Welcome to Cracking Tutorial #104!

Hiya guys,

Well, here is another tut104.tKC... Let's rave! ...or crack babes? :)

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

SoftICE v4.05
W32Dasm v8.93
Hacker's View v6.55
SmartCheck v6.03
ProcDump32 v1.6.2
TRW2000 v1.22
IDA v4.04
Windows Commander v4.51 (I use it coz it's easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials.

Here are a few good sites where you can grab tools from:
http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com
or ask any crackers to get you these tools!

Are you ready?! OK! ;)

WHY PATCHING WHILE SERIAL NUMBER IS FISHY
StartUp Deluxe v1.0
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER
This reading material is not intended to violate copyrights and/or the law; it is for educational purposes only. I hold no responsibility ( by all means and in any shape whatsoever ) for the misuse of this material.

ABOUT THE PROGRAM
StartUp Deluxe allows you to quickly add or remove applications from your windows startup group...easy. StartUp Deluxe is fully functional shareware that will allow thirty (30) launches before registration is required.

WHERE TO DOWNLOAD
Author   : G Pearson
Homepage : http://www.gpcom.f2s.com
URL      : http://www.downloadit.gr/~v_gpearson/supd10.zip
Size     : 810 KB as of September 04, 2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce
This program is packed with UPX. Unpack the program FIRST !
I am warning you not to follow this tute, which might cause something improperly done on your PC. I am doing this intentionally, and ashamed that no care was taken with the program protection, and this kind of negligence is not good for NEWBIES!
I recommend you read TUTE-QUIKCLEAN11B.TXT ( c_tkc10x.zip ) before applying this tutorial.

1. Run STARTUPD.EXE ( 224,256 bytes, packed .EXE file ). You cannot find the registration window, right ? ... nice try Pearson ! Look at the title bar, did you see " Shareware Version ( 31 uses left ) " ? That means you have to use up that usage limit. Just do it ! Go and quit the program 31 times until you get the " The trial period of this shareware version has expired " msg. ( Later on I will tell how to skip this damneD hell procedure ). Click OK, and the registration window will appear on your screen.

In the registration dialog box type the information below :

Registration Key: 73881050

Do not click the OK/REGISTER button yet

2. Fire up SoftIce by pressing [ CTRL + D ], set a new breakpoint, in this case on HMEMCPY :

BPX HMEMCPY [enter]

and F5 to return to the main program

3. Click the OK button... you'll return back into SoftIce. Within SoftIce press F11, then press F12 several times until you see and land at :
_____________________________________________________________________
004516D5: E89E33FCFF      call   000414A78      <==== you break here
004516DA: 837DFC00        cmp    d,[ebp][-0004],000
004516DE: 750C            jne    0004516EC
004516E0: B820174500      mov    eax,000451720 ;" E
004516E5: E80AD7FDFF      call   00042EDF4
004516EA: EB07            jmps   0004516F3
004516EC: 8BC3            mov    eax,ebx
004516EE: E849000000      call   00045173C      <==== press F8 here
004516F3: 33C0            xor    eax,eax
_____________________________________________________________________

Disable the previous breakpoint, and set a new one as follows :

bd* [enter]
bpx 015F:004516D5 [enter]

4. Press F10 4 times and stop at 015F:004516EE , press F8 to follow this CALL instruction.
If nothing goes wrong, you'll break at the code snippet below :
__________________________________________________________________
0045173C: 55              push   ebp            <==== you break here
0045173D: 8BEC            mov    ebp,esp
0045173F: 6A00            push   000
00451741: 6A00            push   000
00451743: 53              push   ebx
00451744: 56              push   esi
00451745: 57              push   edi
00451746: 8BD8            mov    ebx,eax
00451748: 33C0            xor    eax,eax
0045174A: 55              push   ebp
0045174B: 68E7174500      push   0004517E7 ;" E_
00451750: 64FF30          push   d,fs:[eax]
00451753: 648920          mov    fs:[eax],esp
00451756: 8D55FC          lea    edx,[ebp][-0004]
00451759: 8B83B0010000    mov    eax,[ebx][000000
0045175F: 8B80FC000000    mov    eax,[eax][000000
00451765: 8B08            mov    ecx,[eax]
00451767: FF5118          call   d,[ecx][00018]
0045176A: 8B45FC          mov    eax,[ebp][-0004]
0045176D: 50              push   eax            <===== d eax here
0045176E: 8D55F8          lea    edx,[ebp][-0008]
_________________________________________________________________

Press F10 19 times ( stop at 015F:0045176D ), dump/display the EAX register by typing :

d eax [enter]

did you see SUD1-0036521 in the Data Window ? ... ... in my case it is at 0167:00BE70A4 ! yes, that's the suspected serial number you're looking for. Write down the key, disable all breakpoints, press F5 to return to the main program.

5. Repeat the registration procedure and key in SUD1-0036521 as your registration key. Click OK ..... you'll get the classic message " Thank you for registering..... " . YOU'RE REGISTERED now... However, as a matter of fact it's ILLEGAL REGISTRATION!

6. Let's recap your job.

FIRST, are you frustrated to reach 31 usages until they're elapsed ? Sure. Here is how to cheat them, run REGEDIT.COM , search and edit the registry entries below to be as follows :

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Sud]

[HKEY_CURRENT_USER\Software\Microsoft\Sud\Break]
"TimesUsed"="31"

( create registry key "TimesUsed" + value 31 if necessary )

Re-run the program, enter a fake reg.key and load SoftIce. Repeat steps 1 to 5 accordingly.

Another way, during trial period click "?"
icon in the upper right corner of the title bar, then click the REGISTER button. ..... again, WHATTA nice try Pearson!

SECOND, do you remember when you dump/display the EAX register at 015F:0045176D ? In the Data Window there are other possible valid reg. keys i.e SUD1-XXXXXXX, SUD1-YYYYYYY etc., that you can use to register this program. The point is if you trace the code between 0045173C and 0045176D and display the EDX or ECX register you'll see a string " .../STARTUPD.LIC " which can be interpreted as the prog creating this file to hold the valid reg.key, stored somewhere in the program's folder or in the Windows directory. Upon successful registration, you'll not find STARTUPD.LIC anywhere on your harddisk! So, you can't experiment with another possible registration key as you see at the memory address 0167:0167:BD70E4.

7. Where the hell is my registration key stored ??
- The correct registration code is stored in the registry as follows :

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Sud]

[HKEY_CURRENT_USER\Software\Microsoft\Sud\Break]
"TimesUsed"="-1"

- If you delete the value "-1" in the registry key "TimesUsed" , the program returns to UNREGISTERED.

8. How can I practise with another registration key ?
- I strongly recommend you not to do this !

9. If you have finished reading this tute, run HIEW and go to hex address #80494 up to #8062A ( unpacked STARTUPD.EXE - 555,520 bytes ), you'll see more valid registration keys - 'ol cracker said " IT'S HARD CODED inside the program !".

END NOTES
This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: Register, pay up, and smile/grin at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!
( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s) crack release, repacking (distro) them under his name. Adopted from newsgroup alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):
lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-StartUpDeluxe10.zip
[EOF] 10/17/00 10:37:00 AM

WHY PATCHING WHILE SERIAL NUMBER IS FISHY
ABC 95 v2.0
A Cracking Tutorial by ASTAGA [D4C/C4A]

ABOUT THE PROGRAM
ABC 95 is a control panel applet that you use to manage fonts in Windows 95/98 and Windows NT 4.0. It's a more comfortable replacement for the built in "Fonts" Shortcut, found in Windows 95 Control Panel. The Windows built in "Fonts" Shortcut will not be removed and can still be used if desired.

Features :
ABC 95 makes font management as easy as possible. ABC 95 does everything that the built in "Fonts" Shortcut in Windows 95 Control Panel does, plus ABC 95 allows you to:
  View installed fonts immediately (name and sample).
  Preview fonts before installing them.
  Choose fonts to be installed by adding them to a "selection" list.
  Change the size of the font samples.
WHERE TO DOWNLOAD
Author   : Michael Weingartner ( HITECH Software GmbH )
Homepage : http://www.hitech.ch/Products/ABC95/abc95.htm
URL      : http://www.hitech.ch/Products/ABC95/abc95inst.exe
Size     : 826 KB as of October 17, 2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Run Abc95app.exe. In the registration dialog box type the information below :

Full Name       : Pirates Order
Company         : Carribean Buccaneer
Registration ID : 73881050

Do not click the OK button yet

2. Fire up SoftIce by pressing [ CTRL + D ], set a new breakpoint, in this case on HMEMCPY :

BPX HMEMCPY [enter]

and F5 to return to the main program

3. Click the OK button... you'll return back into SoftIce. Within SoftIce press F11, F5, F11, F5, and F11, then press F12 several times until you see and land at :
_____________________________________________________________
0048400E: E829A4FAFF      call   00042E43C
00484013: 8B45EC          mov    eax,[ebp][-0014]
00484016: 8D4DF0          lea    ecx,[ebp][-0010]
00484019: B220            mov    dl,020 ;" "
0048401B: E86080FEFF      call   00046C080
00484020: 8B45F0          mov    eax,[ebp][-0010]
00484023: 50              push   eax
00484024: 8D45E8          lea    eax,[ebp][-0018]
00484027: 50              push   eax
00484028: B909000000      mov    ecx,000000009 ;"
0048402D: BA01000000      mov    edx,000000001 ;"
00484032: 8B45F8          mov    eax,[ebp][-0008]
00484035: E8D200F8FF      call   00040410C
0048403A: 8B55E8          mov    edx,[ebp][-0018]
0048403D: 58              pop    eax
0048403E: E8D5FFF7FF      call   000404018
______________________________________________________________

Disable the previous breakpoint, and set a new one as follows :

bd* [enter]
bpx 015F:0048400E [enter]

4. Press F10 once and stop at 015F:00484016 , dump/display the EAX register by typing :

d eax [enter]

your fake code appears in the Data Window. Press F10 10 times and at 015F:00484035 , dump/display the EAX register by typing :

d eax [enter]

look at the Data Window, did you see A22DCF55C9F21C8467FBDBD0FC047F07 at virtual address 0167:01161EB8 ?
Is that the serial number that you're looking for ? However, write down that suspicious long serial number ( hehehehe ... I've seen a longer serial number than this before on CIA's crackme#3 ). At this step you can disable all breakpoint(s), and try your luck by entering the abovementioned S/N as your registration ID. ( note : check out step #7 in the section below )

5. Actually, I am so curious, so continue tracing the code. Press F10 again and stop at memory address 015F:0048403D, dump/display the EDX register by typing :

d edx [enter]

look at the Data Window, did you see A22DCF55C at virtual address 0167:1161F00 ? ( if you display the EAX register you'll see your fake code ). Don't forget to write down this code. If you continue pressing F10 you'll get the beggar-off message.

6. Disable all breakpoints, and return to the registration dialog box. Key in A22DCF55C as your registration ID. The classic message " Thank you for registering..... " pops up. Well, you really let yourself get conned there ! However, as a matter of fact it's ILLEGAL REGISTRATION!

7. Where the hell is my registration info stored ??
- The correct registration code is stored in the registry as follows :

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Hitech]

[HKEY_LOCAL_MACHINE\Software\Hitech\ABC95]

[HKEY_LOCAL_MACHINE\Software\Hitech\ABC95\CurrentVersion]
"Name"="Pirates Order"
"Company"="Carribean Buccaneer"
"SN"="A22DCF55C9F21C8467FBDBD0FC047F07"
"AppDir"="C:\\Program Files\\ABC95"

8. How can I practise with another registration key ?
- I strongly recommend you not to do this !
ASTAGA [D4C/C4A]
tute-abc95v20.zip
[EOF] 10/17/00 1:13:15 PM

WHY PATCHING WHILE SERIAL NUMBER IS FISHY
Irfan View v3.25 ( English )
A Cracking Tutorial by ASTAGA [D4C/C4A]

ABOUT THE PROGRAM
IrfanView is a fast FREEWARE image viewer/converter for Win9x/NT and Windows 2000. Supported file formats: AIF, ANI/CUR, AU/SND, AVI, BMP/DIB, CAM (Casio), CLP, DAT (VideoCD), Dicom/ACR, DJVU, EMF/WMF, EPS, FlashPix (FPX), G3, GIF, ICO/ICL/EXE/DLL, IFF/LBM, IMG (GEM), JPG/JPEG, KDC, LDF, LWF, MID/RMI, MOV, MP3, MPG/MPEG, PBM/PGM/PPM, PCX/DCX, PhotoCD, PNG, PSD, PSP, RAS/SUN, RealAudio (RA), SFW, SGI/RGB, SWF (Flash/Shockwave), TGA, TIF/TIFF, WAV, WBMP, XBM, XPM. .... ....

WHERE TO DOWNLOAD
Author   : Irfan Skiljan
Homepage : http://www.irfanview.com
URL      : http://stud1.tuwien.ac.at/~e9227474/iview325.zip
Size     : 571 KB - as of October 17, 2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce
This program is packed with ASPack.

1. Run I_VIEW32.EXE, in the main program click on the HELP/REGISTER submenu.
In the registration dialog box type the information below :

Your Name : Pirates Order
Your Code : 73881050

Do not click the OK button yet

2. Fire up SoftIce by pressing [ CTRL + D ], create a new breakpoint as follows :

BPX MessageBoxA [enter]

and F5 to return to the main program

3. Now click the OK button... you'll return back into SoftIce. Within SoftIce press F11, then click OK to confirm the 'Invalid Key .... ' message. Again, you'll return back into SoftIce and land at the MessageBoxA call instruction at 015F:004457C5. Now, scroll up several lines by pressing [Ctrl+Up arrow], did you see the CALL instruction at 015F:004457A2 ? Disable the previous breakpoint and set a new breakpoint :

bd * [enter]
bpx 015F:004457A2 [enter]

Press F5 to return to the main program

4. Repeat registration procedure Step 1, click the OK button. If nothing goes wrong, you'll see the code snippet below :
___________________________________________________________________
004457A2: E8293EFEFF      call   0004295D0      <-- you land here
004457A7: 83C408          add    esp,008 ;""    <== D EDX HERE!
004457AA: 85C0            test   eax,eax
004457AC: 752C            jne    0004457DA
004457AE: A1CCCD4C00      mov    eax,[0004CCDCC]
004457B3: 8B0D80F64D00    mov    ecx,[0004DF680]
004457B9: 6830200000      push   000002030 ;" 0"
004457BE: 68C0074E00      push   0004E07C0 ;" N+"
004457C3: 50              push   eax
004457C4: 51              push   ecx
004457C5: FF1558A34A00    call   MessageBoxA ;  <== read STEP #3
___________________________________________________________________

Press F10 ONCE ( stop at 015F:004457A7 ), dump/display the EDX register by typing :

D EDX [enter]

Look at the Data Window, you should see 633234800 at virtual address 0167:73C59C. Doesn't it look like a serial number ? Write down this suspicious number. Disable all breakpoints, press F5 to return to the main program.

5. Repeat the registration procedure and key in 633234800 as your serial number. " Succesful registration... " appears as we expected.

6. Where the hell is my registration code stored ??
- The correct registration code is stored in the file called I_VIEW32.INI which is located in your WINDOWS directory.

9. How can I practise with my own user name ?
- I strongly recommend you not to do this !

ASTAGA [D4C/C4A]
tute-irfanview325.zip
[EOF] October 17,2000 10/17/00 1:48:39 PM

WHY PATCHING WHILE SERIAL NUMBER IS FISHY
Desktop Cycler 2000 v1.5
A Cracking Tutorial by ASTAGA [D4C/C4A]

ABOUT THE PROGRAM
Desktop Cycler is a utility to help you manage and change your desktop items easily.
It can change and cycle wallpapers, screen savers, desktop themes, start menu icons, IE's toolbar wallpapers (hotbars), and also all of the startup/shutdown logos. It also contains a list of hundreds of resource sites that will help you easily get all the great and free desktop goodies.

WHERE TO DOWNLOAD
Author   : Magellass Corp
Homepage : http://www.magellass.com
URL      : http://www.magellass.com/dc2000.zip
Size     : 923 KB - as of August 8, 2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

FIRSTLY, this program is protected with an AntiDebugging trick. NO RESPONSE when clicking the .EXE file, or the " No Debug Allowed " message always appears, even when I had loaded the well known utilities to hide SoftIce from this kind of protection. WDASM83 got stunned when I tried to disassemble and debug this program.... sigh! Until this morning I talked with Carpathia on IRC, who told me to download and try a small and useful prog called... ... JUST ASK HER ! This small prog is great, I can even run another program i.e CXIE which has similar protection. I am not being stingy by not telling you; I had 2B patient and wait until I could solve my stupidity and write this tute... see ... I downloaded this DESKTOPCYCLER2000 2 months ago. Again, thank you Carphatia... without your help I would still be sunk deep in the darkness.

SECONDLY, I personally express my sincere salutation to the Author at Magellass Corp. You guys ... Indonesian and Sundanese people have done a great job since you released Win Boost in mid 1997. You never gave up fighting against the crackers all over the Net. And by the way, send my regards to Dani ( one of the Authors (?) who made a sticky note in the virtual address like " Horee Mas Dani deui ..... " that means " Horay .. it's Mr Dani again " in Sundanese language ). Further, whatta nice try hiding in the CLSID's registry .. ........

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1.
Run MEMONSTER.EXE, in the opening nag screen click that REGISTER button. In the registration dialog box type the information below :

User Name : Pirates Order
Key       : 73881050

Do not click the OK button yet

2. Fire up SoftIce by pressing [ CTRL + D ], create a new breakpoint as follows :

BPX HMEMCPY [enter]

and F5 to return to the main program

3. Now click the OK button... you'll return back into SoftIce. Within SoftIce press F11, F5, and F11 once again. Press F12 several times until you reach the main program's code as follows :
_________________________________________________________________
015F:004632C1  E8BA83FCFF      CALL  0042B680
015F:004632C6  8B55F4          MOV   EDX,[EBP-0C]
015F:004632C9  B85C094700      MOV   EAX,0047095C
015F:004632CE  E87106FAFF      CALL  00403944
015F:004632D3  33C0            XOR   EAX,EAX
015F:004632D5  5A              POP   EDX
... ...
__________________DCYCLER!CODE+000622BB______________________

Disable the previous breakpoint and create a new breakpoint :

bd * [enter]
bpx 015F:004632C1 [enter]

I just wanna go straight to the groin and bring you to where the potential serial numbers were copied (echoed (?)) into a virtual address. Remember, I have traced it for you. In SoftIce's Command Line do a string search like this :

s 0 l fffffffffffff FF 56 0C 8B 55 F8 [enter]

SoftIce will respond : Pattern found at 0030:0046320D (46320D)

bpx 0030:0046320D [enter]
u 0030:0046320D [enter]

Press F5 or X, to let SoftIce break at this location

4. If you do the right thing, you'll see the code snippet below :
___________________________________________________________
015F:0046320D  FF560C          CALL  [ESI+0C]       <=== here
015F:00463210  8B55F8          MOV   EDX,[EBP-08]
015F:00463213  A15C094700      MOV   EAX,[0047095C]
015F:00463218  E85F0AFAFF      CALL  00403C7C       <=== d edx
___________________DCYCLER!CODE+0006220D___________________

Press F10 2 times - stop at 015F:00463218 - and dump/display the EDX register :

d edx [enter]

Look at the Data Window, at virtual address 0167:00CD1F6C did you see AD5T2-T747-UL95-CW6R ?
Don't you think that's too suspicious for a serial number ? .... Scroll up/down the Data Window, you'll find another potential valid serial number. For example, I'll show you the contents of the Data Window as follows ( this is only a part ) :

Disable current existing breakpoint, press F5 to return to the registration window.

5. Repeat registration procedure, and keyed-in AD5T2-T747-UL95-CW6R as your serial number (actually iam using 5EAV2-K9AA-EZ43-6S8F). Click OK button, soon you'll see the classic " Desktop Cycler 2000 has been registered successfully ".

5. Where the hell is my registration code is stored ??
Hahaha gotcha ! .... how hard you're using WXIR/WXIO and REGMON ... you'll never found anywhere in your harddisk. Read my preface in the above ...
if you have enough time try to search for and delete this suspicious \CLSID\{FD853CDD-7F86-11d0-8252-0134940705AB4}. Nice try, handsome Mang Dani ... again and again.

Besides, once you're registered you're registered forever. One strange occurrence is that if you manually edit the registry key and value in "RegisteredOwner" with your own desired name ..... the prog still accepts it !

Upon successful registration, DesktopCycler creates two registry entries as follows :

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Magellass\Desktop Cycler 2000]
"RegisteredOwner"="Pirates Order"      <== you can change it.

and the registry entry below ... IS JUST COSMETIC!

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Magellass Corp.\Desktop Cycler 2000]

[HKEY_LOCAL_MACHINE\Software\Magellass Corp.\Desktop Cycler 2000\1.50]
"Name"=""
"Company"=""

9. How can I practise with my own user name ?
- I strongly recommend you not to do this !

ASTAGA [D4C/C4A]
tute-desktopcycler15.zip
[EOF] 10/20/00 11:54:23 AM

WHY PATCHING WHILE SERIAL NUMBER IS FISHY
Font Creator Program v3.0
A Cracking Tutorial by ASTAGA [D4C/C4A]

ABOUT THE PROGRAM
The Font Creator Program puts font creation within the grasp of the average PC user, would-be typographers and graphic designers. With this application you can create and edit TrueType font files. You can use the modified fonts in Windows 3.11 and higher. Features include the ability to convert (scanned) bitmaps (.bmp files) to TrueType outlines, thus enabling you to create your own signature, logo and handwriting. In addition, unlimited undo and redo and repeat options are available. The modified fonts can be saved and then used in popular word processing and illustration programs. The editor lets you easily select any installed font, displaying the entire character set complete with descriptions of every letter, number, and special character. Once you've perfected your work of art, a click on the program's toolbar will install your creation. The Font Creator Program allows would-be typographers to load existing ttf files and modify them until the desired results are achieved. The modified fonts can be saved and then used in popular word processing and illustration programs.

WHERE TO DOWNLOAD
Author   : High-Logic The Netherlands
Homepage : http://www.high-logic.com/
URL      : http://www.high-logic.com/download.html
           http://www.high-logic.com/fcp3.exe
Size     : 1.4 MB - as of October 18, 2000
Release  : Version 3.0 [October 7, 2000]

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1.
Run FCP3.EXE, in the main program click on the HELP/REGISTER button. In the registration dialog box type the information below :

Name         : High Steppin' Hip Dressin' Fella
Company      : Pirates Order
Reg Password : 738-810-507-361

Do not click the OK button yet

2. Fire up SoftIce by pressing [ CTRL + D ], create a new breakpoint as follows :

BPX HMEMCPY [enter]

and F5 to return to the main program

3. Now it's time to click the OK button... you must return back into SoftIce! Within SoftIce press F5, F11, F5, and F11 once again. Press F12 several times until you see the main prog's code and land at :
_____________________________________________________________________
004F5598: E8EFF7F3FF      call   000434D8C        <==== YOU LAND HERE
004F559D: FF75F0          push   d,[ebp][-0010]
004F55A0: 8D55EC          lea    edx,[ebp][-0014]
004F55A3: 8B8314030000    mov    eax,[ebx][000000314]
004F55A9: E8DEF7F3FF      call   000434D8C
004F55AE: FF75EC          push   d,[ebp][-0014]
004F55B1: 8D45FC          lea    eax,[ebp][-0004]
004F55B4: BA04000000      mov    edx,000000004 ;"
004F55B9: E856EBF0FF      call   000404114
004F55BE: 8D55E4          lea    edx,[ebp][-001C]
004F55C1: 8B830C030000    mov    eax,[ebx][00000030C]
004F55C7: E8C0F7F3FF      call   000434D8C
004F55CC: 8B45E4          mov    eax,[ebp][-001C]
004F55CF: BA03000000      mov    edx,000000003 ;"
004F55D4: 4A              dec    edx
004F55D5: 3B50FC          cmp    edx,[eax][-0004]
004F55D8: 7205            jb     0004F55DF        <==== jump
004F55DA: E8C5D9F0FF      call   000402FA4
004F55DF: 42              inc    edx              <=== YOU LAND HERE
004F55E0: 8A4410FF        mov    al,[eax][edx][-0001]
004F55E4: 50              push   eax
004F55E5: 8D55E0          lea    edx,[ebp][-0020]
004F55E8: 8B83E0020000    mov    eax,[ebx][0000002E0]
004F55EE: E899F7F3FF      call   000434D8C
004F55F3: 8B45E0          mov    eax,[ebp][-0020]
004F55F6: 8D4DE8          lea    ecx,[ebp][-0018] <==== d eax HERE
004F55F9: 5A              pop    edx
004F55FA: E88DF7FFFF      call   0004F4D8C
004F55FF: 8B45E8          mov    eax,[ebp][-0018]
004F5602: 50              push   eax              <==== d eax HERE
004F5603: 8D55DC          lea    edx,[ebp][-0024]
____________________________________________________________________

4.
Clear the current existing breakpoint since we don't need it anymore

bd 00 or bd * [enter]

Now we are in the main program code.

5. Create a new breakpoint at the new location ;

bpx 015F:004F5598 [enter]

Note : In case of a different address do a string search ( as long as you're within the main program code; pls check your lower right corner to be sure - the .exe file name SHOULD BE THERE ) as follows :

s 0 l fffffffffffffffff E8 EF F7 F3 FF FF 75 F0 [enter]

SoftIce will report : Address found at 0XYZ:000XXXXXXXXXXX --> bpx this location.

6. Press F10 26 times - until you reach and stop at 015F:004F5602 - and dump the EAX register by typing :

D EAX [enter]

Look at the Data Window, at virtual address 0167:00EB6B8C did you see C1V8476R7KPQ ? And several lines below - at virtual address 0167:00EB6C7C - is your fake S/N. Write it down, that's the reg code you're looking for.

8. Disable all breakpoints :

bd * [enter]

Press F5 to return to the registration window

9. Repeat the registration procedure and key in C1V8476R7KPQ as your registration code. Click the OK button ..... you'll get this classic message " Thank you for registering .... " . YOU'RE REGISTERED now... Well, you really let yourself get conned there ! However, as a matter of fact it's ILLEGAL REGISTRATION!

10. Where the hell is my registration info stored ??
- The correct registration code is stored in the registry as follows :

REGEDIT4

[HKEY_CURRENT_USER\Software\High-Logic\Font Creator Program\3.0]
"RegData"=hex:f0,33,61,42,df,95,26,cb,9a,06,d0,e3,e0,f9,3e,00,d7,e4,a4,93,e1,\
  67,6b,25,05,bd,8c,ea,d7,d2,a1,70,2a,01,44,e6,3a,df,d7,15,23,5c,52,f0,ce,6f,\
  51,35,0a,c0,92,61,e2,07,47,2c,c4,..... ...... ......

11. How can I practise with another registration key ?
- I strongly recommend you not to do this !
ASTAGA [D4C/C4A]
tute-fontcreatorprogram30.zip
[EOF] 10/20/00 9:51:44 AM

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #105 soon! ;)

Credits goto:
bM[tgfx] for Splash Logo.
ASTAGA for providing 5 tuts in this version.

To ALL the crackers: You are welcome to send me your tutors to publish them .. see below for my email address!
*** 95 chars per line in textfile please! ***

And all the tutors can be found at: http://www.crackersinaction.com (or on IRC, ask CiA ops for urls!)

Greetz goto all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000
Compiled with Delphi 5 on 28 October 2000

Cracking Tutorial #104 is dedicated to CiA, all new and old members, for the support they gave me all the years!
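
Added example, not part of the original tutorials or of any program they cover: every walkthrough above ends with the valid serial sitting in a register or a memory window because the program builds it and then compares it with what the user typed. The Python sketch below puts that pattern beside a licence check that only verifies a signature over the user name, so the shipped client holds a public key and nothing that can be read out as a working key. The scheme, all function names and the key pair are assumptions made for illustration; the modulus is built from two public Mersenne primes and is for demonstration only.

```python
import hashlib
import hmac

# ---- Pattern the walkthroughs depend on (shown for contrast) ---------------
def naive_expected_serial(name: str) -> str:
    """Hypothetical scheme: the client derives the valid serial from the name."""
    return hashlib.sha256(name.encode("utf-8")).hexdigest()[:9].upper()

def naive_check(name: str, entered: str) -> bool:
    # The correct serial is a plain string in process memory at this compare;
    # it can be read there without understanding how it was derived.
    return entered == naive_expected_serial(name)

# ---- Vendor side: stays on the licence server, never shipped ---------------
# Constructed demo key: both primes are public Mersenne primes, so this
# modulus is trivially factorable. A real key pair is generated with a vetted
# library and the private exponent never leaves the vendor.
_P, _Q = 2**521 - 1, 2**607 - 1
E = 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))

# ---- Client side: public values only ---------------------------------------
N = _P * _Q                      # a shipped build embeds N as a literal
K = (N.bit_length() + 7) // 8    # modulus length in bytes (141 here)
# DER prefix of DigestInfo for SHA-256 (RSASSA-PKCS1-v1_5, RFC 8017).
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _canonical(name: str) -> bytes:
    """Normalise the licensee name so spacing and case cannot break the check."""
    return " ".join(name.split()).casefold().encode("utf-8")

def _encode(message: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo || SHA-256."""
    t = _SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def issue_license(name: str) -> str:
    """Vendor-side signing; needs the private exponent _D."""
    em = int.from_bytes(_encode(_canonical(name)), "big")
    return pow(em, _D, N).to_bytes(K, "big").hex()

def verify_license(name: str, license_hex: str) -> bool:
    """Client-side check: uses N and E only and never produces a valid licence."""
    try:
        sig = bytes.fromhex(license_hex.strip())
    except ValueError:
        return False                      # not hex at all
    if len(sig) != K:
        return False                      # wrong length, e.g. a guessed number
    s = int.from_bytes(sig, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    # What sits in memory here is the padded hash of the name. It is public
    # information and cannot be turned into a signature without _D.
    return hmac.compare_digest(recovered, _encode(_canonical(name)))

if __name__ == "__main__":
    lic = issue_license("Pirates Order")  # constructed sample licensee
    print("issued licence accepted :", verify_license("Pirates Order", lic))
    print("guessed number accepted :", verify_license("Pirates Order", "73881050"))
    print("other name accepted     :", verify_license("Someone Else", lic))
```

A signature check addresses recovery of a working key from memory or from the binary; state such as a trial counter or a "registered" flag kept in a plain registry value needs its own integrity protection.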