Welcome to Cracking Tutorial #86!

Hiya guys,

Sorry for delays, again I was busy with coding and all shit.. And now, I would like to present my tKC's Tutorial Viewer 2000 v1.1! It's a faster, better Viewer and Tutor Editor, with more features added! Also released: tKC's Tutorial Viewer 2000 Lite, for those who have problems with their 3D cards. You can find them at http://www.crackersinaction.org... enjoy it!

Here's a tut86.tKC... OK, let's rave! ...or crack babes? :)

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

  SoftICE v4.05
  W32Dasm v8.93
  Hacker's View v6.50
  SmartCheck v6.03
  ProcDump32 v1.6.2
  TRW2000 v1.22
  IDA v4.04
  Windows Commander v4.03 (I use it coz it's easier to multitask)
  Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here are a few good sites where you can grab tools from:

  http://protools.cjb.net
  http://w3.to/protools
  http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?! OK! ;)


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
ANIMATED SCREEN v4.2
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER
This reading material is not intended to violate Copyrights and/or the law, but is for educational purposes only. I hold no responsibility (by all means and in any shape whatsoever) for the misuse of this material.

ABOUT THE PROGRAM
Animated Screen lets you create Windows screen savers, stand-alone presentations and animated .GIF files that you can give to your friends and customers or publish at your Web site. You can also use Animated Screen to start your own screen saver business, selling custom shareware screen savers, with your company listed as the author.
There are no distribution fees and, as an Animated Screen owner, you can distribute the animations that you create in unlimited quantities, royalty-free.

WHERE TO DOWNLOAD
Author   : PY Software, Inc.
Homepage : http://www.pysoft.com
URL      : http://209.235.102.9/%7Eani25727/ascrstp.zip
Size     : 3.1 MB

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Run ANIMSCR.EXE. In the main program click on the HELP/REGISTRATION/REGISTRATION KEY... submenu. In the registration dialog box type the information below:

     Name         : PIRATES ORDER
     Licence Code : 73881050

   Do not click the OK button yet (hereinafter referred to as the OK button).

2. Fire up SoftIce by pressing [CTRL + D] and put a new breakpoint, in this case on HMEMCPY:

     BPX HMEMCPY [enter]

   and F5 to return to the main program.

3. Now it's time to click the OK button... you must get into SoftIce! Within SoftIce press F11, F5, and F11 once again. You have to get to the main program's code, so press F12 several times (11 times, if I am not mistaken) until you see and land at:

   __________________________________________________________________
   00507D29: E84AAAF2FF      call 000432778              <== you land here
   00507D2E: 8B95F4FDFFFF    mov edx,[ebp][0FFFFFDF4]
   00507D34: 58              pop eax
   00507D35: E832C3EFFF      call 00040406C              <== D EAX here
   00507D3A: 0F84EB000000    je 000507E2B
   00507D40: 8D95F4FDFFFF    lea edx,[ebp][0FFFFFDF4]
   00507D46: 8B83C8020000    mov eax,[ebx][0000002C8]
   00507D4C: E827AAF2FF      call 000432778
   00507D51: 8B85F4FDFFFF    mov eax,[ebp][0FFFFFDF4]
   00507D57: 8D95F8FDFFFF    lea edx,[ebp][0FFFFFDF8]
   00507D5D: E8D64EFCFF      call 0004CCC38
   00507D62: 8B85F8FDFFFF    mov eax,[ebp][0FFFFFDF8]
   00507D68: 50              push eax                    <== D EAX here
   00507D69: 8D95F4FDFFFF    lea edx,[ebp][0FFFFFDF4]
   00507D6F: 8B83D0020000    mov eax,[ebx][0000002D0]
   00507D75: E8FEA9F2FF      call 000432778
   00507D7A: 8B95F4FDFFFF    mov edx,[ebp][0FFFFFDF4]
   00507D80: 58              pop eax
   00507D81: E8E6C2EFFF      call 00040406C
   00507D86: 0F849F000000    je 000507E2B
   00507D8C: 8D95F4FDFFFF    lea edx,[ebp][0FFFFFDF4]
   00507D92: 8B83C8020000    mov eax,[ebx][0000002C8]
   00507D98: E8DBA9F2FF      call 000432778
   00507D9D: 8B85F4FDFFFF    mov eax,[ebp][0FFFFFDF4]
   00507DA3: 8D95F8FDFFFF    lea edx,[ebp][0FFFFFDF8]
   00507DA9: E8F64EFCFF      call 0004CCCA4
   --------
   00507DAE: 8B85F8FDFFFF    mov eax,[ebp][0FFFFFDF8]
   00507DB4: 50              push eax                    <== D EAX here
   00507DB5: 8D95F4FDFFFF    lea edx,[ebp][0FFFFFDF4]
   ___________________ANIMSCR!CODE+00106D29_____________________

   In case of a different address, do a search string (in the Command Line of course) as follows:

     s 0 l ffffffffffff E8 4A AA F2 FF [enter]

   SoftIce will report:

     Address found at 0137:0000XXXXX    <== bpx this location [enter]

4. Since you're already in the main program's code, clear or disable the previous breakpoint by typing:

     bd * or bd 00 [enter]

   then set a new breakpoint for further usage:

     bpx 0137:00507D29 [enter]

5. Let's start tracing the code; F10 once, then type:

     d edx [enter]    ==> your fake reg.code appears in the Data Window.

   F10 once again, type:

     d eax [enter]    ==> your FIRST potential reg.code, it's 09CCF100

6. Keep pressing F10 and stop at 0137:00507D68, type:

     d eax [enter]    ==> your SECOND potential reg.code, it's 91C6EA00

7. Press F10 again and stop at 0137:50D7B4, type:

     d eax [enter]    ==> the THIRD potential reg.code, it's 42F06100

8. Up to this stage, don't even think "how many times do I have to press the F10 key and get a new potential reg.code?". Here I would like to give you a tip: don't hurry into loading SoftIce before you evaluate the program itself. First, observe the main program's window: is there a nag screen, a remaining evaluation period, an unregistered string in the title bar, etc.? Second, read the HELP contents and check the REGISTRATION section. If you read the HELP menu (later on), there are 3 (three) kinds of licenses applied to this program. They are as follows:

     License at Home only
     Commercial license
     License for creating .GIF and .AVI only

9. So, you have already got those three potential reg. codes; which one of them will be applied to the above license(s)?

10. Disable the currently existing breakpoint:

      bd * [enter]

    F5 to return to the Registration window, retype the reg.code you'd found, then click OK to confirm.

11. Once you have entered the reg.code for the Commercial License there will be no classic 'Thank you for registering' message, but it brings you back into the main program's window. All you have to do is view the license thru the HELP/ABOUT submenu.

YOU'RE REGISTERED now... However, as a matter of fact you did an ILLEGAL REGISTRATION, which the Author hates!

END NOTES
This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: Register, pay up, and smile/grin at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)! (tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s)' crack releases, repacking (distro) them under his name. Adopted from newsgroups alt.cracks, alt.crackers - February 1997)

More about LAMER(s):
lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
[EOF]


DEAD LISTING, PATCHING AND ENJOY THE JOKES FROM O'RORKE
PASSWORD ASSISTANT v1.5
A Cracking Tutorial by ASTAGA [D4C/C4A]

ABOUT THE PROGRAM
Password Assistant is a program designed to help you manage the unavoidable sea of passwords that build up in everyday life so that you only have to remember a single one. As long as you remember your password to get into Password Assistant, it can take care of the countless others for you. It presents a simple and easy to use interface that allows quick storage and retrieval of passwords. All files it saves are encrypted to prevent anyone else from finding out your passwords, keeping them safe and secure.

Features
  - Unlimited users
  - Free 30 day trial period
  - Secure storage of passwords
  - Unlimited password storage
  - Easy hierarchical navigation
  - Installer/Uninstaller

WHERE TO DOWNLOAD
Author   : John O'Rorke (Bubonic Software)
Homepage : http://www.starfighter.net/bubonic/
URL      : http://www.starfighter.net/bubonic/programs/pass/passwordsetup.exe
Size     : 132 KB

MY HYPOCRISY
If you have read my tutorial(s) before, I always put WHY PATCHING WHILE SERIAL NUMBER IS FISHY in the header. This time, of course NOT! Why do I do this patching?

  * The program is small.
  * The Author is trying to fool newbie(s) by telling "Registration code for Bubonic Software's Password Assistant. DO NOT DISTRIBUTE THIS INFORMATION 1164398" - which is hard coded in the .exe file. Nice try, Rorke! even though that's a part of the reg. code formula. And you NEWBIES take a look at step no. 9 below.... muhahahaha!
Further, there are 2 main reasons why I am not so much into the 'Dead Listing' approach:

  1. Dead listing (mostly) sometimes takes a lot of HD space.
  2. I am reluctant to let people register the program illegally by using his/her own username and a fake reg.code. So, I let end users use an unusual/ugly name like i.e. ASTAGA or other scary names.

PREPARATION
  * Check the tools/utilities that I currently use in the bottom section of this tutorial.
  * I recommend you read early tKC's or FLUX[PC] tutorials to become familiar with the 'dead listing' approach. Possibly you can find and download them from:
      http://zor.org/krobar/
    or
      http://homepages.hack-net.com/ghetto/collection/main.html

LET'S DANCE ... DANCE ACROSS THE FLOOR

1. Make a backup copy of Password.exe called T.EXE or whatever you like. Read early tKC's tutorials on why you should follow this procedure. Run WDASM, open PASSWORD.EXE and wait until the disassembling process is finished.

2. Click the STRNREF (stands for String Data Reference - aka SDR) icon in the right corner of the WDASM menu bar. The WDASM List of String Data Items window will appear; scroll down until you find "Incorrect information entered", double click this line, and here's what you will get:

   * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
   |:00403816(C), :00403830(C)         <=== follow these conditional jumps
   |
   :004038EB 8B0DE4094200         mov ecx, dword ptr [004209E4]
   :004038F1 894C2408             mov dword ptr [esp+08], ecx

   * Possible StringData Ref from Data Obj ->"Incorrect information entered"
   |
   :004038F5 6800074200           push 00420700
   :004038FA 8D4C240C             lea ecx, dword ptr [esp+0C]
   :004038FE C684248400000002     mov byte ptr [esp+00000084], 02
   :00403906 E8C9FD0000           call 004136D4

   As you see in the above section, there are 2 (two) conditional jumps; let us find out what their contents are. To do this, you have to "Goto Code Location" by pressing [SHIFT + F12], then enter 00403816 and 00403830 in the CODE OFFSET (HEX) field box respectively.

3. If nothing goes wrong, you should have 00403816 and/or 00403830 highlighted in green. Look at the bottom line, you should see:

     Line 5058 Pg66 of 729 Code Data @00403816 @Offset 00003816h in File:Password.exe
   and/or
     Line 5068 Pg66 of 729 Code Data @00403830 @Offset 00003830h in File:Password.exe

   respectively. Write down those two hex offsets, 3816h and 3830h, for further usage.

4. Here are the code snippets:

   part one: 00403816(C)

   * Possible StringData Ref from Data Obj ->"!User334"
   |
   :00403806 6830014200           push 00420130
   :0040380B 50                   push eax
   :0040380C E8640F0000           call 00404775
   :00403811 83C408               add esp, 00000008
   :00403814 85C0                 test eax, eax
   :00403816 0F85CF000000         jne 004038EB          <===== reverse it!

   part two: 00403830(C)

   * Possible StringData Ref from Data Obj ->"1164398"    <=== nice try, Rorke
   |
   :00403820 6828014200           push 00420128
   :00403825 51                   push ecx
   :00403826 E84A0F0000           call 00404775
   :0040382B 83C408               add esp, 00000008
   :0040382E 85C0                 test eax, eax
   :00403830 0F85B5000000         jne 004038EB          <===== reverse it!

5. Run your favorite Hex Editor, but I am using Hacker's View (HIEW); open T.EXE, OR you can directly type HIEW T.EXE in the command line, press [ENTER] 2 times, press F5 then type 3816 [enter]. Here's what you get:

   T.EXE  R PE.00403816  a32 -------- 159744 | Hiew 6.00
   00403816: 0F85CF000000    jne .0004038EB      ----- (1)
   0040381C: 8B4C2470        mov ecx,[esp][00070]
   00403820: 6828014200      push 000420128      ;" B("

   Press F3, you're in HIEW's edit mode:

   T.EXE  W PE 00003817  a32          159744 | Hiew 6.00
   00003816: 0F85CF000000    jne 0000038EB
   0000381C: 8B4C2470        mov ecx,[esp][00070]

   Press the right arrow key once and change 85 to 84; after the change it will look as follows:

   T.EXE  W PE 00003817  a32          159744 | Hiew 6.00
   00003816: 0F84CF000000    je 0000038EB

   Press F9 to save your work, then press F10 to quit HIEW.

6. Run T.EXE, repeat the registration procedure and enter any name & number as your serial number, click OK...... but alas... the prog still won't register!
7. Well, do you remember there are 2 conditional jumps, right? We have done patching the offset at 3816; now the last thing is the hex offset at 3830.

8. Run HIEW again, go to hex offset 3830 (you know how to do it!) and change

     00403830: 0F85B5000000    jne .0004038EB
   to
     00403830: 0F84B5000000    je .0004038EB

   Save it, quit HIEW, re-run T.EXE, repeat the registration procedure, click OK and see what you get:

     You have successfully registered Password Assistant
     You are no longer constrained .....................
     Do not distribute the registration information!

   YOU'RE REGISTERED now... However, as a matter of fact you did an ILLEGAL REGISTRATION!

9. Here are the SHIT FACTs of cracking this program: Get the clean virgin uncracked PASSWORD.EXE. In the registration window type this info:

     User Name : !User334
     Password  : 1164398

   click OK.... again you're registered! NO PATCHING IS NEEDED! Muhahahahaha.... I'm starting to like your joke... Rorke!

ASTAGA [D4C/C4A]
tute-pwdassistant15.zip or c4a_pa15.zip
[EOF]
6/1/00 1:53:12 PM
astaga2000@mailcity.com

Tools :
  Windows Commander v4.03
    http://www.ghisler.com
  W32Dasm v8.93
    http://www.ukrik.hr/~corleone/fajlovi/tools/w32dsm89.zip
    http://www.wco.com/%7Emicuan/Tools/wdasm893.zip
    http://members.xoom.com/little_timmy/duelist/w32dasm.v8.9.already.patched.zip
    http://www.crackworld.com/hambo/files/s-w32dsm.zip
    http://www.esoterica.pt/delphi-pt/crack/cractol_wdasm89.zip
    http://www.crackstore.com/toolz/w32ds893.zip
    http://mitglied.tripod.de/ahlman/Tools/wdasmvb.zip
    http://software.freepage.de/acg2000group/download/tools/w32ds893.zip
    http://hackersclub.com/km/files/cfiles/cfiles99/w32ds893.zip
    http://dread99.cjb.net/
    http://www.phys.uu.nl/~vdweerd/dread/resources/files.html
  Hackers View v6.x
    http://members.dencity.com/muad/files/hiew604.zip
    http://skyscraper.fortunecity.com/valve/256/hiew.zip
    http://themen01.exit.de/internet/member/lecentral/files/hiew616.zip


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
SCREEN POWER v1.3
A Cracking Tutorial by ASTAGA [D4C/C4A]

ABOUT THE PROGRAM
Screen power is a tray app program for WIN95-98-NT that allows fast and easy one-click:
  - access (run/configure) to your screensavers
  - temporarily DISABLE your default screensaver (very useful when you are running time critical applications like Backup - Burning CD-ROMs - Disk tools - MPEG movie viewing and a lot of other programs.
    Don't let your screen saver slow down your programs or ruin a CD-ROM burning)
  - shutdown, reboot, log-off, force shutdown, go in standby mode
  - hide/disable: desktop icons, start button, taskbar buttons, system keys (like ALT+TAB)

WHERE TO DOWNLOAD
Author   : mindbeat.com
Homepage : http://www.mindbeat.com
URL      : http://members.xoom.com/Utilmind/images/xpow.zip
Size     : 842 KB

HOW TO GET VALID SERIAL NUMBER by using SoftIce

This program is not so special, besides being quite old (released September 1999), but I chose this one to show how amazing the HMEMCPY breakpoint is, and where the program doesn't have an OK button to confirm our registration key.

1. Run XPOWER.EXE (421888 bytes); the main program resides in the tray bar. Right click on the left program icon, choose the CONFIGURE SCREEN POWER submenu then click the REGISTER tab. In the registration dialog box type the information below:

     Registration Key : 9073884665

   ha, there is no OK button... right?

2. Fire up SoftIce by pressing [CTRL + D] and put a new breakpoint, in this case on HMEMCPY:

     BPX HMEMCPY [enter]

   and F5 to return to the main program.

3. In the beginning you saw that the program doesn't have the usual OK button, so, what are you gonna do now?? You can either type one character/number or press the BACKSPACE key once. Now, press the BACKSPACE key once, ... you must be brought back into SoftIce! Within SoftIce press F11 once followed by pressing F12 several times (12/14 times, if I am not mistaken) until you see and land at:

   _____________________________________________________________________
   0045189C: E8ABC5FCFF      call 00041DE4C              <=== YOU LAND HERE
   004518A1: 8B4DF4          mov ecx,[ebp][-000C]
   004518A4: 8B5308          mov edx,[ebx][00008]
   004518A7: 8B45FC          mov eax,[ebp][-0004]        <== D EDX here
   004518AA: E81955FEFF      call 000436DC8
   004518AF: 33C0            xor eax,eax
   004518B1: 5A              pop edx
   004518B2: 59              pop ecx
   004518B3: 59              pop ecx
   004518B4: 648910          mov fs:[eax],edx
   _______________________XPOWER.EXE!CODE+0005089C______________________

   Note: In case of a different address do a search string as follows:

     s 0 l fffffffffffffffff E8 AB C5 FC FF 8B 4D [enter]

   SoftIce will report:

     Address found at 0137:000XXXXXXXXXXX    --> bpx this location.

4. Now we are in the main program's code. Clear the currently existing breakpoint since we don't need it anymore:

     bd 00 or bd * [enter]

   Set a new breakpoint at the new location:

     bpx 0137:0045189C [enter]

5. Press F10 once - stop at 0137:004518A4, and type:

     D ECX [enter]

   Your fake reg key appears in the Data Window.

6. Press F10 once again - stop at 0137:004518A7, type:

     D EDX [enter]

   In the Data Window you'll see 2 (two) suspected valid registration keys, which are:

     AF00B0FF1
   and
     30330017161011171905A0A4510

7. Let's try your luck. Disable all breakpoints:

     bd * [enter]

   F5 to return to the registration window.

8. Retype the S/N you have noted as your registration code, and you'll be confirmed with "Thank you for registering" in the line below the registration field box.

YOU'RE REGISTERED now... However, as a matter of fact you did an ILLEGAL REGISTRATION!

ASTAGA [D4C/C4A]
[EOF]


HOW TO GET THE SERIAL FOR Cli-Mate v1.5.9

Welcome to yet another cracking tutorial, written by some guy in South Africa. This time I'll show you how to KeyGen Cli-Mate v1.5.9

Tools Used:
  SmartCheck 6.01
  W32Dasm 8.93
  Softice 4.01
  BCB 4 Pro

Web: http://users.nac.net/splat/climate/

Ok... time for some more practice on a VB program. We start off by loading cli-mate.exe in SmartCheck and pushing F5 to start tracing. Click Help->Register and enter your details. Hit Ok to continue. I used:

  Name: JayT [CrackZA-TnD]
  Code: 10111978

boom.. the error message appears. Click ok to close the message and close the registration window. Exit the program as well. Now looking in SmartCheck you should see the following:

  [+] _Load
  [+] _Timer     (This may be repeated various times)
   .     "
   .     "
   .     "
  [+] _Click
  [+] _Unload

Ok... from this we can see what the program was basically doing. It loads itself and its settings and then waits for user input. By selecting the Register menu option, we triggered the _Click event. So let's click the [+] before it and see what else we can find.
hmm.. a few more _Timer events and then one more _Click event. Ok, this would be when we clicked on Ok on the register box. So let's click on the [+] again and follow further.

Cool. I see my name and straight away I noticed the program was calculating the values of each letter in my name.

  $Str(VARIANT:ByRef Long:20000)
  Trim$(String:"20000")

Scrolling down I saw that it was using a value of 20000. At first I thought it was just the sum of my char values added up... but I wasn't even close if I added them up. hehe. So, feeling a bit lazy, I loaded cli-mate.exe up in W32Dasm and went to the offset of the last function before the above 2 lines.

  CLI-MATE.EXE!0006D07A

Which would be Address 46D07A in W32Dasm.

  * Reference To: MSVBVM60.rtcAnsiValueBstr, Ord:0204h
  |
  :0046D07A E84954F9FF       Call 004024C8        <-- You land here.
  :0046D07F 0FBFC0           movsx eax, ax

So now you can either trace this bit in softice (which is recommended) or you can take a chance and see if you can find anything from inside W32Dasm. Originally I used softice.. but I'll use W32dasm for this tut.

As we follow this code... we end up 19 lines further down in W32dasm. I think it's about 15 F10's in softice? Anyway... you need to trace down to the following line.

  * Reference To: MSVBVM60.__vbaVarForNext, Ord:0000h
  |
  :0046D0B0 E86F52F9FF       Call 00402324
  :0046D0B5 EB98             jmp 0046D04F

F10 over the call and you end up jumping to 0046D04F.

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0046D0B5(U)
  |
  :0046D04F 3BC3             cmp eax, ebx         <-- You land here
  :0046D051 7464             je 0046D0B7

Press F10 and go into the next jump. You should end up at the code below. Now taking a closer look at this bit of code we can see that the value in eax is multiplied by 0xDh (which is 13 decimal) and 3 lines lower, 6 is added to it. Now if you were using softice... you should notice the value in eax is the total value we were trying to find :) In my case... it's the 20000

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0046D051(C)
  |
  :0046D0B7 8B45D4                 mov eax, dword ptr [ebp-2C]
  :0046D0BA C78554FFFFFF03400000   mov dword ptr [ebp+FFFFFF54], 00004003
  :0046D0C4 6BC00D                 imul eax, 0000000D     <-- eax = eax * 13
  :0046D0C7 0F809C050000           jo 0046D669
  :0046D0CD 8945D4                 mov dword ptr [ebp-2C], eax
  :0046D0D0 83C006                 add eax, 00000006      <-- eax = eax + 6
  :0046D0D3 0F8090050000           jo 0046D669
  :0046D0D9 8945D4                 mov dword ptr [ebp-2C], eax

For those of you trying this in W32dasm... take the value you got from SmartCheck, subtract 6 from it and then divide it by 13. You should end up with the total of the sum of the char values in your name :)

So.. let's move on.

  Left$(String:"JayT [Cr...", Long:1)
  UCase$(String:"J")

By clicking on the lines above, you will be able to see the full Strings used in the right side of SmartCheck. By clicking on the Left$ line from above, I would see the following in the right panel:

  [-]- String str = 00580460
   |   |
   |   --- = "JayT [CrackZA-TnD]"
   ---- Long length = 1  0x00000001

Following a bit further down (on the left side of SmartCheck) you see

  Right$(String:"JayT [Cr...", Long:1)
  UCase$(String:"]")

Now what this has done is that it's taken the first and last chars of my name and converted them to uppercase.

hmm... well.. that's as far as my tracing goes before the error message, so let's look in the top right window of SmartCheck for the file offset of the last command before the MsgBox appeared. I get

  CLI-MATE.EXE!0006D15E (no debug info)

Now before we can set a breakpoint in Softice, we need to add 400000 to the above offset. Don't ask me why, I've forgotten, but we just need to ;) So the actual address we will be using is 46D15E.

Run cli-mate.exe and go to the registration screen. Enter your details again and push Ctrl-D. Cool.. inside softice. Now set a breakpoint for hmemcpy. Press F5 to return to the program and then hit Ok. Boom... back into softice. Now press F11 once, and then alternate pressing F12 and F10 12 times. eg. F12, F10 (1) - F12, F10 (2) - F12, F10 (3) up till 12. If you go too fast, you'll miss the right spot. *grin*

You should land up inside the cli-mate.exe file. Once inside, type bc * and then enter the new breakpoint we wrote down from earlier (bpx 46D15E). Press F5 to continue. Boom... softice breaks again. Now press F10 5 times to the following call.

  CALL MSVBVM60!__vbaStrCat

Hit F8 to enter it and then press F10 9 times till you trace down till you see the following lines

  jl 66046FFC
  mov EAX, [EBP+08]
  pop EBP

Press F8 so you pass the above lines and then type 'd eax'. Cool! Our code. Now we can see what it's done with the other values! It's concatenated the first and last chars of the name to the beginning and end of the sum of the char values of our name respectively.

  Name: JayT [CrackZA-TnD]
  Code: J20000]

So let's see what this would look like in coding. This is what I came up with using Borland C++ Builder 4:

//---------------------------------------------------------------------------
void __fastcall TForm1::Edit1Change(TObject *Sender)
{
    int length;
    char name[255], code[255] = " ";
    long value = 0;
    AnsiString firstletter, lastletter;

    length = Edit1->Text.Length();
    // nothing to do for an empty name (name[length - 1] would read before the
    // buffer), and a name longer than the buffer would overflow strcpy
    if(length == 0 || length > 254){
        Edit2->Text = "";
        return;
    }
    strcpy(name, Edit1->Text.c_str());

    // first and last characters of the name; the trace shows UCase$ applied to both
    firstletter = AnsiString(name[0]).UpperCase();
    lastletter  = AnsiString(name[length - 1]).UpperCase();

    // sum of the character values (rtcAnsiValueBstr inside the __vbaVarForNext loop)
    for(int i = 0; i < length; i++){
        value = value + name[i];
    }
    // imul eax, 0Dh ; add eax, 6
    value = (value * 13) + 6;
    sprintf(code, "%ld", value);

    // __vbaStrCat: first letter + number + last letter
    Edit2->Text = firstletter + code + lastletter;
}
//---------------------------------------------------------------------------
void __fastcall TForm1::FormShow(TObject *Sender)
{
    Edit1Change(Sender);
}

Sorry for the bit in the middle getting a bit confusing. I had to do some stuff for a while and lost my train of thought when I came back *grin* Let me know if you are totally confused and I'll help ya.
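The scheme traced above, rewritten as a stand-alone C++ program (an added example, not JayT's BCB code and not anything from Cli-Mate itself) so it can be checked against the name/code pair from the trace. It also makes the weakness of this kind of check visible: the value depends only on the sum of the characters plus the two end letters, so rearranged names validate with the same code, and the "subtract 6, divide by 13" shortcut from the W32Dasm note recovers the sum from any displayed value.

```cpp
#include <cctype>
#include <string>

// Steps seen in SmartCheck / W32Dasm in the trace above:
//   1. rtcAnsiValueBstr on each character, summed in the __vbaVarForNext loop
//   2. imul eax, 0Dh ; add eax, 6
//   3. UCase$(Left$(name, 1)) and UCase$(Right$(name, 1))
//   4. __vbaStrCat: first + Str$(value) + last
// The only data taken from the page is the name "JayT [CrackZA-TnD]" -> "J20000]".

long charSum(const std::string& name) {
    long sum = 0;
    for (unsigned char c : name) sum += c;   // byte value of each character
    return sum;
}

std::string climateCode(const std::string& name) {
    if (name.empty()) return "";
    long value = charSum(name) * 13 + 6;     // imul eax,0Dh ; add eax,6
    char first = static_cast<char>(std::toupper(static_cast<unsigned char>(name.front())));
    char last  = static_cast<char>(std::toupper(static_cast<unsigned char>(name.back())));
    return std::string(1, first) + std::to_string(value) + std::string(1, last);
}

// The W32Dasm shortcut from the text: recover the character sum from the
// value SmartCheck displayed. Returns -1 if the value cannot come from this scheme.
long sumFromTraceValue(long value) {
    if (value < 6 || (value - 6) % 13 != 0) return -1;
    return (value - 6) / 13;
}

// Why this is a weak scheme: a character sum ignores order, so two different
// names with the same characters and the same (upper-cased) first and last
// letters get the same code. Returns true when that happens.
bool codesCollide(const std::string& a, const std::string& b) {
    return a != b && climateCode(a) == climateCode(b);
}

int main() {
    // Name/code pair from the trace above; exit status 0 when they agree.
    return climateCode("JayT [CrackZA-TnD]") == "J20000]" ? 0 : 1;
}
```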
*******************************************************************
*                        That's all for now!                      *
*******************************************************************

Greets to: fREkaZ0iD, siward, Zombie, |cepick, Outrageous, Warchild, zero_grip, Skiller, AnachromY, LandR, GI-Joe, psyclone, pepsi, Retro, lesley and nj and all other members of CrackZA and TnD

* Special Greets to tKC for his VERY cool lookin' tuts! Thanks man

Cracking Tutorial Written by JayT [CrackZA-TnD]
Email: CZ-JayT@iname.com
irc: irc.hotice.co.za   Channel: #TnD


HOW TO GET THE SERIAL FOR Texturizer 1.73

Welcome to yet another cracking tutorial, written by some guy in South Africa. This time I'll show you how to find a valid serial for Texturizer 1.73

Tools Used:
  SmartCheck 6.01

Web: http://djst.cjb.net

Hi all, I don't have much time to sit here and type out another tut... but I'll try and get as much done in the time I have. Ok.. let's get started.

Load Texturizer.exe in SmartCheck and click the green play button or push F5 to start tracing the program. Once the program is fully loaded, click Help->Enter Registration Code, enter your details and hit Ok. I used:

  Name: JayT [CrackZA-TnD]
  Code: 10111978

Boom... the error message pops up. Just click Ok, cancel the registration screen and close the application. Once it's closed, you should see the green play button again. Now we need to do a search for the name you entered, but first make sure you have set View->Arguments On. Push Ctrl-F and enter your name or the first part of your name. Cool.. it finds my name JayT. Scroll down a bit and you'll notice the program checks each letter of your name against a set of prespecified characters. DOH! "[" happens to be one of those characters it won't allow... so make sure you are basically using only letters in your name.

Ok.. let's redo what we've done using letters only. Press F5, go back to the registration screen, enter your details and hit Ok. I used:

  Name: JayT of CrackZA and TnD
  Code: 10111978

At the error message, click Ok, then Cancel and close the program again. Now let's find our name again and see what else we can find out. Ok... I'm back at my name and now if I scroll down I see a lot more stuff. Let's just skip most of this junk and find where the error message pops up.

  + MsgBox(VARIANT:String:"The User...." blah blah

is where we need to stop. Just above that line you should see the following:

  Right$(String:"FE3C-DE6...", long:1)
  Len(String:"F3C-DE6...") returns LONG:57

Hmm... that looks like it could be part of a reg code. Click on those lines. Cool... they're the same. Write down the code and try to register the program again. Boom! "Thank you for registering Texturizer!" etc.

  Name: JayT of CrackZA and TnD
  Code: FE3C-DE68-E02B-4428-6AB9-E543-C358-A7D3-B1E2-7180-A030-B7

*******************************************************************
*                        That's all for now!                      *
*******************************************************************

Cracking Tutorial Written by JayT [CrackZA-TnD]
Email: CZ-JayT@iname.com
irc: irc.hotice.co.za   Channel: #TnD


I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #87 soon! ;)

Credits go to:
  bM[tfgx] for Splash Logo.
  ASTAGA for providing 3 tuts in this version.
  JayT for providing 2 tuts in this version.

To ALL the crackers: You are welcome to send me your tutors to publish them.. see below for my email address!

*** 95 chars per line in textfile please! ***

And all the tutors can be found at: http://www.crackersinaction.org (or on IRC, ask CiA ops for urls!)

Greetz go to all my friends!
You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 9 June 2000

Cracking Tutorial #86 is dedicated to Sonia...