factor.exe n. We do factor.exe 12790891 and we obtain this:

C:\rsa>factor.exe 12790891
first trying brute force division by small primes
PRIME FACTOR 1667
PRIME FACTOR 7673

OK, good! Now we have p=1667 and q=7673. We will need to calculate d now! For
this we will use ce.exe! Fire it up and look:

Exponent Calculator v1.3 _ Ghiribizzo [OR&L/uKC] 1999
Usage: CE
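To see why a modulus this small gives no protection at all, here is the whole Part 3 calculation (trial-division factoring, d = e^-1 mod phi(n), the two RSA-exponentiated parts, and the check anyone holding only the public (n, e) can do) in Python. This is an added example, not the tutorial's or the crackme's code; it assumes only the values n, e and the two plaintext parts quoted in the listing above.

```python
# Added example (not part of the tutorial): a 24-bit RSA modulus falls to
# trial division in microseconds, and with p and q the private exponent d
# is just a modular inverse. Values below are the ones in the listing.
from math import isqrt

N = 12790891                 # modulus n from the string references
E = 9901                     # public exponent e
PARTS = (8483678, 5666933)   # the two "uncrypted" parts of the serial


def trial_division(n):
    """Return (p, q) with p * q == n by dividing by 2 and then odd numbers.
    Hopeless against a real modulus; instant against 24 bits."""
    if n % 2 == 0:
        return 2, n // 2
    limit = isqrt(n)
    f = 3
    while f <= limit:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("n is prime")


def modinv(a, m):
    """Extended Euclid: the x with (a * x) % m == 1, or ValueError."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: gcd != 1")
    return old_s % m


def recover_private_exponent(n, e):
    """(p, q, d): factor n, then d = e^-1 mod (p-1)(q-1) as ce.exe does."""
    p, q = trial_division(n)
    phi = (p - 1) * (q - 1)
    return p, q, modinv(e, phi)


def make_serial(n, d, parts):
    """Serial = decimal(part1^d mod n) followed by decimal(part2^d mod n)."""
    return "".join(str(pow(m, d, n)) for m in parts)


def verify_serial(n, e, serial_parts, parts):
    """What the crackme itself can do with only (n, e): each serial part
    raised to e mod n must give back the embedded plaintext part."""
    return all(pow(s, e, n) == m for s, m in zip(serial_parts, parts))


if __name__ == "__main__":
    p, q, d = recover_private_exponent(N, E)
    print(f"p={p} q={q} d={d}")
    sig = [pow(m, d, N) for m in PARTS]
    print("serial:", make_serial(N, d, PARTS), "valid:", verify_serial(N, E, sig, PARTS))
```

The two parts it prints can be compared with the values the tutorial reports a few paragraphs below; the verification step is the one a licence check performs, which is why the secrecy of d, and hence the size of n, is the only thing the scheme rests on.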

p=1667 and q=7673 and e=9901 (we have found "e" in string data reference).
Let's enter these numbers:

C:\rsa>CE 1667 7673 9901
Exponent Calculator v1.3 _ Ghiribizzo [OR&L/uKC] 1999
Inverse Exponent: 10961333

so d=10961333... OK, now we can finish our work! We will crypt each uncrypted
part of the crackme to make our final serial! It is a serial-only crackme, coz
the name is not used for the calculation...

    ( uncrypted ^ d ) % n = serial!

As this crackme uses 2 parts as serial, here comes the calculation:

* 1st Part: (we use abn.exe for this calcul: a=8483678, b=10961333, n=12790891)

  (1st Message uncrypted ^ d) mod n = 1st serial crypted
  For us: (8483678 ^ 10961333) mod 12790891 = 7167622 = 1st part

* 2nd Part: (we use abn.exe for this calcul: a=5666933, b=10961333, n=12790891)

  (2nd Message uncrypted ^ d) mod n = 2nd serial crypted
  For us: (5666933 ^ 10961333) mod 12790891 = 3196885 = 2nd part

So the final serial is: Part1 + Part2 (added as string) = Part1Part2

The serial is: 71676223196885

Enter your name, this serial, and we obtain: Well done, ACiD BuRN....

Great, we did it!

PART 4
~~~~~~

 _______________________________
| How to keygen Chop Shop v1.0  |
| by webmasta[PGC/RiSE]         |
 -------------------------------

OK, I was not going to write a tutorial on this program but I felt it must be
needed because the release group ECLiPSE couldn't release a working keygen. So
this tutorial is for ECL and all the other crackers.

Notes-....:
Name......: Chop Shop v1.0
Publisher.: Kupex
URL.......: http://www.kupex.com/chopshop/chopshop.zip
Protection: Visual Basic, Name/Serial
Tools.....: NuMega SmartCheck* v6.x, Windows Calculator, and a Brain

* URL: http://200.197.103.34/hambo/tools.html

-----------------------------------------------------------------------------

The Cracking

First, open the program. When it starts you should see a timer counting down
to 0 and a huge "Shareware" notice. There is also an "Enter Register Info"
button on this window. So click on it.
Ahh, a name/serial. OK, exit the target, do a "quick view" or read the file
header; you notice it is a Visual Basic program. Now that we know it's
name/serial, the easiest thing to do would be to set a breakpoint on
__vbaStrCmp in SIce, but everyone should know that, so let's do it an easier
way. Open the target in SmartCheck and run it. Enter your name and serial; I
chose "webmasta", "67676767". When the message box appears, End the program in
SmartCheck, and we see:

+ _Load   ; Load main part of program, finds if it's registered or not; if
          ; not registered then shows Nag Screen
+ _Timer  ; The timer that counts down on the Nag Screen
+ _Click  ; Our click on "Enter Registration Info"

That should explain what you see. Let's open + _Click by double clicking it:

+ _Load   ; Loads Registration window
+ _Timer  ; Timer from Nag Screen
+ _Timer
+ _Timer
.....
+ _Click  ; Our click on "OK" in Registration window

Let's see what happens when we click "OK" by double clicking + _Click:

UCase$                          ; Gets your name in Upper Case
Len returns LONG:8              ; Gets Length of your name
Long (8) --> Integer(8)
Mid                             ; If you go to "Show All Events" you see that this
                                ; compares every letter of your name to " " space;
Mid                             ; if there is a space then it gets rid of it...
Mid                             ; "webmasta Q" -> "webmastaQ"
..
Len returns LONG:8              ; Get new length
Long (8) --> Integer(8)
Mid$                            ; 1st Char
Asc returns Integer:87          ; W
Mid$                            ; 2nd Char
Asc returns Integer:69          ; E
Mid$                            ; 3rd Char
Asc returns Integer:66          ; B
Mid$                            ; 4th Char
Asc returns Integer:77          ; M
Mid$                            ; 5th Char
Asc returns Integer:65          ; A
Mid$                            ; 6th Char
Asc returns Integer:83          ; S
Mid$                            ; 7th Char
Asc returns Integer:84          ; T
Mid$                            ; 8th Char
Asc returns Integer:65          ; A
Double (2.27338e+007) --> Long(22733824)       ; Large number calculated from
                                               ; something
Left                                           ; takes the first 7 chars of
                                               ; 8075418025984
String ("8075418") --> Double(8.07542e+006)    ; 8075418
Left                                           ; takes first 3 chars from the left
                                               ; and puts 123-
Double (8.07542e+006) --> String("8075418")    ; 8075418
Mid$                                           ; takes 4, 5, 6 char and puts 456-
Right                                          ; takes the 1st char from the right
                                               ; and sticks it on the end
Msgbox                                         ; bad Msgbox

OK, that is the main serial algo.. this is where your brain is supposed to be
used. We know the program takes the ASCII value of our name, but how does it get
that big number after it does that? Let's see.. if we add the ASCII values up we
get 87+69+66+77+65+83+84+65=596. Well, 22733824/596 = 38144, interesting, but
this is not the number that will work.. if we do 38144/596 = 64! OK, but what
about 8075418025984? Well, 8075418025984/596 = 13549359104, hmmm, I tried this
in a keygen but it didn't work, so let's try 13549359104/596 = 22733824.. of
course.. If you did not understand, here is the algo:

A = ASCII of Each Char of Name
A = Z             ; Z = 596
A = A * 64        ; A = 596 * 64
A = A * Z         ; A = 596 * 38144
B = Z * Z         ; B = 596 * 595
B = B * A         ; B = 355216 * 22733824

B is equal to 8075418025984. The algo then takes the first 7 chars "8075418" and
splits it into "807-541-8".

Another One Cracked.
Greets: Nitrus, Muad`Dib, llama, C_DKnight, WarezPup, #cracking4newbies, risc,
nchanta, lithium2, BNW, sheep140, insane[pgc], thesmurf, speedsta, Immortal
Descendants, CrEaM, izelion, dlw, ACiD BuRN, Toth, hell, Dow, dennison, prs,
TK4, glen, jess0r, metaray, nail, Black Acid, TCA wh0res, #cracking4newbies,
FireWorx, Dormouse, Da_DiABLO, PGC, DC (R.I.P), RiSE and DVN

Thanks to tKC, Maud`Dib, LaZaRuS, risc, Eternal Bliss, Tornado, Acid Burn, and
others for their great Tutorials!

Contact Info: #cracking4newbies on EFnet (IRC) or webmasta@pgc-cracker.com

**Keygen Source**************************************************************
**Visual Basic**

strName = TxtName.Text
strName = UCase(strName)
For i = 1 To Len(strName)
    X = Mid(strName, i, 1)
    If X = " " Then GoTo 500
    newName = newName & X
500:
Next i
For i = 1 To Len(newName)
    A = A + Asc(Mid(newName, i, 1))
Next i
Z = A
A = A * 64
A = A * Z
B = Z * Z
B = B * A
B = LTrim$(B)
B = Left$(B, 7)
C = Str$(Left$(B, 3))
C = C & "-"
C = LTrim$(C)
D = Str$(Mid$(B, 4, 3))
D = D & "-"
D = LTrim$(D)
E = Str$(Right$(B, 1))
E = LTrim$(E)
E = C & D & E
TxtSerial.Text = LTrim$(E)
*****************************************************************************

PART 5
~~~~~~

## Incoming transmission... ##

hOW tO cRACK tWEAKI ... fOR pOWER uSERS v 2.6.0!

------------------------------------------------------------------------------
## Tools that you will need:
## -- W32dasm patched with SDR Enabler for VB apps by _duelist
## -- Hiew or any other hexeditor
## -- A little spare time
------------------------------------------------------------------------------

## dISCLAIMER
~~~~~~~~~
THIS IS FOR EDUCATIONAL PURPOSE ONLY. I'LL NOT BE BLAMED FOR A MIS-USE OF THIS
MATERIAL.
~~~~~~~~~

One more thing to know.... this is my first tutorial, hopefully more will come..
Ah, and please forgive me for the mistakes that you may see in this tutorial.

OK.. first, make a copy of the file tweaki.exe. Disassemble the copy of
tweaki.exe.
Run the program and go to Options | About and try to enter a name and a serial
number; a messagebox will pop out:

    "The registration number entered is invalid. Please check your number and
    try again"

This is good, now you know what you will look for... In W32Dasm, after you
disassembled the file, press ALT+S+F and enter the string within that
messagebox you saw when you entered a false registration number, in order to
search for it. You will see this:

* Possible StringData Ref from Code Obj ->"The registration number entered "
                                        ->"is invalid. Please check your "
                                        ->"number and try again."

:004FB3E3 C7853CFFFFFF08C34600    mov dword ptr [ebp+FFFFFF3C], 0046C308
:004FB3ED C78534FFFFFF08000000    mov dword ptr [ebp+FFFFFF34], 00000008
-------------

Now roll up until you find this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FB29B(U)

:004FB2A7 A144C15A00              mov eax, dword ptr [005AC144]
:004FB2AC 50                      push eax

* Possible StringData Ref from Code Obj ->"INVALID_NUMBER"
-----------

OK... now press SHIFT+F12 in order to enter that referenced address, 004FB29B.
After that roll up until you find this:

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h

:004FB129 FF15F8104000            Call dword ptr [004010F8]
:004FB12F 83C40C                  add esp, 0000000C
:004FB132 0FBF85E4FEFFFF          movsx eax, word ptr [ebp+FFFFFEE4]
:004FB139 85C0                    test eax, eax
:004FB13B 0F84A4030000            je 004FB4E5        <-- Here you must change
:004FB141 833DE8C25A0000          cmp dword ptr [005AC2E8], 00000000
:004FB148 751C                    jne 004FB166
:004FB14A 68E8C25A00              push 005AC2E8
:004FB14F 68B4AB4300              push 0043ABB4
------------

You must change the "je 004FB4E5" into "jmp 004FB4E5". By doing this the
program will always "think" that you entered a good serial number no matter
what you enter. OK... now that you know what bytes to change, open tweaki.exe
and search for the address 004FB13B and change the 0F84A4030000 into
E9A5030000... if you're using Hiew press F3 and then F2 and change the je into
jmp, then F9 and then exit.
Now run the program and enter whatever name and serial you want and press
Register. Congratulations, the program is registered. Easy, huh?

## Transmission ended...

Date: Sunday, 08.04.2000
Comments or whatever at this address ---> WiShMakEr_Rulez@yahoo.com

-------------------------------------------------------------------

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did!

Don't miss Tutor #77 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:

DnNuke for Interface.
N0rthpole for Splash Logo.
dAvId/nIgHTMaRe'1 for providing 2 tuts in this version.
ACiD BuRN for providing a tut in this version.
webmasta for providing a tut in this version.
WiShMakEr for providing a tut in this version.
tKC for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next
tutorials.. see below for my email address!

*** 80 chars per line in textfile please! ***

And all the tutors can be found at:

http://www.crackersinaction.org (or on IRC, ask CiA ops for urls!)

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 22 April 2000

Cracking Tutorial #76 is dedicated to Melany...