Welcome to Cracking Tutorial #93!

Hiya guys, sorry for the delays, again I was busy with coding and all that... Here's tut93.tKC... OK, let's rave! ...or crack, babes? :)

You'll need the following tools (I use these, so I assume you'll use them too; you won't need every one of them for every example, but keep them handy):

   SoftICE v4.05
   W32Dasm v8.93
   Hacker's View (Hiew) v6.55
   SmartCheck v6.03
   ProcDump32 v1.6.2
   TRW2000 v1.22
   IDA v4.04
   Windows Commander v4.51 (I use it because it's easier to multitask)
   Delphi, VB, C++ or TASM to code a keygen or a patch

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good sites where you can grab tools from:

   http://protools.cjb.net
   http://w3.to/protools
   http://www.crackstore.com

or ask any cracker to get you these tools! Are you ready?! OK! ;)

========================================================================
Making a loader for IconForge 4.7 (crypted exe)
========================================================================

Target:                    IconForge 4.7
WWW:                       http://www.cursorarts.com
Cracker:                   --..__J_o_h_n_n_y__A_U_M__..--
Protections to be removed: expiration, nags, others
Tools:                     Deshrink 1.6, R!sc Process Patcher, Hiew, W32Dasm, SoftICE & Windows Commander 4.03

--------Motto for my actions:-------
I'm for peace, love and prosperity and one global nation but without money to divide us and without ego, who keeps men separated! Be a man of good sense - be naturally, be divine! Try to progress on spiritual way! No God, no freedom! I'm against tyranny under any form, against mondial iudeo-masonic occult domination and against infiltrated bad rase of aliens! Out with Satan from this planet! Real happiness, free and freedom for all!
--------

Yeah, I know a previous version of IconForge (4.6) was also cracked by me in a tut, but it's interesting to see the differences from one version to the next, and how to crack a future version when you already know some of its data, plus some new approaches. Also, tKC said he's interested in this program too, so why not play a little?
More, this will be not only a lesson on how to crack but on how to make loaders too. Yeah, why bother with cracks, decrypting, etc., when it's simpler with a loader on the original software, eh?

A. Cracking the program to find the significant data for the loader
----------------------------------------------------------------

1. Removing the first two nags with the boring stuff... you know, registering... etc.

Disassemble with W32Dasm a copy of IconForge.exe that was decrypted beforehand with Deshrink. A copy named y.exe, for instance (many will say "hey, Johnny, a program doesn't always work correctly when you rename it"; I know, Awave Studio 7.0 for example).

What do we know? We know this group of instructions from version 4.6 (in the nag code). Search for it, or better, search for the hex string below in Hiew, because that's faster than W32Dasm:

   64FF30   push dword ptr fs:[eax]        <-- these instructions are common to both
   648920   mov dword ptr fs:[eax], esp        versions of IconForge (it is the
   B001     mov al, 01                         standard Delphi exception-frame setup)

The hex string is "64 FF 30 64 89 20 B0 01". We find it at FCB86 (Hiew). Now look at the code around it (Hiew offsets; the bytes decoded into instructions):

   FCB72: 8BC0          mov eax, eax
   FCB74: 55            push ebp                   <-- here starts the function with the nags etc.
   FCB75: 8BEC          mov ebp, esp
   FCB77: 6A00          push 00
   FCB79: 6A00          push 00
   FCB7B: 53            push ebx
   FCB7C: 8BD8          mov ebx, eax
   FCB7E: 33C0          xor eax, eax
   FCB80: 55            push ebp
   FCB81: 6854CC4F00    push 004FCC54
   FCB86: 64FF30        push dword ptr fs:[eax]    <-- our string starts here
   FCB89: 648920        mov dword ptr fs:[eax], esp
   FCB8C: B001          mov al, 01
   FCB8E: E8........    call ...                   <-- and ends here

This piece of code is the one that interests us, and it is more or less like the 4.6 version, except that there are no text strings in W32Dasm this time (that's the reason I searched by bytes). You also see that at FCB74 (4FCB74 in W32Dasm) there is no call with a descriptive name, because it's a Delphi program.

OK, let's make 55 -> C3 (FCB74 in Hiew). The push ebp becomes a ret, so the whole nag function returns before it does anything. Good job, because the nags are history now!

2. The final nag, with that laughing man, but not for much longer. My old trick doesn't work in this new version, which could be a sign that the author saw my tut.
OK, no big deal, we set some breakpoints in SoftICE like this: bpx LoadBitmap and bpx LoadBitmapA. Bingo! Press F11 to get to the caller, which is at W32Dasm address 521DFB. Now look at this piece of W32Dasm code. (W32Dasm is out of sync from 521DB1 to 521DD5 and shows byte soup there; the real prologue 8BC0 55 8BEC starts at 521DD6. The only thing we need from the out-of-sync part is the jump at 521DAF, which I tested directly.)

:00521DAF 7444                   je 00521DF5      <-- here is the jump we're interested in
...
:00521DDB 6A00                   push 00000000
:00521DDD 53                     push ebx
:00521DDE 8BD8                   mov ebx, eax
:00521DE0 33C0                   xor eax, eax
:00521DE2 55                     push ebp
:00521DE3 686F1E5200             push 00521E6F
:00521DE8 64FF30                 push dword ptr fs:[eax]
:00521DEB 648920                 mov dword ptr fs:[eax], esp

* Possible StringData Ref from Code Obj ->"Teddy"   <-- Teddy, the laughing man, says goodbye from now on!
|
:00521DEE 687C1E5200             push 00521E7C
:00521DF3 A188845800             mov eax, dword ptr [00588488]
:00521DF8 8B00                   mov eax, dword ptr [eax]
:00521DFA 50                     push eax

* Reference To: user32.LoadBitmapA, Ord:0000h
|
:00521DFB E8304AEEFF             Call 00406830    <-- here's the function we breakpointed in SoftICE
:00521E00 50                     push eax

You can see the jump I've marked above. Let's change 74 -> EB (je becomes an unconditional short jmp) to skip the bitmap and abort displaying the final nag. Don't ask how I reached this conclusion, I just tried it first (Hiew 121DAF). OK, the laughing man just passed away.

3. Expiration problem. Well, it's not a problem for me. Either you make a reg file to postpone the date by some hundreds of years (like in 4.6), or you do it this new way, which is easier.
Look at this code from W32Dasm (I located it by the registry key where the proggie stores its trial dates):

:004F7AC0 E8E7E8F4FF             call 004463AC
:004F7AC5 B101                   mov cl, 01

* Possible StringData Ref from Code Obj ->"CLSID\{A6421B4F-3D7C-602C-1543-7D453980F32A}"
|
:004F7AC7 BA847D4F00             mov edx, 004F7D84
:004F7ACC 8BC3                   mov eax, ebx     <-- you see, here's the change we're going to make
:004F7ACE E86DEAF4FF             call 00446540
:004F7AD3 6A00                   push 00000000
:004F7AD5 33C9                   xor ecx, ecx

* Possible StringData Ref from Code Obj ->"defaulticon"
|
:004F7AD7 BABC7D4F00             mov edx, 004F7DBC
:004F7ADC 8BC3                   mov eax, ebx
:004F7ADE E841F4F4FF             call 00446F24
:004F7AE3 8B55FC                 mov edx, dword ptr [ebp-04]
:004F7AE6 898220070000           mov dword ptr [edx+00000720], eax

* Possible StringData Ref from Code Obj ->"InfoTip"
|
:004F7AEC BAD07D4F00             mov edx, 004F7DD0
:004F7AF1 8BC3                   mov eax, ebx

See my note above. So we see this: eax takes the value of ebx, and if ebx = 0 then eax = 0, right? eax = 0 means IconForge is running for the first time and must store the first trial date there (in the registry key above). OK, we'll do this: instead of mov eax, ebx we put 33C0 (xor eax, eax). Yes, this means eax is 0 every time, so IconForge 4.7 will always start as if it were the first day of the trial (Hiew address F7ACC). Good, it works and expiration is not possible now. Keep going for the next issue.

4. The characters on the regbar (the maroon one with "Trial version - day 0"). We could do it like in version 4.6 (see that tut), but let's try something else now: don't display anything on the maroon regbar at all. "Don't display" must be connected somehow with the API function DrawTextA, right?
So I searched and found this interesting piece of code:

:0043F164 8D55E4                 lea edx, dword ptr [ebp-1C]
:0043F167 8BC3                   mov eax, ebx
:0043F169 E86E20FEFF             call 004211DC    <-- here's the processing of what to display
:0043F16E 8B45E4                 mov eax, dword ptr [ebp-1C]
:0043F171 E89A4EFCFF             call 00404010
:0043F176 50                     push eax
:0043F177 8BC6                   mov eax, esi
:0043F179 E8A285FDFF             call 00417720
:0043F17E 50                     push eax

* Reference To: user32.DrawTextA, Ord:0000h
|
:0043F17F E85C74FCFF             Call 004065E0
:0043F184 33C0                   xor eax, eax
:0043F186 5A                     pop edx

Now look at line 43F169, call 4211DC. I tried some changes around here and, guided a little by the ASM code, I found that I must cancel this call to display nothing on the regbar. Let's try the E8 -> B8 trick (Hiew 3F169): the 5-byte call E8 xx xx xx xx becomes the 5-byte mov eax, xxxxxxxx, so the call never happens and nothing else in the code shifts (same effect as nopping it with five 90s, but only one byte to change). Good, good, it worked just fine.

OK, that's all about collecting data for a loader (of course the regbar itself can be eliminated, but keep that as your homework, if you're good enough).

B. Making the promised loader:
------------------------------

1. Our W32Dasm addresses look like this (recap needed for the loader):

   4FCB74  55 -> C3   <-- removing the beginning nags (push ebp -> ret)
   521DAF  74 -> EB   <-- removing the final nag (je -> jmp short)
   4F7ACC  8B -> 33   <-- keeping it unexpired (mov eax, ebx -> xor eax, eax)
   4F7ACD  C3 -> C0
   43F169  E8 -> B8   <-- cancel displaying of dates on the regbar (call -> mov eax, imm32)

For this file the Hiew offsets are simply the W32Dasm addresses minus 400000h, and every patch replaces exactly as many bytes as it removes, so no other code moves.

2. And below is the text file a.rrp (R!sc Patcher file) made with Notepad (copy & paste it):

--cut from here - without this line----
F=iconforge.exe:
O=a.exe:
P=43F169/E8/B8:
P=4F7ACC/8B/33:
P=4f7ACD/C3/C0:
P=4FCB74/55/C3:
P=521DAF/74/EB:
$
--cut end here - without this line--

After making the file a.exe with R!sc Process Patcher 1.4-1.5, put it in the right subdirectory and run it directly. The loader starts the original (still crypted) iconforge.exe and applies the byte changes to the running process, so the file on disk stays untouched; that is why we collected the addresses from a decrypted copy but run the loader against the original.

OK, my job is done, bye!

PS. During cracking you can keep an eye from time to time (for some help) on my previous tut about IconForge 4.6 -> tKCtut 78/5.
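Added example, not part of the tutorial and not R!sc's tool: the loader above patches the process in memory, and the script below does the same bookkeeping for a file patch of a decrypted copy, which also covers the other patch lists in this tutorial (Count Down Timer, ArtGem, Repligator). It parses the a.rrp format shown above, converts each W32Dasm address to a file offset through the PE section table instead of assuming offset = VA - 400000h (true for the targets here, but not in general: many linkers store .text at file offset 400h while mapping it at RVA 1000h), and refuses to write a byte unless the byte on disk is the original the patch expects, which is the check that catches a wrong version or a still-crypted file. The sample.exe it builds is a constructed minimal PE, not a real program, laid out so that VA 401010h is at file offset 410h rather than 1010h.

```python
"""Apply an R!sc-style patch list (P=VA/old/new:) to a copy of a PE32 file. Added example."""
import struct

IMAGE_BASE_OFFSET = 28  # ImageBase is 28 bytes into a PE32 optional header


def parse_rrp(text):
    """Parse the a.rrp format above: F=input:, O=output:, P=VA/old/new:, '$' ends the list."""
    spec = {"F": None, "O": None, "P": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):   # blank lines and the "--cut" markers
            continue
        if line == "$":                        # end-of-list marker
            break
        key, _, value = line.partition("=")
        value = value.rstrip(":")
        if key in ("F", "O"):
            spec[key] = value
        elif key == "P":
            va, old, new = value.split("/")
            spec["P"].append((int(va, 16), int(old, 16), int(new, 16)))
        else:
            raise ValueError("unknown line in patch file: %r" % raw)
    return spec


def pe_layout(data):
    """Return (image_base, [(rva, vsize, raw_ptr, raw_size), ...]) from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing (still packed or crypted?)")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + IMAGE_BASE_OFFSET)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i          # section headers follow the optional header
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((rva, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_offset(data, va):
    """Map a W32Dasm virtual address to a file offset through the section table."""
    image_base, sections = pe_layout(data)
    rva = va - image_base
    for sect_rva, vsize, raw_ptr, raw_size in sections:
        if sect_rva <= rva < sect_rva + max(vsize, raw_size):
            delta = rva - sect_rva
            if delta >= raw_size:              # e.g. .bss: exists in memory only
                raise ValueError("VA %#x is not backed by file data" % va)
            return raw_ptr + delta
    raise ValueError("VA %#x lies outside every section" % va)


def apply_patches(data, patches):
    """Return a patched copy; each patch must find the original byte it expects."""
    out = bytearray(data)
    for va, old, new in patches:
        off = va_to_offset(data, va)
        if out[off] != old:
            raise ValueError("VA %#x: expected %02X on disk, found %02X "
                             "(wrong version, or file still crypted?)" % (va, old, out[off]))
        out[off] = new                         # one byte in, one byte out: nothing shifts
    return bytes(out)


def build_sample_pe():
    """Constructed stand-in for a decrypted target (not a real program): one .text
    section at RVA 1000h stored at file offset 400h, so VA 401010h is at offset 410h."""
    dos = bytearray(b"MZ" + bytes(62))
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, IMAGE_BASE_OFFSET, 0x400000)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x1000, 0x1000, 0x200, 0x400)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    text = bytearray(0x200)
    text[0x10] = 0x55                                     # push ebp: a function entry
    text[0x20:0x22] = b"\x74\x44"                         # je short +44h
    return headers + bytes(0x400 - len(headers)) + bytes(text)


SAMPLE_RRP = """--cut from here - without this line----
F=sample.exe:
O=sample_patched.exe:
P=401010/55/C3:
P=401020/74/EB:
$
--cut end here - without this line--
"""

if __name__ == "__main__":                                # dry run on the constructed sample
    spec, data = parse_rrp(SAMPLE_RRP), build_sample_pe()
    for va, old, new in spec["P"]:
        print("VA %06X -> file offset %05X: %02X -> %02X" % (va, va_to_offset(data, va), old, new))
    apply_patches(data, spec["P"])
```

To use it on a real decrypted copy, read the file named in spec["F"], pass its bytes to apply_patches with spec["P"], and write the result to spec["O"]. The original-byte check is worth keeping even when patching by hand in Hiew: if the byte at the offset is not the one in the list, you are looking at the wrong version, the wrong file offset, or a copy that was not decrypted.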
Especially if you want that regbar to be yellow (but that works only if the exe file is cracked, not with the loader).

----------------
Greets: tKC & CIA (nice guys!), to all crackers, PRO or newbies, all cracker teams (keep going, we must liberate ourselves from iudeo-masonic tyranny, all must become free), we are great guys, and nice too. I love you all, but be a good soul!
Romanian Greets: All the best to the warm-hearted people of Romania! Better days will come! Try to evolve spiritually if you want to be happy!
At last, but from all my heart: I love you, Heavenly Father, I know you are with me all the time! God is pure love!
Try this: www.geocities.com/john_aum - incredible info for YOUR EYES ONLY!
Critics, comments, anything at: johnny_aum@yahoo.com
---------------Sorry if my english is not perfect!------------------------------

========================================================================
How to crack Count Down Timer 1.3a for a random serial
========================================================================

Target:                    Count Down Timer 1.3a (57344 bytes)
WWW:                       http://www.nettaxi.com/citizens/HackSoft/index.html
Cracker:                   --..__J_o_h_n_n_y__A_U_M__..--
Protections to be removed: unique type of serial
Tools:                     Hiew, W32Dasm & Windows Commander 4.03

I'm in a hurry, because I must send my tuts to tKC, I still need one more and the clock is running fast. So I picked a shareware program from my archive, this Count Down Timer 1.3a; let's look at it quickly.

1. Disassemble with W32Dasm a copy of countdown.exe -> y.exe.

2. Let's take a look at the code, some exploration first...

3. After a deep look at the code, I noticed one helpful thing: this code is of the same type as the one from ConfigSafe 3.06.04 (see my tut -> tKCtut 85/part 1). That means I should look for the typical imported names: strcmp, remove, etc. So let's take a close look at "IMPORT MODULE DETAILS"... aha, here under "Import module 002 MSVCRT.dll" are names like "strstr", "mbscmp", etc.

4. The name "mbscmp" speaks for itself: it must be some string comparison (_mbscmp returns 0 when the two strings are equal, so its result normally feeds a test/je right after the call, and that je is the branch that decides "registered or not"). Let's search in W32Dasm for "mbscmp"; there are 2 cases:

   a. 4039DA, with a conditional jump a little below it;
   b. 403CAC, with a jump below it too.

Let's try these jumps, let's modify them; it's very probable (I say from experience) that we're in the right places! The first: nothing, no sign of registration (Hiew 39E5 - 74 -> 75). The second (Hiew 3CC0 - 74 -> 75)... WOW, it works with any serial! The proggie says: "Thank You For Registering"! I made some tests to be sure it works, yes, everything is OK. (Inverting je to jne also means that a genuinely correct serial is now rejected, which is fine for an "any serial" crack but is the reason this is not a keygen.)

Believe it or not, this method should be tried first when you see code like the one in our program, or like in ConfigSafe. This method is very fast and accurate, and I've encountered other programs that can be cracked in this manner. Remember this method! I know this program can also be cracked with SoftICE, either for the serial or by breakpointing the nags, etc. But I'm still in a hurry, bye now!

----------------
========================================================================
Finding a serial in a Visual Basic 6.0 program - TextSpy 1.0
========================================================================

Target:                    TextSpy 1.0
WWW:                       http://runsolutions.8k.com
Cracker:                   --..__J_o_h_n_n_y__A_U_M__..--
Protections to be removed: unregistered style
Tools:                     SoftICE & Windows Commander 4.03, or better 4.50

--------Details about the real Earth liders - bad ET's-------
We are one of the poorest in spirituality planet of the our galaxy. Why? Because we are manipulated to stay so for thousands of years by "Masters Of Dreams" - the reptiliens. Like on other controlled population of other captive planets of them, we are bombarded mentally through high tech and paranormally with thoughts like: do sex, work, sleep, obey, you are weak, don't try to understand, follow the liders & obey to them, politicians are your masters, the God is dead, Satana is your lord, etc. All this is maded by these bad aliens & hyptnotized allyes: Inteligence Community (KGB, CIA, Mossad), iudeo-masonery, all the Mafia's, liders of USA & Europe CE. Masters Of Dreams=they create for you dreams in which you live. You are now sleeping, believe me!
--------

Yeah, this program is a nice viewer: it can be split into 2 panes, you can set fonts, background, text, etc. tKC Viewer 2000 is great too, good job tKC, really fine! So, we have this VB6 program, eh? Let's kill it!

1. Modify your winice.dat this way:

   ;F5="^x;"
   F5="^x;^dd eax;"
   ;EXP=c:\windows\system\msvbvm50.dll
   EXP=c:\windows\system\msvbvm60.dll

because we must prepare for VB6 programs, you guessed it. The EXP line loads the export names of the VB6 runtime so SoftICE can set breakpoints on them by name, and the F5 macro continues and then dumps memory at eax at the next break, which is how the partially built serial becomes visible below. Restart your PShit (PC, I mean)! Joking...

2. Set a breakpoint in SoftICE like this: bpx __vbastrcat, Enter. Then Ctrl-D, then fill in the registration window like this: Registration Name: Anyone, Registration Key: 12345. Press Register. Boom! We are in SoftICE again! Hello SoftICE, how are you, man! Aaah, almost forgot: my ID is 547160338.

3. Now press F10 (11 times in my case) until the cursor is on line 137:66024D8C POP EBP. As we can all see, in this piece of code there are some string comparisons, like our entered serial against the good serial. Now type bc *, and put another breakpoint right on the incriminated line: bpx 66024D8C, because we want SoftICE to give us a show. Now press Enter.

4. Ready, man? Now press F5 a few times. You can observe the characters of the good serial appear one by one (how nice), as __vbaStrCat builds it up:

   6.......  -> F5
   6I......  -> F5
   6IW.....  -> F5
   6IWG....  -> F5
   6IWGK...  -> F5
   6IWGK5..  press F5 again and the text about registration being unsuccessful appears...

no kidding, really... guess what? Our good serial is this 6IWGK5, for the data above only, remember. The ID is particular to each PC and launch, you see?

5. Seems my job is done! Very easy, what do you think?

PS. One more proposition: you newbie crackers, if you want to learn, practice, don't just read these cracking tuts! I received reports from beginners who only read these tuts, and I don't remember a single time that I learned something without practice and effort... I love you, beginners, don't be angry with me for these words, but try to understand how things stand! One more: if you cannot learn to crack about 80-90% of what you wish and need to crack, you are still a Sunday cracker, or a Saturday cracker if you're Jewish! He, he, he! Joking...

Aaah, a gift for lazy people: a reg file to register directly ->

--cut here without--
REGEDIT4

[HKEY_USERS\.Default\Software\VB and VBA Program Settings\TextSpy\Register]
"Number"="547160338"
"Key"="6IWGK5"
"Name"="Anyone"
--cut here without--

----------------
========================================================================
How to crack ArtGem 1.1 for any serial
========================================================================

Target:                    ArtGem 1.1
WWW:                       http://www.rlvision.com
Cracker:                   --..__J_o_h_n_n_y__A_U_M__..--
Protections to be removed: unregistered style
Tools:                     Hiew, W32Dasm & Windows Commander 4.50

This is a very nice graphics painter, with many effects and lots of image manipulations; study it & grab it! You must have it if you're a graphics maniac! Yeah, I tried a little to catch the serial with SoftICE, but I'm hungry to see how it works, and I always crack a program before I test it in detail (if I like it, of course)! So, I still haven't caught an authentic serial; let's crack it instead, for any serial!

1. Disassemble the program file, ArtGem.exe, and make a copy, y.exe, for cracking.

2. Let's look at the program. Start it. Yeah, on the splash it says "UNREGISTERED..."; bleah, very ugly... Go further. In the About box, again the ugly creature. Let's read the help for the shareware limitations, to see if the details are there. It says: "The unregistered version is fully functional, but some export functions have been disabled". That means: the clipboard is not functional, and saving as BMP or other image formats is not possible; you can check for yourself.

3. Let's crack it now! Start! Register with a name, a company and serial: 12345.

4. Press OK! No luck! It says: "Invalid Key!" Typical bug! I always find these bugs in shareware proggies. Jesus! What is happening? These authors should fix this once and for all! Let's search in W32Dasm -> Alt-F-Enter (or Alt-F-S), type the words, press Find Next.

5. At address 43860E are the words. A few lines above is a reference to a jump from address 438578. Let's go there! The jump line is: 438587 je 438601, and above it is the call where the serial calculations are made, line 43856E. Put the cursor on it and press the Call button.

6. We arrive at 434C00 and quickly see that this piece of code is called from 2 places: first, the serial is checked on entering the program, and second when you input a serial in the Registration window, I guess! You guess too, eh? Let's try some moves here! The simplest first: at W32Dasm address 434C00 replace 83 -> C3 with Hiew (offset 34C00), so the whole check routine returns the moment it is entered. We test (the export functions too) and... bingo! Everything works just fine! Aaah, too easy man, too easy! What a pity! It worked here; if a return-at-entry patch ever breaks a target (because the caller relies on the return value or on the routine's side effects), fall back to patching the conditional jump in the caller instead, here 438587. Appears that my job is done! Bye now! See you soon!

PS. If you really want an authentic serial for ArtGem 1.1, e-mail me, why not?

----------------
========================================================================
How to crack Repligator V6 Demo
========================================================================

Target:                    Repligator V6 Demo
WWW:                       http://www.ransen.com
Cracker:                   --..__J_o_h_n_n_y__A_U_M__..--
Protections to be removed: lots of them, you'll see
Tools:                     Hiew, W32Dasm, SoftICE & Windows Commander 4.51

--------New infos: Silent Wars for gaining total control-------
The theory behind silent wars was elaborated of 300 years ago by iudeo-masonery. Then was declared a total war against the masses of people around the Earth, because "they are so stupid & animalic that they must be conducted & manipulated in the direction we wish forever". This war was restart in modern age in 1989 and is the 3rd mondial war and is given in economical & menthal plane for conquering the whole world and to declare the begining of New World Order - the worshipers of Satana Order - and must be finished around year 2035 or in the worst case in 2050 (worst for these bastards). Fight hard against any abuse in human rights and autority abuses! Fight back instantly even with a process (trial) if necesarry! And don't give away your protection weapons! And also fight against governs who hides the high technology of new era!
--------------------

Well, Repligator V6 Demo is a very nice graphics tool, with hundreds of astonishing effects for processing an image. You must see it! It's so nice! For graphics maniacs it's a must! So, let's smash it!

We look through the program to see the limitations, protections, etc. We see a splash, tips every time, nags, and ugliest of all, these words on the processed image: "Repligator Demo", plus a disabled clipboard.
The limits on saving, and only 16 images at a time, cannot be solved, but I tried.

1. Let's kill the splash, the splash delay and the tips (Repligator starts faster this way). Open SoftICE, set the breakpoint bpx LoadBitmapA to see where in the code this function is called (splash loading). Start Repligator... Boom! We're in the code... press F11 to get the caller: 137:433291. So remember this W32Dasm address: 433291. Disassemble the copy of replig6.exe -> y.exe with W32Dasm and go to that address. We quickly see the API call and the surrounding code. All of it is called from 4331A1. Go there. From 4331A1 we go to address 43315D, je 4331D9. If we make this jump unconditional, Repligator jumps over the splash loading and the tips (look at the code, it's all there). How do I know for sure? Simple, I tested it: Hiew 3315D - 74 -> EB. Good, the delayed start is gone forever.

2. Let's do something about saving our processed images: even if there is no code for saving, there is something... the TMP files (temporary files in the REPLITEMP subdirectory, *.tmp). If we are clever guys, and we are, what the f..., we think: what if I change the extension tmp to bmp in the program's file-name string? Then, while Repligator is running, your processed images are saved. Fine, eh? I'll tell you the Hiew location: 8FA50 - 54 -> 42 (T -> B). OK! Remember, when you exit the program the TMP files (now BMP files, after the change above) are deleted, so copy them out first.

3. What's next? The text "Unlicensed demo version..." in About. If you search for it in Hiew you find it at address 8C6D8. Replace and reposition everything nicely (keep the new text no longer than the old one and keep its terminating zero byte, so the string length stays intact), test it, OK! Next!

4. Copying to the clipboard is disabled, yeah! Let's kill this bloody limitation! If we try to copy something to the clipboard we meet these words and a nag: "Copying to the clipboard...". We search for them in W32Dasm: address 432073 is the one. And above is a jump at 432071. So, Hiew 32071: 75 -> EB. We test both ways of copying to the clipboard, it's just OK! Next one!

5. If we process 16 images and start the cycle again (load another image and restart), we meet the next limitation and nag, with words something like "...reached the demo limit...". Good, let's suppress this limitation too. Search for those words in W32Dasm... bingo at 430BBB. Above is line 430BB7 jl 430BDC. We change this jump like this: Hiew 30BB7 - 7C -> EB, so it's taken every time. Good, next one, please!

6. OK, now let's deal with the words on the processed images: "Repligator Demo". Let's try a breakpoint again; for me this one is suggestive: bpx SetTextAlign (because we're talking about some text and its alignment, yeah?). Boom... press F11 for the caller, which is code line 458778 CALL EDI. We go into W32Dasm and take a look. The beginning of this piece of code is at 45874F. Good, we see about 7 calls here. We go to the first, 401925. We take a close look, what's all this around here?... Yeah, this is how we'll do it! We go up in the code to line (W32Dasm) 4018E7. What do we see here? You see what I see? Text like "Repligator 6". Interesting... One line up we see a jnb jump. Look, when that jump is taken, Repligator doesn't show the text "Repligator 6" but goes straight to the demo text... Let's try this: Hiew 18E5 jnb -> 90 90 (the two-byte short jump becomes two NOPs, so the "Repligator 6" path is always taken). We test, and... yeah, now instead of the text "Repligator Demo" there is the text "Repligator 6". Now go with Hiew to address 8D660. How nice! You get my point? Now let's overwrite the words with spaces... 20, 20, 20, 20... tralala, and test... BINGO! I just smashed the bastard! Next, please!

7. Now, optional stuff: the words "This Image Idea Sequence..." at the end of a series of 16 images; 41425F is the W32Dasm address where they are; the jump above must be changed: Hiew 1425B - 75 -> EB. OK, next!

8. Optional: the words "Image saving is disabled..." are at W32Dasm address 432270 and are referenced from address 42F781; go there and see the code; there is a jump above, on line 42F776; so, at Hiew 2F776 - 75 -> EB.
OK, next, please, it's getting warm in here... boring nags @#!$#@!

9. Also optional: the words "File saving is disabled"; we find them at W32Dasm address 432243, and above is line 432240 56 push esi; let's change 56 to C3 (Hiew 32240), so the routine returns at once (very warm in here); let's test... OK! Next... There is no next, aaah, still warm... Bye now, guys, friends, crackers... but not really (OH, YES), just a moment:

10. I forgot about a useless nag in this demo, the one that asks when you try to exit or to close a processed image: "Save this image...". I found it quickly at 42F766, and the beginning of this code at line (W32Dasm) 42F720, which is Hiew 2F720 - 6A -> C3. Good, finally, that's all!

----------------

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #94, coming soon! ;)

Credits go to: bM[tgfx] for the splash logo, Johnny Aum for providing 5 tuts in this version.

To ALL crackers: you are welcome to send me your tutors to publish them... see below for my email address! *** 95 chars per line in the text file please! ***

All the tutors can be found at: http://www.crackersinaction.com (or on IRC, ask CiA ops for URLs!)

Greetz go to all my friends! You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000
Compiled with Delphi 5 on 28 July 2000

Cracking Tutorial #93 is dedicated to Ginny...