
                                        
                         ܰ              
                           ܰ            
                           ݰ            
                             ۱            
                              ۲        
                            ۲     
                             ۲ ݰ      
                                  
                                   ݰ
                                   
                 ݱ         ݱ
                 ۲ ۲        ۱
                  ۲۲       ۱
                    ۱         ۲
                                                    ۲
                                                       

	 -͹ Crackers in Action presents: - 
                    Ľ                              
                   VERY EASY CRACKING TUTORIAL BY : BuLLeT
                                                              March 2 - 1999

Heya !

Once again i'm back. Stronger and more powerfull/describing than ever :)
Actually i didn't think this NEW basic tutorial would be necessary to write
after the last one, cause i thought that i wrote it in a language and at such
a low level that everyone would understand...but i was wrong :( Since the day
i released it i have gotten many emails with questions that are so low that i
almost don't know how to answer. (No offence).

When writing the last basic tutorial i didn't ask ppl what they wanted, and i
guess that was my mistake. Sorry. But i've learned from it and therefore i
asked ppl in #CRACKS what they wanted. Actually i was a little disappointed by
the number of requests cause i only got 3 (THREE) requests. I guess the ppl
who wrote emails to me weren't present at that time ;) But what the hell.. i'm
a nice person and i will help you anyway by, once again, trying to cover the
most frequently asked questions concerning cracking.

In this tutorial you will (hopefully) learn:

 1) The VERY basics of cracking using Windows 32 Disassember (W32Dasm)
 2) The VERY basics of cracking using SoftIce (SICE)
 3) How to make a patch when you've finally found that little (damn) byte (TP)
 4) Then i will try to answer these questions in the best possible way:

    4.1) Basics of Visual Basic (VB) cracking (Req. by EagleWolf)
    4.2) The program is not registered when i restart it?? (Req. by IceFlame)
    4.3) Something about Anti-Softice (Req. by FunkyZero)
    4.4) Basics of encryption (Req. by Z-Wing)

 5) Source-Code for a keygen made in Delphi by BuLLeT & Nobody
 6) Finally i'll tell about why it's so hard to crack...is it?

To follow this tutorial in the best way you must have:
   * Windows 32 Disassembler (required for: 1, 3)
   * SoftIce (required for: 2, 3, 4.3)
   * HIEW (required for: 1, 2, 3)
   * Delphi (required for: 5)

So..ready to go? I hope so cause i'm gonna start now. Or d'ya want just one
minute to catch your breath and start the appz...ok...GO!

1) <----------------

W32Dasm is a disassembler which is perfect if you want to patch a program in
the way that it'll accept ANY name/serial. It's also perfect for removing
those annoying 30 days limit and some other stuff. Generally it's perfect!
But now that you have installed it and you've tried to disassemble a program
you are lost when you see the first piece of code. Don't be..i'll explain.
W32Dasm works in the way that you basicly have two choices. Either you select
the String Data Reference (SDR) and find a piece of text in the program, or
you load the program and break at a NAG-screen. The first example is the most
used, i dunno why cause they're both easy.

When cracking using SDR (you'll find it in the REFS-menu) you will need a
piece of text from the program. This you can find by launcing the program and
watch carefully what it says. Try to enter your own name and a random serial
and note the error-message the program gives you. This is usually:

 * Invalid serial...
 * Incorrect serial...
 * Wrong Serial...

You get the idea. Note it, but don't stop looking. Take a look in the About-
box which almost every program has. There it will probably say:

 * Unregistered Version...
 * Evaluation...
 * NOT registered...

Got it? (if you don't understand what you read until now then you might as
well just skip this and forget about being a cracker :P ) Note that too cause
we'll need that later. Ok..so now you ave two notes messages. That should be
enough to start with. So you may now quit the program and disassemble the EXE-
file in W32Dasm. (select: Open File To Disassemble from the Disassembler-menu)
It will probably take a while to load....wait....ZZZZzzzz..done? Good.

