Cracking Tutorial for Newbies by FlOrEsTaN.


A Cracking Tutorial for Newbies by FlOrEsTaN
Newbies ONLY

"FlOrEsTaN has sent me this tutorial he wrote a few months back and imho it's one of the best "how to get started" tutorials I've read, I'll certainly be adding this to my recommended newbies reading list. You should easily find the target programs and tools. I hope FlOrEsTaN will go forward to enhance his knowledge further." Slightly edited and commented by CrackZ.

You notice the title. I am a beginner. I have been cracking for about a month or 2, with mixed success. It should be noted therefore, lots of what I say may be incomplete or inaccurate. It is the intention of this tutorial to teach *complete* newbies what I have learned so far. (BTW, you'd better read this with word wrap on, or you'll have hell trying to follow the text!!!)

The first thing I think you should do is get "W32Dasm". This is one of the tools you will use regularly when cracking. It is a "disassembler". It disassembles files, so you can see how the program is set out, how it works etc. Get this tool from : Just copy and paste that URL into your browser and you should start downloading. Go get this program now, and resume the tutorial when it's installed.

When you disassemble a file for the first time, you'll look at the contents of your screen and think, "Oh dear...". Don't be discouraged, what you'll be looking at is the program's "Assembly". You will have to get to know what lots of the stuff means. I'm still struggling, but I'm still learning. The assembly of a program is the listing of all the functions it carries out. Every program you disassemble will look similar. When you disassemble a program using W32Dasm you will notice it takes a long time to load some files, depending on the size of the exe you are disassembling. (Especially on my slow excuse for a PC!) Load "calc.exe" (The Windows Calculator) into the disassembler. The one I have is 92KB, but if yours is different, just apply what I say to your version. (P.S. If you skipped ahead without getting W32Dasm, get it now, you honestly will need it from this point on).

Disassembled the calculator? Good. Now, a few basics about the disassembled text. First of all, click on the button on the W32Dasm toolbar that says "Cd Loc". (When you put your mouse over this button it will say "Goto Code Location". Push the button. A window will pop up). Type in the window: "010026A6" (Without Quotes) (Don't worry, it's only a random number I have chosen). Click on OK. All the way down the left side of the page you will see 8 numbers (or letters). These first 8 numbers or letters on each line are the "Addresses" or "Code Locations". Ignore the numbers and letters after the addresses for now. Addresses are used so that if a program says "Carry out the function at address (Whatever the address is)", the program will know where to go next. Things like that. Look at the right hand side of the assembly language. You will see something like the following: (Don't worry if yours isn't the same as what is written here - it's not important).

call 01007387
mov ecx, dword ptr [01013D90]
mov dword ptr [ecx+04], eax
mov eax, dword ptr [01013D64]
mov eax, dword ptr [4*eax+01013CE0]


These are the actual instructions. Don't ask me what it all means! I only know the basics right now, just follow what I'm saying. Here is a good place to explain that "Jmp" means "Jump". Look for an instruction that begins with a "Jmp". If you're using the same file as me, there will be one just below where your blue bar should be:

:010026AD E993000000 jmp 01002745
^ Address  ^ "Hex"    ^ Instruction

Don't worry yourself with hex just yet. See the "Jmp" is followed by an address. This means that the program will jump from the address specified on the left (e.g. in the above example the address is 010026AD) to the address specified in the Jump instruction (e.g. 01002745). Look at the toolbar of W32Dasm. You will see a "Jump to" button. Put your mouse over it. It will say, "Execute Jump". Double-Click on the line with the "Jmp". The blue bar should go onto the line and turn green. Memorize the address after the "Jmp" (E.g. in the above example I mean memorize "01002745"). Click on the button. Look at where it has taken you. Look on the left, the address is the one specified in the Jump instruction. This means that the program will jump when it reaches the "Jmp" instruction, no questions asked. Go to any random parts in the file and try this jumping procedure some more, so you get used to how jumping and addresses work. Any one you can find. (Use your common sense).

Now I'll explain about different jumps. The "Jmp" was an "Unconditional Jump". There are other jumps. Here are some of the most important:

"Je" - Jump if Equal
This will regularly come after a "Cmp" (Compare) instruction. You will see the compare instruction as "Cmp" followed by two values. Scroll up to address "010025C2" if you are using the same version of calc as me.

:010025C2 3BC3 cmp eax, ebx
:010025C4 0F84DD020000 je 010028A7

This is a typical example of a "Cmp" instruction followed by a "Je". In this example, when the program gets to this point, it will compare the value contained in ebx with the value contained in eax. (EAX and EBX are "Registers". Don't worry about it quite yet!) If the values in these registers are equal, the program will jump when it reaches the next (Je) instruction. If EAX and EBX's value are not equal, the program will not jump, the instruction will be ignored. You'll find loads of "Cmp" instructions in your file also.

"Jne" - Jump if NOT Equal
This is the same sort of thing as "Je", but it's the opposite. It jumps if the compared values are not equal. It would be common to find a "Jne" in a relevant part of code in a program you are cracking, where if the program compares the registration code you entered with the right code, and they don't match, it will jump to a set of instructions that send you the error message.

"Jz" - Jump if Zero
This is like "Je" but it is after the program calculates something. If the answer to the calculation is 0 (Zero), the jump will occur. "Jnz" means Jump if NOT Equal. There are many other types of jump, but they don't need explaining now. I will explain more about these jumps when I try to explain "SoftICE" to you.

Without any further ado, let's do some practical work. You will need two programs: "Hex Workshop" (Version 2.20) (Which we will be cracking) and "Hackers' View" (or "HIEW" for short.

This is a tool you will need to start using). Get these programs.

http://www.bpsoft.com (Hex Workshop)
http://ftp.unibel.by/fileecho/MFEDOS/HIEW616.ZIP (Hackers' View - copy and paste the URL and you should start downloading).

Some of the links may be dead by the time you get to read this, if that's the case, just find a cracker, they should help you get the tools. (Or you could E-Mail me at "Florestan5@hotmail.com" and I'll send them by mail.) Got the programs? Good. Find your original HWorks32.exe file and copy it. (Ctrl-C, as if you didn't know). Make 2 copies of the file. Rename one "HWorks32.ex_" for backup, if we totally screw the program up when we're cracking it. Rename the other one "HWorks32.w32". This helps you remember that this is the file you will disassemble using (.w32)Dasm. When this is done, load up "HWorks32.w32" into W32Dasm. Minimize it. All set up? Run Hex Workshop. Go to "Help", and "About". Here you have the chance to enter the serial number. Enter anything and click on "Register". Unless you are the luckiest person on earth and guessed the correct code, you will be staring at an error message. Write the message down. (Eg. "You have entered an invalid registration number" will suffice). Get out of the program. Get the message you wrote down. Click on find on the W32Dasm toolbar. Type in "You have entered an invalid". Click on find. It will put you in the section headed "Dialog Information", before you even come to any instructions or addresses. Look in the top right hand corner. You will see "DialogID_0075". Write this information down, as this is what the program will refer to when it needs the text for the error message. Click on find again. Enter "DialogID_0075" and click on find. You will land on a line that says "Possible reference to Dialog: DialogID_0075". Look up 2 lines. Aha, you notice anything familiar? Yep. "Unregistered Version". We don't like that. Look up to where it says:

Referenced by a (U)nconditional or (C)onditional jump at address:
|:0041BCCE(C)

This means that the address 0041BCCE had a conditional jump (I.E a "Je" or "Jne") that told the program to go to the part of the code that follows the "Referenced by a (U)nconditional or (C)onditional jump at address" text. (Write down "0041BCCE"). So let's scroll up to address 0041BCCE. It shouldn't be far away.. When we go to the code location (address) 0041BCCE, we should see one of the following lines: je 0041BD4D, or jne 0041BD4D, or jz 0041BD4D (you get the picture). Sure enough:

:0041BCCE 0F8479000000 je 0041BD4D

Write the address down. This instruction "je 0041BD4D" we are about to change, so that it is "jne 0041BD4D". DON'T close W32Dasm yet. Run HIEW (Hackers' View). Highlight the HWorks32.exe file and open it in HIEW. Press F4. This will allow you to change stuff. From here you can select "Decode Mode" which is where we can change what the program does. Select Decode mode. Good old assembly! Press F5. The top line will change colour and you will be able to put the address we wrote down in here. Put the address you made a note of. IMPORTANT - Make sure you put a dot (.) before the numbers. So type in (Without quotes of course) ".0041BCCE" Press return. Found the address? Look. Sure enough, you'll be at the line of code we saw in W32Dasm and wanted to change. Press F3. Be VERY careful you

don't accidentally change things you're not meant to. Press the right arrow key twice so the underscore is under the 8. Type 85. Yep, you have changed the second byte in our instruction. That has changed je to jne. You changed Je (84) to Jne (85). It should be noted Je is not always 84 and Jne 85. It varies depending on how many bytes are in the instruction, for example when there is only 2 bytes in the jump instruction, je will be 74, and jne would be 75, and in that case, the first byte is the one you will modify, not the second. "Bytes" consist of two hex characters. So the line we are editing has 6 bytes. (12 Characters). Press F9 to update the file and get out of editing mode. Press F10 to get out of HIEW.

Go and run "HWorks32.exe". This is the file you just changed. Go to Help, and About again. Type in any code. Click "Register". Presto! Registered! Choose a name and company and press OK. Congrats. You've just cracked your first program!!! Now you can close W32Dasm. (We just kept it open in case the byte we changed didn't do anything). Get out of HWorks32.exe and then run it again to make sure it stays cracked. This is still regged. (You'll find a lot of programs you think you'll have cracked this way, but then when you run them after you exit, you're back where you started, it'll say it's unregistered again).

The next thing I'm going to do is show you "SoftICE". SoftICE is a tool you WILL need to crack programs efficiently. You'll need it if you want to do "proper" cracking, where you find registration codes, without even modifying the program. That's the best, cleanest type of cracking you can do. It's also the type of cracking you'll get to feel you've really achieved something. Go get this superb program. It can be found at: http://soft.ivanovo. (copy and paste the URL into the browser to start downloading). You'll also need a program called "WinRAR", if you haven't got it. You can get it from www. It's only £30.

Get SoftICE. Follow the instructions and install. Once you start installing it you'll be asked to enter your name and registration info. Register it. Use the following registration number: "1907-0000DD-99". Usually you shouldn't use other people's reg info to reg programs. That's what lamers do who can't crack programs. However cracking SoftICE requires specialist tools, and is I expect, waaaaaaay beyond your (and mine!) capability. I used a code that I got passed on to me by another cracker by way of a tutorial. But let's not go into that right now. Let it make changes to your autoexec.bat, as it needs to be loaded as a program before windows starts.

When SoftICE is installed, go to the SoftICE directory and open the "winice.dat" file with notepad. Find the line that says "INIT=Code On" or similar. Change that line to the following:

INIT="lines 60;wc 22;wd 22;code on;color f a 4f 1f e;"

This just tells the program how many lines to allow to each "section" of SoftICE, and it gives it some more interesting colours than the boring ones the installation gives it. Now go down to where it says "Examples of Export symbols" and there will be a list of files starting with "EXP=". Remove all of the ";" symbols from the beginning of those lines. This makes sure that when we restart our computer and go into SoftICE we can set "Breakpoints" on the windows "API" (Which is vital to us!) Save the file and restart your computer.

It might be a good idea to print out the next few paragraphs (Until I say "Stop Printing"), because when you're in SoftICE, you can't access any other programs until you leave, and we don't want to be going back and forth between SICE (SoftICE) and Notepad all the time; we won't be able to get out of SoftICE or it'll ruin our work, and we'll have to start again.

---------------------------------------START PRINTING HERE---------------------------------------

Press Ctrl+D and you'll see SoftICE in all its glory. The top section with the first line of text starting with "EAX=" is the section of SoftICE for registers. Registers are places in memory. Memory is where all the information is kept, and registers save the addresses of the places in memory that are important to the program at that time. (That's not the only way they work, but it's all you need to know for now). The line

of characters "o d i s z a p c" are all flags. ("o" is a flag, "d" is a flag etc.) These flags are either active or inactive, but they are always there. You notice, some flags will be highlighted. These are the flags that are active. The only important one to us right now is the "Zero" flag. That's the "z". Remember when we were talking about jumps, and we talked about "jz" (Jump if Zero) and "jnz" (Jump if not Zero). For example if in SoftICE we came across a piece of code that had a "jz" in it, we could look at the zero flag just before that function was carried out, and we would know if the program would jump or not! Cool eh? This is one of the reasons SICE is so powerful.. Anyway, I'm just trying to explain registers. Look at the Registers Window where it says EDX=(whatever). Type in: d edx and press Enter. What you've just told SICE to do is "Display EDX". You should see the Data Window change. (I'll talk about the 2nd section in a minute). SoftICE showed you the memory at EDX. If you got a message saying "Invalid Address", just use my example with EAX or ESI etc. You will notice that the number after EDX is the first number in the Data Window. This is because EDX is storing the address in memory that you have just told SoftICE to display. That is how the Data Window works. Get out of SoftICE.

Now let's do a real crack! Get "5 or More" version 2.0a from: http://www.midstream. Got the program, good! Then let's begin. Set the program up and run it. You'll see "EVALUATION COPY" at the top of the window. Click OK. Go to "Help" and click on "Register". We see two boxes to enter the information that is needed to register the program. The next thing we do is "Break" into SoftICE when the program reads in what we enter. For the program to get the information we enter into the boxes, it will need to use the windows API functions. Most programs will use one of the following functions:

"GetWindowText"
"GetDlgItemText"
"GetWindowTextA"
"GetDlgItemTextA"

The ones without the A's are for 16 bit programs, and since programs are not much made in 16 bit any more, it's usually just safe to use the ones with the A's. The A at the end of functions means it's for use with a 32 bit program only. We will need to tell SoftICE to come to life when a program uses one of these functions. I checked and this program uses "GetDlgItemTextA". If you try to use "GetWindowTextA" you just get confused! Go into SICE (Ctrl+D remember). So type in "bpx getdlgitemtexta" [Return]. Bpx simply is the instruction to "BreakPoint on eXecute", i.e. the program breaks when it executes the api function or call. Remember for the future, you would set the BreakPoint, and then get out of SoftICE again. Type anything in the two boxes. I used "Liszt" for my name, and "12345" for my code. Press OK. !BAM! You're in SoftICE! You're at the point in the program where the program is calling the api function "GetDlgItemTextA" to get the name you entered. Press Ctrl+D to get out of SoftICE and you should be immediately brought back to SoftICE where the function is called again, this time to get the code you entered. If in a program you had to enter a name, a code, AND a company, for example, you will have to let SoftICE break however many boxes you have to fill in, because it would have 3 boxes to read from, so it would need to call the function 3 times. SoftICE has broken twice. So you're in SICE. We are now at the beginning of the "GetDlgItemTextA" function.

While we are talking about code, let's look at the code section of SICE. Look at the 2nd section. This is the "Data Window". This is the memory basically. This is what it looks at. This 3rd section is the "Code Window". The code window should look familiar. The difference between the code here, and the code in W32Dasm, is that the code here in SICE is actually being executed, and when you exit SICE, the highlighted (red) line of code will be executed straight away. The last section is just where you type in. (The yellow (Well, they should be yellow) lines separate the sections of SICE).

The code in the code window below the highlighted line is the code for the function. Don't press anything else yet. Press F11. This lets the program carry out the function, but returns you to SoftICE IMMEDIATELY after the function has finished. Now you should be in the 5 or More program code. I think I'd better explain about calls now. Calls are similar to jumps. When there is a call, the instructions are executed one by one, until the program returns to the point where the call was. Example time. OK, say for example, we were to come across the following:

:004018D9 E8520D0000 call 00402630
:004018DE 8D4C2414 lea ecx, dword ptr [esp+14]
:004018E2 C684246C02000002 mov byte ptr [esp+0000026C], 02

The program goes to the address 00402630. What we have here for example is:

:00402630 6AFF push FFFFFFFF
:00402632 6896CF4000 push 0040CF96
:00402637 64A100000000 mov eax, dword ptr fs:[00000000]
:0040263D 50 push eax
:0040263E 64892500000000 mov dword ptr fs:[00000000], esp
:00402645 51 push ecx
:00402646 C3 ret

This means the program would carry out all of the instructions in this part of code (from 00402630) and when it got to 00402646 (A "Return" instruction) it would go to 004018DE. (The instruction after the call to the above piece of code.) In SICE, pressing F10 at a call, would execute all of the instructions until the return instruction automatically, without you having a chance to see what is going on inside the call. Pressing F10 steps over calls, while F8 steps INTO calls. When you press F8, you go inside the code. Pressing F10 will carry out all of the instructions it comes across inside the call. You should find that information valuable.. Anyway, back to our example. Look at the code, as you press F10 or F8. Press F10 until you get to the instruction:

call 00405EF0

When that instruction is highlighted, press F8. You should have just pressed F8 instead of F10. There is a good reason for this. You should be looking at the following instructions on the right side of the Code Window:

MOV EAX,[ESP+04]
TEST EAX,EAX
JZ 00405F32
CMP BYTE PTR [EAX],31
JNZ 00405F32
CMP BYTE PTR [EAX+01],36
JNZ 00405F32
CMP BYTE PTR [EAX+02],31
JNZ 00405F32

CMP BYTE PTR [EAX+03],33
JNZ 00405F32
CMP BYTE PTR [EAX+04],35
JNZ 00405F32
CMP BYTE PTR [EAX+05],35
JNZ 00405F32
CMP BYTE PTR [EAX+06],31
JNZ 00405F32
CMP BYTE PTR [EAX+07],30
JNZ 00405F32
CMP BYTE PTR [EAX+08],00
MOV EAX,00000001
JZ 00405F34
XOR EAX,EAX
RET

Okay, I'll try to explain what's going on here. The first line of the above code puts the registration code you entered into EAX. Look in EAX by typing "d eax". Look at the writing in the DATA Window (The one above the Code Window). It will usually be hex, with lots of numbers around 30. Look at the right side of this window. The code you entered should be at the first line. We can see that the first number/letter in view is the first digit of the code you entered. This is the number/letter it compares to the number 31. The second line tests EAX with itself. We can see EAX in the Data window at the moment. When the program reaches the next line of code, if the outcome of the test is 0 (Zero), that means that nothing was entered into the registration box, and if this happens, it will jump to 00405F32. So maybe the code at 00405F32 is the code to tell the program to get the error message. The fourth line of the above code CoMPares the byte at EAX with the number 31. You can find out what the "ASCII" (Normal) value of hex 31 is by typing in "? 31". It will show you different values, the one at the end in the quotation marks is the "Normal Value". We see that Hex 31 = Normal 1. That tells us that the program compares your first digit to 1. If the first digit of the code you entered isn't 1, the program will jump in the fifth line of the above code to the error message (00405F32). So it's pretty good to assume that the code at 00405F32 is the error message process. Looking at the next lines of code, there is a lot of things compared, and always, if the outcome here isn't zero, it will jump to the same address (00405F32), which must mean that this is the process that checks the registration code you entered to the valid code. The next (Sixth) line of code compares EAX+01 to Hex 36. Because it is EAX plus 01 place, which means the second digit of the code you entered. If you type in "d eax+01" it will show you the second digit of the code you entered. EAX+01 is as simple as that, EAX+01. (I hope you understood that!) Type "? 36". You see that it compares the second digit of the code you entered with 6. So we can see that the first two numbers of the valid registration code are 1 and 6. (Assuming, of course, it hadn't already jumped after the 1st compare!). By looking at the rest of the code down to the 19th line of the above code, we can see that the correct registration code is:

16135510

An important thing to mention is that the valid registration code was already inside the program, and didn't have to be calculated.
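The routine just read, written out as an added example (Python; not code from the tutorial or from 5 or More) so the two lessons of this section can be checked: the chain of early-exit compares recovers the code "16135510" exactly, and a program that keeps only a salted digest of the code leaves a disassembler with nothing to read off the CMP immediates. The salt is a constructed value.

```python
# Added example; not code from the tutorial or from 5 or More. It models the
# routine at 00405EF0 as the tutorial read it in SoftICE, then a check that
# keeps a salted digest instead of the code, so a disassembly no longer shows
# the valid code as a row of CMP immediates.
import hashlib
import hmac

# The immediates compared against [EAX+0..7] in the listing: 31 36 31 33 35 35 31 30.
VALID_CODE = bytes([0x31, 0x36, 0x31, 0x33, 0x35, 0x35, 0x31, 0x30])  # b"16135510"


def c_string(buf: bytes) -> bytes:
    """What the routine really sees: the bytes at EAX up to the first 00."""
    return buf.split(b"\x00", 1)[0]


def weak_check(entered: bytes) -> int:
    """Mirror of the routine; returns EAX as it is on RET (1 = good guy, 0 = bad)."""
    buf = c_string(entered)
    if not buf:                          # TEST EAX,EAX / JZ 00405F32: nothing entered
        return 0
    for offset, expected in enumerate(VALID_CODE):
        # CMP BYTE PTR [EAX+offset],expected / JNZ 00405F32: first mismatch ends it
        if offset >= len(buf) or buf[offset] != expected:
            return 0
    if len(buf) != len(VALID_CODE):      # CMP BYTE PTR [EAX+08],00: a 9th char fails too
        return 0
    return 1                             # MOV EAX,00000001 / JZ 00405F34 / RET


class HashedCheck:
    """Stores sha256(salt || code) instead of the code.

    A disassembler now finds a salt and a digest, not the string to type. Two
    limits, both relevant to the tutorial: an 8-digit code space is only 10^8,
    so an offline guess against the digest is still cheap, and the CALL to the
    check can still be overwritten with NOPs exactly as the tutorial does.
    """

    def __init__(self, valid_code: bytes, salt: bytes):
        self.salt = salt
        self.digest = hashlib.sha256(salt + valid_code).digest()

    def check(self, entered: bytes) -> int:
        candidate = hashlib.sha256(self.salt + c_string(entered)).digest()
        # compare_digest runs in constant time, so the comparison's timing does not
        # leak how long the matching prefix is (the CMP/JNZ chain does exactly that).
        return int(hmac.compare_digest(candidate, self.digest))


# Constructed salt for the demonstration; a real build would generate its own.
HASHED = HashedCheck(VALID_CODE, salt=b"5-or-more-demo-salt")


if __name__ == "__main__":
    for code in (b"12345", b"16135510", b"161355100", b"16135510\x00extra"):
        print(code, weak_check(code), HASHED.check(code))
```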

That tells us that the registration code will work for any name you enter. This means that codes will be different for each name that is entered in harder programs. Other more difficult programs will take your entered code, make the correct code for the name you entered, and compare your correct code with the one you entered. (This program is easy to crack). Now, let's look at the rest of the code above. The 20th line compares EAX+08 to Hex 00. If you type "? 00" you'll see that 00 is equal to nothing. That does NOT mean a space. (A space is Hex 20) it means Hex 00 is equal to nothing. 30 is the last digit of the code, so the program is just checking that there wasn't anything entered after the final digit. The actual program won't let you enter more than 8 characters anyway, so this must be in case bad crackers try to modify the contents of the memory. If for some reason, the memory contains more than 8 characters at EAX, it would jump to a different part of code that I haven't bothered to look at because it is irrelevant. See the MOV EAX,00000001. 1 = good guy and EAX=0 is bad. The next line (XOR EAX,EAX) zeros EAX, because it doesn't need it anymore (Note from CrackZ - actually this code is never executed, EAX's value is checked after the RET). The next line is RET (Return). When the program (If the code is correct) reaches this, it will go back to the line after the call we pressed F8 at. See how calls work now? When we are sent to the first line of the above code by the call, there aren't any instructions that jump to a good registration message, only jumps to the bad message.

Before you leave SoftICE, I'll explain something first. So theoretically, it would be possible to crack the program using "Hackers' View" by finding the address of the call to the registration routine, and simply replacing the call instruction with NOP (No OPeration) instructions, so it has just canceled the call without doing anything else. But we'll try that in a minute! You can leave SoftICE now, but make sure you clear all of the breakpoints before you leave, because we don't need them anymore. To do this type "bc *". Get out of SICE (Ctrl-D), now close the program. Go to help in 5 or More, and go to register. Type in any name, and the code we found out. (16135510). WOW! It worked. Don't you feel good? You didn't even have to modify the program's code! It's a "Clean Crack"!

---------------------------------------STOP PRINTING HERE---------------------------------------

Okay. Go to the windows directory and find "5ormore.ini". Delete it. Done? Good. Now go back to the game directory and make a backup of the 5ormore.exe in case we screw up (You may want to rename it 5ormore.w32). Run HIEW (Hackers' View) and open 5ormore.exe. Press F4 and select Decode Mode. Press F5 and type ".0040609D" (This is the address that calls the registration check - The place we pressed F8). You are at the line:

.0040609D E84EFEFFFF call 00405EF0

This is the right line. Look at the disassembly. Look at the E84EFEFFFF. These are the letters and numbers that tell the program what to do. They are what we change. We want to get rid of the call, so we are going to change the bytes that tell the program what to do. To tell the program to jump to the registration check, it needs 5 bytes (Remember, a byte is two characters). A NOP instruction (No OPeration) only requires 1 byte, so we will need to put in 5 NOP instructions. So we need to make sure we replace exactly 5 bytes, no more, no less. Press F3, carefully change the bytes to NOPs by pressing "90" five times. Press F9. Press F10. Go back to 5ormore.exe and run the program.. Go to register and type in a name and any old number (not the correct one). It says regged! Great! Close the program, and then start it again to make sure. It says UNREGISTERED!!!! There is a simple reason for this. Each time the program begins, it gets the registration information you entered last time from the 5ormore.ini file in the windows directory, and then carries out the registration check again on the information to check the information is valid. So unless you want to go to register every single time you play the game, we have more work to do. Run W32Dasm. Open 5ormore.W32 (The backup copy). Click on find. Type in: call 00405EF0

Now click OK. When W32Dasm has found something, write the address down. You should find two occurrences. The first address should be "00405EE2", and the second should be "0040609D". Remember the call to 00405EF0 is the call to the registration check. We are going to get rid of both of these calls that we wrote down. You can close W32Dasm if you want, because I know what we have to do, and we won't need it anymore. Run HIEW and open 5ormore.exe. Press F4 and go to Decode Mode. Press F5 and type ".00405EE2" (This is the first address you wrote down). Press F3. There is 5 bytes in this call instruction, so we will need to type in "90" five times. Done? Press F9 to update the file. Now the next address. Type ".0040609D" (The other address from W32Dasm). Huh? What's this, there's already five NOPs here! Yep, you already changed this one, remember. Yeah, we saw it as a call in W32Dasm, because we loaded the backup file, and we hadn't changed that file whatsoever with HIEW. So close HIEW. Run "5ormore.exe". Wow! It will stay registered this time! (That's because we stopped it from checking the code, so it couldn't jump to the unregistered code routine. Before, we found out that it checked the "5ormore.ini" file when it starts; we made it so that the program didn't find an error with registration information when it starts.) Exit 5 or More, run 5 or More, exit 5 or More, run 5 or More. There we go! If you can find registration codes using SoftICE, do that, because it's so much better than modifying a program. If I get enough E-Mails requesting more tutorials, I'll certainly consider it. If I get enough requests, I'll talk more about finding codes in SoftICE, where the program has to calculate your own code (much harder most of the time).

I hope you all learned something. I hope this information has been valuable! It should have! If you couldn't understand it, go through it all again. (I'm NOT kidding. If you want to learn, you have to understand these things). If you don't understand something in particular, E-Mail me at "Florestan5@hotmail.com". All comments, questions, suggestions welcome. I hope you've enjoyed this tutorial as much as I did writing it. I'm outta here!

FlOrEsTaN
Florestan5@hotmail.com
22nd April 2000

© 1998, 1999, 2000 Hosted by CrackZ.
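Two things the tutorial leaves to the reader, as an added example (Python; not code from the tutorial, from W32Dasm or from HIEW): how the hex on a listing line gives the jump or call target (the address of the next instruction plus the signed displacement, which is why "E84EFEFFFF" at 0040609D is a call to 00405EF0 and "0F8479000000" at 0041BCCE is a je to 0041BD4D), and how to check a program file against the listing of its untouched backup so that a flipped je/jne or a NOPed call is found and named instead of searched for by hand. The listing set and the "after HIEW" bytes are constructed from the instructions printed in the tutorial.

```python
# Added example; not code from the tutorial, W32Dasm or HIEW. It decodes the
# branch encodings met in the tutorial and audits a patched file against a
# W32Dasm-style listing of the unmodified backup.
import struct

# Listing lines in the ":address hexbytes mnemonic" form the tutorial prints.
# The set is constructed for the demonstration; the bytes are the tutorial's.
BACKUP_LISTING = """\
:010026AD E993000000 jmp 01002745
:010025C4 0F84DD020000 je 010028A7
:0041BCCE 0F8479000000 je 0041BD4D
:0040609D E84EFEFFFF call 00405EF0
"""

# Constructed "after HIEW" bytes at the same addresses: the je at 0041BCCE
# edited to jne (84 -> 85) and the call at 0040609D overwritten with 5 NOPs.
PATCHED_BYTES = {
    0x0041BCCE: bytes.fromhex("0F8579000000"),
    0x0040609D: bytes.fromhex("9090909090"),
}

SHORT_JCC = {0x74: "je", 0x75: "jne"}   # 2-byte conditional jumps
NEAR_JCC = {0x84: "je", 0x85: "jne"}    # 0F-prefixed 6-byte conditional jumps


def parse_listing(text):
    """Yield (address, bytes) for each listing line; the mnemonic is ignored."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith(":"):
            continue
        yield int(parts[0][1:], 16), bytes.fromhex(parts[1])


def decode_branch(addr, code):
    """Decode jmp/call/jcc at addr. Returns (mnemonic, length, target) or None.

    The target is the address of the next instruction plus the signed
    displacement, which is why the hex never contains the target itself.
    """
    op = code[0]
    if op == 0x0F and len(code) >= 6 and 0x80 <= code[1] <= 0x8F:
        rel = struct.unpack_from("<i", code, 2)[0]
        return NEAR_JCC.get(code[1], "jcc"), 6, (addr + 6 + rel) & 0xFFFFFFFF
    if 0x70 <= op <= 0x7F and len(code) >= 2:
        rel = struct.unpack_from("<b", code, 1)[0]
        return SHORT_JCC.get(op, "jcc"), 2, (addr + 2 + rel) & 0xFFFFFFFF
    if op in (0xE8, 0xE9) and len(code) >= 5:
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("call" if op == 0xE8 else "jmp"), 5, (addr + 5 + rel) & 0xFFFFFFFF
    return None


def explain_change(addr, before, after):
    """Describe one modified instruction in the tutorial's own terms."""
    old = decode_branch(addr, before)
    if after[:len(before)] == b"\x90" * len(before):
        what = f"{old[0]} {old[2]:08X}" if old else f"{len(before)} bytes"
        return f"{addr:08X}: {what} replaced by {len(before)} NOPs"
    new = decode_branch(addr, after)
    if old and new and old[1:] == new[1:] and old[0] != new[0]:
        return f"{addr:08X}: {old[0]} {old[2]:08X} inverted to {new[0]} {new[2]:08X}"
    return f"{addr:08X}: bytes {before.hex()} changed to {after.hex()}"


def audit(listing_text, patched):
    """Compare each listed instruction with the bytes found in the patched file.

    `patched` maps address -> bytes read from the file; an address missing from
    it is treated as unchanged.
    """
    findings = []
    for addr, code in parse_listing(listing_text):
        after = patched.get(addr, code)
        if after != code:
            findings.append(explain_change(addr, code, after))
    return findings


if __name__ == "__main__":
    for addr, code in parse_listing(BACKUP_LISTING):
        print(f"{addr:08X} {code.hex().upper():<16} {decode_branch(addr, code)}")
    print(*audit(BACKUP_LISTING, PATCHED_BYTES), sep="\n")
```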