Welcome to Cracking Tutorial #96!

Hiya guys, sorry for the delays, again I was busy with coding and all that.. Here's tut96.tKC... OK, let's rave! ...or crack, babes? :)

You'll need the following tools (I use these tools and assume you'll use them too, but that doesn't mean you need all of them; just have them handy for the examples in this tutorial):

  SoftICE v4.05
  W32Dasm v8.93
  Hacker's View v6.55
  SmartCheck v6.03
  ProcDump32 v1.6.2
  TRW2000 v1.22
  IDA v4.04
  Windows Commander v4.51 (I use it because it makes multitasking easier)
  Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good sites where you can grab tools from:

  http://protools.cjb.net
  http://w3.to/protools
  http://www.crackstore.com

or ask any cracker to get you these tools! Are you ready?! OK! ;)


                   WHY PATCHING WHILE SERIAL NUMBER IS FISHY
                              AutoDialogs v1.1.5.7
                    A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law; it is for educational purposes only. I hold no responsibility (by all means and in any shape whatsoever) for the misuse of this material.

ABOUT THE PROGRAM

AutoDialogs is a Windows 95/98/NT/2000 32-bit program that was developed to provide quick access to the folders you use most often in standard Open/Save As/Browse for Folder dialogs, Windows Explorer, Registry Editor and other programs. Using AutoDialogs, you can automatically insert pre-selected folders into your dialog boxes using a system tray menu (requires only 2 clicks) or a pre-assigned hot key. With AutoDialogs, you no longer need dozens of mouse clicks to navigate to that desired folder! AutoDialogs features the most complete list of supported applications, including Microsoft Office 95/97/2000 applications, Windows Explorer (with directories tree), Registry Editor (keys tree), Seagate Backup Exec software and others.
WHERE TO DOWNLOAD

  Author   : MetaProducts Corporation
  Homepage : http://www.metaproducts.com
  URL      : http://www.metaproducts.com/download/adsetup.exe
  Size     : ? KB as of July 02, 2000

HOW TO GET A VALID SERIAL NUMBER by using SoftICE

Before you continue reading this tute, please note that this program is packed. I only realised it when I tried to copy the code snippets using HIEW: I couldn't find the addresses/code that I saw in SoftICE. So I ran W32Dasm, which returned the same result. I had no patience to wait for ProcDump to finish unpacking. So if you find the addresses and code slightly different on your PC, it's just because I took them from ProcDump's $$$TEMP$$$.$$$ file.

The program doesn't show the classic "Thank you for Registering" message, even though you can see that string within SoftICE. NICE TRY, bud! ENUFF ZNUFF.... Let's DANCE aCross da floor:

1. Run AD.EXE and right-click the program's icon in the tray bar. Click ABOUT and then the REGISTER button. In the registration dialog box type the following:

     Registered User  : Pirates Order
     Registration Key : 73881050
     License type     : Single-User / Site License (whatever you like)

   Do not click the OK button yet.

2. Fire up SoftICE by pressing [CTRL + D] and set a breakpoint on HMEMCPY:

     BPX HMEMCPY [enter]

   then press F5 to return to the main program.

3. Now it's time to click the OK button... you must pop back into SoftICE!
   Inside SoftICE press F12 several times (12 times, if I'm not mistaken) until you land at:

   _____________________________________________________________________
   0048695C: E85FBCFAFF      call 0004325C0           <---- you land here
   00486961: A174204900      mov eax,[000492074]
   00486966: 8B00            mov eax,[eax]
   00486968: 8B4DF8          mov ecx,[ebp][-0008]
   0048696B: 8B55FC          mov edx,[ebp][-0004]
   0048696E: E8A9740000      call 00048DE1C           <---- follow this call (F8)
   00486973: 84C0            test al,al
   00486975: 744D            je 0004869C4
   00486977: A174204900      mov eax,[000492074]
   0048697C: 8B00            mov eax,[eax]
   0048697E: C6803303000001  mov b,[eax][000000333],001
   _____________________________________________________________________

   The TEST AL,AL / JE right after the call at 0048696E tells you that this call returns its verdict in AL; with AL = 0 the program jumps over the MOV that sets the byte at [eax+333], so that byte is the "registered" flag.