So knowin ghte two messages you select the SDR from the REFS-menu and search
for the first error-message. (Invalid Serial). Look carefully twice, but if
you can't find it go get another program cause then we're talking encryption
or some other kind of string-hiding, which is too hard for you so far. If you
find it go on reading. Double-click the message and note the offset at the
bottom of the disassembler. It should look like:

Line: xxxx Pg xx and xx of xxx Code Data @:xxxxxxxx @Offset xxxxxxxxh in File xxxxxxxx.exe
                                                                                   |
        |      |      |     |                 |                 |
 The: line   page   page  total           Data Code           Offset             File

Note that you will only see this if the GREEN BAR is placed correctly. If you
don't see it, try scrolling up or down a bit and it should get there.

Now that you have double-clicked it and you're looking at the code you know
that this was the first reference of that text in the program. But there might
be more references, so try to double-click it again and watch if the offset
changes. If it doesn't you can close the SDR window and go on. If the line
changes and you now see another offset there is more than one reference to
that particular text and it's now (often) harder to crack the program.
Assuming that you only got ONE reference you will now be looking at the code
right after the registration process. But is this the place we wanna be? Nah!
We want to be where the registration is calculated/compared. We'll get there
by looking from where it's called. Trace/scroll up till you see something like
this piece of code:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:xxxxxxxx(U/C)

This is the address from where the ERROR-message is called. We need to go
there to envestigate a bit further. But i think it's time to explain a bit
first cause this is a point where many newbies *cough* get confused. They
think that the number on the left of W32Dasm is the offset. It's NOT!!!! Note
it and remember it. THe number on the left is the CODE LOCATION of the code.
You can not use this for anything except to step through the file more easily.
So what i mean is explained by this example:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00001234(C)
|
:00001236 8B4DF4        mov ecx, dword ptr[ebp,0C]  <- Ignore this for now
:00001237 5F            pop edi         <- Ignore this for now / GREEN BAR
:00001238 5E            pop esi                     <- Ignore this for now

and the bottom line looks like: (assuming that the GREEN BAR in on 00001237)
                                        
Line..... Code Data @: 00001237 @Offset 000004C3h in File....

What this means is that on Code Location 00001237, which is the same as
Offset 000004C3 there is the following code: POP EDI. (Ignore the code for
now and consentrade on the code location/offset). Understand??...hope so!
NOTE: THe h at the end of the Offset means that it's HEX and is NOT a part of
the offset itself so ignore that too).

Ok..so now we're at the code just below the registration process, but we want
to modify the registration process so let's trace up a bit. We need to trace
to the Conditional Jump (|:00001234(C)) So scroll up and watch carefully for
Jumps... JE/74 - JNE/75 - JMP/EB, and CALLS. Most likely you will see some
code similar to this:

        CMP EAX,EBX
        JE XXXXXXXX

             or

        CALL XXXXXXXX
        TEST EAX,EAX
        JZ XXXXXXXX
        
This code is the most often used but you may see something similiar too. The
first example compares what is stored in EAX to EBX and jumps if the data is
EQUAL. If it's NOT equal it will jump to the ERROR-message (probably the one
you came from).

The second example first CALLS a procedure/routine/function which will compare
the info you entered to the CORRECT info and return a FLAG. This means that
you, in SoftIce, would be able to trace into that call and find the CORRECT
serial and register in the right way. Well it returns a FLAG which is either
0 or 1, to EAX. (ex: MOV EAX, 00000001). Then the program will TEST if EAX is
0 or 1 and depending on the FLAG it will either take you to the CORRECT or the
WRONG message. This is done in the JZ (Jump Zero) line.

