Welcome to Cracking Tutorial #101!

Hiya guys,

Well, here is another tut101.tKC... Let's rave! ...or crack babes? :)

You'll need the following tools:
(I use these tools and I assume you'll use 'em. It doesn't mean that you'll need all of them, but be sure to have them handy for the examples in this tutorial!)

   SoftICE v4.05
   W32Dasm v8.93
   Hacker's View v6.55
   SmartCheck v6.03
   ProcDump32 v1.6.2
   TRW2000 v1.22
   IDA v4.04
   Windows Commander v4.51 (I use it because it makes multitasking easier)
   Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good sites where you can grab tools from:

   http://protools.cjb.net
   http://w3.to/protools
   http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?! OK! ;)


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
Desktop Theme v1.89
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law; it is for educational purposes only. I hold no responsibility ( by all means and in any shape whatsoever ) for the misuse of this material.

ABOUT THE PROGRAM

A Desktop Theme is a collection of wallpaper, mouse pointers, sound effects, colors, fonts, screensavers and startup/shutdown screens, all bundled together into a convenient package. It lets you totally alter the appearance of your desktop in one go. There are thousands of themes available free on the Internet. To use these themes you need a theme manager, and the best one available is Desktop Themes by Left Side Software. It is totally free to download and use, and at only $US15 to register if you decide to keep it, it is significantly cheaper than Microsoft Plus! and other theme solutions available. As well as being a theme manager, Desktop Themes is also a full theme creator and editor, letting you create themes to give to your friends, family or the world in just a few easy steps!
WHERE TO DOWNLOAD

   Author   : Jonathan Potter / Left Side Software
   Homepage : http://www.lss.com.au
   URL      : ftp://ftp.lss.com.au/desktopt.zip
   Size     : 149 KB as of August 01,2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

In the previous version ( v1.85/1.86 ) it was very easy to get a valid serial number for this program just by setting a very common breakpoint within SoftIce. Now the Author has blacklisted many, many user ( cracker ) names, i.e. romeo [d4c], StarrDog, fACTOR98, etc., even the Co-Author ( Ronald J Southar ) of this program! Further, the Author has changed the routine but, unbelievably, he didn't change the code pattern, at least for the first 5 digits. If you observe later on, the valid serial number is always in the form " 21073XXXXX ".

1. Run DESKTOP THEME.EXE, in the main program click the Edit Theme tab. In the registration dialog box type the information below :

   Name       : Pirates
   Order Code : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [ CTRL + D ]. Well ... this time I just wanna bring you directly to the address where the S/N is calculated. ( note : you can also set a breakpoint, i.e. GetDlgItemTextA or MessageBoxA ).

   BPX GetDlgItemTextA [enter]

   and F5 to return to the main program.

3. Now it's time to click the OK button... you must be returned back into SoftIce! Within SoftIce press F11, F5, and F11 until you land at :

   ______________________________________________________________
   well, I don't think it is necessary to show the code snippet
   since we continue to the next step .....
   ______________________________________________________________

4. Do a string search by typing :

   s 0 l fffffffffffffffff e8 f7 90 01 00 59 [enter]

   SoftIce will respond :

   Pattern found at 015F:00405874

   Now, clear/disable the previous breakpoint by typing :

   bc 00 [enter]

   Create a new breakpoint by typing :

   bpx 015F:00405874 [enter]
   u 015F:00405874 [enter]

   Now, press Ctrl+D to return to the registration dialog box.
   Press the OK button to confirm the " incorrect code " message.

5. If nothing goes wrong, you'll be returned back into SoftIce and land at :

   00405874: E8F7900100       call   00041E970            <== HERE
   00405879: 59               pop    ecx
   0040587A: 85C0             test   eax,eax
   0040587C: 59               pop    ecx
   0040587D: 0F8531010000     jne    0004059B4
   00405883: 8B4DD0           mov    ecx,[ebp][-0030]
   00405886: 49               dec    ecx
   00405887: 85C9             test   ecx,ecx
   00405889: 7618             jbe    0004058A3
   0040588B: 0FBE5405D4       movsx  edx,b,[ebp][eax][-002C]
   00405890: 8BF8             mov    edi,eax
   00405892: 83E701           and    edi,001 ;""
   00405895: 47               inc    edi
   00405896: 0FAFD7           imul   edx,edi
   00405899: 03D0             add    edx,eax
   0040589B: 0155FC           add    [ebp][-0004],edx
   0040589E: 40               inc    eax
   0040589F: 3BC1             cmp    eax,ecx
   004058A1: 72E8             jb     00040588B
   004058A3: 8175FC04446482   xor    d,[ebp][-0004],082644404
   004058AA: 7D08             jge    0004058B4
   004058AC: 8B45FC           mov    eax,[ebp][-0004]
   004058AF: F7D8             neg    eax
   004058B1: 8945FC           mov    [ebp][-0004],eax     <=== STOP HERE
   004058B4: 807DD454         cmp    b,[ebp][-002C],054 ;"T"
   004058B8: 7513             jne    0004058CD

6. Look at the Register Window: did you notice that the value of the EAX register often changed during the loop ? It's around the memory address of 40588B upto 405874. To me this code snippet is where the valid serial number is being calculated. ( hehehe ... do you wanna try to make a keygen ??? ). Keep tracing the code by pressing F10, then stop at the address 015F:004058B1. Now, check the value of the EAX register ( EAX=7D9BBC94 ) by typing :

   ? EAX [enter]
   7D9BBC94 2107358356 "}ô_”"

7. Disable all breakpoints by typing :

   BC * [enter]

   Press F5 or X to return to the main program.

8. Repeat the registration procedure and key in 2107358356 as your S/N. Click OK ..... you'll get the classic message ' Your Copy of DeskTop Theme is now Unlocked. Thank you ..... '. Simply, YOU'RE REGISTERED now... you really let yourself get conned there! However, as a matter of fact it's ILLEGAL REGISTRATION!

END NOTES

This program is sold as shareware, so you can try before you buy.
This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: Register, pay up, and smile/grin at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other groups' crack releases, repacking (distro) them under his name. Adopted from newsgroup alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-desktoptheme189.zip [EOF]
Sep 30,2000 01:00:08AM


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
Ergonomic Timer v3.2
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law; it is for educational purposes only. I hold no responsibility ( by all means and in any shape whatsoever ) for the misuse of this material.

ABOUT THE PROGRAM

The Ergonomic Timer(tm) provides relief from repetitive stress problems by monitoring the mouse, the keyboard and the time spent at the workstation. When the programmable number of mouse clicks, mouse moves, keystrokes or minutes occur, a break screen pops up with a countdown timer. The operation can also be password protected to enforce medical compliance.
WHERE TO DOWNLOAD

   Author   : Silvio Kuczynski / Tropical Software
   Homepage : http://www.tropsoft.com/ergtimer/main.htm
   URL      : http://www.tropsoft.com/ergt32d.exe
   Size     : KB

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Run ERGTIMER.EXE, in the main program click the HELP/REGISTER button. In the registration dialog box type the information below :

   Name       : Pirates
   Order Code : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing Ctrl + D, create a new breakpoint, i.e. GetWindowTextA, by typing :

   bpx GetWindowTextA [enter]

   Press F5 to return to the main program.

3. Click the OK button now, you'll return back into SoftIce. Press F11, F5, and F11 once again to get into the main program code as follows :

   0041D543: FF1584CC4400     call   GetWindowTextA       <=== you
   0041D549: 8B4C2408         mov    ecx,[esp][00008]
   0041D54D: 6AFF             push   0FF
   0041D54F: E8A22F0000       call   0004204F6
   0041D554: EB0C             jmps   00041D562
   0041D556: 8B01             mov    eax,[ecx]
   0041D558: FF742408         push   d,[esp][00008]
   0041D55C: FF9090000000     call   d,[eax][00000009
   ......
   ......

   Keep pressing F10 around 22 times until you reach the code snippet below :

   ______________________________________________________________
   00407831: E8FA090000       call   000408230     <== you land HERE
   00407836: 83C408           add    esp,008 ;     <== d edx HERE
   00407839: 85C0             test   eax,eax
   ______________________________________________________________

   Press F10 once ( stop at 015F:00407836 ), dump/display the EDX register by typing :

   D EDX [enter]

   Did you see 373E5C5396 ( located at the memory address ) in the Data Window ?? Scroll up one line or dump/display the ECX register, you'll see your fake S/N together with the real one.

   Now, disable the current existing breakpoint ( BD * [enter] ), press F5 to return to the main program.

4. As soon as you return to the program, the 'beggar-off' msg appears on the screen; just click OK to confirm and quit the application ( nice try .... Kuczynski! ).

5.
   Re-run the program, repeat the registration procedure and key in 373E5C5396 as your valid serial number. Successful registration will appear on the screen, you're illegally registered now.

6. Let's recap your job with the following questions :

   - can I have a shortcut to reach the desired CALL instruction without pressing F10 22 times ??
   - where the hell is my registration code stored ??

7. Take the following answers :

   - Make sure that the previous breakpoint ( GetWindowTextA ) is not active/is disabled.
     Make sure that the GERGRE23.DRU file is deleted.
     Run the program, key in a new User name and fake S/N.
     Create a new breakpoint at the address 015F:00407831

     bpx 015F:00407831 [enter]

     Press F5 to return to the registration window
     Click OK
     You'll break in SoftIce at the address 015F:00407831
     Press F10 once, keep an eye on the Data Window ... new S/N copied to the memory address ....... or type D EDX or D ECX [enter]
     Repeat Step 4 and 5 in the above section.

   - The correct registration code is encrypted and stored in the file called GERGRE23.DRU which is located in your Windows directory ( usually C:\WINDOWS ).

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: Register, pay up, and smile/grin at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other groups' crack releases, repacking (distro) them under his name. Adopted from newsgroup alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

lamer /n./ [prob.
originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-ergtimer32.zip [EOF]
Sep 30,2000 01:00:08AM


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
PC Security v4.11
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law; it is for educational purposes only. I hold no responsibility ( by all means and in any shape whatsoever ) for the misuse of this material.

ABOUT THE PROGRAM

The PC Security for Windows (tm) utilities are custom designed to help you protect your system against such intrusions. The PC Security for Windows (tm) offers comprehensive data security protection by performing the following functionality:

   FileLock.
   System Lock.
   Window Lock.
   Explorer Control.
   Shortcut/Program lock.
   Restricted System.
   Folder Lock.
   Intruder Detection with Alarm.
   Flexible and complete password protection.

WHERE TO DOWNLOAD

   Author   : Silvio Kuczynski / Tropical Software
   Homepage : http://tropsoft.com/
   URL      : http://tropsoft.com/pcsec32.exe
   Size     : 535.497 Bytez as of Oct 10,2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Run SECURITY.EXE, type SECURITY as your password on the screen, in the main program click the REGISTER menu. In the registration dialog box type the information below :

   Registered User        : Pirates
   Order Registration Key : 7388105099

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [ CTRL + D ], put in a new breakpoint, in this case GetWindowTextA :

   BPX GetWindowTextA [enter]

   and F5 to return to the main program.

3. Click the OK button now, you'll return back into SoftIce.
   Press F11, F5, and F11 once again to get into the main program code as follows :

   ___________________________________________________________________
   004284D1: FF15D8454400     call   GetWindowTextA       <== you land
   004284D7: 8B4C2408         mov    ecx,[esp][00008]     <== here
   004284DB: 6AFF             push   0FF
   004284DD: E8103B0000       call   00042BFF2
   004284E2: EB0C             jmps   0004284F0
   ___________________________________________________________________

4. I am not going into detail because I've traced it for you. The details can be read in my tute called TUTE-STEALTH33.TXT ( c_tkc10x.zip ), since this program has similar protection.

5. Now do a string search to locate the address where your valid S/N is copied ( echoed ? ) into memory :

   s 0 l fffffffffffffffff e8 c7 13 00 00 59 59 85 c0 [enter]

   SoftIce will respond :

   Pattern found at 0167:0040E804

   G 0167:0040E804 [enter]

   If nothing goes wrong your Code Window will look as follows :

   0040E803: 51               push   ecx                  <== you land here
   0040E804: E8C7130000       call   00040FBD0
   0040E809: 59               pop    ecx
   0040E80A: 59               pop    ecx
   0040E80B: 85C0             test   eax,eax

   Press F10 once and, after you step past the CALL instruction at 015F:0040E804 ( or stop at 015F:0040E809 ), dump/display the ECX or EDX register by typing :

   d ecx or d edx [enter]

   Now, look at the Data Window .... what the hell is CAB8152102 near your fake serial number ? It was in the memory address of 0167:6AEEBD0!

6. Write down this suspected registration code and disable all breakpoints :

   bd * [enter]

   F5 to return to the registration window.

7. As soon as you return to the program, the 'beggar-off' msg appears on the screen; just click OK to confirm and quit the application ( nice try .... Kuczynski! ).

6. Re-run the program, repeat the registration procedure and key in CAB8152102 as your serial number. Successful registration will appear on the screen, you're illegally registered now.

7. Where the hell is my registration code stored ??
   - The correct registration code is encrypted and stored in the file called GERHTS23.DRU which is located in your Windows directory ( usually C:\WINDOWS ).

8. How can I practise with my own user name ?

   - I strongly recommend you not to do this!

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: Register, pay up, and smile/grin at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other groups' crack releases, repacking (distro) them under his name. Adopted from newsgroup alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-PCSecurity411.zip [EOF]
Sep 30,2000 01:00:08AM


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
Private Desktop v1.6
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law; it is for educational purposes only. I hold no responsibility ( by all means and in any shape whatsoever ) for the misuse of this material.

ABOUT THE PROGRAM

Private Desktop(tm) is the ultimate tool to insure your privacy at your computer.
Its functionality provides instant transfer of any two screens you wish to maintain at the same time. While you view the screen you do not wish anyone else to see, another screen can be in the holding to make a quick switch within a split second. It doesn't stop here. You create your own series of personal passwords to make Private Desktop(tm) impenetrable.

WHERE TO DOWNLOAD

   Author   : Silvio Kuczynski / Tropical Software
   Homepage : http://www.tropsoft.com/privdesk/main.htm
   URL      : http://www.tropsoft.com/privdesk.exe
   Size     : KB

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Run PRIVDSK.EXE, drag your mouse cursor to the right corner of the traybar, right click and choose the SETTINGS submenu. In the main program's window click the CLICK HERE TO.. button. ( Remember the rule of this program, the default password is PRIVATE ) In the registration dialog box type the information below :

   Name      : Pirates
   Order Key : 7388105099

   Do not click the OK button yet.

2. Fire up SoftIce by pressing Ctrl + D, create a new breakpoint, in this case I am using HMEMCPY, by typing :

   bpx hmemcpy [enter]

   Press F5 to return to the main program.

3. Click the OK button now, you'll return back into SoftIce. Press F11, F5, F11 once again; to get into the main program press F12 several times until you get the code snippet below :

   _____________________________________________________________________
   0040230F: E8DCF9FFFF       call   000401CF0     <=== you land HERE
   00402314: 83C410           add    esp,010 ;""
   00402317: 8D4C2424         lea    ecx,[esp][000
   0040231B: 51               push   ecx           <== d ecx here
   0040231C: E81FFAFFFF       call   000401D40
   00402321: 83C404           add    esp,004 ;""
   00402324: 8D542410         lea    edx,[esp][000
   00402328: 52               push   edx           <=== d edx here
   00402329: E812FAFFFF       call   000401D40
   0040232E: 8A442428         mov    al,[esp][0002
   00402332: 83C404           add    esp,004 ;""
   00402335: 84C0             test   al,al
   00402337: 7524             jne    00040235D     <=== jump if not equal
   ......
   ......

   Clear the HMEMCPY breakpoint because you don't need it any longer.
   Set a new breakpoint at the main program code :

   bc * [enter]
   bpx 015F:0040230F [enter]

   Press F10 3 times ( stop at 015F:0040231B ), dump/display the ECX register by typing :

   d ecx [enter]      user name appears in the Data Window

   Press F10 7 times ( stop at 015F:00402328 ), dump/display the EDX register by typing :

   d edx [enter]      fake s/n appears in the Data Window at 0167:64F7E4

   Press F10 12 times ( stop at 015F:00402337 ) ... just follow this JUMP ( JNE ) instruction until you land at :

   0040235D: 8A442410         mov    al,[esp][000
   00402361: 84C0             test   al,al
   00402363: 7525             jne    00040238A     <=== jump if not equal
   ......
   ......

   Press F10 3 times and just follow this JUMP ( JNE ) instruction at 015F:00402363 until you land at :

   0040238A: 8D542424         lea    edx,[esp][00
   0040238E: 8D442410         lea    eax,[esp][00
   00402392: 52               push   edx
   00402393: 50               push   eax
   00402394: E8770C0000       call   000403010
   00402399: 83C408           add    esp,008 ;""
   0040239C: 85C0             test   eax,eax
   ......
   ......

   Press F10 7 times until you step past the call instruction at 015F:00402394 or stop at 015F:00402399, dump/display the EDX register by typing :

   D EDX [enter]

   Did you see 8DA005E002 ( located at the memory address 0167:64F7A8 ) in the Data Window ?? Scroll up one line or dump/display the ECX register, you'll see your fake S/N together with the real one. Up to this step you can consider that 8DA005E002 is your suspected real key ... so, just give it a try ...

4. Now, disable the current existing breakpoint ( BD * [enter] ), press F5 to return to the main program.

5. As soon as you return to the program, the 'beggar-off' msg appears on the screen; just click OK to confirm and quit the application ( nice try .... Kuczynski! ).

6. Re-run the program, repeat the registration procedure and key in 8DA005E002 as your valid serial number. Successful registration will appear on the screen, you're illegally registered now.

6. Let's recap your job with the following questions :

   - can I have a shortcut to reach the desired CALL instruction without pressing F10 21 times ??
   - where the hell is my registration code stored ??

7. Take the following answers :

   - Make sure that the previous breakpoint ( bpx 015F:0040230F ) is not active/is disabled.
     Make sure that the GERKSEDS.DRU file is deleted.
     Run the program, key in a new User name and fake S/N.
     Create a new breakpoint at the address 015F:00402394 ( why here ?? ask yourself ......... )

     bpx 015F:00402394 [enter]

     Press F5 to return to the registration window
     Click OK
     You'll break in SoftIce at the address 015F:00402394
     Press F10 once, keep an eye on the Data Window ... new S/N copied to the memory address 0167:64F7A8 or type D EDX or D ECX [enter]
     Repeat Step 4 and 5 in the above section.

   - The correct registration code is encrypted and stored in the file called GERKSEDS.DRU which is located in your Windows directory ( usually C:\WINDOWS ).

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: Register, pay up, and smile/grin at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other groups' crack releases, repacking (distro) them under his name. Adopted from newsgroup alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-PrivateDeskto16.zip [EOF]
Sep 30,2000 01:00:08AM


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
Private Pix v1.30
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law; it is for educational purposes only. I hold no responsibility ( by all means and in any shape whatsoever ) for the misuse of this material.

ABOUT THE PROGRAM

Private Pix (tm) is the ultimate tool to insure your privacy of your pictures. Private Pix (tm) uses advanced encryption to protect your pictures and keep your data safe. Private Pix also encrypts the name of your pictures and allows the user to view them while they are encrypted! Private Pix also offers a hot key for quick escape using your keyboard.

WHERE TO DOWNLOAD

   Author   : Silvio Kuczynski / Tropical Software
   Homepage : http://www.tropsoft.com/privpix/main.htm
   URL      : http://www.tropsoft.com/privpixd.exe
   Size     : KB

HOW TO GET VALID SERIAL NUMBER by using SoftIce

Unlike the other products ( i.e. Private Desktop, ErgTimer, Stealth ) from the same Author, Private Pix is a Visual Basic (VB5) based program. To my surprise Razzia's tute doesn't work here ( do you remember his magic search string to locate where the EDI and ESI registers are being compared ? ) and I decided not to patch my own MSVBVM50.DLL as described in CrackZ's BPINT 3 approach. However, I suggest you read those two useful tutorials, which can possibly be downloaded from :

   http://www.shield.or.jp/crackz/Index2.htm or
   http://www.idca.com/~thesandman

1. Run PRIVP.EXE, type PRIVATE as your default password to enter the main program, then click on the REGISTER menu. In the registration dialog box type the information below :

   Name       : Pirates
   Order Code : 7388105099

   Do not click the OK button yet.

2.
   Fire up SoftIce by pressing Ctrl + D, create a new breakpoint by typing :

   bpx __vbaStrToAnsi [enter]

   Press F5 to return to the main program.

   Note :
   1. The first time, I created two breakpoints, bpx __vbastrcomp and bpx __vbahresultcheckobj, simultaneously, and it took around 30 presses of F10 to get the correct serial number.
   2. You will not find the suspected S/N in wide format as it should be ( which is common in VB progs ), only your User Name. That was strange to me ..... it's your turn to check it out Bud .....

3. Click the OK button now, you'll return back into SoftIce. Press F11, F5, and F11 once again to get into the main program code as follows :

   ___________________________________________________________________
   00450C88: FFD6             call   esi
   00450C8A: 50               push   eax           <==== you land HERE
   00450C8B: E8A8AAFBFF       call   00040B738
   00450C90: 8BF0             mov    esi,eax
   _______________________PRIVP! . text + 0004FC88____________________

   Just press F10 2 times and, after you step past the CALL instruction at 015F:00450C8B ( or stop at 015F:00450C90 ), dump/display the EDX register by typing :

   D EDX [enter]

   Did you see 0A7597C904 ( located at the memory address 0167:0069F96C ) in the Data Window ?? Scroll up one line and you'll see your fake S/N together with the real one.

4. Write down this possible valid serial number.

5. Now, disable the current existing breakpoint ( BD * [enter] ), press F5 to return to the main program.

6. As soon as you return to the program, the 'beggar-off' msg appears on the screen; just click OK to confirm and quit the application ( nice try .... Kuczynski! ).

7. Re-run the program, repeat the registration procedure and key in 0A7597C904 as your serial number. Successful registration will appear on the screen, you're illegally registered now.

8. Let's recap your job with the following question :

   - where the hell is my registration code stored ??

9.
   Take the following answer :

   - The correct registration code is encrypted and stored in the file called GERPVIRP.DRU which is located in your Windows directory ( usually C:\WINDOWS ).

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: Register, pay up, and smile/grin at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other groups' crack releases, repacking (distro) them under his name. Adopted from newsgroup alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-privatepix130.zip [EOF]
Sep 30,2000 01:00:08AM


I really hope you've enjoyed this tutorial as much as I did!

Don't miss Tutor #102 soon! ;)

Credits go to:
   FuzzyCat for Splash Logo.
   ASTAGA for providing 5 tuts in this version.

To ALL the crackers: You are welcome to send me your tutors to publish them... see below for my email address!
*** 95 chars per line in textfile please! ***

And all the tutors can be found at: http://www.crackersinaction.com (or on IRC, ask CiA ops for urls!)

Greetz go to all my friends!
You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000
Compiled with Delphi 5 on 12 October 2000

Cracking Tutorial #100 is dedicated to CiA, all new and old members for the support they gave me all the years!
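
All five walkthroughs above depend on the same design flaw: the program derives the correct registration code for the entered name on the user's machine and compares it with the typed value, so the correct code sits in process memory at the compare. The added example below (not code from the tutorial or from any of the vendors) contrasts that pattern with a check that only verifies a vendor signature, where nothing valid is ever derived client-side. The secret, the toy RSA key, the user names and every function name are constructed for illustration; a real product would use a vetted signature library.

```python
import hashlib
import hmac

# ---- Pattern A: the client derives the expected serial itself ------------
EMBEDDED_SECRET = b"constructed-demo-secret"   # constructed; ships in the client

def derived_check(name, entered, trace=None):
    """Recompute the serial for `name` locally and compare it with the input."""
    mac = hmac.new(EMBEDDED_SECRET, name.encode(), hashlib.sha256)
    expected = mac.hexdigest()[:10].upper()
    if trace is not None:
        trace.append(expected)    # stands in for a memory dump at the compare
    return hmac.compare_digest(expected.encode(), entered.encode())

# ---- Pattern B: the client only verifies a vendor signature --------------
# Constructed toy key made of two Mersenne primes: trivially factorable and
# unpadded, for illustration only. The primes belong on the vendor side; the
# client would ship PUBLIC_N and PUBLIC_E alone.
_VENDOR_P, _VENDOR_Q = 2**61 - 1, 2**89 - 1
PUBLIC_N = _VENDOR_P * _VENDOR_Q
PUBLIC_E = 65537

def _name_digest(name):
    digest = hashlib.sha256(name.encode()).digest()
    return int.from_bytes(digest, "big") % PUBLIC_N

def vendor_sign(name):
    """Vendor side only: issue a license for `name` with the private exponent."""
    d = pow(PUBLIC_E, -1, (_VENDOR_P - 1) * (_VENDOR_Q - 1))
    return format(pow(_name_digest(name), d, PUBLIC_N), "x")

def signed_check(name, entered, trace=None):
    """Client side: verify the license with public values only."""
    try:
        sig = int(entered, 16)
    except ValueError:
        return False
    if not 0 < sig < PUBLIC_N:
        return False
    recovered = pow(sig, PUBLIC_E, PUBLIC_N)
    digest = _name_digest(name)
    if trace is not None:         # everything the client computes in memory
        trace.extend([format(recovered, "x"), format(digest, "x")])
    return recovered == digest

def leaked_valid_values(check, name, wrong_input):
    """Values seen during a failed attempt that would register `name`."""
    trace = []
    check(name, wrong_input, trace)
    return [value for value in trace if check(name, value)]

if __name__ == "__main__":
    user = "Sample User"          # constructed sample input
    print("derived:", leaked_valid_values(derived_check, user, "0000000000"))
    print("signed :", leaked_valid_values(signed_check, user, "1234abcd"))
    print("license verifies:", signed_check(user, vendor_sign(user)))
```

Signature verification removes the recoverable serial, but it does not protect the client's own comparison from tampering; that needs separate integrity checking or server-side entitlement.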