   Clear the existing breakpoint by typing BC * [enter], and set new breakpoints as follows:

     bpx 015F:0048695C [enter]
     bpx 015F:0048696E [enter]   .... this one will be useful later

4. Press F10 until you reach 015F:0048696E and follow the call by pressing F8. If nothing goes wrong you should land here:

   0048DE1C: 55              push ebp
   0048DE1D: 8BEC            mov ebp,esp
   0048DE1F: 83C4F0          add esp,-010
   0048DE22: 53              push ebx
   0048DE23: 33DB            xor ebx,ebx
   0048DE25: 895DF0          mov [ebp][-0010],ebx
   0048DE28: 895DF4          mov [ebp][-000C],ebx
   0048DE2B: 894DF8          mov [ebp][-0008],ecx
   0048DE2E: 8955FC          mov [ebp][-0004],edx
   0048DE31: 8B45FC          mov eax,[ebp][-0004]
   0048DE34: E88361F7FF      call 000403FBC
   0048DE39: 8B45F8          mov eax,[ebp][-0008]
   0048DE3C: E87B61F7FF      call 000403FBC
   .....
   .....

   You can trace the above code by pressing F10 and dump/display the EAX and EDX registers whenever their values change. You'll see a lot of crackers' names, cracking groups and generic registration names that are blacklisted by the author. Besides that, you'll hit a routine (looping and calculating) that verifies your name.

5. Keep pressing F10 (around 50-60 times, I didn't count, sorry) until you reach this address:

   0048DF76: E8F5FCFFFF      call 00048DC70           <----- pay attention to this address
   0048DF7B: 8B55F0          mov edx,[ebp][-0010]
   0048DF7E: 8B45F8          mov eax,[ebp][-0008]     <----- D EDX here
   0048DF81: E8925FF7FF      call 000403F18
   0048DF86: 0F94C3          sete bl

   Stop at 015F:0048DF7E and dump/display the EDX register:

     D EDX [enter]

   Look at the Data Window, did you see the interesting code 326543695747699JG there? In my case it was located at memory address 00C123B0. The call at 0048DF81 followed by SETE BL is the comparison: BL becomes 1 only when the code the program generated (EDX) matches what you typed (EAX), which is why the real code is sitting in memory right next to your fake one.

6. Write down that suspected registration code and disable all breakpoints:

     BD * [enter]

   then F5 to return to the registration window.

7. Repeat the registration procedure and key in the S/N you noted as your registration code. Click OK..... your name appears in the REGISTERED TO field. Simply, YOU'RE REGISTERED now... there, you've let yourself be had! However, as a matter of fact it's an ILLEGAL REGISTRATION!

[NOTE]:
1. If you key in the second registration code, you'll be registered with a certain time limit of 2 years, I just guess, because I don't even understand German.
2. If you try to re-register the program using another fake S/N (with the username still Pirates Order), just re-enable the previous breakpoints (BE * [enter]) and repeat steps 3 to 6; you'll get another valid registration code.

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: register, pay up, and smile/grin at yourself in the mirror.

Do not distribute a crack release based on this tutorial, because that makes you a LAMER!
(tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a hex editor, ripping off other groups' crack releases and repacking (distro) them under his name. Adopted from the newsgroups alt.cracks, alt.crackers - February 1997)

More about LAMER(s):

  lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
  < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
[EOF] July 31, 2000 01:00:08AM


                   WHY PATCHING WHILE SERIAL NUMBER IS FISHY
                               SAFETYSCAN v2.5J
                    A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law; it is for educational purposes only. I hold no responsibility (by all means and in any shape whatsoever) for the misuse of this material.

ABOUT THE PROGRAM

AniChoice - Install animated cursors by drag and drop, watch previews and let AniChoice exchange your favourite cursors automatically at every interval you want. Minutes, hours, days... As if by magic your cursors periodically change and so you can watch all your favourite cursors without doing any manual work... Random generator included..

WHERE TO DOWNLOAD

  Author   : IOLO Technologies
  Homepage : http://www.iolo.com
  URL      : http://ftp.loop.com/~unisyn/ss.exe
             http://ftp.loop.com/~unisyn/safetyscan.exe
  Size     : KB

HOW TO GET A VALID SERIAL NUMBER by using SoftICE

1. Run SAFESCAN.EXE and click the REGISTER NOW button. In the registration dialog box type the following:

     Registration Code: 73881050

   Do not click the OK button yet.