Ok..so all of this sounds easy right? Actually it's very logical. Compare two
things, and jump either to the CORRECT or the WRONG place in the code. This
should be easy to understand, but if you of some reason don't, press PgUp and
read from there :)

So, now that you know this and you understand it it should be hard to figure
what to change. Or?? In the first example it jumps if YOUR info equals the
CORRECT info, which it probably won't. So now you have the option of changing
in two ways. You can 1) Change it to say: CMP EAX,EAX, or 2) Reverse the JE to
JNE. The most used way is to reverse the JUMP and that's what we're gonna do
here as well. So what do you do? You plave the GREEN BAR on the JE-line and
notes the OFFSET (at the bottom right ??).

By noting this you have finished my first lesson successfully and you should
now move on to either lesson 2) and learn about SoftIce, or lesson 3) and
learn hw to patch that damn byte using HIEW. What you do is your choice and i
won't leave ya no matter what you do :)


2) <----------------

So, time for some SoftIce basics. First of all you will need to modify the
WINICE.DAT. This is a part that almost EVERYONE forgets and then they can't
get their breakpoints to work. So EDIT WINICE.DAT and look for these lines:

        EXP=c:\windows\system\kernel32.dll
        EXP=c:\windows\system\user32.dll
        EXP=c:\windows\system\gdi32.dll
        EXP=c:\windows\system\msvbvm50.dll
        EXP=c:\windows\system\shell32.dll
        EXP=c:\windows\system\advapi32.dll

Most likely you will have some of these lines but they might have a ; in front
which is the same as disabled. So remove the ; in front of these lines. If
you don't have all these lines you might wanna add them cause you'll sooner or
later need them. Done? Save your work end restart! I'll wait till you get back
for more action...Cya :)

Back? Good. What took you so long???? Well time is relative and so am i so
let's continue this little tut.

Now another problem comes to mind. Cause how do i activate SoftIce? Well one
thing i remember i was asked once is: "But i thought i should use the Symbol-
Loader". NOT!! You don't need to use it. The only thing you need to make sure
is that SoftIce is loaded in your AUTOEXEC.BAT. If it IS mentioned it's loaded
and you should now be ready to go crack da sucka! But before you do anything
i have something to say. SoftIce is an "real-time-debugger" which means that
you can trace through a program line-by-line. This is something that you'll
soon be doing..trust me ;)

One thing you must know is that SoftIce doesn't work like W32dasm. You can not
go back one line if you press the wrong button and finding the offset can be
hard too. This is, however, not something that should terrify you cause you'll
soon see how powerfull and "easy" SoftIce is.

Ok, so the program (the target) is running and you're placed at the REGISTER-
DialogBox. What next? Well as you know SoftIce use breakpoints. We're gonna
use a few of them in a second. What you should see now is something like:

   NAME    : 
   REG NR  : 

   NAME    : 
   COMPANY : 
   SERIAL  : 

This should pretty much cover the often used registrations. So you enter your
OWN name/nick and enter a random chosen serial. (If you have the COMPANY too
then enter your company/group/whatever there). So assuming that this is NOT a
Visual Basic program you now have the following choices. Well actually you
have many more but these are the ones that are often used:

  GetWindowText / GetWindowTextA
  GetDlgItemText / GetDlgItemTextA
  HMEMCPY

These are the breakpoints you'll use in about 95% of the programs you'll meet
in the beginning of your cracking career. The first 4 are the "normal" break-
points which you'll most likely use. The HMEMCPY is a breakpoint which is
called everytime something is copied to/from memory. This breakpoint is not
used THAT often.

So..now all of the inputs are filled and you now need to set a breakpoint. To
do that you will have to enter SoftIce. This is done by pressing CTRL+D. WOW!
what is this? Looks like shit (if it worx). Well maybe not shit but at least
VERY weird in the beginning :P What you need to do now is set the breakpoint.
Do that by typing: BPX breakpoint. (I'm sure someone will enter EXACTLY that
instead of BPX GetWindowText... :) ) But which one should you set? Well this
can be hard to figure so why not set them all? I usually do this and it worx
great so set them all (NOT HMEMCPY) and lemme know when you're done. K? Kay?

