Welcome to Cracking Tutorial #103!

Hiya guys,

Well, here is another tut103.tKC... Let's rave! ...or crack babes? :)

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

SoftICE v4.05
W32Dasm v8.93
Hacker's View v6.55
SmartCheck v6.03
ProcDump32 v1.6.2
TRW2000 v1.22
IDA v4.04
Windows Commander v4.51 (I use it coz of easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here are a few good sites where you can grab tools from:

http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?! OK! ;)

DongJong's NEWBIE TUTORIAL

DongJong's How to get a MACHINE SERIAL for Tenant Billing v1.13

Tools to use
~~~~~~~~~~~~
SmartCheck 6.01

Where to get Tools
~~~~~~~~~~~~~~~~~~
http://cracking.home.ml.org
http://surt.to/HarvestR
http://crackstore.com
http://www.pepsoft.com
http://protools.cjb.net

Where to get the program
~~~~~~~~~~~~~~~~~~~~~~~~
Tenant Billing v1.13
http://home.iprimus.com.au/russg/tbill113.exe

Program description
~~~~~~~~~~~~~~~~~~~
TENANT BILLING is an excellent computer package for maintaining records and producing bills for properties. Suit owners/managers of factories, houses, flats, condominiums etc. This is one of the simplest packages available which the first time user should have little trouble using. "Regular Charges" and "One-Time Charges" are catered for, plus full history details on all rental properties.

Procedures
~~~~~~~~~~
Start SmartCheck (SC) and open TenantBilling.exe, run the program by pressing F5, as usual, you need to click only the "ACKNOWLEDGE" button when SC is running and gives you option buttons to click to, until we came when SC now loads the program.
This is a full working version, a few non-essential features are disabled until registered :> Well, sounds familiar isn't it, that's why we need to say, make a workaround to test its security :> he he, funny for me to say that :> he he :> Registration is based on the computer and hard drive that the program is installed on. A $20.00 value :>

Okey! Let's go on. After clicking those SC acknowledge buttons, the program will load, then this program will display at the left hand corner your machine specific serial number, and below it is the "Enter Registration Number" tab, so click on it, and enter any number. This software doesn't need any personal name, I mean it is not needed in the serial computation, but it does ask you your name after you have entered the correct serial.

Okey, after you have clicked the Enter Registration Code, there's a box for you to enter your supposed serial. Okey, here's the short of it (enter any serial, just follow my tut):

Serial Number : 000508
Registration Number: 1434

Then after filling in the details click on OK. Well, what did you OBSERVE? :> he he, I didn't observe anything either, he he, it simply doesn't show any sign or error messages :> it kinda only sits there and lets you click your heart out :>

Anyway, after you have already input your supposed registration number, you can exit the program so SC stops tracing and we begin fishing :> SC stops tracing for us to begin hunting that code :>

Ok, so now let's look on the left side of SmartCheck, near the end look for

[+]cmdEnterRegNum_Click

After you've clicked on it (by the way, there are two of it, but I think they are almost the same and that it also has the right serial for me, I'll choose the second one as it displays my input false serial :<), this time we're not gonna look on the right pane of SC, the answers are all displayed right up to your face :>

Now look at this line:

[+]lblSerialNum.Caption <-- "000508" (String)

That was my machine specific serial number :> hmm...
look at the end ...

[+]Double (16678) --> Single (16678)

Well, what else did we miss, hmmm... come on help me think ... he ehe he, think no more as we don't have anything to think about anymore, as this is IT! We've found my machine specific registration number :> YEHEY!

Well, that's it, you've made it! Start TenantBilling.exe, and click on the Registration menu and use this info:

Serial Number : 000508
Registration Number : 16678

Click on the "Save Registration Number" tab and what have you got? Whoa! It really is what it is, a silent type, it just pops out without saying anything and goes to the program proper, click EXIT and it says THANK YOU :)

Restart TenantBilling.exe and no more annoying registration wall to face, it just went direct to the program proper :>

Have fun billing your tenants :> he he :> BUT! be cool give discounts ;-)

Play on it :> Remember it's machine specific, so follow my tut and get your own machine specific serial for this utility :>

Good evening to everyone!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greetings goes to these people:

tkc- i would like to thank tKC for his tutors.
MsJessca- for hosting the tuts and inspiring tkc :>
Albert Alexander Lay- KeWl DuDe! for the computer and Internet, goodluck ;)
Ms. KJF- hello 7372122 :-) Let's make a night to remember! I Love You! ;)
All cracking groups and cracking fanatics and newbies galores!

Have fun :> keep on rockin'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My good friend Albert Alexander Lay has a mobile phone +639179356877
I'd like to have some international friends all over the world, please text me via that mobile number, please state your full name, age, sex and the place (from where are you), will text you via INTERNET!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Until next time... MABUHAY!
Another Tutor by DongJong ;-)
sutra@goplay.com


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
1toX v2.01
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate Copyrights and/or it is law, but educational purposes only. I hold no responsibility ( by all means and in any shape whatsoever ) of the mis-used of this material.

ABOUT THE PROGRAM

1toX is a 32 bit software for Windows 95, 98 and NT 4.x used to split big files into several smaller files. 1toX cuts a file by different ways:
- 1toX adds to each cut file (called 1toX file) a small header describing the file
- Each 1toX file is a simple part of the original file (production of a batch 1toX).
.... ....

WHERE TO DOWNLOAD

Author   : Jean Piquemal
Homepage : http://www.logipole.com
URL      : http://j.piquemal.free.fr/1toxe.zip
Size     : 366 KB - as of October 11,2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Run 1TOX.EXE, in the main program click on HELP/REGISTER submenu. In the registration dialog box type the information below:

   Name  : Order
   First : Pirates
   Key   : 73881050

   Do not click OK button yet

2. Fire up SoftIce by pressing [ CTRL + D ], create a new breakpoint as follows:

   BPX MessageBoxA [enter]

   and F5 to return to the main program

3. Now click OK button... you'll return back into SoftIce. Within SoftIce press F11, then click OK to confirm 'Invalid Key .... ' message. Again, you'll return back into SoftIce and land at the MessageBoxA call instruction at 015F:00414127. Now, scroll up several lines by pressing [Ctrl+Up arrow], did you see the interesting CMP ( Compare ) instruction at 015F:00409D37 ? Scroll up again until you see the CALL instruction at 015F:00409D29. Here you know where the call instruction is being called and where the comparison between the EAX and ECX registers is made. Disable the previous breakpoint and set a new breakpoint:

   bd * [enter]
   bpx 015F:00409D29 [enter]

   Press F5 to return to the main program

4. Repeat registration procedure Step 1, click OK button.
   If nothing goes wrong, you'll see these below following snippet codes :

   ___________________________________________________________________
   00409D29: E81A100100       call   00041AD48      <-- you land here
   00409D2E: 8B0DD8D94200     mov    ecx,[00042D9D8]
   00409D34: 83C404           add    esp,004        ;""
   00409D37: 3BC1             cmp    eax,ecx        <---!
   00409D39: 742E             je     000409D69
   00409D3B: 6A10             push   010
   00409D3D: 68BCA54200       push   00042A5BC      ;" B+
   00409D42: 6814A54200       push   00042A514      ;" B
   00409D47: 55               push   ebp
   00409D48: FF15E8614200     call   MessageBoxA    ; <==== 3rd step
   00409D4E: 6A01             push   001
   ___________________________________________________________________

   Press F10 3 times ( stop at 015F:00409D37 ), dump/display EAX and ECX register by typing :

   ? EAX [enter]
   SoftIce will response : 26A6F012 0648474642
   ooops it wasn't your fake code ....

   ? ECX [enter]
   SoftIce will response : DB97427B 3684123259
   well... what the heck is this ?

   However, write down those two suspicious number for further usage. Press F10 again around 6 times, you'll jump pass call instruction at 015F:00409D48 and got beggar-off message " Invalid Key .... ". Click OK button, Press F5 and disable all breakpoints, press F5 again to return to the main program.

5. Let's think a while why at

   00409D39: 742E             je     000409D69

   instruction we didn't get that beggar-off message ? Does the program doesn't have classic message " Thank you for registering .... " when the correct key is entered ? What will happen if we enter 0648474642 and/or 3684123259 as your serial number ?

6. Just do it! Repeat registration procedure and keyed-in 0648474642 and/or 3684123259 as your serial number respectively. Did you feel the difference ? The first one you'll face beggar-off message, and the last one you will have just a splash screen.... but look at the title bar..... the "( Unregistered )" text is gone. Upto this step you can noticed that this program doesn't have " Thank you for registering .... " as we expected.

7. To ensure you're registered or not, click HELP/ABOUT submenu.
   Yes, you're illegally registered and your key is 3684123259!

8. Where the hell is my registration code stored ??
   - The correct registration code is encrypted and stored in the file called 1TOX.LIC which is located in your 1TOX directory.

9. How can I practise with my own user name ?
   - I strongly recommend you not to do this!

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: Register, pay up, and smile/grin at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)! ( tHATDUDE (PC97) defined LAMER(s) is the guy who sits in front of personal computer, using Hex Editor, ripping off other group(s) crack release, repacking (distro) them under his name. Adopted from newsgroup alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):
lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-1toX201.zip [EOF]
October 11,2000


12:45:24 PM 10/10/00

WHY PATCHING WHILE SERIAL NUMBER IS FISHY
AS-Util98 v1.76
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate Copyrights and/or it is law, but educational purposes only. I hold no responsibility ( by all means and in any shape whatsoever ) of the mis-used of this material.

ABOUT THE PROGRAM

AS-Util98 is the top-class WIN98 system tool!
AS-Util98 handles nearly all undocumented functions of WIN98! With AS-Util98 you make working with Windows98 easier and get helpful tips as well as additional functions. All the administrator functions that you may already know from AS-UTIL95 are integrated as well! This is a powerful system tool specifically for Windows98. That also means the user has to be aware that not every function of the program can always be 100% tested... That would take computers with different configurations and a great deal of time. It would also mean that the cost of the program would reach levels that a "normal" user would hardly pay!

WHERE TO DOWNLOAD

Author       : Andreas Schröder
Homepage     : www.fantastic-art.com/team/asware/index.htm
               http://www.as-tools.de/
URL          : http://www.as-tools.de/AndreasSchroeder/asutil98.exe
Size         : 1,157,408 Bytez as of Oct 10,2000
Release Date : August 01,2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Run UTIL98.EXE, in the main program click XTRASS!+ZUSATZ PROGRAMME check box then click on REGISTRIERUNG submenu. In the right panel / registration dialog box type the information below:

   Name : Pirates Order
   Code : 7388105099

   Do not click UBERNEHMEN/OK button yet

2. Fire up SoftIce by pressing [ CTRL + D ], set a new breakpoint in the Command Line :

   BPX HMEMCPY [enter]

   and F5 to return to the main program

3. Click OK button now, you'll return back into SoftIce.
   Press F11, F5, F11 once again and F12 several times until you reach the main program codes as follows :

   ___________________________________________________________________
   00469001: E8B626FBFF       call   00041B6BC          <=== you land HERE
   00469006: 8B95E8FEFFFF     mov    edx,[ebp][0FFFFFEE8]
   0046900C: 8D85ECFEFFFF     lea    eax,[ebp][0FFFFFEEC]
   00469012: B9FF000000       mov    ecx,0000000FF
   00469017: E848ABF9FF       call   000403B64
   0046901C: 8D95ECFEFFFF     lea    edx,[ebp][0FFFFFEEC]
   00469022: 8B8344080000     mov    eax,[ebx][000000844]
   00469028: 8A8871030000     mov    cl,[eax][000000371]
   0046902E: 8B8344080000     mov    eax,[ebx][000000844]
   00469034: E86769FEFF       call   00044F9A0
   00469039: 8D55EC           lea    edx,[ebp][-0014]   <== d edx
   0046903C: 8D45F8           lea    eax,[ebp][-0008]
   ___________________________________________________________________

   Disable/clear previous breakpoint ( bd or bc * [enter] )
   Set a new breakpoint :

   bpx 015F:00469001 [enter]

   NOTE : Otherwise you can do a search string to locate the address as follows :

   s 0 l fffffffffffffffff e8 b6 26 fb ff 8b 95 e8 [enter]

   SoftIce will response : Pattern found at xxxx:00469001 (00469001)

4. Now, let's start tracing the codes. Press F10 10 times, after jump pass the CALL instruction at 015F:00469034 ( stop at 015F:00469039 ) dump/display EDX register by typing :

   d edx [enter]

   Look at the Data Window (0167:73F5E4), did you see $03FB82BA ?

5. Write down this suspected registration code and disable all breakpoints :

   bd * [enter]

   F5 to return to registration window

6. Just click the "beggar-off" message, typed-in $03FB82BA as your code number. " Vielen Dank für die Registrierung " will appear on the screen, then continue by clicking OK button. But WAIT, don't you see in the NAME and CODE field box showed ' *UNREGISTRIERT*! ' and ' Danken für die Registrierung ' ???? What the heck is this ? the OK button got dimmed also!

7. Don't panic, just click SCHLIEßEN button to quit the program.
   Restart UTIL98.EXE, look at the left panel "AS-UTIL98 INFOFENSTER" and the right panel "REGISTRIERT AUF: Pirates Order"! Hehehehe ...... you're ILLEGALLY REGISTERED now ...... da hast Du Dich aber anscheien lassen!.

7. Where the hell is my registration code is stored ??
   - The correct registration code is encrypted and stored in the file called UTIL98.KEY which located in your AS-UTIL98 directory.

8. How can I practise with my own user name ?
   - I strongly recommended you not to do this!

ASTAGA [D4C/C4A]
tute-asutil98.zip [EOF]
October 10,2000


12:45:24 PM 10/10/00

WHY PATCHING WHILE SERIAL NUMBER IS FISHY
HappyIcon v2.01
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate Copyrights and/or it is law, but educational purposes only.
I hold no responsibility ( by all means and in any shape whatsoever ) of the mis-used of this material.

ABOUT THE PROGRAM

HappyIcon is a 32 bit software for Windows 9x, 2000 and NT 4.x creating icons, cursors and animated cursors by converting graphic files or scanned documents. HappyIcon converts the following file types:
- AVI Windows Audio Video Interleave
- AVS AVS X Image
- BMP bitmap Windows/OS2 (bmp, bga, dib)
- DCM Dicom
- FTS FITS - Flexible Image Transport System
- GIF Compuserve Graphic Interchange Format
.... AND MORE

WHERE TO DOWNLOAD

Author   : Jean Piquemal
Homepage : http://www.logipole.com
URL      : http://happyicon.free.fr/happyicone.zip
Size     : KB - as of October 11,2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Run HAPPYICON.EXE, in the main program click on HELP/REGISTER submenu. In the registration dialog box type the information below:

   Name  : Order
   First : Pirates
   Key   : 73881050

   Do not click OK button yet

2. Fire up SoftIce by pressing [ CTRL + D ], create a new breakpoint as follows:

   BPX MessageBoxA [enter]

   and F5 to return to the main program

3. Now click OK button... you'll return back into SoftIce. Within SoftIce press F11, then click OK to confirm 'Invalid Key .... ' message. Again, you'll return back into SoftIce and land at the MessageBoxA call instruction at 015F:00414127. Now, scroll up several lines by pressing [Ctrl+Up arrow], did you see the interesting CMP ( Compare ) instruction at 015F:00414116 ? Scroll up again until you see the CALL instruction at 015F:00414104. Here you know where the call instruction is being called and where the comparison between the EAX and ECX registers is made. Disable the previous breakpoint and set a new breakpoint:

   bd * [enter]
   bpx 015F:00414104 [enter]

   Press F5 to return to the main program

4. Repeat registration procedure Step 1, click OK button.
   If nothing goes wrong, you'll see these below following snippet codes :

   ___________________________________________________________________
   00414104: E873220000       call   00041637C      <--- you land here
   00414109: 8B4C2414         mov    ecx,[esp][000
   0041410D: 83C404           add    esp,004        ;""
   00414110: 81F1F0BD6824     xor    ecx,02468BDF0
   00414116: 3BC1             cmp    eax,ecx        <---!
   00414118: 742E             je     000414148
   0041411A: 6A10             push   010
   0041411C: 680C494200       push   00042490C      ;
   00414121: 6864484200       push   000424864      ;
   00414126: 55               push   ebp
   00414127: FF15AC024200     call   MessageBoxA    ; <==== 3rd step
   0041412D: 6A01             push   001
   ___________________________________________________________________

   Press F10 4 times ( stop at 015F:00414116 ), dump/display EAX and ECX register by typing :

   ? EAX [enter]
   SoftIce will response : 89AD8092 2309849234
   ooops it wasn't your fake code ....

   ? ECX [enter]
   SoftIce will response : C8C0D8BC 3368081596
   well... what the heck is this ?

   However, write down those two suspicious number for further usage. Press F10 again around 6 times, you'll jump pass call instruction at 015F:00414127 and got beggar-off message " Invalid Key .... ". Click OK button, Press F5 and disable all breakpoints, press F5 again to return to the main program.

5. Let's think a while why at

   00414118: 742E             je     000414148

   instruction we didn't get that beggar-off message ? Does the program doesn't have classic message " Thank you for registering .... " when the correct key is entered ? What will happen if we enter 2309849234 and/or 3368081596 as your serial number ?

6. Just do it! Repeat registration procedure and keyed-in 2309849234 and/or 3368081596 as your serial number respectively. Did you feel the difference ? The first one you'll face beggar-off message, and the last one you will have just a splash screen.... but look at the title bar..... the "( Unregistered )" text is gone. Upto this step you can noticed that this program doesn't have " Thank you for registering .... " as we expected.

7.
   To ensure you're registered or not, click HELP/ABOUT submenu. Yes, you're illegaly registered and your key is 3368081596!

8. Where the hell is my registration code is stored ??
   - The correct registration code is encrypted and stored in the file called HAPPYICON.LIC which located in your HAPPYICON directory.

9. How can I practise with my own user name ?
   - I strongly recommended you not to do this!

ASTAGA [D4C/C4A]
tute-happyicon201.zip [EOF]
October 11,2000


12:45:24 PM 10/10/00

WHY PATCHING WHILE SERIAL NUMBER IS FISHY
QuikClean v1.1B
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate Copyrights and/or it is law, but educational purposes only. I hold no responsibility ( by all means and in any shape whatsoever ) of the mis-used of this material.
ABOUT THE PROGRAM

QuikClean is a simple, quick, efficient and inexpensive redundant file scanner and remover. QuikClean scans your fixed disks for redundant, temporary and unused files, freeing up precious hard disk space...you will be surprised just how much space is taken up by these files. QuikClean will never remove Windows essential files, nor files created by recovery software.

WHERE TO DOWNLOAD

Author   : G Pearson
Homepage : http://www.gpcom.f2s.com
URL      : http://www.downloadit.gr/~v_gpearson/qc11b.zip
Size     : 836 KB as of September 04,2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

I just realized this program was packed with UPX while I was within SoftIce, but to be honest I forced myself to stay and continue tracing the codes just to cover my embarrassment at not having checked the program in the first place. This is another tip for newbies: check whether the prog is packed or not. You can easily notice it by using HIEW, usually there is a description in front of the program entry code, i.e. : " This file is packed with the UPX executable packer ...." ; other packers ( Petite, ASPack, etc. ) do the same thing. Once you notice this, run an unpacker program ( I suggest you use ProcDump ) then load into SoftIce.

1. Run QUIKCLEAN.EXE ( 187,392 bytes, packed .EXE file ), in the main program click HELP/REGISTER submenu. In the registration dialog box type the information below:

   Registration Key: 73881050

   Do not click OK button yet

2. Fire up SoftIce by pressing [ CTRL + D ], put a new breakpoint, in this regard HMEMCPY :

   BPX HMEMCPY [enter]

   and F5 to return to the main program

3. Click OK button... you'll return back into SoftIce.
   In within SoftIce press F11 then press F12 several times until you see and landed at :

   _____________________________________________________________________
   0043DC35: E85251FDFF       call   000412D8C      <==== you break here
   0043DC3A: 837DFC00         cmp    d,[ebp][-0004],
   0043DC3E: 7407             je     00043DC47
   0043DC40: 8BC3             mov    eax,ebx
   0043DC42: E825000000       call   00043DC6C      <==== press F8 here
   0043DC47: 33C0             xor    eax,eax
   _____________________________________________________________________

   Disable previous breakpoint, and set a new one as follow :

   bd* [enter]
   bpx 015F:0043DC35 [enter]

4. Press F10 4 times and stop at 015F:0043DC42 , press F8 to follow this CALL instruction. If nothing goes wrong, you'll break at these below snippet codes :

   __________________________________________________________________
   0043DC6C: 55               push   ebp            <==== you break here
   0043DC6D: 8BEC             mov    ebp,esp
   0043DC6F: 6A00             push   000
   0043DC71: 6A00             push   000
   0043DC73: 53               push   ebx
   0043DC74: 56               push   esi
   0043DC75: 57               push   edi
   0043DC76: 8BD8             mov    ebx,eax
   0043DC78: 33C0             xor    eax,eax
   0043DC7A: 55               push   ebp
   0043DC7B: 6817DD4300       push   00043DD17      ;" C|
   0043DC80: 64FF30           push   d,fs:[eax]
   0043DC83: 648920           mov    fs:[eax],esp
   0043DC86: 8D55FC           lea    edx,[ebp][-0004]
   0043DC89: 8B83B0010000     mov    eax,[ebx][000000
   0043DC8F: 8B80FC000000     mov    eax,[eax][000000
   0043DC95: 8B08             mov    ecx,[eax]
   0043DC97: FF5118           call   d,[ecx][00018]
   0043DC9A: 8B45FC           mov    eax,[ebp][-0004]
   0043DC9D: 50               push   eax            <===== d eax here
   0043DC9E: 8D55F8           lea    edx,[ebp][-0008]
   _________________________________________________________________

   Press F10 19 times ( stop at 015F:0043DC9D ), dump/display EAX register by typing :

   d eax [enter]

   did you see QC11B-3256511 in the Data Window ? ... ... in my case is at 0167:BD70E4! yes, that's the suspected serial number you're looking for. Write it down the key, disable all breakpoints, press F5 to return to the main program.

5. Repeat registration procedure and keyed-in QC11B-3256511 as your registration key. Click OK .....
   you'll get the classic message " Thank you for registering..... " . YOU'RE REGISTERED now... However, as a matter of fact it's ILLEGAL REGISTRATION!

6. Let's recap your job. Do you remember when you dump/display EAX register at 015F:0043DC9D ? In the Data Window there are other possible valid reg.keys, i.e. QC11B-621114, QC11B-01115888 etc., that you can use to register this program. The point is if you trace the codes between 0043DC6C up to 0043DC9D and display EDX or ECX register you'll see a string " .../quikclean.lic " which can be interpreted as the prog creating this file to hold a valid reg.key, stored somewhere in the program's folder or in the Windows directory. Upon successful registration, you'll not find QUIKCLEAN.LIC anywhere on your harddisk! So, you can't experiment with another possible registration key as you see at the memory address 0167:0167:BD70E4.

7. Where the hell is my registration key stored ??
   - The correct registration code is stored in the registry as follows :

   REGEDIT4
   [HKEY_CURRENT_USER\Software\Microsoft\TQC]
   [HKEY_CURRENT_USER\Software\Microsoft\TQC\Used Times Stop]
   "TimesUsed"="-1"

   - If you delete value "-1" in the registry key "TimesUsed" , the program returned UNREGISTERED.

8. How can I practise with another registration key ?
   - I strongly recommend you not to do this!

9. If you have finished reading this tute, run HIEW and go to hex address #54638 up to #547CD ( unpacked quikclean.exe - 518,144 bytes ), you'll see more valid registration keys - 'ol cracker said " IT'S HARD CODED inside the program!".
ASTAGA [D4C/C4A]
tute-QuikClean11b.zip [EOF]


10/17/00 7:08:09 AM

I really hope you've enjoyed this tutorial as much as I did!
Don't miss Tutor #104 soon! ;)

Credits goto:
bM[tgfx] for Splash Logo.
DongJong for providing a tut in this version.
ASTAGA for providing 4 tuts in this version.

To ALL the crackers: You are welcome to send me your tutors to publish them .. see below for my email address!
*** 95 chars per line in textfile please! ***

And all the tutors can be found at:
http://www.crackersinaction.com (or on IRC, ask CiA ops for urls!)

Greetz goto all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000
Compiled with Delphi 5 on 20 October 2000

Cracking Tutorial #103 is dedicated to CiA, all new and old members, for the support they gave me all the years!
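
Added example, not part of the original tutorials or of any of the programs they discuss: the 1toX and HappyIcon listings end at a cmp eax,ecx where the program has just computed the valid key itself, and QuikClean carries its keys hard-coded, so the sketch below puts that design next to one where the shipped code only verifies a vendor signature. The key routine, the function names and the toy RSA parameters are assumptions made for illustration; the name and machine serial are sample values quoted from the tutorials.

```python
import hashlib

# Sample inputs reuse values quoted in the tutorials (name, machine serial);
# everything else below is constructed for this illustration.
SAMPLE_NAME = "Pirates"
SAMPLE_MACHINE_ID = "000508"


# --- Weak pattern: the product derives the valid key itself, then compares ---

def weak_expected_key(name: str) -> int:
    """Hypothetical key routine; the exact formula does not matter."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest()[:4], "big")


def weak_check(name: str, entered: int, observer=None) -> bool:
    expected = weak_expected_key(name)
    if observer is not None:
        # Models what is visible in a register at the final compare.
        observer(expected)
    return entered == expected


# --- Hardened pattern: the product only verifies a vendor signature ---
# Toy textbook-RSA parameters from two Mersenne primes, chosen so the example
# needs no third-party package. They are trivially factorable and unpadded:
# a real product would use Ed25519 or RSA-PSS from a vetted library, and
# P, Q and the private exponent would exist only on the vendor's server.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q          # public modulus, shipped in the product
E = 65537          # public exponent, shipped in the product


def digest_int(name: str, machine_id: str) -> int:
    """Hash of the licensed identity, reduced into the RSA group."""
    name_bytes = name.encode()
    # Length prefix keeps (name, machine_id) pairs unambiguous.
    msg = len(name_bytes).to_bytes(4, "big") + name_bytes + machine_id.encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def vendor_issue_license(name: str, machine_id: str) -> int:
    """Vendor side only: signing needs the private exponent d."""
    d = pow(E, -1, (P - 1) * (Q - 1))
    return pow(digest_int(name, machine_id), d, N)


def client_verify_license(name: str, machine_id: str, license_value: int) -> bool:
    """Product side: uses only N and E, so no valid key is computed here."""
    if not 0 < license_value < N:
        return False
    return pow(license_value, E, N) == digest_int(name, machine_id)


def demo() -> dict:
    seen = []
    weak_rejects_guess = not weak_check(SAMPLE_NAME, 73881050, seen.append)
    weak_leaks_key = weak_check(SAMPLE_NAME, seen[0])

    lic = vendor_issue_license(SAMPLE_NAME, SAMPLE_MACHINE_ID)
    compared = digest_int(SAMPLE_NAME, SAMPLE_MACHINE_ID)
    return {
        "weak_rejects_guess": weak_rejects_guess,
        "weak_leaks_key": weak_leaks_key,
        "signed_license_accepted":
            client_verify_license(SAMPLE_NAME, SAMPLE_MACHINE_ID, lic),
        "other_machine_rejected":
            not client_verify_license(SAMPLE_NAME, "000509", lic),
        "compared_value_is_not_a_key":
            not client_verify_license(SAMPLE_NAME, SAMPLE_MACHINE_ID, compared),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Signature verification removes the valid key from the client's memory but does nothing against a patched branch, and a bare registry flag such as the "TimesUsed" value is equally easy to edit; storing the signed license itself and re-verifying it at each start avoids trusting a flag.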