2. Fire up SoftICE by pressing [CTRL + D] and set a breakpoint on HMEMCPY:

     BPX HMEMCPY [enter]

   then press F5 to return to the main program.

3. Now it's time to click the OK button... you must pop into SoftICE! Inside SoftICE press F12 several times (12 times, if I'm not mistaken) until you land at:

   0044FDF5: E8BA03FDFF      call 0004201B4           <== you land here
   0044FDFA: 8B45F0          mov eax,[ebp][-0010]
   0044FDFD: 50              push eax
   0044FDFE: FF75FC          push d,[ebp][-0004]
   0044FE01: FF75F8          push d,[ebp][-0008]
   0044FE04: 8D45EC          lea eax,[ebp][-0014]
   0044FE07: E840030000      call 00045014C           ---- the real code comes back in [ebp-14]
   0044FE0C: 8B55EC          mov edx,[ebp][-0014]
   0044FE0F: 58              pop eax                  <== stop here: D EDX shows the real code
   0044FE10: E80F3FFBFF      call 000403D24           <== stop here: D EAX shows your fake code
   0044FE15: 0F85B9000000    jne 00044FED4
   0044FE1B: B890000000      mov eax,000000090

4. Press F10 8 (eight) times and stop at 0137:0044FE0F. Dump the EDX register by typing:

     D EDX [enter]

   Look at the Data Window, did you see 8560836? Suspicious....

5. Press F10 once more. At 0137:0044FE10 dump the EAX register by typing:

     D EAX [enter]

   The Data Window shows your fake serial number 73881050. The call at 0044FE10 compares the two strings; it is the only thing the program does before deciding.

6. If you continue tracing you'll find that the jump-if-not-equal at 0137:0044FE15 takes you to the 'beggar off' message. So now you know that 8560836 is your potential valid registration code. Disable all breakpoints by typing BD * [enter] and press F5 to return to the registration window. Key in 8560836 as your registration code, click OK...... you're illegally registered!

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: register, pay up, and smile/grin at yourself in the mirror.

Do not distribute a crack release based on this tutorial, because that makes you a LAMER!

(tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a hex editor, ripping off other groups' crack releases and repacking (distro) them under his name. Adopted from the newsgroups alt.cracks, alt.crackers - February 1997)

More about LAMER(s):

  lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
  < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
[EOF] REV: 5/29/00 4:34:49 PM


  Name    : WinZip
  Version : 8.0
  Target  : Winzip32.exe
  Tools   : SoftICE, Brain
  Cracker : KlimaX v2000
  Get it at http://www.winzip.com

==>DISCLAIMER<==
For educational purposes ONLY! I hold NO responsibility for the misuse of this material!

This is my very first tutorial, so there'll probably be a couple of hundred other (easier) ways to crack this program, but bear with me :)

Alright, enough chit-chat, let's get down and dirty!

1. Open WinZip and press "Enter Registration Code".

2. Enter:
     Name  : KlimaX v2000
     Reg.# : 12345
   Hit OK. Damn... "Incomplete or Incorrect information". Well come on man! Let's fix this damn bug!

3. Press Ctrl+D to access SoftICE, and set a breakpoint on GetDlgItemTextA:

     bpx GetDlgItemTextA

   Press F5 to return to WinZip.

4. Now press OK again, and SICE pops up. The first breakpoint has been reached, but there are two text fields (1. Name and 2. Reg.#), so press F5 once more to skip the read of the Name field and break on the read of the Reg.# field. Great! Now press F11 to get to the caller of this function.

5. Now you should see the listing below, but before you touch anything, notice EAX=00000005 in the top left corner of SICE. That's right! GetDlgItemTextA returns the length of the text it copied, and 5 is the number of digits in our code.
   00407F8F  CALL [USER32!GETDLGITEMTEXTA]
   00407F95  PUSH ESI                          <== You should be here
   00407F96  CALL 0043F89A
   00407F9B  PUSH ESI
   00407F9C  CALL 0043F8C3
   00407FA1  CMP BYTE PTR [0048CD78],00
   00407FA8  POP ECX
   00407FA9  POP ECX
   00407FAA  JZ 00408005
   00407FAC  CMP BYTE PTR [0048CDA4],00
   00407FB3  JZ 00408005
   00407FB5  CALL 004079D5                     <== F8
   00407FBA  TEST EAX,EAX
   00407FBC  JZ 00408005
   00407FBE  PUSH EDI
   etc.