Now you should be all set. If you got an error saying: Symbol not defined, you
have forgotten to edit the WINICE.DAT. Modify it, as shown above, and read on.
So, you need to return to the program to activate the breakpoints. Do that by
pressing F5 (=GO). Back into the program you press the OK/REGISTER/CHECK/
WHATEVER the button might say, and you should be back in SoftIce. IF you're
not back in SoftIce it means that you have chosen the wrong breakpoints and
you'll have to try the HMEMCPY. Assuming that you're back in SoftIce you're
now almost ready to go. But do you see a window with the REGISTERS? Or the
DATA window? I doubt it, so therefore you should first type: R <enter> This
should bring up (at the top) a window of registers (EAX, EBX, ECX, EDX...).
Now you activated the register window but you need to press ESC to go back
to the place where you are able to type normal text. Only one more thing to
go. Type: DATA <enter> and once again press ESC. Now you should see 4 (FOUR)
windows. Top: REGISTERS, Top-Middle: DATA, Lower-Middle: CODE-WINDOW, Bottom:
PROMPT. (The place where you can type text). If you do NOT see this you can
move/resize using your mouse. How you put them is your choice but the way i
described makes it easier to cover.

So you're ready to go again. The place where the breakpoint was activated was
at the FIRST input-box (NAME). But we also need SoftIce to read the other
input-boxes so press F5 again. (Assuming that you only have a NAME/SERIAL).
You will have to press F5 as many times as you have input-boxes - 1. If you
pressed too many times you will get back to windows and you'll have to start
over.

Ok, now you will have to press F11 to return from the CALL. (Remember the
Unconditional/Conditional jump in W32Dasm?? This is the same as tracing up).
So..you're now ready to go and the CORRECT serial will be right at your face
in a matter of minutes. In SoftIce you'll need to know the meaning of these:

        F8  = Trace Into
        F10 = Trace Through/Over
        F11 = Return
        ? EAX = Show what's in EAX
        D EAX = The same as above
        S 0 L FFFFFFFF 'textstring'
        S 0 L FFFFFFFF FF,FF,FF,FF (FF = HEX numbers)

If you understand and remember this you're well off. But now i've reached the
point from which i can not really guide you. Cause what to do now warries a
LOT depending on the program you have found. There is not TWO programs which
will show the same in SoftIce. Therefore there is no way to tell you; do this,
do that, press that. You're pretty much on your own tracing the code. Inside
CALLS..outside them. I remember when i first started cracking i typed D EAX
every time EAX changed to see if the serial was there. Actually this will work
and you will succeed by doing it this way but it takes for ever and is NOT
a good way.

What you should do is watch the code carefully. Look how your inputs are read/
manipulated. This can be hard at first but you'll soon notice how it
calculates the length of your name/serial etc. Just keep on tracing (F8/F10),
and you'll see that the serial is hiding there somewhere. Just KEEP looking..
just like this little fella  00

If you can not find the serial but you manage to find the byte to patch you
have two choices. Type D XXXX:XXXXXXXX (the number left to the line). This
will often be like: 017F:00001234 or something similar. Now the HEX value of
the line will be shown in the DATA window. So NOTE the bytes. At least note
8 of them (= FF FF FF FF FF FF FF FF). The other choice you have is to NOTE
the line itself (= JE XXXXXXXX) but this is not a good way to do it cause the
program will most likely have several examples of that code elsewhere in the
text. It is, however, possible.

Ok, that was pretty much all i could teach you. You're on your own!


3) <----------------

So you wanna know how to patch? Sure you do cause what else are you gonna do?
You could chose to manually patch the file or you could make a patch to do it
automatically. It should be pretty obvious what to chose and we're of course
gonna chose the easiest one..i'm too lazy :) To make this patch you'll need
Turbo Pascal for DOS. You must also know the basics of TP programming, but
this should lot be hard since it's easy and very logical. Below i will show
you ONE way of making a patch. This if, however, an enhanced version since i
added FileSize check. (This example is originally made by tKC-CiA'99..TNX!):

* Beginning of Turbo Pascal patch Example *

Program PATCH;                                    <--- Program Name!

