Welcome to Cracking Tutorial #91!

Hiya guys,

Sorry for delays, again I was busy with coding and all shit..
Here's a tut91.tKC... OK, let's rave! ...or crack babes? :)

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

  SoftICE v4.05
  W32Dasm v8.93
  Hacker's View v6.55
  SmartCheck v6.03
  ProcDump32 v1.6.2
  TRW2000 v1.22
  IDA v4.04
  Windows Commander v4.50 (I use it coz it's easier to multitask)
  Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here are a few good sites where you can grab tools from:

  http://protools.cjb.net
  http://w3.to/protools
  http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?! OK! ;)


How to quickly crack a crypted/packed program - example: OptOut 0.999999

Target: OptOut 0.999999 (exe - 32256 from 31/05/2000)
WWW: http://grc.com
Cracker: --..__J_o_h_n_n_y__A_U_M__..--
Protections to be removed: expiration
Tools: ProcDump 1.6.2, R!sc Patcher 1.4, File Info 2.30, W32dasm & Windows commander 4.03

This quick method can easily be applied to other programs that are crypted or packed. I have used this method for months. It is especially useful when the exe cannot be decompressed or decrypted completely with ProcDump or other specialized proggies.

About OptOut: this program is able to detect and remove software which installs on your computer a small spy that reports to a predefined location on the Web (when you're connected to the WWW) any interesting details and information about you (see your details from Win 95/98 etc) and what's installed on your PC. Grab it now! It's a must! Fuck these bastards who try to spy on us continuously!

1. Let's see what this exe -> optout.exe is crypted/packed with, using File Info 2.30. I have fi.exe in c:\windows\command and from Windows Commander 4.03 I just typed: fi *.* (when I am in the subdirectory of optout.exe). Good, it's crypted with PE Compact 1.23-1.24.

2. Let's try to decompress this program with ProcDump 1.6.2 (select PE Compact - simple); no shit, an error window appears with this message: "an error occured at script line...". @!#$@!#, not good! What can we do? We do this, coz we are smart guys! Go to the subdirectory of optout.exe and what do we see (at this time ProcDump is stopped at the error mentioned above)? The following temporary file: $$temp$$.$$$ . Make a copy of it: y.exe. Now exit from ProcDump. And we have a fresh, partially decrypted copy of optout.exe. You see, it even has an icon. You can try to decrypt all sections manually and recompute the header, but I want fast cracking. (Probably you already tried and observed that this new file -> y.exe is not working! OK, no big problem - he,he,he these are the words of tKC! - let's continue...)

3. Let's think a little: that's not a problem, this non-functional exe can be helpful! How? That's how -> you will disassemble it with W32Dasm and see where the code we are interested in is!

4. Quickly disassemble this fresh file, y.exe, with W32Dasm. WOW, we even have text information on the STRING Reference button. Great! What now? Now go to the API function GETLOCALTIME at W32Dasm address 4035DC; as I quickly observed, this is the place where we must modify some jump, boy! More precisely -> at 4035F1 jb 403620. Because we are gonna make a loader (for cracking in memory) we need just these data: 4035F1, jb (72).

5. Now make a file with Notepad - a *.rpp file for R!sc Patcher 1.4-1.5 (I use 1.4 coz it has more bytes to patch). Great cracker, this R!sc guy! Thank you man for your efforts to help us all! And thanks to all good soul crackers who didn't keep everything just for themselves! This *.rpp file looks like this:

---cut here for file loader.rpp - without this line---
F=optout.exe:
O=a.exe:
P=4035f1/72/eb:
$
---cut here for file loader.rpp - without this line---

So, we replace 72 (jb) with a permanent jump -> EB. Good, let's try our loader -> a.exe, but first set the clock to 2002! WOW, it's working well! From now on, optout.exe will never expire. You can even make a loader named optout.exe, rename the real optout.exe to main.exe, and always run it from the loader (in this case rename the lines in the loader script accordingly).

I assume that you memorized the method I used here: decrypt/unpack the exe, make a copy of the file $$temp$$.$$$ -> y.exe, disassemble it with W32Dasm and quickly find where to patch in memory with a loader (this is for when you cannot decrypt/unpack the exe of a program). I tried this method successfully with the Phrozen Crew viewers (nice, very nice!), with AZPR 3.0, 3.01, 3.11, Awave Studio 7.0 (new), the program above, etc...
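Step 1 above identifies the packer with a signature tool. The following is an added example, not part of the original tutorial and not how File Info works: a generic triage that reads the PE section table and flags the traits packed executables usually show (high-entropy data, sections that are both writable and executable, executable sections with nothing on disk). The 7.0 bits/byte threshold, the `.packed` section name and both sample images are constructed assumptions.

```python
import hashlib
import math
import struct

SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def sections(image: bytes):
    """Yield (name, virtual_size, raw_size, flags, raw_bytes) per PE section."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)       # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (count,) = struct.unpack_from("<H", image, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size     # section table follows the optional header
    for i in range(count):
        base = table + 40 * i
        name, vsize, _rva, rsize, rptr = struct.unpack_from("<8sIIII", image, base)
        (flags,) = struct.unpack_from("<I", image, base + 36)
        yield (name.rstrip(b"\0").decode("latin-1"), vsize, rsize, flags,
               image[rptr:rptr + rsize])


def triage(image: bytes) -> dict:
    """Return {section name: [reasons]} for sections that look packed."""
    findings = {}
    for name, vsize, rsize, flags, raw in sections(image):
        reasons = []
        if entropy(raw) > 7.0:          # assumed threshold for compressed data
            reasons.append("high entropy")
        if flags & SCN_EXECUTE and flags & SCN_WRITE:
            reasons.append("writable and executable")
        if rsize == 0 and vsize > 0 and flags & SCN_EXECUTE:
            reasons.append("executable section with no data on disk")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample(spec) -> bytes:
    """Constructed minimal PE image from (name, flags, virtual_size, data) tuples."""
    opt = b"\0" * 224                   # optional header left zeroed; not parsed here
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(spec), 0, 0, 0, len(opt), 0x102)
    table, body = b"", b""
    ptr = len(dos) + len(coff) + len(opt) + 40 * len(spec)
    for i, (name, flags, vsize, data) in enumerate(spec):
        table += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000 * (i + 1),
                             len(data), ptr, 0, 0, 0, 0, flags)
        body += data
        ptr += len(data)
    return dos + coff + opt + table + body


# Constructed inputs: repetitive "code" bytes and hash output standing in for packed data.
CODE = b"\x55\x8b\xec\x90" * 1024
NOISE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
RX, RW = SCN_EXECUTE | SCN_READ, SCN_READ | SCN_WRITE
RWX = RX | SCN_WRITE

PLAIN = build_sample([(b".text", RX, 0x1000, CODE), (b".data", RW, 0x200, b"\0" * 512)])
PACKED = build_sample([(b".text", RWX, 0x8000, b""), (b".packed", RWX, 0x1000, NOISE)])

if __name__ == "__main__":
    for label, img in (("plain", PLAIN), ("packed", PACKED)):
        print(label, triage(img))
```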
----------------
Greets: tKC & CIA (nice guys!), to all crackers, PRO or newbies, all cracker teams (keep going, all must become free), we are great guys, and nice too. I love you all but be a good soul!

Romanian Greets: All the best to the big-hearted people of Romania! Better days will come! Try to evolve spiritually if you want to be happy!

At last, but from all my heart: I love you Heavenly Father, I know you are with me all the time! God is pure love!

Try this: www.geocities.com/john_aum
Incredible infos for YOUR EYES ONLY!
Critics, comments, anything at: johnny_aum@yahoo.com
---------------Sorry if my english is not perfect!------------------------------


How to crack Aspack 2.1 (keep unexpired)

Target: Aspack 2.1 (exe with 222720 bytes)
WWW: http://www.aspack.com
Cracker: --..__J_o_h_n_n_y__A_U_M__..--
Protections to be removed: expiration
Tools: ConfigSafe (old versions good too) & Windows commander 4.03

First: this tutorial is to help the guys who cannot keep using Aspack. So, this tutorial is not about cracking/patching this program, but about keeping it unexpired forever. In the case of this program, until now I was not able to crack/patch it definitively.

A small help for guys who want to crack Aspack with SoftICE: with hiew, replace at 362B7: 3D -> 00 (nearby you see the words "Debugger detected" in hiew) so that it never senses the presence of SoftICE (this works on other old programs protected with AsProtect).

1. I will use ConfigSafe to quickly see where Aspack is storing its infos about time expiration. So I can observe that the exe is taking the time from win.ini, if I remember well. So, to test how this program looks when expired, you must first change the clock to 2002 and then restart the PC. Good, remember this.

2. The infos from the Registry (because they are stored in the Registry) look like this:

  [HKEY_USERS\.Default\Software\ASPack]
  "Option"=hex:f2,96,e6,60,12,ec,e1,40     <----- here is the string about when to expire
  "VersionNum"="2.1"

3. We think that if we remove these hex data from the string and then reintroduce the modified data (reg file) into the Registry, maybe Aspack will think it has been installed for the first time - "30 days" remaining.

4. Here's the new file -> 1.reg:

---cut from here without this line---
REGEDIT4

[HKEY_USERS\.Default\Software\ASPack]
"Option"=hex:
"VersionNum"="2.1"
---cut from here without this line---

5. Save it as 1.reg and every time Aspack is "30 days over", press on this file first. Of course, you can automate this with a *.bat file and a pascal proggie (or other language) in such a way that every time Aspack is started, the infos from 1.reg are introduced into the Registry (so you don't need to press the file 1.reg and then aspack.exe). OK, my job is done!

PS. You can make a loader for replacing the word "UNREGISTERED" with your name; here's the source of a R!sc Patcher 1.4 loader (a *.rpp file with my name - try this first):

---cut here for a.rpp---
F=aspack.exe:
O=a.exe:
P=4591b2/55,4e,52,45,47,49,53,54,45,52,45,44/20,4a,6f,68,6e,6e,79,20,41,55,4d,20:
$
---cut here for a.rpp---


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
TrayIcon version 3.1.153
A Cracking Tutorial by ASTAGA [D4C/C4A]

ABOUT THE PROGRAM

TrayIcon is a Windows 95/NT 32-bit program that was developed to provide one-click access to programs using the Windows 95 system tray. Using TrayIcon, you can add icons to the system tray to quickly launch your favorite programs. In addition to adding applications to the system tray, there are two kinds of special icon you can add:

- DeskAccess Icon: When you click on this icon it will open a window showing you the icons on your desktop. Just click on the application or document you want to open.
- Dial-up Networking Icon: When you click on this icon it will open a window listing all Dial-up Networking connections on your computer. You can then select and open one of these connections.

WHERE TO DOWNLOAD

  Author        : MetaProducts Corporation
  Homepage      : http://www.metaproducts.com
  URL           : http://www.metaproducts.com/download/tcsetup.exe
  Size          : 382 KB
  Download date : July 01,2000

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

1. Run TRAYICON.EXE, click the REGISTER button, then type the following infos :

     Reg Name : Pirates Order
     Reg Code : 907361205

   Don't click the OK button yet.

2. Fire up SoftIce [ ctrl+D ] and set a new breakpoint :

     bpx GetWindowTextA [enter]

   Press F5 to return to the main program. Click the OK button, and when you are returned back into SoftIce press F11, F5, F11. If nothing goes wrong you should land and see the code below :

   _____________________________________________________________
   00421B3C: FF15A4934200   call   GetWindowTextA
   00421B42: 8B4D10         mov    ecx,[ebp][00010]
   00421B45: 6AFF           push   0FF
   00421B47: E813D5FFFF     call   00041F05F
   00421B4C: EB0B           jmps   000421B59          <== jump here
   00421B4E: 8B4510         mov    eax,[ebp][00010]
   00421B51: FF30           push   d,[eax]
   00421B53: 56             push   esi
   00421B54: E890F2FFFF     call   000420DE9
   00421B59: 5F             pop    edi                <== ret jump
   00421B5A: 5E             pop    esi
   00421B5B: 5D             pop    ebp
   00421B5C: C20C00         retn   0000C              ;" "
   .........
   .........
   _________________TRAYICON! text+00020B3C___________________

3. Press F10 3 times - at 0137:00421B4C - and type :

     D ECX [enter]

   You'll see 907361205 in the Data Window. If you scroll up one line you'll see your registration name too.

4. Keep going, press F10 32 times - at 0137:408E06 - and type :

     D ECX [enter]

   Again, you'll see your fake registration code in the Data Window. Now, let's check the SS Register. In my case the SS Register looks like this :

     SS 0067F584=33373039

   To see the contents of the SS Register you can move your mouse close to the 33373039, then Right Click and choose DISPLAY, or in the Command Line type :

     ? 33373039 [enter]

   SoftIce will respond :

     33373039 085254841 "3709"     <== part of our fake code in reverse order!

   At this step I can feel that the correct registration code will be stored in ECX. At the 34th press of F10 ( at 0137:408E0A ), if you dump the ECX register you'll again see the fake code in the Data Window.

5. Press F10 once and stop at :

     0137:00408E0B 50         push eax          <== here
     0137:00408E0A 50         push eax
     0137:00408E0B 8D4594     lea  eax,[ebp][-006C]

   Let's check the SS Register. In my case the SS Register looks as follows :

     SS 0067F558=61726950

   As you've done before ( step 4 ), type :

     ? 61726950 [enter]

   SoftIce will respond :

     61726950 1634888016 "ariP"     <== part of our Reg. Name in reverse order!

6. At the 38th press of F10, stop at :

     0137:00408E14 59         pop  ecx          <=== STOP HERE!
     0137:00408E15 85C0       test eax,eax
     0137:00408E17 59         pop  ecx
     0137:00408E18 745D       je   000408E77

   In the Command Line, type :

     ? ECX [enter]

   SoftIce will respond :

     0000250B 0000009483 "% "

   As I told you before, I am curious about the contents of the ECX Register, because if you continue pressing F10 and dump ECX you will always get your fake reg. code. So why don't we try 9483 as our valid reg. code ?

7. Disable the current existing breakpoint(s) by typing :

     BD * [enter]

   Press F5 to return to the program.

8. Repeat the registration procedure and key in 9483 as your registration code. Click the OK button. Yeah .... it will be confirmed with the classic " Thank you for Registering your copy of TrayIcon " message. Of course the Author will lose his USD$15.00 by your illegal registration method, so don't be a Lamer!

END NOTES

I HOLD NO RESPONSIBILITIES ( IN ANY SHAPE OR WHATSOEVER ) OF THE MISUSE ILLEGAL DISTRIBUTABLE REGISTRATION CODES FROM THIS TUTE. I'VE WARNED YOU, AS WELL AS THE AUTHOR THAT PERPETRATORS OF SOFTWARE PIRACY / ILLEGAL USERS OF THIS SOFTWARE WILL BE PROSECUTED BY ALL MEANS TO THE FULLEST EXTENT OF THE LAW.
_ Never attribute to malice that which is adequately explained by stupidity _

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: Register, pay up, and smile/grin at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s) crack release, repacking (distro) them under his name. Adopted from newsgroup alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):
lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

ASTAGA [D4C/C4A]
[EOF]


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
TrayIcon Menu v1.0.33
A Cracking Tutorial by ASTAGA [D4C/C4A]

ABOUT THE PROGRAM

TrayIcon Menu is a Windows 95/NT 32-bit program that was developed to let you quickly run your favorite application directly from the Windows 95 system tray. TrayIcon Menu adds a single icon to the tray which, when clicked, displays a menu to which you can add links to your favorite applications. In addition to adding applications to the menu, there are a few kinds of special icon you can add:

- Desktop Icon: When you select this icon in the menu, it will open a window showing you the icons on your desktop. Just click on the program or document you want to open.
- Dial-up Networking Icon: When you select this icon in the menu, it will open a window listing all Dial-up Networking connections on your computer. You can then select and open one of these connections.
- Control Panel Icon: When you select this icon in the menu, you can start up a Control Panel applet, just as if you'd selected it from the Control Panel itself.

WHERE TO DOWNLOAD

  Author        : MetaProducts Corporation
  Homepage      : http://www.metaproducts.com
  URL           : http://www.metaproducts.com/download/tmsetup.exe
  Size          : 382 KB
  Download date : July 01,2000

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

1. Run TM.EXE, click the REGISTER button, then type the following infos :

     Reg Name : Pirates Order
     Reg Code : 907361205
     Lic Type : Site License

   Don't click the OK button yet.

2. Fire up SoftIce [ ctrl+D ] and set a new breakpoint :

     bpx GetDlgItemTextA [enter]

   Press F5 to return to the main program. Click the OK button, and when you are returned back into SoftIce press F11, F5, F11. If nothing goes wrong you should land and see the code below :

   _____________________________________________________________
   004296FF: FFD3           call   ebx
   00429701: 8B4608         mov    eax,[esi][00008]       <== you land here
   00429704: 8B3D84634300   mov    edi,[000436384]
   0042970A: 33DB           xor    ebx,ebx
   0042970C: 53             push   ebx
   0042970D: 53             push   ebx
   0042970E: 6847010000     push   000000147              ;" G"
   00429713: 68F0030000     push   0000003F0              ;" _"
   00429718: 50             push   eax
   00429719: FFD7           call   edi
   0042971B: 8B4E08         mov    ecx,[esi][00008]
   0042971E: 53             push   ebx
   .....
   .....
   00429739: 8D85F0FDFFFF   lea    eax,[ebp][0FFFFFDF0]
   0042973F: 50             push   eax
   00429740: E8DA93FFFF     call   000422B1F
   00429745: 83C410         add    esp,010                ;"" <== Stop Here
   00429748: 84C0           test   al,al
   0042974A: 0F840C010000   je     00042985C              <== Patch here ?
   00429750: 895DE8         mov    [ebp][-0018],ebx
   00429753: 895DFC         mov    [ebp][-0004],ebx
   00429756: E88C26FEFF     call   00040BDE7
   0042975B: 8B08           mov    ecx,[eax]
   ______________________________________________________________

3. At the location where you land in SoftIce, type :

     D ESP [enter]

   You'll see 907361205 ( our fake code ) copied in the Data Window around the memory addresses 013F:0069EA74 up to 013F:0069EB44. This time I would like to keep this tutorial simple, so you don't have to dump/display where or what changes in the Register Flag(s).

4. Keep going, press F10 24 times and stop at 0137:00429745 - and watch the Data Window. Did you see 556574-643943341-NY ? If you scroll up 3-4 lines you'll see your Registration Name too.

5. Don't go further. Above we entered Site License, so what will happen if we change it to Single-User License without changing the fake Reg. Code ? Disable the current existing breakpoint :

     BD * [enter]

   Press F5 to return to the Registration Window and click OK when the 'beggar-off' message appears. Still in the registration window, change the license type to Single-User License. Don't press the OK button yet.

6. Fire up SoftIce by pressing [CTRL+D], and enable the breakpoint :

     BE * [enter]

   Press F5 to return to the main program. Click the OK button NOW. You'll be back in SoftIce, landed at 0137:00429701 - if necessary dump the ESP register again. Press F10 24 times, exactly the same way as I described in step 4. Did you see 538633-643936679-MQ in the Data Window ? I think IT SHOULD BE!

7. Disable the breakpoint and return to the registration window, and key in those two suspected registration codes. Yeah .... it will be confirmed with the classic " Thank you for Registering your copy of TrayIcon.. " message. Of course the Author will lose his USD$15.00 by your illegal registration method, so don't be a PIRATE!
ASTAGA [D4C/C4A]
[EOF]


How to find a Serial and make a Keygen in Add/Remove Cleaner v2.3
by tKC/CiA 2000

Target: http://distortions.com/software/addrmclr.exe

A while ago, a newbie told me that his serial number doesn't work. The application accepted his serial number but the Register Button didn't disappear / get grayed. For a moment I thought this might be a bug or that his Username is too short. So he asked me to take a look at it and write a tutor if possible. He gave me this:

  RegName: a
  Serial:  a1012ae

Ok, let's go.. What we'll need to start is SoftICE..

Step 1. Since this program is piss easy, I won't explain where to start; to save our time, we'll make use of ShowWindow in SI at Virtual Address: 448EDF. Now start your program and click I'll Register Later. Now go to SI (CTRL-D) and type: BPX showwindow.

Step 2. Back in the program, click Register. You should be back in SI, now type BD* to disable all the breakpoints. Then type G 448EDF. Back in the program, type your name: a and your serial: 696969. Click the Done Button. Now you should be back in SI at:

  :00448EDF E888E3FDFF     call 0042726C
  :00448EE4 8B45F4         mov eax, dword ptr [ebp-0C]
  :00448EE7 E80CACFBFF     call 00403AF8
  :00448EEC 69F0F4030000   imul esi, eax, 000003F4
  :00448EF2 8D45F4         lea eax, dword ptr [ebp-0C]
  :00448EF5 50             push eax
  :00448EF6 8D55F0         lea edx, dword ptr [ebp-10]
  :00448EF9 8B83CC020000   mov eax, dword ptr [ebx+000002CC]
  :00448EFF E868E3FDFF     call 0042726C
  :00448F04 8B45F0         mov eax, dword ptr [ebp-10]
  :00448F07 B901000000     mov ecx, 00000001
  :00448F0C 33D2           xor edx, edx
  :00448F0E E8E9ADFBFF     call 00403CFC
  :00448F13 FF75F4         push [ebp-0C]
  :00448F16 8D55EC         lea edx, dword ptr [ebp-14]
  :00448F19 8BC6           mov eax, esi
  :00448F1B E84CE9FBFF     call 0040786C
  :00448F20 FF75EC         push [ebp-14]
  :00448F23 8D45F0         lea eax, dword ptr [ebp-10]
  :00448F26 50             push eax
  :00448F27 8D55E8         lea edx, dword ptr [ebp-18]
  :00448F2A 8B83CC020000   mov eax, dword ptr [ebx+000002CC]
  :00448F30 E837E3FDFF     call 0042726C
  :00448F35 8B45E8         mov eax, dword ptr [ebp-18]
  :00448F38 B901000000     mov ecx, 00000001
  :00448F3D 33D2           xor edx, edx
  :00448F3F E8B8ADFBFF     call 00403CFC
  :00448F44 FF75F0         push [ebp-10]
  :00448F47 68A0904400     push 004490A0
  :00448F4C 8D45FC         lea eax, dword ptr [ebp-04]
  :00448F4F BA04000000     mov edx, 00000004
  :00448F54 E85FACFBFF     call 00403BB8
  :00448F59 8D55EC         lea edx, dword ptr [ebp-14]
  :00448F5C 8B45FC         mov eax, dword ptr [ebp-04]
  :00448F5F E864E6FBFF     call 004075C8
  :00448F64 8B45EC         mov eax, dword ptr [ebp-14]
  :00448F67 50             push eax

Step 3. Now trace down till address 448F5F, then type D EAX and you will see "a1012aE" in the Data Window. This is a CORRECT serial. Keep this serial in mind.

Step 4. Now trace down till address 448F67, type D EAX and you'll see "A1012AE" in the Data Window. Another serial? No and Yes!

Step 5. Now what the fuck? What I couldn't figure out is that the program doesn't accept serials in LowerCase or UpperCase! You can try typing "a1012ae" or "A1012AE", you'll notice the Register Button will NOT be grayed. By the way, this is one of the lame protections I've ever seen. Now the trick is:

  Name: a
  Code: x1012xE

(where x is the first letter of your name, case sensitive, and "E" must be Uppercase!) Because there is 1 letter in your name, it'll be 1012; if there are 2 letters in the name then 2024, and so on..

Step 6. So now our real serial is "a1012aE". Try it, working? Good!

Step 7. I figured it out with my Name (without using SI) as "The Keyboard Caper" and my serial would be "T18216TE"; this program accepted it! Now what about making a lame keygen in Delphi for fun? =)

Step 8: Here below are my 2 source codes for Delphi:

1) Source Code without GUI: called keygen.dpr (no units used)

---------------------------------------------------------------------
program keygen;
{$APPTYPE CONSOLE}
uses SysUtils;

var
  A, B: string;
  C: integer;

begin
  writeln('Keygen for Add/Remove Cleaner v2.3 by tKC/CiA 2000');
  writeln;
  write('Your Name: ');
  readln(A);
  if length(A)=0 then
  begin
    writeln('ERROR: No name given!');
    halt;
  end;
  C:=length(A) * 1012;
  B:=copy(A,1,1);
  writeln('Your Serial: ' + B + inttostr(C) + B + 'E');
end.
---------------------------------------------------------------------

2) Source Code with GUI: called keygen2.dpr (no units used)

---------------------------------------------------------------------
program keygen2;
uses Windows, Messages, SysUtils;

const crackfor : pchar = 'Program: Add/Remove Cleaner v2.3';
const cracker : pchar = 'Cracker: The Keyboard Caper';
const datum : pchar = 'Cracked: 10 July 2000';
const msg1 : pchar = 'No Name given!';
const msg2 : pchar = 'Calculated!';

var
  WinClass: TWndClassA;
  Edit2, Edit1, Inst, Handle, Button1, Button2,
  Label1, Label2, Label3, Label4: Integer;
  Msg: TMsg;
  hFont, hFont2: Integer;

var
  A,B,D:string;
  C:integer;

procedure Check;
var
  Textlength: Integer;
  Text: pchar;
begin
  TextLength := GetWindowTextLength(Edit1);
  if TextLength < 1 then
  begin
    SetWindowText(Label4, msg1);
    exit;
  end;
  GetMem(Text,Textlength + 1);
  GetWindowText(Edit1, Text, TextLength + 1);
  A:=Text;
  if A='Enter your Name here...' then
  begin
    SetWindowText(Label4, msg1);
    exit;
  end;
  C:=length(A) * 1012;
  B:=copy(A,1,1);
  D:=B + inttostr(C) + B + 'E';
  SetWindowText(Label4, msg2);
  SetWindowText(Edit2, pchar(D));
end;

function WindowProc(hWnd, uMsg, wParam, lParam: Integer): Integer; stdcall;
begin
  Result := DefWindowProc(hWnd, uMsg, wParam, lParam);
  if (lParam = Button1) and (uMsg = WM_COMMAND) then Check;
  if (lParam = Button2) and (uMsg = WM_COMMAND) then halt;
  if uMsg = WM_DESTROY then halt;
end;

begin
  Inst := hInstance;
  with WinClass do
  begin
    style := CS_CLASSDC or CS_PARENTDC;
    lpfnWndProc := @WindowProc;
    hInstance := Inst;
    hbrBackground := color_btnface + 1;
    lpszClassname := 'tKC';
    hCursor := LoadCursor(0, IDC_ARROW);
  end;
  RegisterClass(WinClass);
  Handle := CreateWindowEx(WS_EX_WINDOWEDGE, 'tKC','KG for Add/Remove Cleaner v2.3',
    WS_VISIBLE{ or WS_SIZEBOX} or WS_CAPTION or WS_SYSMENU,
    383, 278, 255, 155, 0, 0, Inst, nil);
  Button1 := CreateWindow('Button', 'Do it!',
    WS_VISIBLE or WS_CHILD or BS_PUSHLIKE or BS_TEXT,
    196, 8, 45, 23, handle, 0, Inst, nil);
  Button2 := CreateWindow('Button', 'Exit!',
    WS_VISIBLE or WS_CHILD or BS_PUSHLIKE or BS_TEXT,
    196, 39, 45, 23, handle, 0, Inst, nil);
  Label1 := Createwindow('Static', '', WS_VISIBLE or WS_CHILD or SS_LEFT,
    5, 5, 190, 13, Handle, 0, Inst, nil);
  Label2 := Createwindow('Static', '', WS_VISIBLE or WS_CHILD or SS_LEFT,
    5, 20, 190, 13, Handle, 0, Inst, nil);
  Label3:= Createwindow('Static', '', WS_VISIBLE or WS_CHILD or SS_LEFT,
    5, 35, 190, 13, Handle, 0, Inst, nil);
  Label4:= Createwindow('Static', '', WS_VISIBLE or WS_CHILD or SS_LEFT,
    5, 53, 190, 13, Handle, 0, Inst, nil);
  Edit1 := CreateWindowEx(WS_EX_CLIENTEDGE,'Edit', 'Enter your Name here...',
    WS_VISIBLE or WS_CHILD or WS_BORDER or BS_TEXT,
    10, 73, 228, 21, handle, 0, Inst, nil);
  Edit2 := CreateWindowEx(WS_EX_CLIENTEDGE,'Edit', 'Your Code...',
    WS_VISIBLE or WS_CHILD or WS_BORDER or BS_TEXT,
    10, 103, 228, 21, handle, 0, Inst, nil);
  hFont := CreateFont(-11, 0, 0, 0, 400, 0, 0, 0, DEFAULT_CHARSET,
    OUT_DEFAULT_PRECIS, CLIP_DEFAULT_PRECIS, DEFAULT_QUALITY,
    DEFAULT_PITCH or FF_DONTCARE, 'MS Sans Serif');
  hFont2 := CreateFont(-11, 0, 0, 0, 700, 0, 0, 0, DEFAULT_CHARSET,
    OUT_DEFAULT_PRECIS, CLIP_DEFAULT_PRECIS, DEFAULT_QUALITY,
    DEFAULT_PITCH or FF_DONTCARE, 'MS Sans Serif');
  if hFont <> 0 then
  begin
    SendMessage(Edit1, WM_SETFONT, hFont, 0);
    SendMessage(Edit2, WM_SETFONT, hFont, 0);
    SendMessage(Button1, WM_SETFONT, hFont, 0);
    SendMessage(Button2, WM_SETFONT, hFont, 0);
    SendMessage(Label1, WM_SETFONT, hFont, 0);
    SendMessage(Label2, WM_SETFONT, hFont, 0);
    SendMessage(Label3, WM_SETFONT, hFont, 0);
    SendMessage(Label4, WM_SETFONT, hFont2, 0);
  end;
  SetWindowText(Label1, CrackFor);
  SetWindowText(Label2, Cracker);
  SetWindowText(Label3, Datum);
  UpdateWindow(Handle);
  while(GetMessage(Msg, Handle, 0, 0)) do
  begin
    TranslateMessage(msg);
    DispatchMessage(msg);
  end;
end.
---------------------------------------------------------------------

Enjoy it,
tKC...
tkc@reaper.org

I really hope you've enjoyed this tutorial as much as I did!
Don't miss Tutor #92 soon! ;)

Credits go to:
  Johnny Aum for Splash Logo.
  ASTAGA for providing 2 tuts in this version.
  Johnny Aum for providing 2 tuts in this version.
  tKC for providing a tut in this version.

To ALL the crackers:
You are welcome to send me your tutors to publish them - see below for my email address!
*** 95 chars per line in textfile please! ***

And all the tutors can be found at: http://www.crackersinaction.org (or on IRC, ask CiA ops for urls!)

Greetz go to all my friends!
You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000
Compiled with Delphi 5 on 20 July 2000

Cracking Tutorial #91 is dedicated to Ginny...
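The two TrayIcon walkthroughs and the Add/Remove Cleaner one succeed for the same reason: the program itself derives the valid code for the entered name and compares it with the input, so the expected value can be read from memory or recomputed. The following is an added example, not code from these tutorials or from either vendor: a licence check in which the client only verifies a vendor signature over the name and licence type with a public key. It uses the RSASSA-PKCS1-v1_5 encoding with SHA-256; the key is a constructed toy key built from two well-known Mersenne primes (not secure), and every function and field name is hypothetical.

```python
import hashlib
import hmac
import re

# Constructed toy key, NOT secure: both primes are well-known Mersenne primes.
_P, _Q = 2**521 - 1, 2**607 - 1
N = _P * _Q                      # public modulus, embedded in the client
E = 65537                        # public exponent, embedded in the client
K = (N.bit_length() + 7) // 8    # modulus length in bytes
_D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent: vendor signing host only

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
_KEY_RE = re.compile(r"[0-9A-Fa-f]{%d}" % (2 * K))


def _encode(name: str, licence_type: str) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of the licensed fields, exactly K bytes."""
    fields = [name.encode("utf-8"), licence_type.encode("utf-8")]
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    t = _SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def issue_licence(name: str, licence_type: str) -> str:
    """Vendor side: sign the fields. Uses _D, which never ships to customers."""
    m = int.from_bytes(_encode(name, licence_type), "big")
    return format(pow(m, _D, N), "0%dx" % (2 * K))


def verify_licence(name: str, licence_type: str, key: str) -> bool:
    """Client side: needs only N and E and never computes a valid key itself."""
    key = key.strip()
    if not _KEY_RE.fullmatch(key):       # wrong length or non-hex input
        return False
    s = int(key, 16)                     # hex parsing ignores letter case
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    # Compare against the re-encoded message instead of parsing the padding.
    return hmac.compare_digest(recovered, _encode(name, licence_type))


if __name__ == "__main__":
    demo = issue_licence("The Keyboard Caper", "single-user")
    print(demo[:32] + "...", verify_licence("The Keyboard Caper", "single-user", demo))
```

A debugger attached to `verify_licence` sees only the public key and the user's own input, so there is no valid code to read out and nothing a keygen can recompute. This does not address patching of the branch that consumes the result, as in the OptOut loader, which is a separate code-integrity problem.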