_CbD_'s Tutorial #2

Rummy 500

Well, here is a look at a different way of cracking VB3 programs.

Target: RUMMY 500 (Version 3.8)

Get it here: comes with the tutorial

Tools needed: SoftICE v3.xx

Ok, let's talk about the program first. It is ok for a VB3 game, and considering it was
done by a woman (not a sexist remark ;-)), this is really a nice game if you like
the card game rummy. BUT this lady seems to think that she must put nag screens
everywhere. Hmmm, I hate that, so that is what is driving this crack. There are nags
at the end of every hand (with a 10 sec delay), and this is just not fair to those of us
who wish to evaluate it at its full. ;-) Ok, that is enough about the program.

Now, as always, we will be doing this in steps, so let's get started.

Step #1

Ok, we have to find out a little info about the program, so we use QuickView
(see Tut #1 for info on QuickView) to find out a little about our pup here.
Hmm, looks like a VB3 file. Ok, well that takes care of that, cause we know
we can't crack VB programs since they don't use any of the normal functions
that we set our breakpoints on, right? WRONG. If you have read my tut #1 or
razzia's VB tuts you will know we can crack VB programs just as fast, if not
faster, than any other. Ok, now let's do a little searching to see if we can find
any info on the program, so we look in the dir we installed to, and what's this:
2 files that might be of some use, one is Rummy500.faq and the other is Readme.txt.
So let's see what's in them. First the FAQ: hmm, nothing there that seems to help,
so next the Readme.txt..... What's this, do you see what I see?

****************************************************************************
IMPORTANT NOTE: MeggieSoft Games does not process any registrations between
December 15th and January 15th. Any registrations received during this
period will be processed after January 15th. The registration reminder
will not be displayed between December 20th and January 15th.
****************************************************************************

No way, it can't be that simple, not with a program that has so many nags.
Well, let's try anyway. Change your system's date to, say, January 1; that would
give us 15 days. Hmm, well they are right, no 10 sec delays, but yup,
there is still a nag screen, and we just can't live with this, can we ;-)
But it was nice of them to tell us anyway. So change your date back
so we can enter a Reg Number and crack it.

Step #2

Ok, now we have not found anything that we can really use to help us, other
than knowing that it is a VB3 program, so let's get started cracking it.
First let's start the program and wait for that nagging 10 sec delay to go by,
and then press Register. Damn, more screens, what is this shit...
Ok, press Enter Registration. Hmm, Name and Number. Well, that is not good:
it means that most likely this won't be just some serial number hardcoded in
for us to find in SoftICE. Not that this will make it any harder,
it just takes a few more minutes.

Step #3

Ok, now enter a name. I use (CbD! Cracked). Don't use this, cause you are
cracking it, not me ;-). Now enter a serial number; I use (7777777). Now
press Enter and see what happens. Hmm, not a good serial number.
Well shit, we knew that already, so press OK. Hmm, well we get another shot
at it without having to start over. Good, I like this.

Step #4
|
|
Press Ctrl-D and pop into softice ( If you dont have softice you cant do this crack)
|
|
now lets set a BreakPoint on hmemcpy so do this BPX HMEMCPY and press
|
|
enter. now we have a Breakpoint that should pop us into SI(SoftIce) when we
|
|
hit enter in the registration screen so now (If you didnt have any other BreakPoints
|
|
Set and if you did Clear Them before you go on you can do a BC * and then press
|
|
enter and reset the HMEMCPY breakpoint so it is your only one) press Ctrl-D
|
|
and you should land back in the registration srceen
|
|
|
|
Step #5

Press Enter. Boom, back to SoftICE we go. Ok, now we are in the HMEMCPY function;
we don't want to be here, so we press F11 to get back to the function that called HMEMCPY.
But wait, this little program had 2 boxes, remember, 1 for the Name and 1 for the Number,
so this first hit is most likely the Name copy (you can crack it from here but it takes forever)
and that is not what we want, we want the serial number, right? Ok, so press F5 and pop right
back into SoftICE we go, and yes, back in the HMEMCPY function, so press F11 again
to get out of it. Now we should be looking at something like this:

17CF:0B40 CALL KERNEL!HMEMCPY
17CF:0B45 PUSH WORD PTR [DI]
17CF:0B47 CALL KERNEL!LOCALUNLOCK
17CF:0B4C MOV AX,SI

Ok, the addresses may differ but the code should look the same. Well, this doesn't look too
interesting to us right now, so let's step through the code a bit with F10. As you press
the key you see the lines advancing. You will see a few POPs
and then LEAVE and RET <---(interesting): we are in the function that called HMEMCPY
and now we seem to be fixing to return from it to the one that called this one. Hmm, ok,
let's keep pressing F10, about 10 times or so, or until you see the code below
(note: you should press F10 a total of 14 times after the last F11). There will be a RET
that will land you at

0C0D POP DS <------ Should land here
0C0E POP BP
0C0F RETF 000C

This is not a compare. POP DS, POP BP, RETF 000C is the normal epilogue of a far
function: it puts the caller's DS and BP back and returns, throwing away 12 bytes of
arguments. What makes it useful to us is that after the POP BP, BP points at the
caller's stack frame, and the code we are after is sitting in that frame, which is
why dumping memory at BP in a moment shows it.
(I know this already cause I traced it down for you.)
Now here is what my window looked like when I stepped through 14 times:

EAX=056A000B EBX=000275EA ECX=00000000 EDX=06700000 ESI=00021B74
EDI=00020106 EBP=000062A0 ESP=000062A0 EIP=00000C0E o d I s Z a P c
CS=17CF DS=2B57 SS=2B57 ES=3387 FS=059F GS=011B

----RUMMY500(02)------------------------------------dword---------------PROT---(0)--
2B57:000062A0 0F0E:62BC 0000:1807 3387:115K 000D:000C .b...... ..3....
2B57:000062B0 0106:0D7C 1B74:0002 2B57:0002 0381:62D8 ].....t...W+.b..
2B57:000062C0 0001:1807 115E:0000 000C:3387 37F4:000D ...... ..3.....7
2B57:000062D0 0BF4:0002 0386:17CF 0751:632A 0001:1207 ......*CQ.......
2B57:000062E0 115E:0000 000C:3387 0D7C:000D 17CF:0BF4 .....3..........
2B57:000062F0 0106:2B57 01E6:0106 0000:33D7 3032:33D7 W+.......3...320
2B57:00006300 3632:2D30 3933:2D36 0588:0035 6352:0043 0-266-395...C.Rc

----USER!BOZOSLIVEHERE+001C---------------------------------------------------PROT16-
17CF:0C0A CALL 25C2
17CF:0C0D POP DS    <----- Restore the caller's DS
17CF:0C0E POP BP    <----- Restore the caller's BP (now points at the caller's frame)
17CF:0C0F RETF 000C <---- Far return, dropping 12 bytes of arguments
17CF:0C12 MOV AX,171F
17CF:0C15 MOV ES,AX

----------------------------------- USER(0A)----------------------------------------

Hmm, then we should be able to look at the memory around BP
(I already know it holds the good serial #).
So do this: ED BP and press Enter. You should see something like
the above data window. (DS and SS are the same segment here, 2B57, so ED BP
lands you on the stack.) Note: make your window fairly wide so you can see
all the data, or scroll down. Now I can't say for sure, but every time I have done this
I have gotten a valid code (I haven't looked very deep into the program yet),
so I can't give you the exact reason this code is here, but I will soon make a keygen
and give a full explanation of the code, so look for it soon. Well, now if you look you
will notice that there is a string of numbers divided by a "-". Mine is
3202-266-395, well my code was 202-266-395. This will not work for you,
as it is different for every computer even if the names are the same (note:
do not use special characters in the name, i.e. _ [ / ] - + < >, use only numbers
or letters), so look to see what yours is. You may or may not have 4 numbers
in the first part of the string; if you do, ignore the first number as it is not part of the
code. If you notice, the same number appears just before the string, so drop that one
off and use xxx-xxx-xxx. Well, that should do it. Just clear your breakpoints (BC *)
and return to the program (Ctrl-D) and then enter your code, and Boom, there you are,
no more nag screens. But please do register, as the author done a good job on
this one even if they did put so many nags in it, and the fee is only $12, like that is
too much.......

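Reading the code out of that data window by eye is error prone, especially once the
dump has been copied out into a text file where a hex 0 and a letter O look alike.
As an added example (not part of _CbD_'s tutorial and not code from the game), here
is a small Python script that does the same job offline: it turns SoftICE dword-window
rows back into raw bytes, cross-checks them against the ASCII column SoftICE printed
next to them, and pulls out the xxx-xxx-xxx string, dropping the extra leading digit
mentioned above. The dump inside it is constructed for the example and the code in it
is made up; the printable range it uses for the ASCII column (0x20-0x7E shown as-is,
anything else as a dot) is an assumption about SoftICE's display.

```python
import re

# Constructed sample in the layout of SoftICE's "dword" data window. It is NOT
# the dump from the tutorial; the code in it is made up for the example. Each
# "HHHH:LLLL" group is one 32-bit value shown as high word : low word. Memory is
# little-endian, so the bytes actually stored are LL LL HH HH, which is why the
# group 3231:34D7 renders as ".412" in the ASCII column on the right.
SAMPLE_DUMP = """\
2B57:000062F0 0000:0000 0000:0000 0000:0000 3231:34D7 .............412
2B57:00006300 3534:2D33 3837:2D36 0588:0039 6352:0043 3-456-789...C.Rc
"""

# seg:offset of the row, four dword groups, then the 16-character ASCII column.
ROW_RE = re.compile(
    r"^([0-9A-F]{4}):([0-9A-F]{8})"
    r"((?:\s+[0-9A-F]{4}:[0-9A-F]{4}){4})"
    r"\s+(.{1,16})\s*$"
)
# Hex fields of a dump that went through OCR or text extraction often have the
# digit 0 turned into the letter O; repair that before parsing.
HEXFIELD_RE = re.compile(r"[0-9A-FO]{4}:[0-9A-FO]{4,8}")
# Three dash-separated digit groups; the first may carry one extra leading digit.
CODE_RE = re.compile(rb"(\d{3,4})-(\d{3})-(\d{3})")


def softice_ascii(data: bytes) -> str:
    """Render bytes the way the data window's ASCII column does.
    Assumption: 0x20..0x7E are shown as-is, everything else as '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw memory bytes from consecutive dword-window rows,
    checking that rows are contiguous and that the decode agrees with the
    ASCII column SoftICE printed next to them."""
    out = bytearray()
    expected_offset = None
    for line in dump.splitlines():
        if not line.strip():
            continue
        line = HEXFIELD_RE.sub(lambda h: h.group(0).replace("O", "0"), line)
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a dword-window row: {line!r}")
        offset = int(m.group(2), 16)
        if expected_offset is not None and offset != expected_offset:
            raise ValueError(f"row {offset:08X} is not contiguous with the previous one")
        expected_offset = offset + 16
        row = bytearray()
        for hi, lo in re.findall(r"([0-9A-F]{4}):([0-9A-F]{4})", m.group(3)):
            # low word first, then high word, each stored little-endian
            row += int(lo, 16).to_bytes(2, "little") + int(hi, 16).to_bytes(2, "little")
        if softice_ascii(row).strip() != m.group(4).strip():
            raise ValueError(f"ASCII column does not match decoded bytes at {offset:08X}")
        out += row
    return bytes(out)


def find_code(data: bytes):
    """Return (raw match, normalised xxx-xxx-xxx) or None. The tutorial warns
    that the first group may show a fourth digit that really belongs to the
    bytes just before the code, so only its last three digits are kept."""
    m = CODE_RE.search(data)
    if m is None:
        return None
    raw = m.group(0).decode("ascii")
    first = m.group(1)[-3:].decode("ascii")
    return raw, f"{first}-{m.group(2).decode('ascii')}-{m.group(3).decode('ascii')}"


if __name__ == "__main__":
    mem = dump_to_bytes(SAMPLE_DUMP)
    print(find_code(mem))  # ('4123-456-789', '123-456-789')
```

The ASCII-column check is the part worth keeping: if the bytes you decoded do not
render to what SoftICE itself printed, you have read a word in the wrong order or
the dump is garbled, and the code you type in will be wrong.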
Well, hope this helped you some and helped you to understand a little
more about VB programs, and if not, at least you got a cool game without nags
(unless you still can't crack it), and even then you know how to get rid of the
10 sec delays: CHANGE THE DATE... duhhhh. Ok, well that's all for this one.
All tutorials I write will be available from Http://users.quicklink.net/~cbd/c4n or
http://mexelite.home.ml.org ENJOY........... _CbD_ [ME/C4N'97]

Oh yeah, I almost forgot: you can change the back of the cards to
whatever you wish by editing the rummy500.bmp file in an
editor such as PaintBrush (comes with Windows). Just thought
you might want to know that. Mine say Cracked by CbD ;-)