Uses
    Crt;                                          <--- Uses the Crt unit!

Const A: Array[1..1] of Record                    
                        A : Longint;                  
                        B : Byte;                     
                        End=((A:$FFFF;B:$FF));    <--- A = Offset, B = Byte    
                                                      
      C: Array[1..1] of Record                        
                        D : Longint;                  
                        E : Byte;                     
                        End=((D:$FFFF;E:$FF));    <--- D = Offset, E = Byte

      txt:array[0..3] of byte =($FF,$FF,$FF,$FF); <--- Text (HEX)


Var Ch:Char;
    I:Byte;
    F:File;
    Size:Longint;
{   GemExitProc: Pointer;}

begin
Assign(F,'FILENAME.EXE');
{$I-} Reset(F,1);{$I+}
If IOResult <> 0 then
   begin
   writeln('Can''t find FILENAME.EXE');
   halt(1);
   end;
For I:=1 to 1 do                                  <---|
begin                                                 |
 Seek(F,A[I].A);                                      |_ First Offset/Byte
 ch:=Char(A[I].B);                                    |
 Blockwrite(F,Ch,1);                                  |
end;                                              <---|
For I:=1 to 1 do                                  <---|
begin                                                 |
 Seek(F,C[I].D);                                      |_ Second Offset/Byte
 ch:=Char(C[I].E);                                    |
 Blockwrite(F,Ch,1);                                  |
end;                                              <---|
begin                                             <---|
 seek(f,$FFFF);                                       |_ Patch the text
 blockwrite(f,txt,4);                                 |
end;                                              <---|
Writeln('Patching complete!');
end.

* End of Turbo Pascal patch Example *

So, this should pretty much cover it. But i'll give a short explanation to you
who do not understand it. First we have the constants which represents the
Offset/Byte to patch. (In this case Offset:FFFF / Byte:FF). So what you need
to do it find the offset and put it in instead of FFFF and also instead of the
FF by the byte. (Could be 74 / 75 / EB / C3). The second part of this patch
gives you the option the change a string in a program. This can sometimes be
usefull if you want to change a text to say: Cracked by... This is, however,
not something that is used very often but i thought i'd include that too. To
patch a text you'll need to get the text in HEX. Then you change the $FF,$FF
to the bytes and change the numbers of the array. This can be a bit tough, but
never the less you should be able to make it work after a lil' while. By doing
this you'll also have to change the FFFF at the seek(f,$FFFF) to match the
offset of where you cant to change the text. Note that you will also have to
change the number at the end of the blockwrite command to fit the array.

When everything is done correctly you can add a bit text or just compile the
program and you'll have a working patch. Note that before you even think of
distributing it you MUST test it so you don't spread a NOT working crack.

I hope this helped you a bit on the way of making a patch. If you for some
reason don't have Turbo Pascal then please don't come bugging me for it.
Search the Warez sitez or something, i do NOT provide that kind of help!
Once again tnx to tKC for providing me with this code in the first place.

4) <----------------

Well, this part is actually new. Usually i just write tutorials for programs
that i've cracked myself, but this time i figured that if i could help people
to learn by answering their own questions it would be much better. So that's
why i've made this section. If i get more subject-requests i will of course
continue this section in the future tutorials.

4.1) <----------------

EagleWolf old buddy old pal..finally you got the guts to ask for help :) j/k
You wanted to know the basics of Visual Basic (VB) cracking. Normally i would
advice you to skip VB cracking until you get better and more experienced,
cause VB cracking can really be a bitch sometimes. Never the less i'm kind
and wanna help an old friend - not to mention all the other ppl out there who
is also interested in this subject.