6. Press F10 till you reach 00407FB5 (the CALL marked F8 above), then press F8 to trace into the call. Now you should see this:

   004079D2  RET 0004
   004079D5  PUSH EBP                          <== You should end up here
   004079D6  MOV EBP,ESP
   004079D8  SUB ESP, 00000208
   004079DE  PUSH EBX
   004079DF  PUSH ESI
   004079E0  XOR ESI,ESI
   004079E2  CMP BYTE PTR [0048CD78],00
   004079E9  PUSH EDI

7. Heavy stuff man! Now press F10 about 58 times, and after a while of pressing you should be here:

   00407A91  LEA EAX,[EBP-0140]
   00407A97  PUSH EAX
   00407A98  PUSH EDI
   00407A99  CALL 00407B47
   00407A9E  MOV ESI,0048CDA4
   00407AA3  LEA EAX,[EBP-0140]
   00407AA9  PUSH ESI
   00407AAA  PUSH EAX                          <== d eax
   00407AAB  CALL 004692D0
   00407AB0  ADD ESP,10

   When standing at 00407AAA type d esi, and you'll see our nasty invented code (12345); we don't want that silly code, right? OK, type d eax and there you go: the real, original, unrememberable code right in front of you. The CALL at 00407AAB is the comparison of the two, and the buffer at EBP-0140 is where the routine just built the code it expects for your name. Cool, huh!

   Name  : KlimaX v2000
   Reg.# : Go see for yourself :) hehe

   Remember to type BC * before exiting SICE and trying out your cool code.

=>LAST WORDS:
If you have any comments on this tut, feel free to mail me at KlimaX_v2000@mail.com

_ _ _ _ _ _ _ _
tKC & LW2000, thanks for releasing those great tuts, keep on making 'em! They are the BEST!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 4Developers Software Cracking Tutorial
 + Written By Sako Lee [SDI] +
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Welcome to my tutorial on cracking. Today we will learn to crack all of the 4Developers software (www.4developers.com).
Ok, just an overview of this particular company: basically *all* of their software has the exact same protection scheme. Well, that's typical for a company, but what a lame protection. Ok, now let's continue. We are going to crack all of their software, in this case all the software that uses the name/serial scheme. For this tutorial I will be using Registry Crawler v2.1 as the target example.

So first of all, load up the program and attempt to register with a name/serial; enter whatever you want. Now the error message box appears. Take note of it, because we will use that info in a minute.

Now that we have the error message, let's go to W32Dasm and disassemble our program. After the program has been disassembled, go to SDR (String Data References) and locate our error message. If you can't find it, look carefully for this:

   "The registratio information you "

Once the string has been found, double-click on it and you will be brought to this section of code:

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:00404C17(C)
   |
   :00404CC8 6AFF                    push FFFFFFFF

   * Reference To: USER32.MessageBeep, Ord:01BDh
   |
   :00404CCA FF15B0654300            Call dword ptr [004365B0]
   :00404CD0 85F6                    test esi, esi
   :00404CD2 7403                    je 00404CD7
   :00404CD4 8B761C                  mov esi, dword ptr [esi+1C]

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:00404CD2(C)
   |
   :00404CD7 6A30                    push 00000030

   * Possible StringData Ref from Data Obj ->"UNREGISTERED User"
   |
   :00404CD9 68FC394400              push 004439FC

   * Possible StringData Ref from Data Obj ->"The registration information you "   <-- You'll land
                                           ->"have entered could not be validated."    here ..
   |
   :00404CDE 68BC384400              push 004438BC
   :00404CE3 56                      push esi

   * Reference To: USER32.MessageBoxA, Ord:01BEh
   |
   :00404CE4 FF1540654300            Call dword ptr [00436540]
   :00404CEA 5E                      pop esi
   :00404CEB 5B                      pop ebx
   :00404CEC 83C408                  add esp, 00000008
   :00404CEF C3                      ret

Now, if we study the code for a few moments, we can see that there is a jump reference located just above the error message (|:00404CD2(C)). So this must be where the message is reached from. Let's go to 00404CD2: to do so, double right-click on the address. Once we have done that, we land in this section of code:

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:00404C17(C)
   |
   :00404CC8 6AFF                    push FFFFFFFF

   * Reference To: USER32.MessageBeep, Ord:01BDh
   |
   :00404CCA FF15B0654300            Call dword ptr [004365B0]
   :00404CD0 85F6                    test esi, esi
   :00404CD2 7403                    je 00404CD7
   :00404CD4 8B761C                  mov esi, dword ptr [esi+1C]

As we can see, there's not much here that is of use to us. But we can notice again that there is a reference to this section of code (|:00404C17(C)), which is the conditional jump that sends the program into the failure message. So let's go to that reference by again double right-clicking on the address. If you have followed correctly, you should now be in this specific section of code.
   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:00404BFF(C)
   |
   :00404C10 E8ABFCFFFF              call 004048C0
   :00404C15 85C0                    test eax, eax
   :00404C17 0F84AB000000            je 00404CC8                  <-- You land right here

   * Possible StringData Ref from Data Obj ->"Software\4Developers\RCrawler"
   |
   :00404C1D 8B1558344400            mov edx, dword ptr [00443458]
   :00404C23 8D44240C                lea eax, dword ptr [esp+0C]
   :00404C27 8D4C2408                lea ecx, dword ptr [esp+08]
   :00404C2B 33DB                    xor ebx, ebx
   :00404C2D 50                      push eax
   :00404C2E 51                      push ecx
   :00404C2F 53                      push ebx
   :00404C30 683F000F00              push 000F003F
   :00404C35 53                      push ebx
   :00404C36 53                      push ebx
   :00404C37 53                      push ebx
   :00404C38 52                      push edx
   :00404C39 6802000080              push 80000002
   :00404C3E 895C2430                mov dword ptr [esp+30], ebx
   :00404C42 895C242C                mov dword ptr [esp+2C], ebx

   * Reference To: ADVAPI32.RegCreateKeyExA, Ord:015Fh
   |
   :00404C46 FF1528604300            Call dword ptr [00436028]
   :00404C4C 3BC3                    cmp eax, ebx
   :00404C4E 7531                    jne 00404C81

So, have you looked at the code yet? Figured out what to do or where to go? No? Then let's continue. If we look carefully and study the area I have labelled, we can work out what to do from here. Note what happens on the success path: the 80000002 pushed before RegCreateKeyExA is HKEY_LOCAL_MACHINE, so a successful check goes on to store the registration under Software\4Developers\RCrawler. So let's take a closer look:

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:00404BFF(C)
   |
   :00404C10 E8ABFCFFFF              call 004048C0
   :00404C15 85C0                    test eax, eax
   :00404C17 0F84AB000000            je 00404CC8                  <--- Here you are ..

So here we are, right on the JE instruction. What do we do? Change the JE to JNE? Definitely not, it just will not work that way: the registration routine is called from more than one place, and inverting this one jump would fail every *valid* check as well. So if we can't just alter the JE, what can we do? Well, if we look again, we can see a call just above it. Hmm... let's enter it and see what we find. Place the bar on the call so that the bar is green and then press the Call button. The code you are looking at should be this:

   * Referenced by a CALL at Addresses:
   |:004048B3 , :00404C10
   |
   :004048C0 64A100000000            mov eax, dword ptr fs:[00000000]   <--- Important ..
   :004048C6 6AFF                    push FFFFFFFF
   :004048C8 68803E4300              push 00433E80
   :004048CD 50                      push eax
   :004048CE 64892500000000          mov dword ptr fs:[00000000], esp
   :004048D5 83EC10                  sub esp, 00000010
   :004048D8 83C9FF                  or ecx, FFFFFFFF
   :004048DB 33C0                    xor eax, eax
   :004048DD 56                      push esi
   :004048DE 57                      push edi
   :004048DF BF205E4400              mov edi, 00445E20
   :004048E4 F2                      repnz
   :004048E5 AE                      scasb
   :004048E6 F7D1                    not ecx
   :004048E8 49                      dec ecx
   :004048E9 83F908                  cmp ecx, 00000008
   :004048EC 7311                    jnb 004048FF
   :004048EE 5F                      pop edi
   :004048EF 5E                      pop esi
   :004048F0 8B4C2410                mov ecx, dword ptr [esp+10]
   :004048F4 64890D00000000          mov dword ptr fs:[00000000], ecx
   :004048FB 83C41C                  add esp, 0000001C
   :004048FE C3                      ret

