_CbD_'s Tutorial #2: Rummy 500

Well, here is a look at a different way of cracking VB3 programs.

Target: RUMMY 500 (Version 3.8)
Get it here: Comes with the tutorial
Tools needed: SoftICE v3.xx

OK, let's talk about the program first. Well, it is OK for a VB3 game, and considering it was done by a woman (not a sexist remark ;-) ), anyway this is really a nice game if you like the card game rummy, BUT this lady seems to think that she must put nag screens everywhere. Hmmm, I hate that, so that is what is driving this crack. There are nags at the end of every hand (with a 10 sec delay) and this is just not fair to us who wish to evaluate it to the full ;-). OK, that is enough about the program. Now, as always, we will be doing this in steps, so let's get started.

Step #1

OK, we have to find out a little info about the program, so we use QuickView (see Tut #1 for info on QuickView) to find out a little about our pup here. Hmm, looks like a VB3 file. OK, well, that takes care of that, cause we know we can't crack VB programs cause they don't use any of the normal functions that we set our breakpoints on, right? WRONG. If you have read my Tut #1 or razzia's VB tuts you will know we can crack VB programs just as fast as, if not faster than, any other...

OK, now let's do a little searching to see if we can find out any info on the program, so we look in the dir that we installed to, and what's this? Two files that might be of some use: one is Rummy500.faq and the other is Readme.txt, so let's see what's in them. First the FAQ. Hmm, nothing there that seems to help, so next the Readme.txt..... What's this? Do you see what I see?

****************************************************************************
IMPORTANT NOTE: MeggieSoft Games does not process any registrations between December 15th and January 15th. Any registrations received during this period will be processed after January 15th. The registration reminder will not be displayed between December 20th and January 15th.
****************************************************************************

No way, it can't be that simple, not with a program that has so many nags. Well, let's try anyway. Change your system's date to, say, January 1; that would give us 15 days. Hmm, well, they are right: no 10 sec delays, but yup, there is still a nag screen, and we just can't live with this, can we ;-) but it was nice of them to tell us anyway. So change your date back so we can enter a reg number and crack it.

Step #2

OK, now we have not found anything that we can really use to help us, other than knowing that it is a VB3 program, so let's get started cracking it. First let's start the program and wait for that nagging 10 sec delay to go by, and then press Register. Damn, more screens, what is this shit... OK, press Enter Registration. Hmm, Name and Number. Well, that is not good: that means most likely this won't be just some serial number for us to find in SoftICE that was hardcoded in. Not that this will make it any harder, it will just take a few more minutes.

Step #3

OK, now enter a name. I use (CbD! Cracked). Don't use this, cause you are cracking it, not me ;-). Now enter a serial number. I use (7777777). Now press Enter and see what happens. Hmm, not a good serial number. Well shit, we knew that already, so press OK. Hmm, well, we get another shot at it without having to start over. Good, I like this.

Step #4

Press Ctrl-D and pop into SoftICE (if you don't have SoftICE you can't do this crack). Now let's set a breakpoint on hmemcpy, so do this:

BPX HMEMCPY

and press Enter.
Now we have a breakpoint that should pop us into SI (SoftICE) when we hit Enter in the registration screen. So now (if you didn't have any other breakpoints set; if you did, clear them before you go on: you can do a BC * and then press Enter and reset the HMEMCPY breakpoint so it is your only one) press Ctrl-D and you should land back in the registration screen.

Step #5

Press Enter. Boom, back to SoftICE we go. OK, now we are in the HMEMCPY function. We don't want to be here, so we press F11 to get back to the function that called HMEMCPY. But wait, this little program had 2 boxes, remember? 1 for the name, 1 for the number. So this is most likely the name function, and this (you can crack it from here, but it takes forever) is not what we want; we want the serial number, right? OK, so press F5 and pop right back into SoftICE we go, and yes, back to the HMEMCPY function, so press F11 again to get out of it. Now we should be looking at something like this:

17CF:0B40 CALL KERNEL!HMEMCPY
17CF:0B45 PUSH WORD PTR [DI]
17CF:0B47 CALL KERNEL!LOCALUNLOCK
17CF:0B4C MOV AX,SI

OK, the addresses may differ but the code should look the same. Well, this doesn't look too interesting to us right now, so let's step in the code a bit with F10. Press F10 and you see the lines advancing as you press the key. OK, well, you will see a few POPs and then LEAVE and RET <---(interesting). We are in a function that called HMEMCPY and now we seem to be fixing to return from the one that called this one. Hmm, OK, let's keep pressing F10. Do this about 10 times or so, or until you see the code below (note: you should press F10 a total of 14 times after the last F11). There will be a RET that will land you at:

0C0D POP DS    <------ Should land here
0C0E POP BP    <----- Hmm, what is this?
0C0F RETF 000C <---- This looks to me like a compare return, cause it loads 2 values then returns, most likely to where they are compared (I know this already cause I traced it down for you).

Now here is what my window looked like when I stepped through 14 times:

EAX=056A000B  EBX=000275EA  ECX=00000000  EDX=06700000  ESI=00021B74
EDI=00020106  EBP=000062A0  ESP=000062A0  EIP=00000C0E  o d I s Z a P c
CS=17CF  DS=2B57  SS=2B57  ES=3387  FS=059F  GS=011B
----RUMMY500(02)------------------------------------dword---------------PROT---(0)--
2B57:000062A0 0F0E:62BC 0000:1807 3387:115E 000D:000C  .b...... ..3....
2B57:000062B0 0106:0D7C 1B74:0002 2B57:0002 0381:62D8  ].....t...W+.b..
2B57:000062C0 0001:1807 115E:0000 000C:3387 37F4:000D  ...... ..3.....7
2B57:000062D0 0BF4:0002 0386:17CF 0751:632A 0001:1207  ......*CQ.......
2B57:000062E0 115E:0000 000C:3387 0D7C:000D 17CF:0BF4  .....3..........
2B57:000062F0 0106:2B57 01E6:0106 0000:33D7 3032:33D7  W+.......3...320
2B57:00006300 3632:2D30 3933:2D36 0588:0035 6352:0043  0-266-395...C.Rc
----USER!BOZOSLIVEHERE+001C---------------------------------------------------PROT16-
17CF:0C0A CALL 25C2
17CF:0C0D POP DS         <----- Load value #1
17CF:0C0E POP BP         <----- Load value #2
17CF:0C0F RETF 000C      <---- Go back and compare them
17CF:0C12 MOV AX,171F
17CF:0C15 MOV ES,AX
-----------------------------------USER(0A)----------------------------------------

Hmm, then we should be able to check the values of DS & BP (I already know the one that holds the good serial #). So let's do this: ED BP and press Enter. You should see something like the above data window. (Note: make sure your window is fairly wide so you can see all the data, or scroll down.) Now I can't say for sure, but every time I have done this I have gotten a valid code (I haven't looked very deep into the program yet), so I can't give you the exact reason this code is here, but I will soon make a keygen and give a full explanation of the code, so look for it soon.
Well, now if you look you will notice that there is a string of numbers divided by a "-". Mine is 3202-266-395; well, my code was 202-266-395. This will not work for you as it is different for every computer, even if the names are the same (note: do not use special characters in the name, i.e. _ [ / ] - + < >; use only numbers or letters), so look to see what yours is. You may or may not have 4 numbers in the first part of the string; if you do, ignore the first number as it is not part of the code. If you notice, the same number appears just before the string, so drop that one off and use xxx-xxx-xxx. Well, that should do it. Just clear your breakpoints (BC *) and return to the program (Ctrl-D) and then enter your code, and Boom, there you are, no more nag screens..

But please do register, as the author has done a good job on this one, even if they did put so many nags in it, and the fee is only $12, like that is too much.......

Well, hope this helped you some and helped you to understand a little more about VB programs, and if not, at least you got a cool game without nags (unless you still can't crack it), and even then you know how to get rid of the 10 sec delays: CHANGE THE DATE... duhhhh. OK, well, that's all for this one. All tutorials I write will be available from Http://users.quicklink.net/~cbd/c4n or http://mexelite.home.ml.org

ENJOY...........

_CbD_ [ME/C4N'97]

Oh yeah, I almost forgot: you can change the back of the cards to whatever you wish by editing the rummy500.bmp file in an editor such as PaintBrush (comes with Windows). Just thought you might want to know that. Mine say Cracked by CbD ;-)
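The reason the valid code sits in the data window at that compare is, by the author's reading above, that the program computes the expected code on the user's own machine and then compares it with what was typed, so anyone with a debugger can read it. The fix on the vendor's side, shown here as an added example that is not MeggieSoft's code (the game's real scheme is unknown beyond what the tutorial observes), is to make the code a vendor signature over the name and a machine identifier so the product ships only a public key and nothing in its memory can produce a valid code. The machine identifier is assumed to be supplied by the caller, and this defends against code recovery and keygens, not against patching the branch after the check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base32"
	"fmt"
	"strings"
)

// Unpadded base32 keeps the typed code to A-Z and 2-7, which a user can type.
var codeEnc = base32.StdEncoding.WithPadding(base32.NoPadding)

// payload binds a code to both the registered name and the machine, which is the
// binding the tutorial observes (same name, another computer, different code).
// machineID is assumed to come from the caller; how it is derived is out of scope.
func payload(name, machineID string) []byte {
	return []byte(strings.TrimSpace(name) + "\x00" + machineID)
}

// VendorIssue runs only at the vendor: the private key never ships with the game.
func VendorIssue(priv ed25519.PrivateKey, name, machineID string) string {
	return codeEnc.EncodeToString(ed25519.Sign(priv, payload(name, machineID)))
}

// ClientCheck is what ships. It holds only the public key, so no value that a
// debugger could read out of its memory is a valid code for any other input.
func ClientCheck(pub ed25519.PublicKey, name, machineID, typed string) bool {
	sig, err := codeEnc.DecodeString(strings.ToUpper(strings.TrimSpace(typed)))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, payload(name, machineID), sig)
}

func main() {
	// Key generation happens once at the vendor; done here so the demo runs alone.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	code := VendorIssue(priv, "CbD! Cracked", "constructed-machine-A")
	fmt.Println("code:", code)
	fmt.Println("same name, same machine :", ClientCheck(pub, "CbD! Cracked", "constructed-machine-A", code))
	fmt.Println("same name, other machine:", ClientCheck(pub, "CbD! Cracked", "constructed-machine-B", code))
	fmt.Println("tutorial's 7777777      :", ClientCheck(pub, "CbD! Cracked", "constructed-machine-A", "7777777"))
}
```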