VB cracking can be approached in two ways. Well actually several ways, but the
only ways you need to know are the following: SmartCheck (SC) / SoftIce.
Cracking a VB app using SC can sometimes be VERY easy and it is just a matter
of minutes before you have the correct serial right in your face. This you
will some day see cause there are a lot of bad programmers out there :P
In SC you will not have to set any breakpoints or anything else that might
make you give up. You will only have to launch SC, load the file and RUN it.
It will then pop up and a dialog will be showed to you. On this dialog there
is a button called "Acknowledge", which you will, sometimes, have to click
MANY times. But for now you launch the program, run the file and click that
button until you're inside the program. Then you go to the REGISTER screen and
like before you enter your OWN name and a random serial. Then you click the
REGISTER/CHECK/WHATEVER button there might be and go back to SC. The window
on the left should now have expanded a bit and you should see something like:
+Register_Button_Click, or something similar. What next? Well you see the +
in front of the line? I wonder what that means...why not click it? Done? Good!
Now you have expanded the things that happens when you press that button. The
list of actions taken after clicking REGISTER can sometimes be very long and
complicated but most often it's rather small and easy to attack.

What to do next is hard to tell. Well actually it's not, but i can't say that
you have to do this and that and stuff, cause not TWO programs are the same.
You will simply have to click the actions you expanded and look at the window
on the right to see if there is a suspicious number. This number will most
likely appear right after the random number YOU entered, since they'll need to
be compared. Look carefully and note any suspicious number you find. If you
can not find any numbers, look again VERY carefully. If you still can't find
any number then the programmer thinks he's a smart ass and you'll now need
a stronger and more powerfull toy of this world.....

So what are you waiting for??? Launch SoftIce and let's crack that sucka!
(load Softice the way i described earlier in this text).

Cracking VB appz using Softice can also be hard but never the less it's
possible. One reason why so many ppl give up on a VB app is that they don't
respond to normal breakpoints. Then ppl don't know what to do and they delete
the program instead of KEEP trying!! When cracking VB you will VERY often use
the breakpoint called: HMEMCPY. This breakpoint will break every time data is
copied to/from memory, so thre must be an easier way. Lucky you...there IS!!
Almost all VB appz also use the breakpoint: MultiByteToWideChar, cause that's
the way VB reads the input. It converts all input to WideChar. As an example
of this: 'BuLLeT'  will be 'B u L L e T'. This process is called MultiByte...
So if you want to search for your name while cracking a VB app you'll not find
anything unless you type: S 0 L FFFFFFFF 'B u L L e T' If you forget the
spaces you will not get an answer to the search.

So where do i want to go with this? Well since 99% of all VB appz do this, it
may be a good idea to use it. Or am i wrong? You tell me! Since it converts
ALL your input to WideChar you will be, using this, able to break right in
front of where your name/serial is converted. This means that you may break
almost right in front of the REAL serial!! Great eh? How you find the serial
after setting this breakpoint is up to you, but try to read the part about
SoftIce in this text for further information.

4.2) <----------------

(In this part i assume that you have succesfully cracked a program into
accepting ANY name/serial but that it's not registered when you restart it).

A program not being registered is one of the most common questions, cause how
do you attack such a program? This scares a lot of ppl away but why? Is it
really THAT hard to crack? You'll soon learn that it's NOT! Again you need to
think logical. How come the program is not regged when you restart? Well it
must have some kind of check upon startup to see if the info is correct. But
where is that info stored? Well, some programmers hide the info, and maybe
even encrypt it, in the EXE-file itself. If you have such a program i would
advice you to go on to another program since that's way above your level YET!
The most commonly used place is INI-files or the Registry. The program will
most likely write the info you type into one of these and check when you
restart it. So what we need to do it remove that check right? Yep :) Finding
this check can some times be hard, but in 90% of the cases it's pretty easy.
You can not find such a check by searching for .INI / Reg in the SDR part
of W32Dasm, but what you need to do is find a piece of text in the program
which shows that it's IS/NOT registered. An example of this could be:

        * Evaluation Copy
        * Trial Version
        * 30 days period
        * Licensed to:
        * Registered to:

The most used is the Lincensed to:/Registered to:. This text you'll probably
find in SDR. So double-click it and trace up like before. Now you should see
some references and other stuff that might not be important but somewhere in
that code you'll see a CALL in which the INI/Registry is called. When/if you
find that particular CALL you'll see something like: GetPrivateProfileString,
RegQueryValue. You will of course not be able to find this ALWAYS but in the
cases where you find it you should also see a JE / JNE / JZ / JNZ command
very close. What this means is that it reads your input, calculates it and
compares it to the number it SHOULD have been. So like before you will need to
reverse that Jump.

