Welcome to Cracking Tutorial #88!

Hiya guys, sorry for the delays, again I was busy with coding and all that... Here's tut88.tKC... OK, let's rave! ...or crack, babes? :)

You'll need the following tools (I use these tools and assume you'll use them too, but that doesn't mean you need all of them; just be sure to have them handy for the examples in this tutorial):

SoftICE v4.05
W32Dasm v8.93
Hacker's View v6.50
SmartCheck v6.03
ProcDump32 v1.6.2
TRW2000 v1.22
IDA v4.04
Windows Commander v4.03 (I use it because it makes multitasking easier)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good sites where you can grab tools from:

http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com

or ask any cracker to get you these tools! Are you ready?! OK! ;)

How to crack & enhance Snoqualmie 1.0 (magnificent screensaver)

Target: Snoqualmie 1.0 (exe - 315392 bytes)
WWW: http://www.syntrillium.com (site of CoolEdit)
Cracker: --..__J_o_h_n_n_y__A_U_M__..--
Protections to be removed: unregistered style, boring messages
Tools: W32Dasm, Hiew, Exescope & Windows Commander 4.03

-------- My biggest desire for you - pure love --------
Try to grow spiritually if you want real happiness in your life! The ancient spiritual systems YOGA & TANTRA are the ways to evolve! Oh God, TANTRA is pure freedom! Yaaa! Also read the books of Master Osho (www.osho.org)!
--------

Snoqualmie 1.0 is really one of the best screensavers that exists on the WEB! It's a must-have for people who like special effects of shapes & colours! So, it's a great honour to crack this! Let's start!

After installing, we grab a copy of the file snoqualmie.exe from c:\windows\system and put it into a new subdirectory, c:\x for example.
We disable the Snoqualmie screensaver that may be active in Display Properties, because we don't want any interaction between the shareware version and our cracked version. Now let's observe the protections:

a. in the titlebar - unlicensed copy;
b. press Purchase -> everything there looks unlicensed;
c. Show messages - disabled;
d. press Preview - after a while, messages announce that you should register today, etc.;
e. also in Preview -> the words "Unlicensed copy..." that move constantly.

1. Unregistered style.

First, let's try to register: a name and a number (press Purchase -> Enter Serial Number... and OK). Boom... "The serial number you entered is invalid". OK, let's disassemble snoqualmie.exe with W32Dasm and make a copy for cracking -> y.exe. Alt-S-Enter, search for the words above, "The serial...", boom, we find them at W32Dasm address 401BDF. You see that these lines of code are reached from the jump at 401B40. Press Shift-F12, write 401B40, go there. Three lines above is a call, at 401B36 -> call 401F40. Let's go now to the place the call points to -> 401F40. To me, the code from 401F40 downwards looks like a serial check. So, let's cancel the processing of this piece of code; maybe the program will register without verifying the real serial. Address 401F40 means Hiew offset 1F40 (you see it at the bottom, OK?): instead of 55 (push ebp, the first byte of the function) write C3 (ret), so the check returns immediately. Let's test now. Hmmm, still unregistered, let's register again. A wonderful message (the one all crackers are waiting for) appears: "You now have the full version of Snoqualmie.". Great, protections a, b and c are gone forever!

2. Now, the messages in full screen like "License your copy today" - sure, sure, that's what I'm doing right now, pal, can't you see? Search for the words above -> Shift-S-Enter, write, go. We land on W32Dasm address 403624. Nice words are around, but crackers prefer not to be... So, we see our jump above, from 40358A. Go there. Wow, a big jump is here!
Let's kill this big jump guy, as we learn from all of today's movies, kill him (he, he, he, see the invisible government)! Hiew 358A -> replace with 909090909090 (6 bytes, the length of the long conditional jump!). Let's test, see if it's buried! Bingo, protection d is gone too!

3. Now, only those moving words in full screen (Preview mode) are still around. Here are two possibilities:
- the quickest - replace the words "Unlicensed copy of Snoqualmie" with spaces in our exe file (beginning at Hiew offset 22850);
- the next one. Search for the moving words above... we land on W32Dasm address 406040, and the beginning of this function is at 406010. We see "Referenced by a CALL at Address: 409245". Go there, to 409245. Above line 409245 is 40923F je 40924A; we are going to make this jump skip over our call at 409245: Hiew 923F - 74 -> EB. Test it; great, works just fine! Protection e is gone too, so all protections are knocked out!

4. Optional. I don't like two more things: the message "Your message goes here" that still appears from time to time, and the fact that the Snoqualmie window has a very small frame for presenting the effects. The words "Your message..." will be replaced with spaces after searching for them in Hiew in y.exe (Hiew offset 227CC). OK. Enlarging the effects frame with Exescope 5.12: my choice was to first enlarge the whole Snoqualmie window to approximately 800x600 and then to increase the size of the effect frame until it reached a quarter of the Snoqualmie window size. Then I relocated all the buttons for a balanced design. If you want to see and/or use my choice of enhancing the Snoqualmie screensaver, please go to my site www.geocities.com/john_aum/john_files/ and download the file enhance.exe. You must use this file only with the shareware (uncracked) version of Snoqualmie.

Enjoy this state-of-the-art screensaver! Bye now!
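Both Johnny Aum tutorials in this issue (this one and the Lview Pro one that follows) convert W32Dasm addresses to Hiew offsets by dropping the leading 40 (401F40 -> 1F40, 4C8B76 -> C8B76). That shortcut only holds because in those files the code section starts at RVA 1000 and at file offset 1000, so VA = ImageBase + file offset; in a file with a different section layout it writes the patch into the wrong place. The Python below is an added example, not part of either tutorial: it does the conversion from the PE section table and refuses to write a patch unless the bytes at the target are the ones expected (55 for the push ebp we turn into a ret, 74 for the je we turn into a jmp). The image it works on is a constructed minimal PE32 laid out like the tutorial's targets, not the real snoqualmie.exe, and the addresses 0x401F40 and 0x401B40 are only reused as labels.

```python
"""Map W32Dasm virtual addresses to Hiew file offsets via the PE section table, then patch safely.

Added example for tKC tutorial #88; the PE image below is constructed, not a real target.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def parse_pe(data):
    """Return (image_base, sections); sections are dicts with va/vsize/rawptr/rawsize."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, n_sections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:      # PE32: ImageBase is a DWORD at offset 28 of the optional header
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:    # PE32+: ImageBase is a QWORD at offset 24
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    sections, pos = [], opt + opt_size
    for _ in range(n_sections):
        name, vsize, va, rawsize, rawptr, *_rest = SECTION_HEADER.unpack_from(data, pos)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize})
        pos += SECTION_HEADER.size
    return image_base, sections


def va_to_offset(data, va):
    """Map a virtual address (as W32Dasm prints it) to a file offset (as Hiew shows it)."""
    image_base, sections = parse_pe(data)
    rva = va - image_base
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            delta = rva - s["va"]
            if delta >= s["rawsize"]:   # .bss-style tail: exists in memory only, nothing on disk to patch
                raise ValueError("VA 0x%X lies in uninitialised data of %s" % (va, s["name"]))
            return s["rawptr"] + delta
    raise ValueError("VA 0x%X is not inside any section" % va)


def apply_patches(data, patches):
    """patches: (va, expected_bytes, new_bytes). Refuse to write if the file does not hold the expected bytes."""
    out = bytearray(data)
    for va, expected, new in patches:
        if len(expected) != len(new):
            raise ValueError("patch at 0x%X would change the file length" % va)
        off = va_to_offset(out, va)
        found = bytes(out[off:off + len(expected)])
        if found != expected:
            raise ValueError("VA 0x%X (file 0x%X): expected %s, found %s" % (va, off, expected.hex(), found.hex()))
        out[off:off + len(new)] = new
    return bytes(out)


def build_sample_image():
    """Constructed PE32: headers plus one .text section whose RVA and file offset both start at 0x1000,
    the layout that makes W32Dasm 401F40 equal Hiew 1F40 in the tutorial."""
    image_base, e_lfanew = 0x400000, 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    text_hdr = SECTION_HEADER.pack(b".text", 0x1000, 0x1000, 0x1000, 0x1000, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + text_hdr
    headers += b"\0" * (0x1000 - len(headers))
    text = bytearray(0x1000)
    text[0xF40] = 0x55                  # push ebp at VA 0x401F40: the prologue the tutorial turns into ret
    text[0xB40:0xB42] = b"\x74\x10"     # je +0x10 at VA 0x401B40: a conditional jump to turn into jmp
    return headers + bytes(text)


def demo():
    """Convert and patch the constructed image; returns (offset of 0x401F40, new byte there, new byte at 0x401B40)."""
    img = build_sample_image()
    patched = apply_patches(img, [
        (0x401F40, b"\x55", b"\xC3"),   # push ebp -> ret: the serial check returns at once
        (0x401B40, b"\x74", b"\xEB"),   # je -> jmp
    ])
    return va_to_offset(img, 0x401F40), patched[0x1F40], patched[0x1B40]


if __name__ == "__main__":
    print("VA 0x401F40 -> file offset 0x%X" % va_to_offset(build_sample_image(), 0x401F40))
    print(demo())
```

Run it against a real file by reading the exe into `data` and calling `apply_patches(data, [...])` with the bytes you saw in W32Dasm as the expected values; the mismatch error is the check that keeps a typo in an address from corrupting an unrelated instruction.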
----------------
Greets: tKC & CIA (nice guys!), to all crackers, PRO or newbies, all cracker teams (keep going, we must liberate ourselves from Judeo-Masonic tyranny, all must become free), we are great guys, and nice too. I love you all, but be a good soul!
Romanian Greets (translated): I wish with all my heart that one day you come to truly understand the meaning of the words "personal spiritual evolution"! Try to evolve spiritually through yoga and tantra if you want to be happy!
At last, but from all my heart: I love you Heavenly Father, I know you are with me all the time! God is pure love!
Try this: www.geocities.com/john_aum - incredible info for YOUR EYES ONLY!
Critics, comments, anything at: johnny_aum@yahoo.com
--------------- Sorry if my English is not perfect! ---------------

How to crack Lview Pro 2.8

Target: Lview Pro 2.8
WWW: http://www.lview.com
Cracker: --..__J_o_h_n_n_y__A_U_M__..--
Protections to be removed: nags, expiration
Tools: W32Dasm, Hiew & Windows Commander 4.03

-------- My biggest desire for you - pure love --------
Try to grow spiritually if you want real happiness in your life! The ancient spiritual systems YOGA & TANTRA are the ways to evolve! Oh God, TANTRA is pure freedom! Yaaa! Also read the books of Master Osho (www.osho.org)!
--------

A beautiful image editor with special effects; for old PC maniacs it is a program that needs no introduction. Great tool!

1. First, install the program. OK, let's see. Whoops! In my case, Lview Pro is already expired, because I cracked the program about 2-3 months ago and some expiration data remained in the Registry. For you, to make it expire, set the clock to 2001. OK, so it's expired.

2. Disassemble LviewPro.exe with W32Dasm and make a copy -> y.exe, for cracking. If we search for the words of the expiration nag, "The evaluation period...", we do not find anything. But if we take a close look at the code of the program we find interesting data at W32Dasm address 4CA670.
A few lines below is some data (at 4CA6B5): "65C1BF90-1B7B-11d3-9A78-00A02...". Let's search for these characters in the Registry. I use Registry Crawler 1.21 (enhanced by me - searches 4 ways at a time + an exit button - a tut soon). Bingo! We find our data at: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{65C1BF90-1B7B... Let's delete this {65C1BF90-1B7B... key. OK. First we set the clock back to 2000 and then we enter the program. OK, it's working. LviewPro restarts from its 1st day of evaluation. Good. So, you remember where we were? At W32Dasm 4CA670. If we look at the code, the program works like this: call 4CA670; this function checks whether the expiration period is over and returns to 4C86BC, and if all looks fine (the trial is unexpired) it jumps (je 4C8BD3) and goes on. So, we reverse je -> jne or EB (W32Dasm 4C8B76 = Hiew C8B76 - 74 -> 75). Let's set the clock to 2001 to see if the expiration nag shows up now, or what? If we test with LviewPro.exe, it's expired. But when testing the y.exe we just modified, the expiration nag is gone! OK!

3. Second nag, with the words "This is day 1 of the 21 day evaluation period". OK, I found these words at W32Dasm address 4C9321. Remember this address. Now we can try our trick 82 -> 7E. You also see the words "This is a LIMITED TIME EVALUATION VERSION". Search for them in Hiew in y.exe. I found them at Hiew offset 1C6C18; change 82 -> 7E. Test now. What...?! What the f... is happening? All the windows try to display but then quickly go away. He, he, he, this looks like a protection against our 82 -> 7E trick. Let's see. You remember the W32Dasm address 4C9321 from above? Let's go up in the code, to the point where this piece of code is called. We have (line 4C91E0 - about 5 PageUps) 2 calls: 4C8D03 and 4CA1C8. We go to 4C8D03 with Shift-F12. OK, we are on line 4C8D03. Below is a jump -> (line 4C8D0A) je 4C8E43; this looks like the jump that sends the program out when we try the 82 -> 7E trick. Let's switch it. So, Hiew C8D0B, 84 -> 85. Now, let's test (we have 2 modifications so far).
Wow, working like clockwork! All appears to be just fine! Nags are gone forever!

4. Optional. At Hiew offset 1CD523 are the following words (from About): "LIMITED TIME EVALUATION VERSION". We have 2 methods here: 1st - we replace the words with spaces, or 2nd - we replace 50 (P) -> 00 (one of my tricks). Job done, bye! Enjoy this fine tool! And set the clock back to the year 2000!

----------------
Critics, comments, anything at: johnny_aum@yahoo.com
--------------- Sorry if my English is not perfect! ---------------

How to find a valid serial for PLASMA's COMEBACK CrackMe!

Target : PLASMA's COMEBACK CrackMe
Protection : Name/Serial
Toolz : SmartCheck v6.*
What we will do? : We will find the good serial for your name...

Hmm, first, sorry for my bad English, I hope you understand me. OK, let's go....
Before starting this tutorial I suggest you **SAVE** your work! Because this crackme will reboot your computer if you find the good serial. It's not very cool. Let's go.

Run SmartCheck and load the crackme in, press F5 to run it and enter your name and a fake registration code; for me it looks like this:

Name : TiMeLoRD
Serial : 1234

Hit the "CHECK" button and you should get this message in the crackme: "Do you just guess?" Now close the crackme in SmartCheck and you should see a "+ _Click"; double click on it and you see this:

----------------------------------- SmartCheck Piece Of Code ----------------------------------
                                                   <---- This is my comment ;)
OnError(long:1)
String("1234") --> Double(1234)                    <---- Our fake serial!
Len(String:"TiMeLoRD") returns LONG:8              <---- hehe my sn
Long(8) --> Integer(8)
Mid$(String:"TiMeLoRD",long:1,VARIANT:Integer:1)
Asc(String:"T") returns Integer:84                 <---- takes the ASCII value of each char; here "T" returns "84"
Mid$(String:"TiMeLoRD",long:2,VARIANT:Integer:1)
Asc(String:"i") returns Integer:105                <---- "i" returns 105, etc.....
Mid$(String:"TiMeLoRD",long:3,VARIANT:Integer:1)
Asc(String:"M") returns Integer:77
Mid$(String:"TiMeLoRD",long:4,VARIANT:Integer:1)
Asc(String:"e") returns Integer:101
Mid$(String:"TiMeLoRD",long:5,VARIANT:Integer:1)
Asc(String:"L") returns Integer:76
Mid$(String:"TiMeLoRD",long:6,VARIANT:Integer:1)
Asc(String:"o") returns Integer:111
Mid$(String:"TiMeLoRD",long:7,VARIANT:Integer:1)
Asc(String:"R") returns Integer:82
Mid$(String:"TiMeLoRD",long:8,VARIANT:Integer:1)
Asc(String:"D") returns Integer:68
Len(String:"TiMeLoRD") returns LONG:8
Long(8) --> Integer(8)                             <---- "8" is the number of chars in my sn
Double(5632) --> String("5632")                    <---- Is this our serial? No, it's only the sum of the ASCII values
                                                         of my sn multiplied by the number of chars in my sn. Look:
                                                         84+105+77+101+76+111+82+68 = 704
                                                         704 * 8 = 5632
Left$(String:"5632",long:1)
String("5") --> Integer(5)
Double(90192) --> String("90192")                  <---- This is our serial!
String("90192") --> Double(90192)
----------------------------------- SmartCheck Piece Of Code ----------------------------------

Well, now close SmartCheck and the crackme, because we are done. What? We didn't try entering our serial in the crackme to verify? Ohh, if you want to do it, it will work and you should get this message: "You got it, here's your surprise..." If you don't understand, the surprise is the shutdown of your computer (not a shutdown but a reboot). Maybe it's funny for you, so try it =) And a special FUCK to PLASMA for the reboot code, because I cracked this crackme before without saving my work (Napster, email etc...)

A 1 2 c 4!

For contacting me, email me at: timelordfr@hotmail.com
Meet us at http://shmeitcorp.cjb.net

Another one done by TiMeLoRD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greetz (in no particular order): tKC for all ur great work, Gaelle, Mélanie, Mélody, WiiTiGo (you're a god), Smeita, Kspr, BuL-LeT yeah ur pretty cool, Satan_Is_Watching_u (so, silly, hehe), ACiD BuRN (you're not cool on Caramail), Static REvenge, Xeuj, ShadowRUNNER hey man get up, crackstore seems to be dead, MrPhilex, eGIS, Hambo, SiraX, R!SC thanks for all ur work, aTm, PC, CiA, CLASS, C4A, CrackingForNewbies, Paradigm, G-RoM, TERAPHY, those I forget but who should be here, like all the friends on IRC and elsewhere, all the crackers in the world, a big WESH to all the French and foreign cités, and... Happy cracking for all!

! FuCK THE LAMERZ! ! FuCK RACiST! ! FuCK THE PEDOPHiLE!

How to patch the nag/serial routine and timelimit in L0phtCrack v2.5!
Target : L0pht Crack v2.5 TRiAL
Protection : Serial/NAG/TimeLimit
Toolz : WDASM v8.9/HexEditor/Brain
What we will do? : We will patch the serial

You can find L0pht Crack here: www.l0pht.com

Hmm, first, sorry for my bad English, I hope you understand me. OK, let's go....

Why don't I teach how to get a valid serial in this tutorial? Because I love patching =)

Install L0pht Crack and make two copies of the original exe file. Call the first "Backl0pht.exe" and the second "Crackl0pht.exe". Start WDASM and disassemble "Backl0pht.exe". While WDASM disassembles our file I suggest you run L0phtCrack and look at its protection. When I run it I get a nag screen that says "L0phtCrack 2.5 Trial Version" "OK" "Register". Hmm, that's nice, click on..... Register (hehe) and it gives you a serial number; for me the serial was "16465016", and it wants an activation code. Enter anything and hit the "OK" button. Whoa, a messagebox: "You have entered an invalid registration code. Please try again". OK, OK, go back to WDASM and search the String Data References for this sentence (it's one of the last in the string data references) and double click on it.
----------------------------------- WDASM PiECE OF CODE ---------------------------------------
                                                   <--- is my comment =)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406397(C)
|
:0040630B 8D8C24E0000000          lea ecx, dword ptr [esp+000000E0]
:00406312 51                      push ecx
:00406313 8BCB                    mov ecx, ebx
:00406315 E880EE0300              call 0044519A
:0040631A 8D542414                lea edx, dword ptr [esp+14]
:0040631E 52                      push edx
:0040631F 6A00                    push 00000000
:00406321 8BCE                    mov ecx, esi
:00406323 E869F10300              call 00445491
:00406328 50                      push eax
:00406329 E819B1FFFF              call 00401447
:0040632E 83C408                  add esp, 00000008
:00406331 8D44242C                lea eax, dword ptr [esp+2C]
:00406335 50                      push eax
:00406336 6A00                    push 00000000
:00406338 8BCF                    mov ecx, edi
:0040633A E852F10300              call 00445491
:0040633F 50                      push eax
:00406340 E802B1FFFF              call 00401447
:00406345 8B03                    mov eax, dword ptr [ebx]
:00406347 8D4C241C                lea ecx, dword ptr [esp+1C]
:0040634B 51                      push ecx
:0040634C 50                      push eax
:0040634D E80EFF0100              call 00426260
:00406352 83C410                  add esp, 00000010
:00406355 85C0                    test eax, eax
:00406357 7449                    je 004063A2
:00406359 8B03                    mov eax, dword ptr [ebx]
:0040635B 8D54242C                lea edx, dword ptr [esp+2C]
:0040635F 52                      push edx
:00406360 50                      push eax
:00406361 E8FAFE0100              call 00426260
:00406366 83C408                  add esp, 00000008
:00406369 85C0                    test eax, eax
:0040636B 7435                    je 004063A2
:0040636D 6A00                    push 00000000
:0040636F 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"You have entered an invalid code. "   <--- You will be here.
                                        ->"Please try again."
|
:00406371 6830354800              push 00483530
:00406376 E8F0020500              call 0045666B
:0040637B 56                      push esi
:0040637C 8D8C24E0000000          lea ecx, dword ptr [esp+000000E0]
:00406383 E812EE0300              call 0044519A
:00406388 8D8C2480000000          lea ecx, dword ptr [esp+00000080]
:0040638F E88ED50300              call 00443922
:00406394 83F801                  cmp eax, 00000001
:00406397 0F846EFFFFFF            je 0040630B
:0040639D E9A9000000              jmp 0040644B

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406357(C), :0040636B(C)
|
:004063A2 83C9FF                  or ecx, FFFFFFFF
:004063A5 C785C000000000000000    mov dword ptr [ebp+000000C0], 00000000
:004063AF 33C0                    xor eax, eax

* Possible StringData Ref from Data Obj ->"Software\L0pht\L0phtCrack"   <--- writes your reg info to the registry
|
:004063B1 BF10354800              mov edi, 00483510
:004063B6 F2                      repnz
:004063B7 AE                      scasb
:004063B8 F7D1                    not ecx
:004063BA 2BF9                    sub edi, ecx
:004063BC 8BC1                    mov eax, ecx
:004063BE C1E902                  shr ecx, 02
:004063C1 8D942448010000          lea edx, dword ptr [esp+00000148]
:004063C8 8BF7                    mov esi, edi
:004063CA 8BFA                    mov edi, edx
:004063CC F3                      repz
:004063CD A5                      movsd
:004063CE 8BC8                    mov ecx, eax
:004063D0 83E103                  and ecx, 00000003
:004063D3 F3                      repz
:004063D4 A4                      movsb
:004063D5 8D4C2428                lea ecx, dword ptr [esp+28]
:004063D9 51                      push ecx
:004063DA 681F000200              push 0002001F
:004063DF 6A00                    push 00000000
:004063E1 8D942454010000          lea edx, dword ptr [esp+00000154]
:004063E8 52                      push edx
:004063E9 6801000080              push 80000001

* Reference To: ADVAPI32.RegOpenKeyExA, Ord:0172h
|
:004063EE FF156C0BD100            Call dword ptr [00D10B6C]
:004063F4 85C0                    test eax, eax
:004063F6 7545                    jne 0040643D
:004063F8 83C9FF                  or ecx, FFFFFFFF
:004063FB 8B1B                    mov ebx, dword ptr [ebx]

* Possible StringData Ref from Data Obj ->"Registration"
|
:004063FD BF00354800              mov edi, 00483500
:00406402 F2                      repnz
:00406403 AE                      scasb
:00406404 F7D1                    not ecx
:00406406 2BF9                    sub edi, ecx
:00406408 8BC1                    mov eax, ecx
:0040640A C1E902                  shr ecx, 02
:0040640D 8D942448010000          lea edx, dword ptr [esp+00000148]
:00406414 8BF7                    mov esi, edi
:00406416 8BFA                    mov edi, edx
:00406418 8B542428                mov edx, dword ptr [esp+28]
:0040641C F3                      repz
:0040641D A5                      movsd
:0040641E 8BC8                    mov ecx, eax
:00406420 83E103                  and ecx, 00000003
:00406423 F3                      repz
:00406424 A4                      movsb
:00406425 8B43F8                  mov eax, dword ptr [ebx-08]
:00406428 50                      push eax
:00406429 53                      push ebx
:0040642A 6A01                    push 00000001
:0040642C 6A00                    push 00000000
:0040642E 8D8C2458010000          lea ecx, dword ptr [esp+00000158]
:00406435 51                      push ecx
:00406436 52                      push edx

* Reference To: ADVAPI32.RegSetValueExA, Ord:0186h
|
:00406437 FF15680BD100            Call dword ptr [00D10B68]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004063F6(C)                     <--- this is the caller; if this call is made, you are registered
|
:0040643D 6A00                    push 00000000
:0040643F 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"You have successfully registered "   <--- hehe, good boy
                                        ->"L0phtCrack 2.5."
|
:00406441 68C4344800              push 004834C4
:00406446 E820020500              call 0045666B

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406305(C), :0040639D(U)
|
:0040644B 8D8C24E0000000          lea ecx, dword ptr [esp+000000E0]
:00406452 C68424D001000004        mov byte ptr [esp+000001D0], 04
:0040645A E802EC0300              call 00445061
:0040645F 8D8C24DC000000          lea ecx, dword ptr [esp+000000DC]
:00406466 C68424D001000003        mov byte ptr [esp+000001D0], 03
:0040646E E8EEEB0300              call 00445061
:00406473 8D8C2480000000          lea ecx, dword ptr [esp+00000080]
:0040647A C68424D001000001        mov byte ptr [esp+000001D0], 01
:00406482 E8E1CF0300              call 00443468

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004062CD(C)
|
:00406487 8B85C0000000            mov eax, dword ptr [ebp+000000C0]
:0040648D 85C0                    test eax, eax
:0040648F 741F                    je 004064B0
:00406491 8B85C4000000            mov eax, dword ptr [ebp+000000C4]
:00406497 85C0                    test eax, eax
:00406499 7F15                    jg 004064B0
:0040649B 6A00                    push 00000000
:0040649D 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Your trial version of L0phtCrack "   <--- when your trial is expired
                                        ->"2.5 has expired. You must register"
|
:0040649F 68FC334800              push 004833FC
:004064A4 E8C2010500              call 0045666B
:004064A9 6A00                    push 00000000
:004064AB E8825A0100              call 0041BF32
----------------------------------- WDASM PiECE OF CODE ---------------------------------------

:00406369 85C0                    test eax, eax
:0040636B 7435                    je 004063A2

This routine checks if the serial is valid; if yes, it takes this JE to 004063A2. So change the "74" to "EB".

74 = JE
EB = JMP
75 = JNE

Blablablabla =) Now it's time to run L0phtCrack and enter any serial to see if it works. OK, it works, but when you restart it the nag is back! Fuck, no prob, we will kill the nag and the trial time limit. Look at the nag screen, we have this text: " Days until trial version will expire"; that's pretty g00d for us. This text in hex looks like this:

44 61 79 73 20 75 6E 74 69 6C 20 74 72 69 61 6C 20 76 65 72 73 69 6F 6E 20 77 69 6C 6C 20 65 78 70 69 72 65

Search for it in your favourite hex editor. I use HEditPro, and when I search for this string it tells me "Data was not found." Why? Because dialog text is stored as Unicode (UTF-16LE, two bytes per character), so there is a "00" after each letter. If you have understood, search for this string instead:

00 44 00 61 00 79 00 73 00 20 00 75 00 6E 00 74 00 69 00 6C 00 20 00 74 00 72 00 69 00 61 00 6C 00 20 00 76 00 65 00 72 00 73 00 69 00 6F 00 6E 00 20 00 77 00 69 00 6C 00 6C 00 20 00 65 00 78 00 70 00 69 00 72 00 65 00

Yes! Found. Now look at the bytes before it; you should see "FF FF FF FF 82". Hehe, change the "82" to a "7E". Don't ask me why, it works every time. (It works because those bytes are the header of a dialog control item: the first FF FF is the control id -1 that labels usually get, the second FF FF means "a class ordinal follows", and 0082 is the STATIC class that carries the text. 7E is not a class Windows knows, so the whole dialog fails to be created and the nag is never shown.) Now save and exit, run L0phtCrack and, whoa, no nag. That's OK, now we must patch the timelimit.

----------------------------------- WDASM PiECE OF CODE ---------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004062CD(C)
|
:00406487 8B85C0000000            mov eax, dword ptr [ebp+000000C0]
:0040648D 85C0                    test eax, eax
:0040648F 741F                    je 004064B0        <--- If this JE is taken, it means your trial has not ended. Change the "74" to "EB".
:00406491 8B85C4000000            mov eax, dword ptr [ebp+000000C4]
:00406497 85C0                    test eax, eax
:00406499 7F15                    jg 004064B0        <--- It's the same, but don't change it, because it will never be reached.
:0040649B 6A00                    push 00000000
:0040649D 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Your trial version of L0phtCrack "   <--- when your trial is expired
                                        ->"2.5 has expired. You must register"
|
:0040649F 68FC334800              push 004833FC
:004064A4 E8C2010500              call 0045666B
:004064A9 6A00                    push 00000000
:004064AB E8825A0100              call 0041BF32
----------------------------------- WDASM PiECE OF CODE ---------------------------------------

That's OK, now save and run it..... it's OK, no nag, no serial, no timelimit, this is a 100% crack and I love it.

A 1 2 c 4!

For contacting me, email me at: timelordfr@hotmail.com
Meet us at http://shmeitcorp.cjb.net

Another one done by TiMeLoRD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greetz (in no particular order): tKC for all ur great work, Gaelle, Melanie, Melody, WiiTiGo (you're a god), Smeita, Kspr, BuL-LeT yeah ur pretty cool, Satan_Is_Watching_u (so, silly, hehe), ACiD BuRN (you're not cool on Caramail), Static REvenge, Xeuj, PeeWee, ShadowRUNNER hey man get up, crackstore seems to be dead, MrPhilex, eGIS (I love ur release), Hambo (u too), SiraX (u too), R!SC thanks for all ur work, aTm, PC, CiA, CLASS, C4A, CrackingForNewbies, Paradigm, G-RoM, TERAPHY, those I forget but who should be here, like all the friends on IRC and elsewhere, all the crackers in the world, a big WESH to all the French and foreign cités, my friends from Côte d'Ivoire, France, Poland, Italy, the US, Lebanon, my family (well yeah, gotta think of them), and... Happy cracking for all!

! FuCK THE LAMERZ! ! FuCK RACiST! ! FuCK THE PEDOPHiLE!

How to crack NetZip Classic v7.5.0.63!
Target : NetZip Classic v7.5.0.63
Protection : Serial & NAG & TimeLimit (the timelimit is just a sentence in red on the nag when your trial period is over)
Toolz : Hexadecimal editor/Wdasm 8.9
What we will do? : We will patch the nag

Hmm, first, sorry for my bad English, I hope you understand me. OK, let's go....

Why don't I teach how to get a valid serial in this tutorial? Because I love patching, and in this prog the serial and the timelimit info are on the same screen, the nag. This nag comes up when you try to open a Zip file; after patching the nag it will never ask for the serial again and the software will be fully functional.

Run NetZip and try to open any Zip file. After choosing the file you should see this:

"Thank you for evaluating Netzip." You have X day(s) remaining in your FREE evaluation. Purchase Netzip today and benefit from unlimited use, free technical support and special money saving offers. When you purchase...... blablablablabla

and two buttons, the first "YES" (in red), the second "No Thanks", and also a textbox to enter the purchase key. Enter anything in it and hit the "Enter" button; this message will pop up: "You have entered an invalid key. Please either clear your entry or enter a valid key." Now close NetZip and run WDASM, disassemble the exe file and go to the String Data References to find the error message.
I did it, but the error message is not there! Hmm, I think the prog must be calling a DLL file or something like that, so look at all the files in the NetZip directory. I'll save you time; here's the file I was looking for: "Evalware.dll". I think "Eval" means Evaluation, so we must disassemble this DLL file to see if the error message is in it. Don't forget to make a backup copy of the DLL. Click on the string data references and you should see our error message on the first line. That's nice; double click on it, and double click on it another time, etc.... do you see? There are more than 6 copies of the same error message in the code. We could make a crack to force the prog to accept any serial, but patching all these error messages is too long. I've found another solution and I will use it. Do you remember the nag? "You have 7 day(s) remaining....", I will try to find it in the DLL file, but the problem is the number of days, because it changes every day (I'm not sure you understand me here =), so I will not search for the whole phrase, only for the end of it: "remaining in your". In 8-bit ASCII it is:

72 65 6D 61 69 6E 69 6E 67 20 69 6E 20 79 6F 75 72

Convert it to Unicode (UTF-16LE, two bytes per character; remember my last tut), so it looks like this:

00 72 00 65 00 6D 00 61 00 69 00 6E 00 69 00 6E 00 67 00 20 00 69 00 6E 00 20 00 79 00 6F 00 75 00 72 00

Yes, I've found it. Scroll up a bit until you see "FF FF FF FF 82" and change the "82" to "7E". If you look you may see "FF FF 82", only four "F"s; if you patch there it will work too, but most of the time when you are going to patch a nag it will be "FF FF FF FF 82". Now save your work, run NetZip and try to open any Zip file. Whoa, it works without the nag. Close NetZip and set your computer date to the year 2001 (only to test whether the prog will tell us anything like "Your evaluation period is over...."), run the prog, try to open a file, and it works. Well, g00d j0b.

I hope you understand me in this tutorial, and again, sorry for my bad English =)

A 1 2 c 4!
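The 82 -> 7E trick used on L0phtCrack above and on Evalware.dll here relies on the same structure every time: a dialog resource stores each control as a DLGITEMTEMPLATE whose text is UTF-16LE (hence the 00 bytes that defeat an ASCII search) and whose class is written as FF FF followed by an ordinal, where 0082 is STATIC and the FF FF in front of it is the control id -1 that labels usually carry. Writing 7E leaves an ordinal Windows does not know, so the dialog cannot be created and the nag is never shown. The Python below is an added example, not TiMeLoRD's code: it encodes the search text as UTF-16LE, walks back to the class marker of the item that owns the text, checks that the class really is STATIC before touching anything (a button or edit box that happens to contain the same words is left alone), and patches it. The dialog bytes it searches are constructed in the script; the real NetZip and L0phtCrack resources are not reproduced here.

```python
"""Locate nag text inside a Win32 dialog template and break its STATIC control so the dialog never loads.

Added example for tKC tutorial #88. The dialog below is constructed; it is not a real resource.
"""
import struct

STATIC_CLASS = 0x0082          # predefined class ordinals: 0080 Button, 0081 Edit, 0082 Static, ...
BROKEN_CLASS = 0x007E          # not a predefined class: CreateDialog fails and the dialog is never shown
CLASS_ORDINAL_MARKER = b"\xFF\xFF"


def wide(text):
    """Encode text the way dialog templates store it: UTF-16LE, one 00 after each ASCII letter."""
    return text.encode("utf-16-le")


def find_static_items(data, needle, window=512):
    """Return one dict per occurrence of needle that belongs to a STATIC control.

    For each UTF-16LE hit, the nearest FF FF before it is taken as the class marker of the owning item
    (dialog text never contains U+FFFF, so nothing inside the title can be mistaken for it); the WORD after
    the marker is the class ordinal and the WORD before it is the control id.
    """
    pattern = wide(needle)
    hits = []
    pos = data.find(pattern)
    while pos != -1:
        m = data.rfind(CLASS_ORDINAL_MARKER, max(0, pos - window), pos)
        if m != -1 and m + 4 <= pos:
            cls = struct.unpack_from("<H", data, m + 2)[0]
            if cls == STATIC_CLASS:
                item_id = struct.unpack_from("<H", data, m - 2)[0] if m >= 2 else None
                hits.append({"text_off": pos, "class_off": m + 2, "id": item_id})
        pos = data.find(pattern, pos + 1)
    return hits


def break_static_class(data, needle):
    """Overwrite 0082 with 007E for every STATIC item carrying needle; return (patched_bytes, count)."""
    out = bytearray(data)
    hits = find_static_items(out, needle)
    for h in hits:
        struct.pack_into("<H", out, h["class_off"], BROKEN_CLASS)
    return bytes(out), len(hits)


def build_dialog_item(item_id, cls, title):
    """Constructed DLGITEMTEMPLATE: style, exstyle, x, y, cx, cy, id, class (FF FF + ordinal), title, no creation data."""
    style, exstyle, x, y, cx, cy = 0x50000000, 0, 7, 7, 180, 8     # WS_CHILD | WS_VISIBLE
    return (struct.pack("<IIhhhhH", style, exstyle, x, y, cx, cy, item_id)
            + CLASS_ORDINAL_MARKER + struct.pack("<H", cls)
            + wide(title) + b"\0\0" + b"\0\0")


def build_sample_dialog():
    """Constructed DLGTEMPLATE with three items: the nag label (STATIC, id -1, giving the FF FF FF FF 82 00
    pattern the tutorial spots), an empty EDIT box for the key, and an OK BUTTON."""
    header = struct.pack("<IIHhhhh", 0x80C80080, 0, 3, 0, 0, 200, 60)   # style, exstyle, 3 items, x, y, cx, cy
    header += b"\0\0" + b"\0\0" + wide("Trial") + b"\0\0"               # no menu, default class, caption
    items = (build_dialog_item(0xFFFF, STATIC_CLASS, "You have 7 day(s) remaining in your FREE evaluation")
             + build_dialog_item(0x03E9, 0x0081, "")
             + build_dialog_item(0x0001, 0x0080, "OK"))
    return header + items


def demo():
    """Show why the ASCII search fails, where the UTF-16LE search hits, and what gets patched."""
    dlg = build_sample_dialog()
    ascii_hit = dlg.find(b"remaining in your")        # -1: the text is not stored as 8-bit characters
    wide_hit = dlg.find(wide("remaining in your"))
    patched, count = break_static_class(dlg, "remaining in your")
    class_off = find_static_items(dlg, "remaining in your")[0]["class_off"]
    return ascii_hit, wide_hit, count, patched[class_off]


if __name__ == "__main__":
    print(demo())
```

To use it on a real file, read Evalware.dll (or the L0phtCrack exe) into `data`, call `find_static_items(data, "remaining in your")` first to see the offsets and ids it found, and only then `break_static_class`; an unexpected number of hits means the text lives somewhere other than a STATIC label and the patch should not be applied blindly.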
For contacting me, email me at: timelordfr@hotmail.com
Meet us at http://shmeitcorp.cjb.net

Another one done by TiMeLoRD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greetz (in no particular order): tKC for all ur great work, Gaelle, Melanie, Melody, WiiTiGo (you're a god), Smeita, Kspr, BuL-LeT yeah ur pretty cool, Satan_Is_Watching_u (so, silly, hehe), ACiD BuRN (you're not cool on Caramail), Static REvenge, Xeuj, PeeWee, ShadowRUNNER hey man get up, crackstore seems to be dead, MrPhilex, eGIS (I love ur release), Hambo (u too), SiraX (u too), R!SC thanks for all ur work, aTm, PC, CiA, CLASS, C4A, CrackingForNewbies, Paradigm, G-RoM, TERAPHY, those I forget but who should be here, like all the friends on IRC and elsewhere, all the crackers in the world, a big WESH to all the French and foreign cités, my friends from Côte d'Ivoire, France, Poland, Italy, the US, Lebanon, my family (well yeah, gotta think of them), and... Happy cracking for all!

! FuCK THE LAMERZ! ! FuCK RACiST! ! FuCK THE PEDOPHiLE!

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #89, coming soon! ;)

Credits go to:
bM[tgfx] for the Splash Logo.
Johnny Aum for providing 2 tuts in this version.
TiMeLoRD for providing 3 tuts in this version.

To ALL the crackers: you are welcome to send me your tutors to publish them.. see below for my email address!
*** 95 chars per line in the textfile please! ***

And all the tutors can be found at: http://www.crackersinaction.org (or on IRC, ask CiA ops for urls!)

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000
Compiled with Delphi 5 on 26 June 2000

Cracking Tutorial #88 is dedicated to Sonia...