Welcome to Cracking Tutorial #98!

Hiya guys,

Sorry for delays, again I was busy with coding and all shit.. Here's a tut98.tKC... OK, let's rave! ...or crack babes? :)

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

  SoftICE v4.05
  W32Dasm v8.93
  Hacker's View v6.55
  SmartCheck v6.03
  ProcDump32 v1.6.2
  TRW2000 v1.22
  IDA v4.04
  Windows Commander v4.51 (I use it coz it's easier to multitask)
  Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here are a few good sites where you can grab tools from:

  http://protools.cjb.net
  http://w3.to/protools
  http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?! OK! ;)


---------------------------------------------------
---------- DnNuke's CRACKING TUTORIAL #9 ----------
// // // Getting a serial from pop3connector ver. 4.10 \\ \\ \\
------------------------------------------------------------------

  About
    Location: Download.com
    Tools required: SoftICE
    Difficulty level: Easy ( X )  Medium ( )  Hard ( )

-Finding the Correct Key------

Ok cRACKERS, LTNS (Long Time No See :P). Let's see if the software dudes have gotten any better at hiding the serial from us young/beautiful crackers/gfxers :P

First open up the program, goto "Help/Registration" and enter:

  "User Name - Whatever"
  "E-mail - whatever"
  "Product Key - 1133557799"

DON'T click on the register button.. First goto SoftICE (Ctrl-D) and make a breakpoint on hmemcpy like this: "bpx hmemcpy". Wow, hi-tech :) Now you hit the button. And you land in SIce!
Press F11 once and then F12 until you see yer pass length in EAX.. that means 1133557799 = 10 chars, and 10 = 0A in hex... so when EAX=0000000A is "lighted" (which means that EAX has been updated), we trace down with F10 and come to a nice bit of code that looks like:

  :004AAFAD 8D45F0         lea eax, dword ptr [ebp-10]
  :004AAFB0 50             push eax
  :004AAFB1 8B4DF8         mov ecx, dword ptr [ebp-08]
  :004AAFB4 8B55FC         mov edx, dword ptr [ebp-04]
  :004AAFB7 8BC3           mov eax, ebx
  :004AAFB9 E81EFEFFFF     call 004AADDC
  :004AAFBE 8B45F0         mov eax, dword ptr [ebp-10]   ---> eax = the right key? try it and find out..
  :004AAFC1 8B55F8         mov edx, dword ptr [ebp-08]   ---> edx = your fake key
  :004AAFC4 E8278FF5FF     call 00403EF0                 ---> The checking of what the right serial is..
  :004AAFC9 0F85F5000000   jne 004AB0C4                  ---> if serial wrong = 0 then show bad nag else show good :)

To see what's in eax or edx, the only thing you have to do is have the blue marker on it ("trace on it") and write d eax or d edx.

            ||
           \||/
            \/

So the "eax" key was right :( that sux. That means we cracked it... 2 bad.. oh well, enjoy this nice app. And remember, if you really like it you should give the coder.. so that he can make a better protection :D

-Endings------

Hope You've Learned Something From This Tutor.. Bye For Now

-Greets-------

All greets are @ DnNuke.Net . . .

-Closing-------------


DongJong's NEWBIE TUTORIAL

DongJong's How to get a MACHINE SERIAL for Keno Reeves Video Bingo v2.5

Tools to use
~~~~~~~~~~~~
SmartCheck 6.01

Where to get Tools
~~~~~~~~~~~~~~~~~~
http://cracking.home.ml.org
http://surt.to/HarvestR
http://crackstore.com
http://www.pepsoft.com

Where to get the program
~~~~~~~~~~~~~~~~~~~~~~~~
Keno Reeves Video Bingo v2.5
http://www.cyrens.com/kenoreeves/krvb25.zip

Program description
~~~~~~~~~~~~~~~~~~~
Keno Reeves Video Bingo lets you play your own four cards against a variable number of other Bingo players. It offers manual or automatic play modes.
Start by generating numbers on your cards and anywhere from 10 to 100 total Bingo cards. Then the caller will start calling numbers. Click to cover or simply let the computer do the work. You can vary the pot size and, after you register, play all the Bingo options, such as 4-corner, postage stamp, cover-all, and T. The interface is clear, with excellent online help and lots of sounds to add to the action. You can pause the call if you get behind. If you can't get enough Bingo at the local parlor, try this one at home.

Procedures
~~~~~~~~~~
Start SmartCheck (SC) and open KRBingo.exe, then run the program by pressing F5. As usual, you only need to click the "ACKNOWLEDGE" button when SC is running and gives you option buttons to click, until SC loads the program.

There are lots of features that are disabled in the unregistered version of this game, like the save and load games and printing of cards too :> those menus are grayed out! he he :> Registration is based on the computer and hard drive that the program is installed on. A $15.95 value :> When the 15 play limit has been exhausted, all options except for the Help screens will become disabled.

Okey! Let's go on. After clicking those SC acknowledge buttons, the program will load, then choose the Registration menu and click on Enter Registration Code; there you'll see your machine specific code, mine is B$2-2-5-4-K-A-A-0. This software doesn't need any personal name, I mean it's not needed in the serial computation, but it does ask you your name after you have entered the correct serial, and this one SHOWS your name in the About menu though :> (he he, got you there).

Okey, after you have clicked Enter Registration Code, there's a box for you to enter your supposed serial. Okey, here's the short of it (enter any serial, just follow my tut):

  Machine Code: B$2-2-5-4-K-A-A-0
  Serial: 1434

Then after filling in the details click on OK, and a not so nice message will greet you saying "Invalid Registration Code!"
ggggrrrrrr! he he :> always a wrong guess huh :> Warning though! he he :> again? Well, I've found a way: after you have entered your imaginary serial, you can stop the program RUN through the SC menu bar button at the right hand side :> SC would ask you for a confirmation and of course say, I DO! ha ha :> SC stops tracing for us to begin hunting that code :>

Ok, so now let's look on the left side of SmartCheck. Well, no more [+]Timer4_Timer, guess SC hasn't had time to react :> Near the end look for [+]cmdRegister_Click. After you've clicked on it, it will be very very long, and browsing thru it you will notice that it is just going over and over again, some kind of a loop, but never mind, just go near the end of this menu... of the pack, click on it and see the right side of SC and you'll see something like this:

  [+]cmdRegister_Click
   |
   | (snip for brevity's sake)
   |
   |-- UCase

Now after arriving on that menu, there are three of them; choose the one where the right hand side of SC looks like this in the details:

  [+]-- string (variant)
   |
   [-]-- String .bstrVal = 0051CC64
    |
    |-- = "MBMCLSS3"

Hmm... he he, keep on smiling, as the short run is over :> I'm now ready to have my snack, fried bananas, anyone :>

Well, that's it, you've made it! Start KRBingo.exe, and click on the Registration menu and use this info:

  Registration Code : MBMCLSS3

Click OK and what have you got? Caramba! It says "Thank you for your purchase! Your game has been registered! Have fun and enjoy playing Keno Reeves Video Bingo!" wow! ain't that feel nice, kewl :>

The registration details are placed in the game directory in the kr.ini file. Play on it :> Remember it's machine specific, so follow my tut and get your own machine specific serial for this game :>

Good afternoon to everyone!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greetings go to these people:

tKC - I would like to thank tKC for his tutors.
MsJessca - for hosting the tuts and inspiring tKC :>
Albert Alexander Lay - KeWl DuDe!
for the computer and Internet, good luck ;)
Ms. KJF - hello 7372122 :-) Let's make a night to remember! I Love You! ;)
All cracking groups and cracking fanatics and newbies galore! Have fun :> keep on rockin'

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My good friend Albert Alexander Lay has a mobile phone +639179356877. I'd like to have some international friends all over the world, please text me via that mobile number, please state your full name, age, sex and the place (where you are from), will text you via INTERNET!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Until next time... MABUHAY!

Another Tutor by DongJong ;-)
sutra@goplay.com


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-=( Cracking The Customizer 2000 v5.0 )=-
-=(   A tutorial by hmemcpy/[CiA]     )=-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Hello boys and girls. In this tutorial I'll show you how to crack The Customizer. The Customizer is a tweaking utility for the PC. Anyhow, you can find out for yourself what it does.

Protection: Nag Screen w/ serial, disabled checkbox for canceling the nag, "unregistered" caption in the About box.

Tools: W32Dasm
       Hiew
       Brain ;)

You should have all those tools by now, if not, check the tools section in the tutorial.

Some mental support: Cradle of Filth - From Cradle to Enslaved EP ;)

Let's rock!

Hmm.. annoying nag. Instead of patching the serial routine, the program offers the user to "Disable Splash Screen" (located in the Customizer menu), but the checkbox is disabled.

Let's begin by disassembling the file with W32Dasm. Make a copy of Customizer.exe, and disassemble it. Hmm... done. Now let's explore a little. The strings indicating that this is shareware are nowhere to be found. Instead, double click on the line "Thank you for buying Customizer".
Here is where you land (scroll up to get the full view):

  * Referenced by a CALL at Address:
  |:004654DB   <-- hmm ;)
  |
  :00464F44 53               push ebx
  :00464F45 8BD8             mov ebx, eax
  :00464F47 8B8358050000     mov eax, dword ptr [ebx+00000558]
  :00464F4D 8B8008020000     mov eax, dword ptr [eax+00000208]
  :00464F53 8B10             mov edx, dword ptr [eax]
  :00464F55 FF5240           call [edx+40]
  :00464F58 8B8358050000     mov eax, dword ptr [ebx+00000558]

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:00464EF0(C)
  |
  :00464F5E 8B8008020000     mov eax, dword ptr [eax+00000208]

  * Possible StringData Ref from Code Obj ->"Thank you for buying Customizer "
                                          ->"2000!"
  |
  :00464F64 BA14504600       mov edx, 00465014   <--- you are here

Ok.. we can see that this thing comes from a call. Let's trace back to the call. This is where you land:

  :004654C9 E852070000       call 00465C20
  :004654CE 833DF8ED470000   cmp dword ptr [0047EDF8], 00000000
  :004654D5 7509             jne 004654E0   <--- nice ;)
  :004654D7 8BD6             mov edx, esi
  :004654D9 8BC3             mov eax, ebx
  :004654DB E864FAFFFF       call 00464F44   <--- the call

Ok. This is pretty clear. The call is never executed, because of the conditional jump. This is what we need to do: NOP the jump at 4654D5 (you should know already how to). Start the patched exe. Click on the Customizer menu. Well... the program thinks it's registered. Check the "Disable Splash Screen" checkbox, and exit the program. Start it again, and voilà: No nag ;)

Almost done now... if you click the "About" button, you will see: (Unregistered Trial Version). Let's remove it too.
Since there is no string like that in the SDR, double click on the "(Registered Version)" string:

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:00460F33(C)
  |
  :00460F9E 648920           mov dword ptr fs:[eax], esp
  :00460FA1 A138CF4700       mov eax, dword ptr [0047CF38]
  :00460FA6 833800           cmp dword ptr [eax], 00000000
  :00460FA9 7510             jne 00460FBB   <--- gotcha ;)

  * Possible StringData Ref from Code Obj ->"(Registered Version)"
  |
  :00460FAB BA44114600       mov edx, 00461144   <--- you're here

Looks like another conditional jump that needs NOPing. NOP it, then run the patched exe. No nag + the About screen now says we're registered. Done ;)

-=-=-=-=-=-=-=-=-=-=-=-=-
Here comes the pain... :)

Greetings to ALL the crackers in the world, and especially those who teach, and are patient with newbies :)

Special greet to tKC. You are the best man I've ever met. Thank you for everything, and I hope your life is back on the right track. Good luck, mate ;)

Mass Hello flys to all of CiA, and everyone who knows me.
-=-=-=-=-=-=-=-=-=-=-=-=-
>> EOF <<


Program: AuctionTamer v 4.2.0
Homepage: www.auctiontamer.com/auction/index.htm
Size: 2.2 Mb
Prog Synopsis: A prog that deals with auctions and the tracking of items offered on-line. Registration fee approx. $20

Tools needed:
  NuMega's SmartCheck - you can get it loads of places - just type SmartCheck in your search engine.
  W32Dasm - not really needed but you ought to have it anyway :-)

Method:
This tut may appear long but you can crack this babe in a few minutes!

OK, if you load up the proggie in W32Dasm (it takes a while so go for a beer, ciggie, sex ;-) you will see that it is a Visual Basic prog since you see such references as MSVBVM60.DLL. Now we have established that, we can close W32Dasm. Don't ask me anything about Visual Basic - I haven't a clue (I'm only a "newbie" - this is my 2nd tut!) but I know a program that does - SmartCheck - great prog from NuMega.

Load and run AuctionTamer and click on Help-Enter Registration Key.
  Your E-Mail Address: jkon7@hotmail.com
  Enter Key Here: 12121212

Click on OK and you get "Invalid Key, try again!" - grrr! *@!#

OK, quit the prog and fire up SmartCheck. Press File-Open and locate AuctionTamer (something like c:\Program Files\AucTamer\auctamer.exe). Press F5 to start the prog running. Now you will see MANY! program error detected boxes - just click on Acknowledge. Eventually the Dial-up connection box appears - click on Cancel. Another box appears asking if you would like to use AuctionTamer offline - click Yes, then OK - click on Help-Enter Registration Key.

  Your E-mail Address: jkon7@hotmail.com
  Enter Key Here: 12121212

(You will get some more error detected boxes - just click on Acknowledge). Click on OK. You get the "Invalid Key, try again!" box. DON'T click on OK, just go back to SmartCheck and click on Program-End and then Yes.

OK, now we start to locate the 'echo' that is the 'real' serial number. In the left hand pane of the SmartCheck window you will see a whole load of various things such as Thread, API failure etc. Don't worry about these, just drag the scroll bar right to the bottom of the listing. Right at the bottom you will see a load of _Timer comments and at the bottom is _Click. Click on the + box to expand it and then you will see another load of _Timer(s) and at the bottom of this is another _Click. Again click on the + box to expand it and scroll down to the bottom (go past things such as Mod$, ASC returns, Integer:xxx) until you get to:

  Replace
  Long (0) --> Integer (0)
  Long (0) --> Integer (0)
  Len returns LONG:12
  Double (4245) --> Long (4245)
  Long (1522) --> Integer (1522)
  Long (2) --> Integer (2)
  Integer (0) --> String (0)
  "  "  "  "  "  "

Just left click your mouse button on the first "Replace" above Long (0) --> Integer (0). Look in the right hand pane. Whoa! What do we see here ;-) We see:

  String Expression = 005C493C
  |______ = "794-811-761"

Well, what do you know! - write down this number - shut down SmartCheck.
Reload AuctionTamer and enter your new found number. Job done.

Hope this helps. Many thanks to tKC and the crew - you really are the best!

Best Wishes
jkon7


Title: Serial Fishing
Level: Piss Easy
Target: EasyCD v2.0
URL: http://www.is.lt/linas/easycd/

Ok guyz... believe me, I'm a little bored today, so I looked at EasyCD to play CDs. And noticed it's written in Delphi. So I thought I'll write a quick tutor on how to use DeDe and TRW2000. Oh yes, yesterday I installed Windows 2000 since WinME sux big.. bad or not, I didn't uninstall WinME, so with dual boot to WinME, I can use TRW2000 now *bleh*

What we'll need:
  DeDe v2.34
  TRW2000 v1.22
  And 5 minz to spend your time!

Step 1.
Now run EasyCD and look what it says... oh, "Incomplete or incorrect information" after you entered your name/code.. Okay, now run your DeDe and click Process!

Step 2.
Done? Fast eh? Kool, now click Procedures and look in the window on the left. Did you see what I saw? "RegKey"! Now click it, on the right you'll see Button1Click, it's a procedure to tell the application what it should do when you click a button in EasyCD. Also click Controls above, and you'll see "Button1, Button2, ERegKey, ERegName, Label1, Label2"... so we know we're entering the bitch's nest =)

Step 3.
Now double click on Button1Click, you'll see:

  ***** TRY
  |
  0047CCAB 64FF30         push dword ptr fs:[eax]
  0047CCAE 648920         mov fs:[eax], esp
  0047CCB1 8D55FC         lea edx, [ebp-$04]

  * Possible Reference to Control 'ERegName:TEdit'   <--- editbox where you enter your name
  |
  0047CCB4 8B83C4020000   mov eax, [ebx+$02C4]
  0047CCBA E89133FBFF     call 00430050
  0047CCBF 8D55F8         lea edx, [ebp-$08]

  * Possible Reference to Control 'ERegKey:TEdit'   <--- editbox where you enter your code
  |
  0047CCC2 8B83C8020000   mov eax, [ebx+$02C8]
  0047CCC8 E88333FBFF     call 00430050
  0047CCCD 837DFC00       cmp dword ptr [ebp-$04], +$00
  0047CCD1 0F84B8000000   jz 0047CD8F   <--- bad boy
  0047CCD7 837DF800       cmp dword ptr [ebp-$08], +$00
  0047CCDB 0F84AE000000   jz 0047CD8F   <--- bad boy
  0047CCE1 8D4DF4         lea ecx, [ebp-$0C]
  0047CCE4 A1BCD54900     mov eax, dword ptr [$49D5BC]
  0047CCE9 8B00           mov eax, [eax]
  0047CCEB 8B55FC         mov edx, [ebp-$04]   <--- your name
  0047CCEE E859130100     call 0048E04C
  0047CCF3 8B55F4         mov edx, [ebp-$0C]   <--- real code
  0047CCF6 8B45F8         mov eax, [ebp-$08]   <--- your bad code
  0047CCF9 E88672F8FF     call 00403F84
  0047CCFE 7575           jnz 0047CD75   <--- also bad boy
  0047CD00 A1B4D64900     mov eax, dword ptr [$49D6B4]
  0047CD05 C60001         mov byte ptr [eax], $01
  0047CD08 A1DCD34900     mov eax, dword ptr [$49D3DC]
  0047CD0D 8B55FC         mov edx, [ebp-$04]
  0047CD10 E8376FF8FF     call 00403C4C
  0047CD15 A1D4D24900     mov eax, dword ptr [$49D2D4]
  0047CD1A 8B55F8         mov edx, [ebp-$08]
  0047CD1D E82A6FF8FF     call 00403C4C
  0047CD22 A10CD74900     mov eax, dword ptr [$49D70C]
  0047CD27 8B00           mov eax, [eax]
  0047CD29 8BD6           mov edx, esi

  * Reference to : TFAbout.FormCreate
  |
  0047CD2B E860050000     call 0047D290
  0047CD30 A1BCD54900     mov eax, dword ptr [$49D5BC]
  0047CD35 8B00           mov eax, [eax]
  0047CD37 8B4DF8         mov ecx, [ebp-$08]
  0047CD3A 8B55FC         mov edx, [ebp-$04]
  0047CD3D E8164D0100     call 00491A58
  0047CD42 6A40           push $40

  * Possible String Reference to: "EasyCD"
  |
  0047CD44 B9D0CD4700     mov ecx, $0047CDD0

  * Possible String Reference to: "Thank You for registering EasyCD."
    <--- good boy
  |
  0047CD49 BAD8CD4700     mov edx, $0047CDD8
  0047CD4E A14CD54900     mov eax, dword ptr [$49D54C]
  0047CD53 8B00           mov eax, [eax]
  0047CD55 E85AF3FCFF     call 0044C0B4
  0047CD5A A1C8D64900     mov eax, dword ptr [$49D6C8]
  0047CD5F 8B00           mov eax, [eax]
  0047CD61 80784700       cmp byte ptr [eax+$47], $00
  0047CD65 7440           jz 0047CDA7
  0047CD67 A1C8D64900     mov eax, dword ptr [$49D6C8]
  0047CD6C 8B00           mov eax, [eax]
  0047CD6E E8C5C0FCFF     call 00448E38
  0047CD73 EB32           jmp 0047CDA7
  0047CD75 6A10           push $10

  * Possible String Reference to: "EasyCD"
  |
  0047CD77 B9D0CD4700     mov ecx, $0047CDD0

  * Possible String Reference to: "Incomplete or incorrect information."
  |
  0047CD7C BAFCCD4700     mov edx, $0047CDFC
  0047CD81 A14CD54900     mov eax, dword ptr [$49D54C]
  0047CD86 8B00           mov eax, [eax]
  0047CD88 E827F3FCFF     call 0044C0B4
  0047CD8D EB18           jmp 0047CDA7
  0047CD8F 6A10           push $10

  * Possible String Reference to: "EasyCD"
  |
  0047CD91 B9D0CD4700     mov ecx, $0047CDD0

  * Possible String Reference to: "Incomplete or incorrect information."
  |
  0047CD96 BAFCCD4700     mov edx, $0047CDFC
  0047CD9B A14CD54900     mov eax, dword ptr [$49D54C]
  0047CDA0 8B00           mov eax, [eax]
  0047CDA2 E80DF3FCFF     call 0044C0B4
  0047CDA7 33C0           xor eax, eax
  0047CDA9 5A             pop edx
  0047CDAA 59             pop ecx
  0047CDAB 59             pop ecx
  0047CDAC 648910         mov fs:[eax], edx
  ****** FINALLY

Step 4.
Ok, great... above you'll see where you have to fish your babe in the nest. What we have to do is write down the Virtual Address (47CCEB). Now it's time to run your TRW2000.

Step 5.
In TRW2000, click Browse and find EasyCD.EXE, then click Load.... When TRW2000 pops up, simply press F5. This time EasyCD will pop up. Goto About, then enter your name/code. Just don't click OK yet! Press CTRL-N to bring up TRW2000. Now type G 47CCEB.

Step 6.
Now you can click OK... *gasp gasp* you've entered the nest! =) Okay, back to TRW2000, press F10 to trace down. At 47CCF6, type d edx.... that's your babe.... piss easy eh? yea right!

Enjoy it, tKC.................... tkc@reaper.org

PS.
If you know how to tackle your SoftICE, you should tackle TRW2000 easily too!

I really hope you've enjoyed this tutorial as much as I did!

Don't miss Tutor #99 soon! ;)

Credits go to:
  bM[tgfx] for Splash Logo.
  DnNuke/CiA for providing a tut in this version.
  DongJong for providing a tut in this version.
  hmemcpy/CiA for providing a tut in this version.
  jkon7 for providing a tut in this version.
  tKC for providing a tut in this version.

To ALL the crackers: You are welcome to send me your tutors to publish them.. see below for my email address!

*** 95 chars per line in textfile please! ***

And all the tutors can be found at:
http://www.crackersinaction.com
(or on IRC, ask CiA ops for urls!)

Greetz go to all my friends!
You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 23 September 2000

Cracking Tutorial #98 is dedicated to hmemcpy...
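The pop3connector listing (DnNuke, call 00403EF0) and the EasyCD listing (tKC, call 00403F84 with the "real code" in [ebp-$0C]) show the same pattern: the program derives the correct code from the name and then string-compares it with what was typed, which is why a `d` on the right register hands over the key. The example below is added here and is not code from any of the tutorials or programs above; the derivation, the toy RSA numbers and all names are constructed. It puts that compute-and-compare check beside a verify-only check, where the program ships only the public half of a signing key and never builds the valid code itself.

```python
"""Compute-and-compare vs verify-only serial checks (constructed example)."""
import hashlib

# --- Pattern 1: compute-and-compare (what the listings above do) ----------
# The program derives the correct code from the name, keeps it in a local
# (the EasyCD listing's [ebp-$0C]), then string-compares it with the typed
# code.  Anything that can read that local reads the correct key.
def derive_code(name: str) -> str:
    # Constructed toy derivation standing in for call 0048E04C.
    digest = hashlib.sha256(name.encode("utf-8")).digest()
    return "-".join(f"{digest[i] * 256 + digest[i + 1]:05d}" for i in (0, 2, 4))

def compute_and_compare(name: str, typed: str) -> tuple[bool, str]:
    real_code = derive_code(name)        # <-- the value a "d edx" displays
    return (typed == real_code, real_code)

# --- Pattern 2: verify-only (toy RSA signature over the name) -------------
# The vendor keeps d; the program ships only (e, n).  It can decide whether a
# code is valid for a name, but never materialises the valid code, so there is
# nothing to fish from the comparison and no keygen without d.
TOY_N = 3233   # 61 * 53, constructed toy modulus, far too small for real use
TOY_E = 17
TOY_D = 2753   # stays with the vendor; present here only to mint a sample code

def name_digest(name: str) -> int:
    # Reduce a short hash of the name into the RSA modulus.
    return int.from_bytes(hashlib.sha256(name.encode("utf-8")).digest()[:2], "big") % TOY_N

def vendor_issue_code(name: str) -> str:
    """Vendor-side step using the private exponent; not part of the program."""
    return f"{pow(name_digest(name), TOY_D, TOY_N):04d}"

def verify_only(name: str, typed: str) -> bool:
    # Program-side check: only e and n are needed, and only a yes/no comes out.
    try:
        code = int(typed)
    except ValueError:
        return False
    return pow(code, TOY_E, TOY_N) == name_digest(name)

if __name__ == "__main__":
    ok, leaked = compute_and_compare("tKC", "1133557799")
    print("compute-and-compare:", ok, "real code sitting in memory:", leaked)
    sample = vendor_issue_code("tKC")
    print("verify-only:", verify_only("tKC", sample), verify_only("tKC", "1133557799"))
```

The verify-only routine is only as strong as the signature scheme behind it; the 12-bit modulus here is for illustration of the pattern, not a usable protection.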