This is the most used way of reading registration upon startup, but of course
there are many more. Unfortunately i don't have time to describe all of them
but read and learn !! Luck coming at ya !


4.3) <----------------

FunkyZero, i'm actually kinda lost here cause i don't really know what you
want me to write about. How to remove a Softice check? How to code it? Well i
think that you wanna know how to remove it so that's what i'm gonna try to
tell ya.

First of all; if you, as one of your first programs, get a program which has
anti-softice code i would advice you to skip it. Removing such a check CAN be
REALLY hard, and there is actually no way to describe how to remove such a
check. This is because there are several ways to code such a check and
programmers do not code alike. There is, however, in some cases a way to do it
rather easily. This is when the program crashes and gives you a GPF (=General
Protection Fault). When you get this message a Code Location/Offset will be
given to you and this is exactly what you need. Cause as you see the check
must have been performed right before this GPF. Therefore you will note the
location and disassemble in W32Dasm. Then go to that location and look
carefully. You will look for code looking like:

        Cmp xxxxxxxxxxxxx, 01   (note the 01)
        Jz xxxxxxxx

                 or

        Cmp xxxxxxxxxxxxx, 00   (note the 00)
        Jz xxxxxxxx

When checking for Softice a FLAG is set (0/1) to tell the program whether the
check was successfull or a failure. This is the 00 / 01 that desides that.
Then the program checks (in the lines above) and jumps if the result is Zero.
This means that if you reverse the Jump the check will be removed. You can
also change the 00 to 01 in the Cmp-line to make it perform a reversed check.

But now you might encounter another problem, cause what if the program is
encrypted/packed.....

4.4) <----------------

Tnx for leading me on to this Z-Wing!

IF the program you're trying to crack is encrypted/packed you can not just
disassemble in W32dasm and change the code cause that might crash the program.
So what you need to do is decrypt/unpack it first. But before you do that you
will have to check how it is protected. By this i mean that it's no good to
decrypt a packed program nor is it any good to unpack an encrypted program.

So you need to see how it is protected first. This can, in one way, be done by
HIEW the file and look at the first page. There you'll see info like:
.data / .text / .rsrc. If you see this the program is most likely not
encrypted. Another way is to search for text in the program. Like: Registered,
Unregistered etc. If you see this text the chance that the program is
encrypted is rather small. There is, however, a chance that the author has
used some other kind of encryption but patching should now be possible. (Note
that if the program has CRC-check patching will not work).

Let's assume that the program is packed we will now need to unpack it. There
are many ways to unpack a program. Manually is, if you're good, the best way,
but if you suck you should use an unpacker instead. Like ProcDump. For further
info on using procdump read the manual included in the procdump archive.

Procdump supports unpacking of several packers so the chance that yours is in
there is rather big. So you run ProcDump, select Unpack, select the FILE,
unpack and try to patch again. If you succeed CONGRATULATIONS! If you don't...
..well then try another program ;)

This was the first part of encryption in programs. The next part i'm gonna
describe is how to encrypt text in a Delphi application. Encrypting text in
a program is actually a good way of confusing crackers cause they can lot,
like i mentioned earlier, search for the text in SDR. They'll only find some
strange things which they can not seperate. Therefore use encryption when you
code. An example of such a procedure could be this:

Procedure TXTCRP(Var S: String);
Var
   X: Byte;
Begin
    RandSeed := Length(S);
    FOR X := 1 TO length(s) DO
      S[X] := Chr(Ord(S[X]) XOR (Random(512) OR 512));
End;

Var Name: String;
Begin
   Name := edit1.text;
   TXTCRP(NAME);
   edit1.text := Name;
End.


