Welcome to Cracking Tutorial #104!

Hiya guys,

Well, here is another tut104.tKC... Let's rave! ...or crack babes? :)

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all
those tools, so be sure to get them handy for the examples in this tutorial!)

  SoftICE v4.05
  W32Dasm v8.93
  Hacker's View v6.55
  SmartCheck v6.03
  ProcDump32 v1.6.2
  TRW2000 v1.22
  IDA v4.04
  Windows Commander v4.51 (I use it coz it's easier to multitask)
  Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get them when you
used my older tutorials. Here are a few good sites where you can grab tools from:

  http://protools.cjb.net
  http://w3.to/protools
  http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?! OK! ;)


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
AdRegCln v2.1
A Cracking Tutorial by ASTAGA [D4C/C4A]
revised : 11/9/00 6:43:01 PM

DISCLAIMER
This reading material is not intended to violate copyrights and/or the law, but is for
educational purposes only. I hold no responsibility ( by all means and in any shape whatsoever )
for the misuse of this material.

ABOUT THE PROGRAM
AdRegCln is a small program that allows you to revise the system registry for entries that
seem to be incorrect. It helps you to wipe out some garbage from your system registry.
Features available:
  - Detailed registry checking (CLSID, FILES, Interfaces, ...)
  - Search options file - knowbase.ini
  - RegEdit smart calls
  - Common file for back-ups (.REG-file (REGEDIT4), safe to be viewed by RegEditor
    http://www.nit.mk.ua/regeditr/index.html)
The search options file (knowbase.ini) allows you to select starting positions for checking and
the desired searching options. RegEdit smart calls allow you to edit selected entries from the
standard RegEdit directly.
WHERE TO DOWNLOAD
Author   : NIT Limited
Homepage : http://www.nit.mk.ua/adregcln/index.html
URL      : http://www.nit.mk.ua/adregcln/adregcln.zip
Size     : 429 KB - as of September 12, 2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

This program creates its own program ID based on Windows' default user name. My ID looks as
follows:

  AdvRegCln License number: 58C0-0802-1BF7   <== may differ on your PC
  Name: Pirates Order
  Country: United States
  E-Mail address: privateering@iname.com
  Comments:

Secondly, this program is packed with UPX and I didn't unpack it as normally should be done.
So, if you follow my steps, unexpected occurrences may possibly happen.

1. Run ADREGCLN.EXE, in the main program click on the ENTER REG CODE button. In the
   registration dialog box type the information below:
     Registration Key : 73881050
   Do not click the OK button yet.

2. Fire up SoftIce by pressing [ CTRL + D ], create a new breakpoint as follows:
     BPX HMEMCPY [enter]
   and F5 to return to the main program.

3. Now click the OK button... you'll return back into SoftIce. Within SoftIce press F11, then
   press F12 several times until you see the snippet of code below:
   ( note : If you cannot reach the snippet as I explained, try to get into the main program's
   code by using another breakpoint. Do a search string by typing:
     s 0 l ffffffff E8C4BAFDFF8B55 [enter]
     Pattern found at 0167:00XXXXXX   <=== bpx this location:
     bpx 0167:00XXXXXX [enter]
   then continue tracing the code. )

___________________________________________________________________
015F:0045207F  E8C4BAFDFF   CALL 0042DB48              <== break here
015F:00452084  8B55D4       MOV EDX,[EBP-2C]
015F:00452087  8B45F8       MOV EAX,[EBP-08]           ==> d edx
015F:0045208A  E8F51AFBFF   CALL 00403B84
015F:0045208F  C645F701     MOV BYTE PTR [EBP-09],01
015F:00452093  33C0         XOR EAX,EAX
.....
.....
______________________ADREGCLN!UPX0+0005107D_______________________

   Clear the previous breakpoint because you don't need it anymore:
     : BC * [enter]
   Create a new breakpoint as follows:
     : bpx 015F:0045207F [enter]
     : x   or F5
     Break due to BPX #015F:0045207F (ET=717.34 milliseconds)
   Press F10 2 times - stop at 015F:00452087 - display the EDX register:
     : d edx [enter]
   ==> your fake code appears in the Data Window at virtual address 0167:00C05CD8.
   Set a new breakpoint at the location your fake code is being copied to:
     : bpm 0167:00C05CD8 [enter]
     : x [enter]

4. If nothing goes wrong you'll break at the snippet of code below:

_______________________________________________________________
015F:00403EEB  8B1F         MOV EBX,[EDI]
015F:00403EED  39D9         CMP ECX,EBX                <== BREAK HERE
015F:00403EEF  7558         JNZ 00403F49
015F:00403EF1  4A           DEC EDX
.....
.....
______________________ADREGCLN!UPX0+2EEB_______________________
   Break due to BPMB #0167:00C05CD8 RW DR2

   Did you recognize the CMP instruction at 015F:00403EED ? Let's check what the contents of
   those two registers are:
     : ? ecx [enter]
     30413437  0809579575  "0A47"   ==> possible valid reg. code in reverse order
     : ? ebx [enter]
     38383337  0943207223  "8837"   ==> your fake code in reverse order
   So, where is the real code located? Just display the ESI and EDI registers as follows:
     : d esi [enter]
   ==> look at the Data Window, did you see 74A0-0C03-160C at virtual address 0167:00C05E98 ????

5. Disable all currently existing breakpoint(s):
     : bd * [enter]
     : x   or F5 to return to the registration dialog box

6. Repeat the registration procedure, and key in 74A0-0C03-160C as your registration key.
   Click the OK button ....... you're registered!

7. Where the hell is my registration code stored ??
   The correct registration code is stored in the registry CLSID as follows ( nice try Bro .... ):

     REGEDIT4

     [HKEY_CLASSES_ROOT\CLSID\{EC5811A0-00F1-11D4-9395-CE85BCDF585A}]

     [HKEY_CLASSES_ROOT\CLSID\{EC5811A0-00F1-11D4-9395-CE85BCDF585A}\InprocServer32]
     @="shell32.dll"

     [HKEY_CLASSES_ROOT\CLSID\{EC5811A0-00F1-11D4-9395-CE85BCDF585A}\Version]
     @="FFFF"

8. How can I practise with my own reg. key ?
   - I strongly recommend you not to do this!

END NOTES
This program is sold as shareware, so you can try before you buy. This is convenient for you,
saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is
cheap, but it is not free. If you like the program, and you will, be sure to register and pay.
To keep shareware prices low, users must do the right thing: Register, pay up, and smile/grin
at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!
( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a
Hex Editor, ripping off other group(s)' crack releases, repacking (distro) them under his name.
Adopted from newsgroup alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):
lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers
but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations
of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-adregclean21.zip [EOF] October 16, 2000 12:45:24 PM
Revised/Updated : Nov 09, 2000


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
B-Puzzle v2.0
A Cracking Tutorial by ASTAGA [WWF/WTF]
ABOUT THE PROGRAM
B-Puzzle is a combination of sliding puzzle and jigsaw puzzle. This game allows you to create
sliding and jigsaw puzzles with your own BMP and JPEG files. You can scramble them into any
number of pieces, from 9 to 400 pieces. In addition, if you select sliding puzzle, you can also
play with alphabet and numeric puzzles. The object of these two games is to rearrange all
pieces so that they are in ascending order, that is A, B, C, ... or 1, 2, 3, ....

WHERE TO DOWNLOAD
Author   : Antony Pranata ( IndoWarez )
Homepage : http://www.antonypr.pair.com/bpuzzle.html
URL      : maybe available in your CHIP CD
Size     : ??? KB as of ,

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Run the program, wait 5 seconds for the tick count, click the REGISTER NOW button, type the
   information below:
     User name : Chris Raw Jericho
     Reg code  : 73881050
   Do not click the OK button yet.

2. Load SoftIce then set a new breakpoint as follows:
     bpx getwindowtexta [enter]
   F5 to return to the program's registration window.

3. Hit the OK button, you'll return back into SoftIce. Press F11, F5, F11 until you break and
   find the snippet of code below:

_____________________________________________________________________
015F:00402FB9  E8F6CF0500   CALL USER32!GetWindowTextA   <== HERE
015F:00402FBE  8D45E8       LEA EAX,[EBP-18]
015F:00402FC1  50           PUSH EAX
015F:00402FC2  8D55C8       LEA EDX,[EBP-38]
015F:00402FC5  52           PUSH EDX
015F:00402FC6  E8A9F4FFFF   CALL 00402474
015F:00402FCB  83C408       ADD ESP,08
015F:00402FCE  8BF0         MOV ESI,EAX
015F:00402FD0  8D4DF4       LEA ECX,[EBP-0C]
....
_________________________BPUZZLE!.text+1FB9__________________________
   Break due to BPX USER32!GetWindowTextA

   Press F10 - stop at 015F:00402FC1 - display the EAX register:
     : d eax [enter]   ==> your fake code appears in the Data Window
   Press F10 once - stop at 015F:00402FC2 - display the EDX register:
     : d edx [enter]   ==> your name appears in the Data Window
   Press F10 again - stop at 015F:00402FCB - did you feel a splash when you jumped over the CALL
   instruction at 015F:00402FC6 ? Look at the Data Window ... at virtual address 0167:006BEB20
   did you see 91056598 ?
   Press F10 once - stop at 015F:00402FCB - display the EAX register, you'll see 91056598 again.
   Don't you think this is a valid registration code? WRITE it DOWN!
   Disable the currently existing breakpoint:
     : bd * [enter]
     : F5 to return to the main program

4. Repeat the registration procedure, key in 91056598 as your registration code. Click the OK
   button ..... you're registered!

5. Where the hell is my registration info stored ??
   - The correct registration code is stored in BPUZZLE.INI as follows:

     [REGISTRATION]
     NAME=Chris Raw Jericho
     CODE=91056598
     [BPUZZLE]
     FIRST=1
     COLOR=8421440
     ...
     ...

6. How can I practise with another registration key ?
   - I strongly recommend you not to do this!

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-bpuzzle20.zip [EOF] 11/3/00 5:33:03 PM

This section is for 100 % NEWBIES :

EAX=006BEB20   EBX=006BEECC   ECX=00000034   EDX=006BEA80   ESI=006BEF02
EDI=00000001   EBP=006BEB38   ESP=006BEAF0   EIP=00402FCB   o d I s z A P c
CS=015F   DS=0167   SS=0167   ES=0167   FS=0F6F   GS=0000
------------------------------------------------byte--------------PROT---(0)--
0167:006BEB00 43 68 72 69 73 20 52 61-77 20 4A 65 72 69 63 68  Chris Raw Jerich
0167:006BEB10 6F 00 00 00 02 00 2A C0-00 00 05 00 8C 2D FF 16  o.....*......-..
0167:006BEB20 39 31 30 35 36 35 39 38-00 EB 6B 00 37 33 38 38  91056598..k.7388
0167:006BEB30 31 30 35 30 00 EB 6B 00-44 EB 6B 00 76 92 42 00  1050..k.D.k.v.B.
0167:006BEB40 CC EE 6B 00 64 EB 6B 00-44 F8 42 00 CC EE 6B 00  ..k.d.k.D.B...k.
0167:006BEB50 8D 2F 40 00 00 00 00 00-00 00 00 00 01 00 00 00  ./@.............
...
...
______________________________________________________________________


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
CleanReg v3.25/3.26
A Cracking Tutorial by ASTAGA [D4C/C4A]

ABOUT THE PROGRAM
CleanReg is best used as a registry monitor program. Running CleanReg can alert you to registry
intrusions and help clean up after uninstalling programs or systems. Normally when something is
installed on the computer, it is associated with one or more files on a disk. These files
usually have the extension EXE or DLL. Also, files used by the program are added to the
registry and can have any extension. Files are added to the registry by the programs that use
them and the use is defined by that program.
So only the developer of the program knows if the reference is required for proper operation
or was added for another reason and is not required. The excellent program ICQ is an example of
a program that adds many files to the registry and I have no idea why, so I leave them alone.
CleanReg scans for the files referenced in the registry and provides an easy method to
eliminate the reference. In some cases just the reference should be removed by zapping the
name, and in other cases an entire high level key needs to be deleted. In other cases the file
reference should not be changed. File names that have the extension DLL or EXE are located by
testing the system directories and the system PATH environment variable. Not all files,
especially DLL's and EXE's, need to be in a system defined path; they may be located by the
using program with the using program's search criteria.

WHERE TO DOWNLOAD
Author   : Armstrong Systems House, Inc
Homepage : http://www.CleanReg.com
URL      : http://www.armstrongsystems.bizland.com/free/CleanReg3.exe
Size     : 1.5 MB as of August 08, 2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

This program is packed with UPX. I suggest you unpack the .exe file before you practise by
yourself. In this tute I didn't unpack it at all, so unexpected occurrence(s) might happen on
your PC.

1. Run CLEANREG.EXE, click the OPTIONS/ENTER REG CODE submenu, in the registration dialog box
   type the information below:
     Name : Chavit 'Jueteng' Singson
     Code : 73881050
   Do not click the OK button yet.

2. Fire up SoftIce by pressing [ CTRL + D ], set a breakpoint as follows:
     BPX hmemcpy [enter]
   and F5 to return to the main program.

3. Now it's time to click the OK button... you'll return back into SoftIce! Within SoftIce
   press F11, F5, F11, then F12 11 times until you see and break at:

______________________________________________________________
015F:004062E7  E8D0B90000   CALL 00411CBC
015F:004062EC  8BF8         MOV EDI,EAX
015F:004062EE  85FF         TEST EDI,EDI
015F:004062F0  745C         JZ 0040634E
015F:004062F2  8B4C2408     MOV ECX,[ESP+08]
015F:004062F6  8B41F8       MOV EAX,[ECX-08]
015F:004062F9  85C0         TEST EAX,EAX
015F:004062FB  7E51         JLE 0040634E
015F:004062FD  8D542410     LEA EDX,[ESP+10]
015F:00406301  8D44240C     LEA EAX,[ESP+0C]
015F:00406305  52           PUSH EDX
015F:00406306  8D4C240C     LEA ECX,[ESP+0C]
015F:0040630A  50           PUSH EAX
015F:0040630B  51           PUSH ECX
015F:0040630C  E83FB20000   CALL 00411550
015F:00406311  83C40C       ADD ESP,0C
015F:00406314  85C0         TEST EAX,EAX
015F:00406316  7436         JZ 0040634E
015F:00406318  397C2410     CMP [ESP+10],EDI
015F:0040631C  7530         JNZ 0040634E
_________________________CLEANREG3!UPX0+52E7___________________

   Now, clear/disable the previous breakpoint by typing:
     bc 00 [enter]
   Create a new breakpoint by typing:
     bpx 015F:004062E7 [enter]
     u 015F:004062E7 [enter]

4. Press F10 once - stop at 015F:004062EE - look at the Register Window. Don't you think it
   strange that the contents of the EAX and EDI registers remain the same? Let's check out what
   is in there ....
     ? EAX [enter]   and/or   ? EDI
   SoftIce will respond:
     046755DA  0073881050  " gU "   ... that's your fake reg code
   Here you can presume that if your fake code is more than 10 characters long, you'll be thrown
   into another location as instructed by the JZ instruction at 015F:004062F0.

5. Press F10 4 times - stop at 015F:004062F6 - display the ECX register by typing:
     D ECX [enter]
   Did you see your user name appear in the Data Window?

6. Keep pressing F10 and stop at 015F:00406318, then look at the Register Window ... in my case
   the SS register looks as follows:
     .......  FS=35E7  GS=0000  SS:0066F3E0=0FC7E2B4
   Let's check the contents of the SS register:
     ? 0FC7E2B4 [enter]
   SoftIce will respond:
     0FC7E2B4  0264757940  "    "
   Write down 0264757940 as your suspicious reg code, because if you press F10 once again
   you'll jump past the JNZ instruction at 015F:0040631C and get the beggar-off message. During
   this step you will not see the SS contents loaded into any register flags ... that's the
   reason I called this number suspicious.
   To prove this situation, try your fake reg code in 10 characters length: right after the JZ
   instruction at 015F:004062F0 you'll be thrown into 015F:0040634E rather than continuing to
   the next memory address. Later you'll find the same JZ instruction again at 015F:00406316.

7. Disable all breakpoints by typing:
     BC * [enter]
   Press F5 or X to return to the main program.

8. Repeat the registration procedure and key in 0264757940 as your S/N. Click the OK/REGISTER
   button ..... ouchh! the screen splashes and there is no classic message " thank you .... " ??
   Just quit the application, re-run the program again, did you see your name in the opening
   window? Simply, YOU'RE REGISTERED now... as a matter of fact it's an ILLEGAL REGISTRATION!

9. Where the hell is my registration info stored ??
   - The correct registration code is stored in the registry as follows:

     REGEDIT4

     [HKEY_CURRENT_USER\Software\ArmstrongSystems\CleanReg3\Registered]
     "CodeB"=hex:14,00,00,00,03,02,05,00,c1,e2,d4,0f,60,f5,4c,4c,05,40,c0,01
     "User"="Chavit 'Jueteng' Singson"

10. How can I practise with another registration key ?
    - I strongly recommend you not to do this!
_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-CleanReg325.zip [EOF] 10/27/00 6:27:09 PM


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
PasteLister Version 2.0
A Cracking Tutorial by ASTAGA [D4C/C4A]

ABOUT THE PROGRAM
PasteLister is ideal for text/graphic editing (and Web forms) as it eliminates repetitive
tasks. By storing data copied to the clipboard in a customizable list history, it allows you to
easily paste data back to any application at any time. The basic idea behind PasteLister is
that when you press CTRL-V (or the specified hotkey) to paste to an application, a pop-up list
will appear under the cursor allowing you to choose from your customizable list. This way it
conveniently stays out of your way until you NEED it. Easy to use, extremely flexible and
powerful!

WHERE TO DOWNLOAD
Author   : J. Elaraj ( Progency Software )
Homepage : http://www.progency.com
URL      :
Size     : 1.2 MB as of ,2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. To enter the information, just click Help and Register! from the system tray icon menu (also
   find information about registering there as well).
     User Name  : Pirates Order
     Reg Number : 73881050

2. Fire up SoftIce by pressing [ CTRL + D ], put a new breakpoint, in this regard HMEMCPY:
     BPX HMEMCPY [enter]
   and F5 to return to the main program.

3. Click the OK button... you'll return back into SoftIce. Within SoftIce press F11, F5, F11,
   then press F12 11 times until you break at and see the snippet of code below:

_____________________________________________________________
015F:00488146  E8757AF9FF     CALL 0041FBC0              <== break here
015F:0048814B  8B95F8FDFFFF   MOV EDX,[EBP-0208]
015F:00488151  8D85FCFDFFFF   LEA EAX,[EBP-0204]
015F:00488157  B9FF000000     MOV ECX,000000FF
015F:0048815C  E843BBF7FF     CALL 00403CA4
015F:00488161  8D85FCFDFFFF   LEA EAX,[EBP-0204]
015F:00488167  5A             POP EDX
015F:00488168  E8FF0A0000     CALL 00488C6C              <== F8 here
...
_______________________ PLISTER!CODE+00087146 _______________

   Disable/clear the previous breakpoint, and create a new one like this:
     bc * [enter]
     BPX 015F:00488146 [enter]   <== just for further practise
   Press F10 and stop at 015F:00488161, display the EDX register:
     d edx [enter]
   Look at the Data Window, did you see your user name and fake code between virtual addresses
   0167:006FF7E1 and 0167:006FF8E1 ??
   Press F10 again and stop at 015F:00488168, follow this CALL instruction by pressing the F8
   key. Keep on tracing the code until you reach the snippet of code below:

015F:00488E2A  E989000000     JMP 00488EB8
015F:00488E2F  8D85FCFDFFFF   LEA EAX,[EBP-0204]
015F:00488E35  8D9500FEFFFF   LEA EDX,[EBP-0200]
015F:00488E3B  E82CAEF7FF     CALL 00403C6C
015F:00488E40  8B85FCFDFFFF   MOV EAX,[EBP-0204]
015F:00488E46  50             PUSH EAX                   <== D EAX here
015F:00488E47  8D85F4FCFFFF   LEA EAX,[EBP-030C]
---------------- PLISTER!CODE+00087E2A -------------------

   Stop at 015F:00488E46 and display the EAX register:
     d eax [enter]
   Look at the Data Window, that's your fake code at virtual address 0167:00C4699C. Locate it
   and create a new breakpoint as follows:
     bpr 0167:00C4699C 0167:00C4699C+12 rw [enter]
   Press X [enter] to let SoftIce break at the new location. SoftIce will respond:
     Break due to BPR #0167:00C4699C #0167:00C469AE RW

4. If nothing goes wrong, you'll break in the memory location and see the snippet of code
   below:

__________________________________________________________
015F:00403DFF  7426   JZ 00403E27
015F:00403E01  8B0E   MOV ECX,[ESI]     <== you break here
015F:00403E03  8B1F   MOV EBX,[EDI]
015F:00403E05  39D9   CMP ECX,EBX       <== D EDI HERE
...
...
___________________PLISTER!CODE+2DFF______________________

   Press F10 2 times and stop at 015F:00403E05 ... a CMP instruction! Let's find out what the
   contents of the ECX and EBX registers are; in the Command Line type as follows:
     ? ecx [enter]
   SoftIce will respond:
     38383337  0943207223  "8837"   ... wasn't it a part of your fake code in reverse order?
     ? ebx [enter]
   SoftIce will respond:
     2D534C50  0760433744  "-SLP"   ... what the hell is this?
   Okay, don't panic. Still in the Command Line type as follows:
     d edi [enter]
   Look at the Data Window at 0167:00C45A5C, did you see PLS-1846-1260 ?
     d esi [enter]
   Look at the Data Window at 0167:00C4699C, did you see 73881050 ?
   Disable all breakpoints. Press F5 to return to the main program.

5. Repeat the registration procedure. Key in PLS-1846-1260 as your registration number, then
   click the OK/REGISTER ME button. The classic " thank you for registering " pops up on your
   screen. Hell... you're registered now, but it's ILLEGAL!

6. Where the hell is my registration info stored ??
   - The correct registration code is stored in the hidden file called ERROR24$.SYS in your
     Windows directory.

7. How can I practise with another registration key ?
   - I strongly recommend you not to do this!

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-pastelister20.zip [EOF] 10/20/00 1:13:15 PM


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
Super Poker '1999
A Cracking Tutorial by ASTAGA [WWF/WTF]
ABOUT THE PROGRAM
- This is a card game, which comprises all functions of automatic devices in a real Casino!
- This is the simple way to learn to play Poker.
- This is a good way to have a rest and test your luck.

WHERE TO DOWNLOAD
Author   : Pete Kotenev ( Hyperactive Abstraction )
Homepage : http://www.sinor.ru/~fregal
URL      :
Size     : ????? MB , as of ......

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Run the program, click the REGISTER NOW button, type the information below:
     First name : PIRATES
     Last name  : ORDER
     Reg code   : 73881050
   Do not click the OK button yet.

2. Load SoftIce then set a new breakpoint as follows:
     bpx hmemcpy [enter]
   F5 to return to the program's registration window.

3. Hit the OK button, you'll return back into SoftIce. Press F11, F5, F11, F5 and F11 until you
   break and find the snippet of code below:

__________________________________________________________________
015F:0046C156  E89598FBFF   CALL 004259F0     <== HERE
015F:0046C15B  8B45FC       MOV EAX,[EBP-04]
015F:0046C15E  E8C179F9FF   CALL 00403B24
015F:0046C163  8BF0         MOV ESI,EAX
________________________SP1999!CODE+0006B156_____________________

   I've traced the code for you, so just do a search string in SoftIce's Command Line as
   follows:
     : bd * [enter]
     : bpx 015F:0046C156 [enter]
     s 0 l ffffffffffff E8 2D 56 F9 FF 74 2a [enter]
   SoftIce will respond:
     Pattern found at 0167:0046D35A (0046D35A)
     : bd * [enter]
     : bpx 0167:0046D35A [enter]
     : g 0167:0046D35A [enter]
     Break due to G
     Break due to BPX #0167:0046D35A
   and here's what you see:

__________________________________________________________________
015F:0046D35A  E82D56F9FF     CALL 0040298C              <== HERE
015F:0046D35F  742A           JZ 0046D38B                <== D edx
015F:0046D361  BA50D44600     MOV EDX,0046D450
015F:0046D366  8B83E0020000   MOV EAX,[EBX+000002E0]
015F:0046D36C  E8AF86FBFF     CALL 00425A20
015F:0046D371  33D2           XOR EDX,EDX
015F:0046D373  8B83DC020000   MOV EAX,[EBX+000002DC]
015F:0046D379  E86285FBFF     CALL 004258E0
015F:0046D37E  B201           MOV DL,01
________________________SP1999!CODE+0006C359______________________

4. Press F10 once - at memory address 015F:0046D35F - display the EAX register:
     : d eax [enter]   ===> your name/code appear in the Data Window at virtual memory
                            0167:007DF8B8
     : ? ecx [enter]
     38333708  0942880520  "837"   ==> part of fake code in reverse order
     : d edx [enter]   ===> did you see SP99-9032913903 at virtual address 0167:007DF8A8 ?
   Scroll up one line and you'll see your name in capital letters ( the default user name
   should be in capital letters ).
   Press F10 once - stop at 015F:0046D361 - display the EDX register:
     : d edx [enter]   ===> you'll find SP99-9032913903 again.
   Write down this suspicious reg code.

5. Disable all breakpoints and get back to the main program:
     : bd * [enter]
   F5 to return to the main program ( note : repeat the registration procedure if necessary ).

6. Repeat the registration procedure, key in SP99-9032913903 as your password. Click the OK
   button ..... you're registered!

7. Where the hell is my registration info stored ??
   - The correct registration code is stored in the USER.REG file located in the /SPOKER/DAT
     folder as follows:
       name: PIRATES ORDER
       sum: 1000
       ser.num: SP99-9032913903

8. How can I practise with my own user name ?
   - I strongly recommend you not to do this!
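All five walkthroughs above end at the same place: the program computes the valid code itself and then compares it with what was typed, so the CMP instruction has the real code (or the buffer it lives in) as one operand. What follows is an added example, not code from any of these programs or from the tutorial's author: a Go program contrasting that fishable pattern (with a constructed toy derivation, not any vendor's real algorithm) against a check that embeds only a public key and verifies an Ed25519 signature over the user name, so nothing the shipped program computes at the comparison is a usable code and it has no key with which to issue one. The seed, names and code format are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// ---- Pattern 1: the check the tutorials above fish --------------------------
// Constructed toy derivation; NOT the real algorithm of AdRegCln, B-Puzzle,
// CleanReg, PasteLister or Super Poker. It only stands in for "the program
// computes the expected code from the user name".
func deriveCodeToy(name string) string {
	sum := sha256.Sum256([]byte(name))
	h := strings.ToUpper(hex.EncodeToString(sum[:6]))
	return h[0:4] + "-" + h[4:8] + "-" + h[8:12]
}

// checkFishable is what the traced CMP loops implement: the valid code is
// materialised in memory and compared with the typed one, so a breakpoint on
// the comparison (or on the buffer the input was copied to) shows both.
func checkFishable(name, entered string) bool {
	expected := deriveCodeToy(name) // the real code now sits in a buffer
	return expected == entered      // and is one operand of the compare
}

// ---- Pattern 2: the program holds only a public key -------------------------
// vendorSeed is a constructed 32-byte seed so the example is deterministic.
// A vendor's private key lives on the issuing machine and never ships.
var vendorSeed = []byte("example-seed-do-not-use-in-prod!")

func vendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(vendorSeed)
	return priv.Public().(ed25519.PublicKey), priv
}

// vendorIssueCode runs at the vendor: the registration code is the Ed25519
// signature over the user name, hex-encoded (64 bytes, 128 hex digits).
func vendorIssueCode(priv ed25519.PrivateKey, name string) string {
	return strings.ToUpper(hex.EncodeToString(ed25519.Sign(priv, []byte(name))))
}

// checkSigned is what the shipped program does. A debugger stopped at the
// comparison sees the public key, the name and the signature the user typed;
// none of that yields a valid code, because producing one needs the private key.
func checkSigned(pub ed25519.PublicKey, name, entered string) bool {
	sig, err := hex.DecodeString(entered)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false // not hex or wrong length: reject before verifying
	}
	return ed25519.Verify(pub, []byte(name), sig)
}

func main() {
	pub, priv := vendorKeys()
	fmt.Println("fishable, fake code :", checkFishable("Pirates Order", "73881050"))
	fmt.Println("fishable, real code :", checkFishable("Pirates Order", deriveCodeToy("Pirates Order")))
	code := vendorIssueCode(priv, "Chris Raw Jericho")
	fmt.Println("signed, issued code :", checkSigned(pub, "Chris Raw Jericho", code))
	fmt.Println("signed, fake code   :", checkSigned(pub, "Chris Raw Jericho", "73881050"))
	fmt.Println("signed, other name  :", checkSigned(pub, "Someone Else", code))
}
```

Storing the accepted code in an INI file or the registry afterwards, as the programs above do, is a separate matter: with the signed scheme the stored value is still only valid for the name it was issued to.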
_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-superpoker99.zip [EOF] 11/7/00 11:01:11 PM


I really hope you've enjoyed this tutorial as much as I did!

Don't miss Tutor #110 soon! ;)

Credits go to:
  IC_666 for the Splash Logo.
  ASTAGA for providing 5 tuts in this version.

To ALL the crackers: You are welcome to send me your tutors to publish them .. see below for my
email address!
*** 95 chars per line in textfile please! ***

And all the tutors can be found at:
  http://www.crackersinaction.com
(or on IRC, ask CiA ops for urls!)

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 12 November 2000

Cracking Tutorial #109 is dedicated to CiA, all new and old members for the support they gave
me all the years!