Hmmm... have any ideas? Look at the start of this section of code. The first four lines set up an exception handler frame (the fs:[0] lines). Right after it, OR ECX,-1 / XOR EAX,EAX / REPNZ SCASB / NOT ECX / DEC ECX is an inline strlen of the string at 00445E20, and CMP ECX,8 / JNB means a string shorter than 8 characters falls through to the POPs and returns with EAX = 0, i.e. "not registered". Since this is the call the registration routine uses, we can make it return EAX = 1 right at the top, so that every time the program calls it to check, it thinks the program is registered.

So let's give it a try. Find the offset: @48C0. Now go into Hiew and load up the program, press F4 and select Decode, then press F5 and enter the offset. Now it's editing time. Press F3 and enter:

   B801000000      (mov eax, 00000001)

and on the line after that enter:

   C3              (ret - in this case, return out of the call)

Those six bytes exactly replace the six-byte MOV EAX,FS:[0] (64 A1 00 00 00 00), so nothing after them is disturbed, and the RET leaves the stack as it found it because no PUSH has executed yet. Now press F9 to update and then press ESC to exit.

Now let's test our code change and see if it has worked. Load up the program and the registration dialogue pops up. Enter your info (anything you want in both fields) and press UNLOCK. What do you see? The successful registration message box. Restart the program just in case there are other checks, and still, you are registered! Congratulations, you have just cracked Registry Crawler! Now you can go and crack all the other 4Developers software using this method. It all works, I know, because I've cracked them already... hehe... Good luck and happy cracking!
...Hope this tutorial has been a help in your cracking career and has taught you something new; if not, then why did you read it? :) ......

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Any suggestions, requests, comments... etc... please address them to: sako@phayze.com ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

..:. Greets to all crackers.... especially the Master tKC.... :)


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-=( Cracking CoffeeCup Editor v8.2 )=-
-=( A tutorial by hmemcpy/[CiA] )=-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Hello boys and girls. Today I'm going to show you one of the most stupid protections I've ever seen.

  Target     : CoffeeCup Editor v8.2
  URL        : http://www.coffeecup.com
  Protection : (Stupid) Nag, only 10 JavaScripts supported (the 1st in each category), yellow bar.
  Tools      : W32Dasm and Hiew (you should have those by now, else look in the Tools section)
               Some beer, some ciggys and... music of course. I'll be humping this stupid (Delphi) program to the sound of the "Death - Symbolic" CD.

Ok... let's see now. Make a backup of Coffee.exe (I named mine CC.exe). This is a 3.26MB exe file, so... if you have to take a shower, or walk the dog (or call your girlfriend ;) this is the time to do it, because we're going to disassemble. Ok.. bbl (disassembling the damn file).

About 20 minutes later........... ZZzzzZzz w00.. done!

Ok... there is no screen where I can put a serial number.. hmm... I think I'll remove the JavaScript limit first. Double-click on the string "Only Available in Registered Version!". You will land here:

   :0060B01A E80D94FCFF              call 005D442C                <--- nice ;)
   :0060B01F 84C0                    test al, al
   :0060B021 7459                    je 0060B07C                  <--- DUH ;)
   :0060B023 83FB01                  cmp ebx, 00000001            <--- hmm.. what's this?
   :0060B026 7C54                    jl 0060B07C                  <--- jump if ebx is less than 1
   :0060B028 8D45F8                  lea eax, dword ptr [ebp-08]

   * Possible StringData Ref from Code Obj ->"Only Available in Registered Version!"
   |
   :0060B02B BAB0B16000              mov edx, 0060B1B0
   :0060B030 E8378EDFFF              call 00403E6C
   :0060B035 8D45F8                  lea eax, dword ptr [ebp-08]

   * Possible StringData Ref from Code Obj ->"The Shareware version of the Editor"

So the call at 0060B01A returns AL = 1 when the program considers itself shareware, and only then is the nag shown. Trace into the call and watch the stupidity:

