Welcome to Cracking Tutorial #111!

Hiya guys, hmm, from Tuts #105-110 it seems I forgot to replace the Tutor #numbers in the Welcome Screen. So excuse me please :) Well, here is another tut111.tKC... Let's rave! ...or crack babes? :)

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all of them, so be sure to have them handy for the examples in this tutorial!)

  SoftICE v4.05
  W32Dasm v8.93
  Hacker's View v6.55
  SmartCheck v6.03
  ProcDump32 v1.6.2
  TRW2000 v1.22
  IDA v4.04
  Windows Commander v4.51 (I use it because it makes multitasking easier)
  Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here are a few good sites where you can grab tools from:

  http://protools.cjb.net
  http://w3.to/protools
  http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?! OK! ;)

=======================================================================
Welcome To Neo's WorlD.
=======================================================================

Level   : Newbie
Proggie : WinRAR 2.70 Beta 3
Nags    : Pop up REMINDER every time you start WinRAR + "Evaluation copy" in the title bar + "40 days trial copy" message in the About dialog
Tools   : W32Dasm 8 and above
          Hex Editor (I use Hiew 6.16)
          Brains, Patience........

-----------------------------------------------------------------------
!MPORTANT
MY TUT IS JUST FOR SECURITY KNOWLEDGE. IF YOU LIKE A SOFTWARE THEN PLS BUY IT.
SOMETIMES THE SOFTWARE AUTHORS REALLY DESERVE UR MONEY...
-----------------------------------------------------------------------
=======================================================================

HEY kLIMAx 2000, READ UR TUT ON WINRAR 2.70. U MENTIONED THE TWO NAGS TO BE REMOVED BUT DIDN'T SHOW HOW TO REMOVE THE ABOUT BOX NAG. I JUST ADDED IT HERE. ADD IT TO UR TUT IF U LIKE.
YOUR TUT WAS A GREAT ONE AND WORKS ON ALMOST ALL 2.70+ VERSIONS OF WINRAR. THIS IS JUST AN ADDITION TO UR TUT.
=======================================================================

INTRO:

WinRAR is a RAR archiver that has support for .zip, .rar, .ace, etc.... {the latest addition is .ace in 2.70+ versions}. When you start WinRAR a pop-up dialog hits your face saying to register. Of course you can choose to close it. Then as you start using WinRAR you find that there is that nasty "Evaluation copy" written in the title bar. In Help->About WinRAR you can see "40 days trial copy". Enough nags to eat my head....uuurrrrggghhhhhhh.....

Ok Lets Rave

Well, as you must know by now, our target is winrar.exe, so go to the WinRAR program folder and make a copy of winrar.exe somewhere.

Hey NeO... but why?????

Glad you asked. Well, if you mess things up horribly then you can replace the damaged exe with its copy... that answers it.

OK, now start WinRAR... as usual the reminder hits you right in the face saying Please Register..... Close the dialog and exit WinRAR. Fire up W32Dasm, go to Disassembler->Open file to disassemble and choose winrar.exe. Wait........ OK, now it's disassembled completely after a couple of secs. Go to Refs->String data refs. A list appears. Scroll down till you see "REMINDER" (you nearly reach the end of the list!).

Err... Hey NeO... why "REMINDER" only????

Again, glad you asked. Well, these sorts of proggies usually have a dialog called REMINDER that calculates the days remaining (remember the pop-up box that hit you in the face). Now that you know what the bug is, let's fix it. Double-click on the REMINDER and close the SDR window. You will now be somewhere here:

  * Possible StringData Ref from Data Obj ->"REMINDER"
  |
  :00401544 68DF3B4600      push 00463BDF                  <<-- Here
  :00401549 8B0DFCCB4600    mov ecx, dword ptr [0046CBFC]
  :0040154F 51              push ecx

You won't find anything there, so scroll up a bit till you see this:

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:00401529(C)                                             <<--- interesting!
  |
  :0040152F C6057430460001  mov byte ptr [00463074], 01
  :00401536 6A00            push 00000000
  :00401538 68A8BC4000      push 0040BCA8
  :0040153D 8B15DCB84600    mov edx, dword ptr [0046B8DC]
  :00401543 52              push edx

There is a call that is referencing this location. That's our target. Press Shift+F12 and enter 00401529 in the box. Press Enter. You will land somewhere here:

  :0040150F 803D7430460000  cmp byte ptr [00463074], 00
  :00401516 753D            jne 00401555
  :00401518 803D846C460000  cmp byte ptr [00466C84], 00
  :0040151F 7534            jne 00401555
  :00401521 A184F54600      mov eax, dword ptr [0046F584]
  :00401526 83F828          cmp eax, 00000028
  :00401529 7F04            jg 0040152F                    <<--- here
  :0040152B 85C0            test eax, eax
  :0040152D 7D26            jge 00401555

That's what we need. You can see the statement:

  :00401526 83F828          cmp eax, 00000028

40 is 28 in hex, so this bit compares (cmp) the contents of eax with 40. If it is greater then jump to the bad boy. So we will change the jg to jle (7E). Make sure the blue line is on the jg; it turns green. Now look at the bottom of the window and you find something like @offset 00000b29h. The h stands for hex. Remember only b29. Close W32Dasm. It'll prompt you about exiting without saving the disassembly text; choose yes. Now fire up Hiew and open winrar.exe. Press F4 and choose Decode. Now you are in decode mode. Press F5 and enter the offset (b29). Press Enter. Now press F3 and type 7E. Press F9 to update and F10 to exit Hiew.

Start WinRAR and voila...! The nag's gone. But what's this on the title bar (evaluation copy)? We don't want it either, do we? So close WinRAR and start W32Dasm. Open winrar.exe as before and go to SDR (string data refs). Search for the string "evaluation copy". Double-click it. You will land somewhere here:

  * Possible Reference to String Resource ID=00873: "evaluation copy"
  |
  :0041BDA6 6869030000      push 00000369                  <<-- here...
  :0041BDAB E888C4FEFF      call 00408238
  :0041BDB0 50              push eax

Nope, not important to us. Scroll up until you see this:

  * Possible StringData Ref from Data Obj ->"%s - WinRAR"
  |
  :0041BD89 68AD5F4600      push 00465FAD
  :0041BD8E 8D9500FEFFFF    lea edx, dword ptr [ebp+FFFFFE00]
  :0041BD94 52              push edx
  :0041BD95 E842080400      call 0045C5DC
  :0041BD9A 83C40C          add esp, 0000000C
  :0041BD9D 803D846C460000  cmp byte ptr [00466C84], 00
  :0041BDA4 752E            jne 0041BDD4                   <<-- this we need

We have to fix this baby to remove the title bar nag. Note the offset as before. Make sure the blue bar is on the jne (turns green). Note the offset (1b3a4). Don't count the "h" please... Now exit W32Dasm and fire up Hiew. Go to decode mode, press F5 and enter 1b3a4. Press Enter. Press F3 and enter 74 (if you wonder what it is, it stands for je). Now press F9 to update and F10 to exit Hiew. Fire up WinRAR and wow! The title bar nag has gone.

Just as you were beginning to imagine that you were the proud owner of a fully registered software, you find that you are not! Go to Help->About. "40 days trial copy".... Jesus... this thing's killing me. Relax budd! Go take a shower if you can't. After regaining your patience and all that stamina (along with some brain cells left), exit WinRAR. Fire up W32Dasm and open winrar.exe. Go to Refs->SDR and search for "Registered to". Double-click it. You land here:

  * Possible Reference to String Resource ID=00960: "Registered to"
  |
  :0040B9C4 68C0030000      push 000003C0                  <<--- here
  :0040B9C9 E86AC8FFFF      call 00408238
  :0040B9CE 50              push eax

That's not what we need. Scroll up a bit till you see this:

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0040B975(C)
  |
  :0040B983 803D846C460000  cmp byte ptr [00466C84], 00
  :0040B98A 7472            je 0040B9FE                    <<-- hmmm.....
  :0040B98C 8DBDF0F9FFFF    lea edi, dword ptr [ebp+FFFFF9F0]
  :0040B992 BE98964700      mov esi, 00479698
  :0040B997 B981010000      mov ecx, 00000181
  :0040B99C 8D85F0F9FFFF    lea eax, dword ptr [ebp+FFFFF9F0]
  :0040B9A2 F3              repz
  :0040B9A3 A5              movsd
  :0040B9A4 50              push eax
  :0040B9A5 8D95F0F9FFFF    lea edx, dword ptr [ebp+FFFFF9F0]
  :0040B9AB 52              push edx

We got our guy. We now have to patch it to jne => 74. Note down the offset by placing the blue line over it (turns green). It's af8ah. Cut the h. Exit W32Dasm. Fire up Hiew. Open winrar.exe and go to decode mode. Press F5 and enter af8a. Press Enter. Press F3 and enter 74. Now press F9 to update and F10 to exit Hiew.

Now run WinRAR and go to Help->About... yes, it shows "Registered to" (although it doesn't show any name; that's because it doesn't know any either). For us it's enough because the proggie now thinks it's fully registered....

Watch out for more of my tutz....

Ending::::

Greetz to the legendary tKC and R!SC (two of my all time favourites) for their great tutz. Also BuLLeT and kLIMAX 2000 for their tutz. Hey Klimax 2K, I read your tut but you didn't include the removal of the about box nag, so I gave it here. Loved your tut... enough said....

nEO.

-----------------------------------------------------------------------

How to find sn in SwiffPEG v1.0 by Grooveware Multimedia (for beginners)
by whistler

Target URL:
-----------
http://www.swifftools.com/

Tools:
------
TRW2000 by Liutaotao and Zhunanhao (http://www.knlsoft.com/)
DeDe v2.42
IDA v4.04
M$ Notepad

A few words from Grooveware Multimedia about this program:

"Flash 4 doesn't support the direct input of MP3's into FLA files. SwiffPEG creates a work-around for this problem by enabling you to convert a .MP3 file into a .SWF file instantly. The resulting file can be used as a stand-alone movie or can be incorporated within an existing web-page or application, using the "LoadMovie" Actionscript command.
By providing batch-processing for multiple MP3's you can save yourself a lot of time if you do a lot of audio related Flash work."

Well, let's begin our work. Open TRW, click on 'Browse' and choose our target. When you're done click on 'Load' and TRW will pop up at the program's entry point. It is 4A86E4. After this press F5 once to return to Windows and continue loading our target.

When you first start our target you will notice a little nag screen with three buttons. Two of them are enabled (Exit and Register) and the third is disabled (Continue). 'Continue' is disabled for a few seconds (I don't know how many seconds. I didn't count! :) ) and then we can load SwiffPEG. Now click on 'Register' and there is a dialog window where we can enter our 'User name' and 'Serial number'. Enter some information. When you click 'Register SwiffPEG' you will see a message box telling you that 'The serial number is invalid' and the proggy is loaded. You can try to register again from the menu 'Help'.

First we will disassemble our proggy. Open our target in IDA. When IDA disassembles SwiffPEG, from the menu 'View' choose 'Names' and you will find a few very interesting names, e.g.

  str__SoftwareBorlandDelph
  str__SoftwareBorlandLocal
  str__SoftwareBorlandDel_0

This means that we are dealing with a proggy which is written in Delphi. Great! Means we can use DaFixer's DeDe (thx man). Open DeDe, browse to our target and, before you process it, from the menu 'Options' choose 'Symbols' and load all symbols (vcl??.dsf and vclx??.dsf) in DeDe. Now process SwiffPEG. When decompiling is over click on 'Procedures' and you will see 5 procedures:

  fEditMP3TrackInfoU
  MpegToSWFu
  Nagscreen      --> INTERESTING!
  ProgressU
  Register       --> INTERESTING TOO!

For now we will not deal with procedure 'Nagscreen'. Instead we will examine procedure 'Register'. Click on 'Register' and then twice on the btUnlockClick event.
You will see a disassembled function:

  0049A938   55                     push    ebp
  0049A939   8BEC                   mov     ebp, esp
  0049A93B   33C9                   xor     ecx, ecx
  0049A93D   51                     push    ecx
  0049A93E   51                     push    ecx
  0049A93F   51                     push    ecx
  0049A940   51                     push    ecx
  0049A941   51                     push    ecx
  0049A942   51                     push    ecx
  0049A943   53                     push    ebx
  0049A944   56                     push    esi
  0049A945   8BD8                   mov     ebx, eax
  0049A947   33C0                   xor     eax, eax
  0049A949   55                     push    ebp
  0049A94A   688FAA4900             push    $0049AA8F
  ***** TRY
  |
  0049A94F   64FF30                 push    dword ptr fs:[eax]
  0049A952   648920                 mov     fs:[eax], esp
  0049A955   8D55FC                 lea     edx, [ebp-$04]
  * Reference to control edUsername : TEdit
  |
  0049A958   8B83D4020000           mov     eax, [ebx+$02D4]
  * Reference to: Controls.TControl.GetText()
  |
  0049A95E   E8314AF9FF             call    0042F394
  0049A963   8B45FC                 mov     eax, [ebp-$04]
  * Reference to: System..DynArrayLength()
  | or: System..LStrLen()
  |
  0049A966   E83594F6FF             call    00403DA0
  0049A96B   83F803                 cmp     eax, +$03
  0049A96E   0F8E00010000           jle     0049AA74
  0049A974   8D55F8                 lea     edx, [ebp-$08]
  * Reference to control edSerialNr : TEdit
  |
  0049A977   8B83DC020000           mov     eax, [ebx+$02DC]
  * Reference to: Controls.TControl.GetText()
  |
  0049A97D   E8124AF9FF             call    0042F394
  0049A982   8B45F8                 mov     eax, [ebp-$08]
  * Reference to: System..DynArrayLength()
  | or: System..LStrLen()
  |
  0049A985   E81694F6FF             call    00403DA0
  0049A98A   83F803                 cmp     eax, +$03
  0049A98D   0F8EE1000000           jle     0049AA74
  0049A993   8D55F4                 lea     edx, [ebp-$0C]
  * Reference to control edSerialNr : TEdit
  |
  0049A996   8B83DC020000           mov     eax, [ebx+$02DC]
  * Reference to: Controls.TControl.GetText()
  |
  0049A99C   E8F349F9FF             call    0042F394
  0049A9A1   8B45F4                 mov     eax, [ebp-$0C]
  0049A9A4   50                     push    eax
  0049A9A5   8D55F0                 lea     edx, [ebp-$10]
  * Reference to control edUsername : TEdit
  |
  0049A9A8   8B83D4020000           mov     eax, [ebx+$02D4]
  * Reference to: Controls.TControl.GetText()
  |
  0049A9AE   E8E149F9FF             call    0042F394
  0049A9B3   8B55F0                 mov     edx, [ebp-$10]
  0049A9B6   8BC3                   mov     eax, ebx
  0049A9B8   59                     pop     ecx
  |
  0049A9B9   E832FCFFFF             call    0049A5F0
  0049A9BE   84C0                   test    al, al
  0049A9C0   0F8492000000           jz      0049AA58
  0049A9C6   6A00                   push    $00
  0049A9C8   668B0D9CAA4900         mov     cx, word ptr [$49AA9C]
  0049A9CF   B202                   mov     dl, $02
  * Possible String Reference to: 'Thank you for registering SwiffPEG'
  |
  0049A9D1   B8A8AA4900             mov     eax, $0049AAA8
  * Reference to: Dialogs.MessageDlg(System.AnsiString; Dialogs.TMsgDlgType; System.[Dialogs.TMsgDlgBtn]; Integer)
  |
  0049A9D6   E8F9A9FBFF             call    004553D4
  0049A9DB   B201                   mov     dl, $01
  * Possible reference to class TRegistry
  |
  0049A9DD   A138F64400             mov     eax, dword ptr [$44F638]
  * Reference to: Registry.TRegistry.Create()
  |
  0049A9E2   E8BD4DFBFF             call    0044F7A4
  0049A9E7   8BF0                   mov     esi, eax
  0049A9E9   BA01000080             mov     edx, $80000001
  0049A9EE   8BC6                   mov     eax, esi
  * Reference to: Registry.TRegistry.SetRootKey(Cardinal)
  |
  0049A9F0   E88B4EFBFF             call    0044F880
  * Reference to field TRegistry.OFFS_000C
  |
  0049A9F5   C6460C01               mov     byte ptr [esi+$0C], $01
  0049A9F9   B101                   mov     cl, $01
  * Possible String Reference to: 'Software\Grooveware Multimedia\SwiffPEG\Registration'
  |
  0049A9FB   BAD4AA4900             mov     edx, $0049AAD4
  0049AA00   8BC6                   mov     eax, esi
  * Reference to: Registry.TRegistry.OpenKey(System.AnsiString)
  |
  0049AA02   E8BD4FFBFF             call    0044F9C4
  0049AA07   8D55EC                 lea     edx, [ebp-$14]
  * Reference to control edUsername : TEdit
  |
  0049AA0A   8B83D4020000           mov     eax, [ebx+$02D4]
  * Reference to: Controls.TControl.GetText()
  |
  0049AA10   E87F49F9FF             call    0042F394
  0049AA15   8B4DEC                 mov     ecx, [ebp-$14]
  * Possible String Reference to: 'Name'
  |
  0049AA18   BA14AB4900             mov     edx, $0049AB14
  0049AA1D   8BC6                   mov     eax, esi
  * Reference to: Registry.TRegistry.WriteString(System.AnsiString; )
  |
  0049AA1F   E81C53FBFF             call    0044FD40
  0049AA24   8D55E8                 lea     edx, [ebp-$18]
  * Reference to control edSerialNr : TEdit
  |
  0049AA27   8B83DC020000           mov     eax, [ebx+$02DC]
  * Reference to: Controls.TControl.GetText()
  |
  0049AA2D   E86249F9FF             call    0042F394
  0049AA32   8B4DE8                 mov     ecx, [ebp-$18]
  * Possible String Reference to: 'Serial'
  |
  0049AA35   BA24AB4900             mov     edx, $0049AB24
  0049AA3A   8BC6                   mov     eax, esi
  * Reference to: Registry.TRegistry.WriteString(System.AnsiString; )
  |
  0049AA3C   E8FF52FBFF             call    0044FD40
  0049AA41   8BC6                   mov     eax, esi
  * Reference to: Registry.TRegistry.CloseKey()
  |
  0049AA43   E8084EFBFF             call    0044F850
  0049AA48   8BC6                   mov     eax, esi
  * Reference to: System.TObject.Free()
  |
  0049AA4A   E80984F6FF             call    00402E58
  0049AA4F   8BC3                   mov     eax, ebx
  * Reference to: Forms.TCustomForm.Close()
  |
  0049AA51   E8D6FAFAFF             call    0044A52C
  0049AA56   EB1C                   jmp     0049AA74
  0049AA58   6A00                   push    $00
  0049AA5A   668B0D9CAA4900         mov     cx, word ptr [$49AA9C]
  0049AA61   B201                   mov     dl, $01
  * Possible String Reference to: 'The serial number is invalid.'
  |
  0049AA63   B834AB4900             mov     eax, $0049AB34
  * Reference to: Dialogs.MessageDlg(System.AnsiString; Dialogs.TMsgDlgType; System.[Dialogs.TMsgDlgBtn]; Integer)
  |
  0049AA68   E867A9FBFF             call    004553D4
  0049AA6D   8BC3                   mov     eax, ebx
  * Reference to: Forms.TCustomForm.Close()
  |
  0049AA6F   E8B8FAFAFF             call    0044A52C
  0049AA74   33C0                   xor     eax, eax
  0049AA76   5A                     pop     edx
  0049AA77   59                     pop     ecx
  0049AA78   59                     pop     ecx
  0049AA79   648910                 mov     fs:[eax], edx
  ****** FINALLY
  |
  0049AA7C   6896AA4900             push    $0049AA96
  0049AA81   8D45E8                 lea     eax, [ebp-$18]
  0049AA84   BA06000000             mov     edx, $00000006
  * Reference to: System..LStrArrayClr()
  |
  0049AA89   E8B690F6FF             call    00403B44
  0049AA8E   C3                     ret
  0049AA8F   E9248BF6FF             jmp     004035B8
  0049AA94   EBEB                   jmp     0049AA81
  ****** END
  |
  0049AA96   5E                     pop     esi
  0049AA97   5B                     pop     ebx
  0049AA98   8BE5                   mov     esp, ebp
  0049AA9A   5D                     pop     ebp
  0049AA9B   C3                     ret

I have never programmed in Delphi but we can see a lot of interesting stuff here. E.g. taking our 'User name':

  0049A958   8B83D4020000           mov     eax, [ebx+$02D4]
  * Reference to: Controls.TControl.GetText()
  |
  0049A95E   E8314AF9FF             call    0042F394

and then calculating its length:

  * Reference to: System..DynArrayLength()
  | or: System..LStrLen()
  |
  0049A966   E83594F6FF             call    00403DA0
  0049A96B   83F803                 cmp     eax, +$03      ; Length_Of_Our_Name <= 3
  0049A96E   0F8E00010000           jle     0049AA74       ; then jump

and after that the same with our 'Serial number'. Then there is a calculation and after that a registering key 'Software\Grooveware Multimedia\SwiffPEG\Registration' which is in our registry. Then closing the key and closing this register form.
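The flow traced above (two length guards, a call into a check routine, a boolean branch, then the registry write) is the derive-and-compare pattern, and its weakness is that the valid serial has to exist in the program's memory at the moment of comparison. The block below is an added illustration, not SwiffPEG's code or anything DeDe produced: it shows that pattern beside a verify-only design in which the shipped program holds just a public key. The derivation is a constructed stand-in (the tutorial does not give the real one) and the RSA numbers are textbook toy parameters chosen only to keep the example self-contained.

```python
import hashlib
import hmac

# Constructed stand-in for the serial derivation inside the check routine
# called at 0049A9B9; the tutorial only shows that it exists and is compared.
def derive_serial(name: str) -> str:
    return hashlib.sha256(name.encode("utf-8")).hexdigest()[:16].upper()


def verify_weak(name: str, typed: str) -> bool:
    """Derive-and-compare, the pattern seen in btUnlockClick.

    The correct serial is materialised in a local just before the compare,
    so a debugger stopped there can read it straight out of memory."""
    if len(name) <= 3 or len(typed) <= 3:       # the two 'cmp eax, +$03 / jle' guards
        return False
    real = derive_serial(name)                   # valid serial now sits in memory
    return hmac.compare_digest(real, typed)      # the compare behind 'test al, al / jz'


def serial_from_checker(name: str) -> str:
    """What the weak design leaks: the checker itself can mint serials."""
    return derive_serial(name)


# Hardened pattern: verify, never derive.  The serial is the vendor's signature
# over the name; the program embeds only the public key, so nothing it holds in
# memory can produce a serial for any name.  Toy textbook-RSA parameters
# (p=61, q=53) keep this self-contained; a product would use 2048-bit RSA or
# Ed25519 from a vetted library, never hand-rolled numbers of this size.
PUBLIC_N, PUBLIC_E = 3233, 17
_VENDOR_PRIVATE_D = 2753                         # vendor side only, never shipped


def _name_digest(name: str) -> int:
    h = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(h, "big") % PUBLIC_N


def vendor_issue_serial(name: str) -> str:
    """Runs at the vendor (or a licence server), not in the shipped binary."""
    return f"{pow(_name_digest(name), _VENDOR_PRIVATE_D, PUBLIC_N):04d}"


def verify_hardened(name: str, typed: str) -> bool:
    """Shipped check: only (PUBLIC_N, PUBLIC_E) are present in the program."""
    if len(name) <= 3 or not typed.isdigit():
        return False
    return pow(int(typed), PUBLIC_E, PUBLIC_N) == _name_digest(name)


if __name__ == "__main__":
    user = "whistler"
    print("weak  :", verify_weak(user, serial_from_checker(user)))
    print("strong:", verify_hardened(user, vendor_issue_serial(user)))
```

The hardened form only removes the "read the real serial at the compare" problem; a patched branch still needs code integrity measures, which are a separate control.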
Now you will probably notice this:

  0049A9AE   E8E149F9FF             call    0042F394
  0049A9B3   8B55F0                 mov     edx, [ebp-$10]
  0049A9B6   8BC3                   mov     eax, ebx
  0049A9B8   59                     pop     ecx
  0049A9B9   E832FCFFFF             call    0049A5F0       ; PROBABLY CALC. ROUTINE
  0049A9BE   84C0                   test    al, al
  0049A9C0   0F8492000000           jz      0049AA58
  0049A9C6   6A00                   push    $00
  0049A9C8   668B0D9CAA4900         mov     cx, word ptr [$49AA9C]
  0049A9CF   B202                   mov     dl, $02
  * Possible String Reference to: 'Thank you for registering SwiffPEG'

We can place our breakpoint at e.g. 0049A9B3 (mov edx,[ebp-$10]) to see what is happening. Open our TRW and type:

  bpx 0049A9B3

Press F5 and click on 'Register SwiffPEG'. TRW will pop up at 0049A9B3. Press F10 until you land at 0049A9B9. Now press F8. We land here (a listing from IDA):

  0049A5F0          push    ebp
  0049A5F1 004 8B+  mov     ebp, esp
  0049A5F3 004 6A+  push    0
  ...
  0049A60A 02C 8B+  mov     eax, [ebp+var_4]        ; in EAX 'User name'
  0049A60D 02C E8+  call    sub_403F54
  0049A612 02C 8B+  mov     eax, [ebp+var_8]        ; in EAX 'Reg. number'
  0049A615 02C E8+  call    sub_403F54
  ...
  0049A652 044 BA+  mov     edx, offset str__090a56838a26572a1189 ; "090A56838A26572A1189A85"
  ...
  0049A66E 044 E8+  call    sub_4944C0
  0049A673 044 BA+  mov     edx, offset str__Dbwjweghfi834583432t ; "dbwjweghfi834583432tr2h71"
  ...
  0049A6AB 048 E8+  call    sub_403F70              ; after this call EAX and EDX have same 'strange string'
  ...
  0049A6CD 044 8B+  mov     edx, [ebp+var_1C]       ; in EDX real Reg. number
  0049A6D0 044 8B+  mov     eax, [ebp+var_8]        ; in EAX fake Reg. number
  0049A6D3 044 E8+  call    sub_403EB0              ; compare them
  0049A6D8 044 75+  jnz     short loc_49A6DE
  0049A6DA 044 B3+  mov     bl, 1
  0049A6DC 044 EB+  jmp     short loc_49A6E0

Well, that's it. At 0049A6CD type d edx and you will see our real registration number (in hex), and if you type d eax (at 0049A6D0) you will see our fake registration number.

whistler

hmm.. is that you, cracker? ;) ok, i had a supply to crack today, so... here we go:

===============================================================================
Program                  : Freecell 2000 v2.2_win9x_nt_2000
Publisher                : ?
Price                    : 10 US Dollar
URL                      : http://freecell2000.tripod.com/
Protection(s)            : NagSerial
Possible Release Type(s) : CrackRegged
Supplier                 : *******
Last Time Edited         : *******
===============================================================================

Freecell 2000 is the highest rated Freecell on the web. It has lots of cool features like 3 million starting positions, Undo, Redo, Undoall, Redoall, Replay Forward and Back, Snapshot, Favorites, Autosave, Adjustable card speed, Game saving, Global and General history, Detailed Scoreboard with Statistics and Top Score, Automatic Game Loading, Possible Moves Display, Fading Background Color Schemes and Color, Sound Schemes, Session and Game timer, View and Export Game source, File association.

So.. now you know... download the app, and you'll see.. it is VB6 (open the exe in Hiew, you'll see a reference to the MS DLL for VB6 - the installation points to VB.., and you'll see THE MS VB DLL passing by in the installation..).

Now open SmartCheck (yes, we're going visual! ;) open the executable, and "play" it... it took some time, and there was something on television, so I left for about half an hour.. it was ready (so I don't know how long it takes).. depends on processor etc..

So, it pops up (make sure you have everything minimised.. press REGISTER, and enter a (fake) serial number (I did 22446688) press "ok" or "register" or whatever it was... and it will give an error.. who cares! Press the STOP button in S'Check, and scroll down, then scroll up until you see:

  + _Click

Press the button, and scroll down again (this will be a long list)... when you're at the end of "_Click" you'll see:

  Left(Variant:String:"552...")        << this CAN be different on your computer
  +MsgBox(VARIANT:String:"Invalid ..."...
  --END OF CLICK HERE

Click on Left(Variant:String:"..") and in your right window you'll see:

  - string (variant)
  - unsigned short *
  * ....
  - String = 00...
    = "5524594581A9A113AB726AC507099496031DE498"   (can be another number on your machine)
  Long length = 16
  0x00..

OK.. that 55245945.. seems interesting (can be another number on your machine). Why not try to register with it? It works! (You also can try with the first 16 characters of this number.. will work too.. I THINK (didn't try it).)

So.. enjoy the registered program.. and remember.. buy it!

// iNNU3NDo

Greets to: CiA crew (yes.. a tut from me tKC, to thank you for these 2 you did for me last nite!) NLiSO/NLRiP/RiSCiSO/DiSTiNCT/UCF/PC/FAiTH2000/EXECUTiON/CORE/2db/BMi/.... our fans!

"You can't be yourself 365 days a year.."

Hiyas! My second tut, ON the SAME program.. but now how to get a keygen (yeah.. indeed, to get, not to create!)

So, I got your serial number from SmartCheck, but that's not enough, I want .... A keygen! that works for multiple boxes, so what did I do? In the code in S'Check I found a weird string (which I have seen some times before.. but this time I wanted a keygen, so.. I studied it..) "/\/e7C0$0fT\/\/ArE" is the string.. Netcosoftware in decent ASCII ;) so, I started browsing the registry, and found a reference to nslock15vb6.ocx (in c:\winnt\system)... nslock.. looked in the file with Hiew, and found "ActiveLock".. I asked around, nobody knew anything, so.. I searched it on AltaVista.. and I came on:

  http://www.insite.com.br/activelock/

You'll see when you go to the download area that it is FREEWARE, and you can dl the example (do it!)

  >> http://www.insite.com.br/~nferraz/activelock/download/nslock15.zip

When it's downloaded open it, and run KeyGenerator.exe. There will be a Password, LiberationKeyLength, & Software Code field.. now, read the help file included in that zip, etc, etc.. now you know you'll need a password, but how to get it? Launch Hiew, open the exe (from Freecell), and press F7.. enter "password".. you'll find NOTHiNG.. damn... but..
Hey, let's search for "P A S S W O R D" (IMPORTANT** 70 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 **IMPORTANT is what you need, so no spaces, but "" blank fields...). Now do a search for this and you'll see some shit: "H A R I P A D 0 8 0 4 7 5 U N N I".. so if we remove the spaces that is: "HARIPAD080475UNNI".

Now.. the length.. haven't you read something about "16" in the previous tut?? So enter 16, and the software code.. well, that depends.. from box to box, so you'll need to fill THAT in ;) Result, that's the keygen.. now know how to "touch" the ocx and you're set ;)

So, this is how the keygen works: Run the keygen (or code it yourself with this info), and enter:

  Password:             HARIPAD080475UNNI
  LiberationKeyLength:  16
  Software Code:

Click generate! Copy the LiberationKey and paste it in the serial field, register and it's OK ;)

Enjoy.. tKC.. you needed 3.. this is 2.. but can't make a third ;)

DumDiDum.. so there is a 3rd tut (you never know ;) so.. let's download our target:

  AuctionTamer v4.2.4
  http://tucows.yourprovider.com ...

Get ready.. we're going to get two (2!) valid serials for your name.... so... install the tool, and you'll see.. ViSUAL BASiC!... Let's launch SmartCheck.. THE tool for VB (mostly ;) open the AuctionTamer executable, press play, and.. go! You'll see the program starts up slowly.. and when it's open, try to register (I entered: innuendo@CiA as e-mail and 22446688 as *fake* serial number).. *flash*.. error message, so press "stop" in SmartCheck!

Now.. what do you have.. a lot of shit.. but.. let's make the shit useful.. Scroll down, and then look up until you see a "_Click".. click on it.. it will get longer.. you'll see a LCase(), click on it.. you will see your input (innuendo@CiA), then a Trim(innuendo@cia).. so.. if you know VB you'll remember:

  LCase()                        << lowercase
  Trim()                         << remove spaces around it
  Len()                          << gives length
  Mid(string, position, length)  << takes out x chars
  Asc()                          << gives ASCII value of **

so..
A trim of our e-mail, and a trim of our (fake) serial... then it gives the LENGTH of our e-mail, and next to that the length of our e-mail + a new string.. "AUCTIONSELLER". Then it converts that long to an integer, and it starts looping... if you study the loop well, you'll see it starts looping from the LAST letter until the first letter, and skips 1 character every time.. A second loop will go from the first to the last character, doing all of the characters, not even skipping 1.. The third loop will start in front, and loop until the last character, skipping 1 character every time.. so.. after that you'll see some "format" and "replace" things.. and at the last replace (before there is a len() again), you'll see the serial number! (1) 644-827-461 .. so this is serial number 1 for this app..

Now.. you can scroll down and have completely the same routine, except... instead of adding "AUCTIONSELLER" it will add "AUCTIONTAMER", then all the routines, and then the second good serial number: 664-966-633 it is.. 2 serial numbers, one name, one program.. let's say "Cracked?"... enjoy it, and remember.. pay the fee if you like the tool.

PS: If you understand what I said above, you'll know how to keygen it.. mail the keygen (source) to me when you succeed in it.. then I know this tut was useful ;)

iNNU3NDo@crackersinaction.com

enjoy life.. and remember.. "you can't be yourself 365 days a year"

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #112 soon! ;)

Credits goto:

  IC_666 for Splash Logo.
  nEO for providing a tut in this version.
  whistler for providing a tut in this version.
  iNNU3NDo for providing 3 tuts in this version.

To ALL the crackers: You are welcome to send me your tutors to publish them.. see below for my email address!

*** 95 chars per line in textfile please! ***

And all the tutors can be found at:

  http://www.crackersinaction.com (or on IRC, ask CiA ops for urls!)

Greetz goto all my friends!
You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 12 November 2000

Cracking Tutorial #111 is dedicated to iNNU3NDo... u deserved it ;)