This is a simply encryption procedure which will hide a text. This is, however
, not ONLY an encryption procedure but also decryption. If you do the
TXTCRP(NAME) again you'll get the decryption text. This is not a hard way of
encrypting your text but i bet that many ppl will be confused by this. Do this
to all of the text in the program, for example in the Form1.Create so that all
the text is decrypted when the program starts.

I hope that tought you a bit about encryption of files and text within files.


5) <----------------

Actually i didn't really plan to include this, but since Nobody agreed, and
i got an email asking for some keygen source-code in Delphi4, i thought that i
might as well include it. I will not provide any describtion on how to make it
, nor will i help if you can't make this code work. This piece of code is for
a prgoram called HotChrome ScreenSaver. This keygenerator is made by
BuLLeT & Nobody.

procedure TForm1.Button1Click(Sender: TObject);
var
   i, i1 : integer;
   s, s1 : string;
begin
     s := edit1.text;
     i1 := strtoint(s);
     i := ((i1 div 3 And (94917020 + 1949)) Mod 2147483647) + 1;
     s1 := inttostr(i);
     edit2.text := s1;
end;

Hope this will teach someone who just needed the last bit the final stuff so
he'll be able to make a keygen next time himself. :P


6) <----------------

To end this text i would like to say to all the newbies out there:

          ???????????? WHY IS IT SO HARD TO LEARN ????????????

This is is definately not the first tutorial you've read, it might be the
easiest though, but don't you learn anything from reading tutorials? I bet
80% of all of you have every single version of tKC's tutorials volume #1-#15,
and that you have read them several times. But why? Don't you learn anything
from them? Or do you just read them and delete them? Do you quit if you can't
successfully set a breakpoint the first time you try? Don't you ever wanna
become 3l33t? Talk to the vice guys?

This final note is not ment as anything bad, but i just have a hard time
understanding how people could STILL ask questions after they've read my last
tutorial (BASIC). I really tried to go very deep into all areas but still i
get questions like: "Could you take a look at this...i've spend 4 days trying
to crack it but it's TOO HARD!". And then when i crack it i find that i only
had to change 74 to 75 ONE place and it could be found EXACTLY like i told in
the BASIC.

Oh well, i guess i'll just have to drink a beer and calm down or sumfing. As a
final advice i'd like to say: DON'T GIVE UP !!! Even if you have a hard time,
and you've tried to crack 5 programs in one day but none of them worked. Do
NOT give up! Who knows..maybe the next day you'll crack 5 programs. This is
not just something i say to keep you going..this is actually what I did !

* Final Words

Wow..so this was the longest tutorial by me so far huh? Maybe the longest ever
:) I hope you read every single line and that you understood it, cause IF you
understand this text you'll see that it's not that hard to crack after all.

If you think this tutorial is good and you want to contact me don't hesitate
to email me. But when/if you do, please do NOT send me files without my
permission. Another thing you'll need to do is, if it's a program you
need help with, include the name of it. This you'll have to do in every single
email you write me cause i get a LOT of emails and i can't remember which
program belonged to what email. Do this and i'll answer your questions !

Oh yeah before i forget. Those of you who can easier type German, do it! I
both write and understand it. This also goes for Norweigan, Swedish & Danish.


* Greetings fly out to

Z-Wing          -> You'll make it some day dood!
EagleWolf       -> Keep working..on cracking i mean :)
Ms_Jessca       -> *huggz* ;)
Nitallica       -> Nice to have you back.
HarvestR        -> You give me greetz i give you greetz :)
aCD^^^^         -> Ich bin geil auf dich..hehehehe
Nobody          -> Tnx for 50% of keygen source-code


------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------

Written by [BuLLeT-CiA'99]
E-Mail: BuL_LeT@hotmail.com

------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------