   * Referenced by a CALL at Addresses:
   |:005FCED0 , :005FE83D , :00603F0F , :006040C2 , :00604836
   |:00607F72 , :006089AE , :0060B01A , :00610003
   |
   :005D442C 55                      push ebp
   :005D442D 8BEC                    mov ebp, esp
   :005D442F 6A00                    push 00000000
   :005D4431 6A00                    push 00000000
   :005D4433 53                      push ebx
   :005D4434 33C0                    xor eax, eax
   :005D4436 55                      push ebp
   :005D4437 689A445D00              push 005D449A
   :005D443C 64FF30                  push dword ptr fs:[eax]
   :005D443F 648920                  mov dword ptr fs:[eax], esp
   :005D4442 E80DFDFFFF              call 005D4154                <--- call regcheck
   :005D4447 803DECEE610000          cmp byte ptr [0061EEEC], 00
   :005D444E 7404                    je 005D4454                  <--- if 0, then jump....
   :005D4450 33DB                    xor ebx, ebx
   :005D4452 EB02                    jmp 005D4456

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:005D444E(C)
   |
   :005D4454 B301                    mov bl, 01                   <--- here: BL = 1 means shareware

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:005D4452(U)
   |
   :005D4456 8D55FC                  lea edx, dword ptr [ebp-04]
   :005D4459 B801000000              mov eax, 00000001
   :005D445E E8C9E5E2FF              call 00402A2C                <--- what's in here?
   :005D4463 8D55F8                  lea edx, dword ptr [ebp-08]
   :005D4466 8B45FC                  mov eax, dword ptr [ebp-04]
   :005D4469 E86647E3FF              call 00408BD4
   :005D446E 8B45F8                  mov eax, dword ptr [ebp-08]

   * Possible StringData Ref from Code Obj ->"/SHAREWARE"          <--- THE MOST STUPID AWARD BY +HCU
   |
   :005D4471 BAB0445D00              mov edx, 005D44B0
   :005D4476 E8E5FCE2FF              call 00404160
   :005D447B 7502                    jne 005D447F
   :005D447D B301                    mov bl, 01

If you trace into the call at 5D445E, this is what you'll see:

   * Referenced by a CALL at Addresses:
   |:0045355B , :005D445E , :00608900
   |
   :00402A2C 53                      push ebx
   ..................
   ..................
   :00402A46 50                      push eax
   :00402A47 6A00                    push 00000000

   * Reference To: kernel32.GetModuleFileNameA, Ord:0000h
   |
   :00402A49 E8DAE8FFFF              Call 00401328
   ..................
   ..................

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:00402A3B(C)
   |
   * Reference To: kernel32.GetCommandLineA, Ord:0000h
   |
   :00402A5B E8B0E8FFFF              Call 00401310
   :00402A60 8BF8                    mov edi, eax

It seems that this program fetches its command line and compares the first parameter with the switch '/SHAREWARE'; if it matches, BL is forced to 1 (shareware) no matter what the registration check said. To crack this HUGE (and $45) program, all we have to do is:

   NOP the je at 5D444E

That JE is two bytes (74 04), so it becomes two NOPs (90 90); with the jump gone the code falls into XOR EBX,EBX and the function returns 0 from every one of the nine places that call it. You should know how to do this by now; if not, read ALL the tKC tutors 1-94 (94 is the latest at this time). Run the thing... easy, eh? :)

-=-=-=-=-=-=-=-=-=-=-=-=-
Here comes the pain... :)
Greetings to ALL the crackers in the world and especially those who teach, and are patient with newbies :)
Special greet to tKC, because he's a great man.
Mass hellos fly to all of CiA, and everyone who knows me.
-=-=-=-=-=-=-=-=-=-=-=-=-

>> EOF <<

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #97 soon! ;)

Credits go to:
  Sir DawG for the Splash Logo.
  ASTAGA for providing 2 tuts in this version.
  KlimaX for providing a tut in this version.
  Sako Lee for providing a tut in this version.
  hmemcpy for providing a tut in this version.

To ALL the crackers: you are welcome to send me your tutors to publish them.. see below for my email address!
*** 95 chars per line in textfile please! ***

And all the tutors can be found at: http://www.crackersinaction.com (or on IRC, ask CiA ops for urls!)

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000
Compiled with Delphi 5 on 11 August 2000

Cracking Tutorial #96 is dedicated to Snoekie, my dog, who died on 29 July 2000...