Welcome to Cracking Tutorial #95!

Hiya guys,

Sorry for delays, again I was busy with coding and all shit.. Here's a tut95.tKC... OK, let's rave! ...or crack babes? :)

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

SoftICE v4.05
W32Dasm v8.93
Hacker's View v6.55
SmartCheck v6.03
ProcDump32 v1.6.2
TRW2000 v1.22
IDA v4.04
Windows Commander v4.51 (I use it coz it's easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here are a few good sites where you can grab tools from:

http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?! OK! ;)

DongJong's NEWBIE TUTORIAL
DongJong's How to get a PERSONAL SERIAL for SNACK v2.2

Tools to use
~~~~~~~~~~~~
SmartCheck 6.01

Where to get Tools
~~~~~~~~~~~~~~~~~~
http://cracking.home.ml.org
http://surt.to/HarvestR
http://crackstore.com
http://www.pepsoft.com

Where to get the program
~~~~~~~~~~~~~~~~~~~~~~~~
SNACK V2.2 (Super Numerical Airfoil Creation Kit)
http://www.dreesecode.com/ftp/pub/snack2.zip

Program description
~~~~~~~~~~~~~~~~~~~
SNACK (Super Numerical Airfoil Creation Kit) is a shareware program that lets you do almost anything with airfoils, including printing them out to scale or saving them in several formats. The best part is the Virtual Wind Tunnel which lets you evaluate your airfoils. SNACK helps you design/analyze airfoils and then use them. You can print them out, save them as a file, or run them through the Virtual Wind Tunnel (TM) to evaluate how well they perform. There are many other useful features to SNACK including the Comparison Workshop and the AeroCalculator.
Procedures
~~~~~~~~~~
Start SmartCheck (SC) and open Snack.exe, run the program by pressing F5, as usual you need to click only the "ACKNOWLEDGE" button when SC is running and gives you option buttons to click, until we come to the point where SC loads the program. The first time it loads, the program displays a nag screen telling us that it only allows you 30 days of evaluation time to try the airfoil maker software and that it costs you $99.95 to register the lite version which is for the registration code only! up to $150.00 for the complete kit :< But, needless to say, it's nice software for the airfoil design hobby for airplanes, race cars, or any motorsport that needs to create lift or reduce drag :>

Okey! let's go on, enough of the advertisement (it's already midnight :)

With that flashing nag splash screen, the About box bar buttons appear, and one of them is the REGISTER button (but you can also do it from the REGISTER menu within the program), but let's do it now! Click on Register, a registration screen asks you for your User's name and last name (separate input boxes) and Password. I register with my friend's name, like this (you can input your name and any number you want, just follow my tut):

Name:   Albert Alexander Lay
Serial: 1434

Then after filling in the details click on OK, and a nice message will greet you saying "Error:Please check registration number, also input name all in capital leters"! ggggrrrrrr! damn! wow, it really is wrong! ha ha :> (well just part of learning) :)

Now just press on and exit the program, click the "Acknowledge" button on the error, and SC stops tracing for us to begin hunting that code :>

Ok, so now let's look on the left side of SmartCheck, luckily... SC didn't run too long for us to begin decoding, it stops within 5 minutes :> just take a look and you'll see a lot of Mid$ (s) in it, with a fake serial number of 17 characters. I use it anyway, but it's WRONG (as it is the fake John Doe and not our input name)!
So we tread on a thousand miles, and a lot of [+]Timer (s) are greeting our sight. There's a lot below it, which is which, okey a hint, go to the last [+]Timer :> (I'm still so generous, even though I'm sleepy :) it's not easy, got to fish it out, here's the tree structure:

[-]Timer1_Timer
 |
 [-]About.Show
  |
  [-]Command6(0)_Click
   |
   [-]Register.Show
    |
    [-]Command1_Click

Look here, just follow it, as the "Asc returns Integer:xx" keeps on appearing way down but with different values. Why? you ask, because that corresponds to the letter of the name you input, and that is case sensitive :> like this...

Place the cursor on Asc returns Integer:69 (it will be highlighted in blue). Now look at the right hand side of SmartCheck, waddaya see... of course a letter...

[-] String string=00667A90
 |
 |-- = "E"

Do the same for the others, and you'll spell out your name, kewl ;-) we're near. For a test, what should it be for a capital letter "D"? well, in case you still haven't got it, it's...

Asc returns Integer:68 ------> corresponds to letter "D"

Ok, now trace down till the last line of this structure and what you'll see is the flag Mid$ (s), lots of them again, displaying that 18 character serial, and it's very enticing! (just like icing on a cake :> yummy :> he he :>

[-]String str = 00760208
 |
 |
 |-- = "S68766589657-K1452"
 |
 |-- Long start = 18 0x00000012
 |
 [-]Length (variant)
 |
 |--Integer .iVal = 1 0x0001

but BEWARE it's not the one! (you can try it anyway to prove it's really not the one :>

So, where is it then? As you notice, there's a Mid$ that's kind of separated from the rest of the pack. Click on it and see the right side of SC and you'll see something like this:

[-]String str = 00667F50
 |
 |
 |-- = "S68766589657-K24522"
 |
 |-- Long start = 1 0x00000001
 |
 [-]Length (variant)
 |
 |--Integer .iVal = 7 0x0007

Hmm... he he, keep on smiling, as the long walk is over, we can sleep now, goodnight to all ye readers from all over the world, crackingdom :>

Well, that's it, you've made it!
Start Snack.exe, and click on the Register bar button and use this info:

User Name         : Albert Alexander Lay
Registration Code : S68766589657-K24522

Click OK and what do you get? Eureka! It says "Thank You very much for registering SNACK! In this single act, you have given your support...... Please exit and restart SNACK for the registration to take effect, thank you again!". So click the OK button, exit and restart SNACK, the start-up screen will not flash "Please Register", then a box says This Copy of SNACK is License to: Albert Alexander Lay (or your name on it ;) kewl :>

Good evening to all! Let's really go to sleep now!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greetings go to these people:

tkc- I would like to thank tKC for his tutors.
MsJessca- for hosting the tuts and inspiring tkc :>
Albert Alexander Lay- KeWl DuDe! for the computer and Internet, good luck ;)
Ms. KJF- hello 7372122 :-) TSUP! Happy Birthday! I Love You! ;)
All cracking groups and cracking fanatics and newbies galore! Have fun :> keep on rockin'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Until next time... Mabuhay (long live)!

Another Tutor by DongJong ;-)
sutra@goplay.com

What The Hell Is Hex?
From the neural processes of Un-Thesis

Wacky definition: Hex is the number system originating from 16-fingered aliens that was transmitted via osmosis to several of the first programmers from the medical scanners placed on them while they were being abducted.

More in depth: Hex is the dialect of math that games use to store their values, because it makes really large numbers much shorter and is easier to map onto memory chips than the decimal, binary, or octal systems. Consider that 1600 in hex is only 640 (2.5x smaller).

Why learn a new digit system??

1) Game hacking revolves around it. Fortunately, hacking programs block you from most of it, but did you know that memory addresses themselves are hex numbers?
2) The first step in Hex Editing is learning hex.
3) Some game programmers like the smaller size of hex so they make their variables into hex. This can spell major problems! If you're looking for a variable that is based on decimals, but is really hex, you'll never find it using conventional game hacking practices such as simply searching for a value.
4) It is much, much easier to solve problems in hex. When dealing w/ a bunch of small numbers, I always convert them to hex and then it is much easier to do the batch since each can be simplified by / 8 then adding them together and then multiplying by 8.
5) You'll be ahead of the class if you ever take computer science.

Anyway. Hex is based on 16 digits which are 0-9 then A=10, B=11, C=12, D=13, E=14, F=15. Fortunately, most tools do this automatically, but it really helps to be able to tell whether you're searching for a hex value or not.

That's about everything a neophyte gamehacker needs to know. However, if you'd like to fill your morbid fascination with more math jargon, feel free to continue.

Converting from Hex to Binary:

x = base

For reference, the number we will deal w/ first is 100x10, 64x16 & 1100100x2 which, btw, is the same number. Since 2 is the factor that 10 and 16 have in common, the easiest way to manually find out what 100 is in base 16 is to convert it to binary first. Here's how: take the number and divide by 2, write down the remainder, and divide your answer by 2 until what you are dividing is 0.

100/2 = 50R0
 50/2 = 25R0
 25/2 = 12R1
 12/2 =  6R0
  6/2 =  3R0
  3/2 =  1R1
  1/2 =  0R1

The answer is the remainders in reverse order, 1100100.

Converting from Binary to Hex:

Converting to hex is really easy. Each binary digit can hold 2 values, 0 or 1. Each hexadecimal digit can hold 16 possible values, so to convert a binary number to a hexadecimal one, simply divide the binary into sections of four digits, adding leading zeros if necessary. You end up w/ 0110 and 0100.
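Here is the whole hex/binary/decimal round trip as an added Python example (not part of Un-Thesis's tutorial), generalised to any base from 2 to 16. It implements the three methods this section works by hand (repeated division collecting remainders, grouping binary digits in fours, and summing positional weights), so each result can be cross-checked against the others.

```python
# Added example, not from the original tutorial: the base conversions the
# hex section does by hand, written out so the three routes can be compared.
#   1. repeated division, remainders read in reverse  (hex-to-binary section)
#   2. nibble grouping, one hex digit per four bits    (binary-to-hex section)
#   3. positional weights, digit * base^place, summed   (binary-to-decimal section)

DIGITS = "0123456789ABCDEF"


def to_base(n: int, base: int) -> str:
    """Repeated division: divide by the base, keep the remainder, repeat
    until the quotient is 0; the remainders read in reverse order."""
    if not 2 <= base <= 16:
        raise ValueError("base must be between 2 and 16")
    if n < 0:
        raise ValueError("only non-negative integers are handled")
    if n == 0:
        return "0"
    remainders = []
    while n:
        n, r = divmod(n, base)          # e.g. 100/2 = 50 R0
        remainders.append(DIGITS[r])
    return "".join(reversed(remainders))


def from_base(digits: str, base: int) -> int:
    """Positional weights: each digit times base^(places from the right),
    summed. With base 2 this is the '64 32 16 8 4 2 1' row of the tutorial."""
    total = 0
    for place, ch in enumerate(reversed(digits.upper())):
        value = DIGITS.index(ch)        # raises ValueError for a non-digit
        if value >= base:
            raise ValueError(f"digit {ch!r} is not valid in base {base}")
        total += value * base ** place
    return total


def binary_to_hex(bits: str) -> str:
    """Pad on the left to a multiple of four bits, split into nibbles and
    convert each nibble on its own, exactly as the tutorial does for 1100100."""
    if not bits or any(b not in "01" for b in bits):
        raise ValueError("expected a string of 0s and 1s")
    padded = bits.zfill(-(-len(bits) // 4) * 4)    # round length up to a multiple of 4
    nibbles = [padded[i:i + 4] for i in range(0, len(padded), 4)]
    return "".join(DIGITS[from_base(nib, 2)] for nib in nibbles)


def hex_to_binary(hexstr: str) -> str:
    """The tutorial's route (decimal -> binary -> hex) run backwards:
    hex -> decimal via positional weights, decimal -> binary via division."""
    return to_base(from_base(hexstr, 16), 2)


def show_work(n: int) -> list[str]:
    """Return the 'n/2 = qRr' lines the tutorial writes out by hand."""
    lines = []
    while n:
        q, r = divmod(n, 2)
        lines.append(f"{n}/2 = {q}R{r}")
        n = q
    return lines


if __name__ == "__main__":
    print("\n".join(show_work(100)))                      # 100/2 = 50R0 ... 1/2 = 0R1
    print(to_base(100, 2), binary_to_hex("1100100"))      # 1100100 64
    print(hex_to_binary("AA"), from_base("10101010", 2))  # 10101010 170
    print(to_base(1600, 16))                              # 640
```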
Now to convert to hex, #1 multiply each digit by 2 raised to the number of places from the right it is, and #2 add them together.

  0   1   1   0
 2^3 2^2 2^1 2^0

So that 0110 = 6. Do the same w/ 0100 and you get 4. Place them together, and wow, you get 64!

Converting from Binary to Decimal:

Converting to base 10 is just as easy, just take the entire binary number and add up everything.

 1  1  0  0  1  0  0
64 32 16  8  4  2  1

64+32+4 = 100

That's all there is to it... w/ paper and pen, or Notepad (me), almost anyone can change base systems!

Test Yourself:

Now, test your new skill by converting AA in hex to binary and then to decimal. For reference, 170x10 = AAx16 = 10101010x2. It's easier than you think =)

A = 10

Convert to base 2 (hint: it REALLY helps if you memorize the binary for 0-15)

10/2 = 5R0
 5/2 = 2R1
 2/2 = 1R0
 1/2 = 0R1

Ax16 = 1010x2

A A = 1010 1010

  1   0   1   0   1   0   1   0
 2^7 2^6 2^5 2^4 2^3 2^2 2^1 2^0
 128  64  32  16   8   4   2   1

128+32+8+2 = 170

See how much easier that was?? The reason computers like hex is that it stores more info in less space and 16 can be divided by 2 four times, whereas 10 can only be divided once.

Credits:
Author = Un-Thesis
Edited and Revised by unixfu

Cracking using DeDe - first essay by Godfather+
*** (Look at the end below to view a short summary of what DeDe is!) ***

Prologue:

First of all I must thank +DaFixer for the magnificent tool which he made. Hey crackers, take a good look at this tool, especially if you work with Delphi targets. I don't explain how to use it because it is so intuitive and +DaFixer says all that's important in his readme.txt. If needed I'll write some first steps for newbies. Feel free to mail me.

How to start cracking?

Always, but ALWAYS, it is essential to know the type of .exe you are playing with. The type of exe determines which tools we use, and the right choice of tools may spare us much, much time. To determine the type of exe, apart from experience, other tools may help very well: fa, fs, gt to find the type of exe, whether it is protected or not, etc.
But definitely one of the best tools for me is ExeScope. In special cases I use Restorator, but only when the target has an enormous number of dialogs which I must inspect quickly. I do not explain the recognition technique now; if needed I'll write an essay especially on this theme - see the prologue. BTW, all these tools can be found on protools, thank you Kaparo.

What is our target and what tools do we need?

1 - Target: ExeScope 5.12, an excellent little resource viewer/editor.
2 - Type of crack: Serial number fishing
3 - What the program does if not regged: complains about that when you try to save some changes
4 - Tools used: DeDe and, if you do not like math, TRW only because I am too lazy to reboot my win98 for Ice :-), old TD32 may be good too
5 - Little time, about 10 minutes with DeDe. Without DeDe it will take much more.

Let's crack the target!

Fire up DeDe, choose our target and press the Process button. After some time the target is processed and ready for us to start exploring. Playing with DeDe you very quickly learn what is what and where it is. Now go to the DFM section. This section is responsible for showing Delphi forms in text format. Find TFReg and inspect the caption, oh this is our "Regist" caption, which means that is the form we are looking for. Do not be afraid if you see some strange characters in the form description or in hints, the author of ExeScope, Toshi, is Japanese. Let's sniff some more, press the DCU button and you find all events which are on the specified form. The most beautiful part is coming now: in the left window select our DCU which depends on TFReg, in the right window select the event (RegBtnClick). Now press the right mouse button and select disassemble. WOW what is this? Excellent disassembled code appears right in front of us! Not 10 MB or more of asm code, not somewhere without sense in the code, but exactly where we MUST be - inside the event which happens when someone presses the button for registration. If you include Delphi symbols all Delphi functions are shown.
If you do not know how to include symbols, read +DaFixer's readme.txt. If this still isn't enough, feel free to email me.

After disassembling we have this situation (most important part):

* Possible Reference to Control 'NameEdit:TEdit'
0047D12A 8B83DC010000   mov eax, [ebx+$01DC]
* Reference to: Controls.TControl.GetTextBuf()
0047D130 E89B5FFAFF     call 004230D0
0047D135 8B55FC         mov edx, [ebp-$04]
0047D138 A1EC804800     mov eax, dword ptr [$4880EC]
* Reference to: System.LStrCat()
0047D13D E83A68F8FF     call 0040397C
0047D142 8D55FC         lea edx, [ebp-$04]
* Possible Reference to Control 'IDEdit:TEdit'
0047D145 8B83E0010000   mov eax, [ebx+$01E0]
* Reference to: Controls.TControl.GetTextBuf()
0047D14B E8805FFAFF     call 004230D0
0047D150 8B55FC         mov edx, [ebp-$04]
0047D153 A19C804800     mov eax, dword ptr [$48809C]
* Reference to: System.LStrCat()
0047D158 E81F68F8FF     call 0040397C
0047D15D 8B159C804800   mov edx, [$48809C]
0047D163 8B12           mov edx, [edx]
0047D165 A1947F4800     mov eax, dword ptr [$487F94]
0047D16A 8B00           mov eax, [eax]
* Reference to published proc: TFMain.CheckCode
   <- People, look at this: no disassembler today can do it this way, not even our beloved IDA without hard work and many hours of thinking, believe me.
0047D16C E8DB780000     call 00484A4C
0047D171 84C0           test al, al
0047D173 0F848D000000   jz 0047D206

Well, this will be very easy, but let's explore some more. In this case you can do this in the following two ways:

1 - Go directly to where it says TFMain.CheckCode and disassemble it like the previous event.
2 - Or copy this call address to the clipboard, go to the menu Tools->Disassemble Proc, paste the address and press OK. This is useful if the procedure isn't published. For now it works this way, but in future this will be easier. Trust me ;-).

A little theory before continuing. Delphi deals with global and local variable references in the following way: [ebp+xy] means that it is a pointer to a global variable, [ebp-xy] means that it is a pointer to a local variable.
When we continue our exploration we find the following:

00484A6C 8B45FC         mov eax, [ebp-$04]            <- pointer to local var. in eax
   or: System.LStrOfChar()
00484A6F E830F1F7FF     call 00403BA4                 <- DeDe finds just fine what this call is, but only if you include symbols
00484A74 83F80A         cmp eax, +$0A                 <- look, look, our code must be 10 chars
00484A77 7527           jnz 00484AA0                  <- if not, go out you bad cracker
00484A79 8B45FC         mov eax, [ebp-$04]
00484A7C 803841         cmp byte ptr [eax], $41       <- is first char 'A'
00484A7F 751F           jnz 00484AA0                  <- nope, go out you bad cracker
00484A81 8B45FC         mov eax, [ebp-$04]
00484A84 0FB64008       movzx eax, byte ptr [eax+$08] <- take 8'th char in eax
00484A88 8B55FC         mov edx, [ebp-$04]
00484A8B 0FB65209       movzx edx, byte ptr [edx+$09] <- take 9'th char in edx
00484A8F 03C2           add eax, edx                  <- add edx to eax, put all in eax
00484A91 B90A000000     mov ecx, $0000000A
00484A96 99             cdq
00484A97 F7F9           idiv ecx                      <- divide by ten
00484A99 83FA04         cmp edx, +$04                 <- if remainder is 4 all ok, you registered it!
00484A9C 7502           jnz 00484AA0                  <- nope, go out you bad cracker
00484A9E B301           mov bl, $01
00484AA0 33C0           xor eax, eax
00484AA2 5A             pop edx
00484AA3 59             pop ecx
00484AA4 59             pop ecx

I suggest something like A23456708 for the serial number because ($30+$38)/$A gives us remainder 4. $30 and $38 are our last two chars 0 and 8 in hex.

Like I said before, if you do not like math just put a bpx on $00484A99 in Ice, TRW, TD32 or some other windows debugger, but remember the code must start with a capital A and be 10 chars long, and I almost forgot, you may use any name. Last word, ExeScope does not say anything like 'Thank you' or something, but complains if you enter a wrong serial code.

Epilogue:

Basically an intermediate skill cracker may do this registering with DeDe alone without any problem. This is my first public tutorial, feel free to send your comments or questions to: godfather@phreaker.net or godfatherplus@hotbot.com

Godfather+

End of essay...
----------------------------------------------------------------------------------------------
What is DeDe?

DeDe is a very fast program that can analyze executables compiled with Delphi 3, 4, 5 and give you the following:

- All dfm files of the target. You will be able to open and edit them with Delphi
- All published methods in well commented ASM code with references to strings, imported function calls, class method calls, components in the unit, Try-Except and Try-Finally blocks. By default DeDe retrieves only the published methods' sources, but you may also process another procedure in an executable if you know the RVA offset, using the Tools|Disassemble Proc menu
- A lot of additional information.
- You can create a Delphi project folder with all dfm, pas, dpr files. Note: pas files contain the above-mentioned well commented ASM code. They can not be recompiled!

You can also:

- View the PE Header of all PE Files and change/edit the section flags
- Spy on a program for WinAPI calls with the API Spy tool
- Use the opcode-to-asm tool for translating intel opcodes to assembler
- Use the RVA-to-PhysOffset tool for fast conversion between physical and RVA addresses
- Use the DCU Dumper (view dcu2int.txt for more details) to retrieve near-to-pascal code of your DCU files
- Use the BPL Dumper to see BPL exports and create symbol files to use with the DeDe Disassembler

DeDe is free software and you have no need to register it nor to crack it :), no nags, no limits. It has its full functionality! DeDe's latest version will always be available from ftp.balbaro.com/dede.

Cracking using TRW2000 by Chinese Power
*** (Look at the end below to view a short summary of what TRW2000 is!) ***

ACDSee 3.0 Trial Version Crack Tutorial

Product: ACDSee 3.0 Build 1209 (657,920 bytes)
Compressed by ASPack 1.08? (Special Version for ACD System)

Tutorial:

1: For newbies among newbies, search for ACDSee 3.0 Retail Version (Build 1208).
2: Start TRW2000, press OK (puts TRW2000 in the SysTray), Ctrl+N to enter debug mode, use the command PMODULE, run ACDSEE.EXE now, it tells you the trial time has expired (remember to set your system time before debugging), Ctrl+N (nothing happens after you enter this hotkey), close the expired window, TRW2000 pops up now:

004045A8 CALL 00433830         ; Key Call 1
004045AD ADD ESP,BYTE +04      ; We stop here

Press F6, move to 004045A8, press F9 to set a breakpoint, press F5. Run ACDSEE.EXE again, we'll stop at Key Call 1, press F8 to enter.

|
| tracing... until
|
00433ABB CALL 00433FE0         ; Key Call 2

Press F8 to enter Key Call 2.

00433FE0 MOV EAX,[ESP+04]
00433FE4 MOV ECX,[004E8FE8]
         PUSH BYTE +00
         PUSH DWORD 00434010
         PUSH EAX
         PUSH DWORD 0407
         PUSH ECX
00433FF8 CALL USER32!DialogBoxPa   ; Key Call 3, displays the expired window.
00433FFE DEC EAX
         NEG EAX
         SBB EAX,EAX
00434003 INC EAX

Why do I know Key Call 3 is used to display the expired window? Because TRW2000 already translates the call, it's USER32!DialogBox, simple, press F10 at that call and that window displays, try yourself. We know how to kill that nag window now. Did you notice there are 5 push commands before that call? We need to modify one into a jmp to bypass that call, but how can I know which one should be modified? Easy, trace every push, use D ESP to check the ESP register value at each, and find which one has the same ESP value as 00433FFE. Did you find it? Yes, it's the first push command. Use the CODE ON command now, write down the first push command's machine code, it's 6A00, and what we need to do is change it to JMP 00434003 (EB17).

What a lazy man I am, even though ACDSEE.EXE can easily be unpacked, I don't want to do that. If you want, unpack it yourself (ProcDump 1.6.2 or TRW2000's MAKEPE command should work), I use PP instead.
(or you can try TMG's ASPatch 1.2.1)

Example:

#Process Patcher Configuration File
Version=3.60
DisplayName= ACDSee 3.0 Build 1209 Trial Time Limit Remover
Filename=acdsee.exe
Filesize=657920
Arguments=/quiet
WaitInfinite=true
Address=0x433FEA:0x6A:0xEB
Address=0x433FEB:0x00:0x17
#End of Configuration File

End of tutor...

----------------------------------------------------------------------------------------------
What's TRW2000?

TRW2000 is an advanced system-level debugger which runs under Windows 9x. What does "system-level" mean? It means that TRW2000 sits between the Operating System and your computer's hardware. Because of this, TRW2000 can debug and trace any code that is running under Windows (DOS .COM Programs, DOS .EXEs, DOS protected mode programs, old 16-bit "NE" executables, new 32-bit "PE" executables, and even executables that run at Ring 0 (the Windows Kernel, device drivers, VxDs, etc...), including other system-level debuggers, SoftICE/W, WDEB386!

More powerful than SoftICE/W:

1) Designed based on an open system... future versions will have support for plug-ins.
2) Dynamically loadable, dynamically unloadable! Run it when you need it. No need to reboot!
3) Automatically displays all 32-bit and 16-bit export function names.
4) Supports all video adaptors.
5) Writes out files instantly!
6) New commands: PDLL32, PNEWSEC, TRNEWTCB, TRNEWDOS, PMODULE, SUSPEND

You can download TRW2000 at http://www.knlsoft.com/download.htm

Cracking using TRW2000 by Chinese Power
*** (See the short summary of what TRW2000 is, given after the first TRW2000 tutorial above!) ***

cheet! for bleem! Crack Tutorial

Product: cheet! from http://www.addon-factory.com
Anti Debugger: SoftICE (MAD), but TRW2000 works well. :)

Tutorial:

Before using TRW2000 to crack it, let us see what's going on using SoftICE to trace. My computer shuts down suddenly!
(with SoftICE) hum... what happened?... windows loads again... I want to put some breakpoint in softice... I press ctrl+d... gee, softice does not show... I press ctrl+d again... hum... my D button fucked up again? (D is my kick button when I play tekken3). Nope... I take a look in my softice folder (c:\siw95)... gee! no more winice.exe... it was renamed "cracking ownz" by cheet! That's why softice is not active. This thing pissed me off... I restored my winice.exe... reboot.

Now, we wonder... how does cheet know where our "gold mine" is installed?... maybe he uses softice registry keys? I put a breakpoint with softice on regqueryvalueexa... I run cheet!, softice pops... I step a little through the code... with F10... and I found pretty soon in a register this string:

HKEY_LOCAL_MACHINE\SOFTWARE\Nu-Mega\SoftICE\installdir

Clear enough, this is how cheet knows where to do the dirty work. So, we will delete that key with regedit. Let's try to start cheet! again... it just crashes, no more reboot. Good. But it still does not work with softice loaded... cheet! uses many anti-softice procedures: INT 68, INT 03 (BC), Meltice, SIWVID (checks the softice video driver)... of course we can make cheet! run with softice loaded... (worked for me)... but there is an easier way... we will use another debugger... TRW2000.

After rebooting without softice loaded, run TRW2000... with TRW2000 active, try to run cheet.exe, the program will not crash any more, but now exits. This means that trw2000 is sending some revealing code... this is because faults are on! heh, just enter TRW2000 (ctrl+n) and type faults off.. exit TRW with ctrl+n, now run cheet.exe... and it should run normally with TRW2000 loaded... good.

cheet! won't work until we enter a good registration code... when we run cheet! a registration code prompt appears asking for your email address and reg code... we notice also the ID code that we should send if we want to get our registration code. The question is, how is this code generated?... I will tell u: in a very STUPID way!
At startup it checks for the windows productid code string in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\productid), then he makes some magic with this productid and generates our ID code... hehe.. now we could export a regfile with our productid, we name it setup.reg... and if we have a valid email/reg code combination we can distribute it to everyone!

Let's presume that we entered the good key, the program will load, and then he will exit. How does he know now that I am a registered user? Well, he stores our email/reg code in the registry and checks them at startup (I found this with regmon). Our goal is to find WHERE this check is done, then reverse the bad boy jump so it will think I am a registered user and load the program.

So, enter TRW2000 (ctrl+n), we put a breakpoint on regqueryvalueexa (bpx regqueryvalueexa)... and now begins the nightmare, since there will be many calls to regqueryvalueexa... and each time trw2000 pops, press f12 until u r in cheet!.exe, now start putting breakpoints on all the conditional jumps u see (in cheet!.exe)... heh.. this isn't Zen cracking for sure! I will tell u where that badboy jump is located:

00446EF2 JZ (74,0C) 00446EFE   (this address only fits the first version)

So, the only thing that we will do is make that JZ (74) a JNZ (75) and our program is cracked. Because our target is packed, we won't patch the exe... just use a process patcher (the one I used was RPP 1.4) or make your own loader.

End of tutor...

----------------------------------------------------------------------------------------------

I really hope you've enjoyed this tutorial as much as I did!

Don't miss Tutor #96 soon! ;)

Credits go to:

RSiP for the Splash Logo.
DongJong for providing a tut in this version.
Un-Thesis for providing a tut in this version.
Godfather+ for providing a tut in this version.
Chinese Power for providing 2 tuts in this version.

To ALL the crackers:

You are welcome to send me your tutors to publish them.. see below for my email address!
*** 95 chars per line in textfile please! ***

And all the tutors can be found at:
http://www.crackersinaction.com (or on IRC, ask CiA ops for urls!)

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 2 August 2000

Cracking Tutorial #95 is dedicated to Snoekie, my dog, who died on 29 July 2000...