How to find the password for David's Backgammon by DABERT

Hell0 and welcome to my first tutorial. Best viewed in full screen with word wrap on.

David's Backgammon
Version: 2.7.7
Size: 458 Kb
Type of software: Shareware
Author: David Byrum
David's Backgammon Home Page: http://members.aol.com/WinGammon/backgammon/
Tools used: Softice 3.25
Type of protection: serial [three letter password]

David's Backgammon is an excellent version of the classic board game, played against a friend or a computer opponent. David's Backgammon lets you get advice on moves and the doubling cube, take back moves and doubles of the cube, pick up more than one piece at a time, display the best moves, set up any board situation, change board colors or create your own, choose from multiple board sizes, keep statistics on up to four pairs of players, and more. You can choose from five skill levels for your computer opponent, so all players from beginner to advanced can enjoy the game. It also features an extensive help system including rules of the game, tournament play, an easy-to-use interface with great graphics, sound effects, and more.

Limitations in downloadable version: You cannot save games. You are able to finish only about half of the games. Well, we're going to fix that, aren't we.
First of all, unzip the game to a directory of your choice and run it. A little dialog pops up saying that this is a demo version and that you can only finish about half the games you play unless you send the author the three letters shown and $20, so you can receive an unlock code to make the game fully functional. So what we want to do now is click the OK button, then click REGISTRATION on the menu bar and go down to ENTER PASSWORD. Enter any three letters [I entered dab] but don't click OK. Enter Softice [ctrl-d] and put a breakpoint on HMEMCPY: just type bpx hmemcpy and hit return, then ctrl-d again to get out of Softice and return to the game. Now hit the OK button and you should be back in Softice.

KERNEL!HMEMCPY
012F:9E18 55         PUSH BP                <-------- WE LAND HERE
012F:9E19 8BEC       MOV BP,SP
012F:9E1B 1E         PUSH DS
012F:9E1C 6657       PUSH EDI
012F:9E1E 6656       PUSH ESI
012F:9E20 FC         CLD
012F:9E21 668B4E06   MOV ECX,[BP+06]
012F:9E25 67E377     JECXZ 9E9F
012F:9E28 6633F6     XOR ESI,ESI
012F:9E2B 668BFE     MOV EDI,ESI
012F:9E2E C5760A     LDS SI,[BP+0A]
012F:9E31 C47E0E     LES DI,[BP+0E]
012F:9E34 668B460A   MOV EAX,[BP+0A]
012F:9E38 663B460E   CMP EAX,[BP+0E]
012F:9E3C 734E       JAE 9E8C

Now we'll disable the breakpoint we set like this: type bd 00 and hit return. We don't want to be here, so press F11 to get out of this function and we should end up here.

17C7:0B40 9A189E2F01 CALL KERNEL!HMEMCPY
17C7:0B45 FF35       PUSH WORD PTR [DI]     <-------- WE LAND HERE
17C7:0B47 9AB0013701 CALL KERNEL!LOCALUNLOCK
17C7:0B4C 8BC6       MOV AX,SI
17C7:0B4E 5E         POP SI
17C7:0B4F 5F         POP DI
17C7:0B50 C9         LEAVE
17C7:0B51 C20A00     RET 000A

We don't want to be here either, so press F12 4 times, then F10 a number of times until we end up at the piece of code below. You should see DGAMMON!CODE+000214e1 at the bottom of the code window. F10 all the way to where I've marked WE WANT TO FOLLOW THIS CALL.
014F:004224E1 E8937D0400 CALL USER32!SendDlgItemMessageA
014F:004224E6 0FBFD6     MOVSX EDX,SI             <-------- WE LAND HERE
014F:004224E9 C64415F500 MOV BYTE PTR [EDX+EBP-0B],00
014F:004224EE 6A01       PUSH 01
014F:004224F0 53         PUSH EBX
014F:004224F1 8B4B0C     MOV ECX,[EBX+0C]
014F:004224F4 FF5120     CALL [ECX+20]
014F:004224F7 83C408     ADD ESP,08
014F:004224FA 8B4319     MOV EAX,[EBX+19]
014F:004224FD 0584CE0000 ADD EAX,0000CE84
014F:00422502 8D55F4     LEA EDX,[EBP-0C]
014F:00422505 50         PUSH EAX
014F:00422506 52         PUSH EDX
014F:00422507 FF7319     PUSH DWORD PTR [EBX+19]
014F:0042250A E83579FFFF CALL 00419E44            <-------- WE WANT TO FOLLOW THIS CALL

Press F8 on the line I've marked WE WANT TO FOLLOW THIS CALL and we should end up at the following piece of code.

014F:00419E44 53         PUSH EBP                 <-------- WE LAND HERE
014F:00419E45 8BEC       MOV EBP,ESP
014F:00419E47 51         PUSH ECX
014F:00419E48 53         PUSH EBX
014F:00419E49 8B4508     MOV EAX,[EBP+08]
014F:00419E4C 8D55FC     LEA EDX,[EBP-04]
014F:00419E4F 52         PUSH EDX
014F:00419E50 FF7510     PUSH DWORD PTR [EBP+10]
014F:00419E53 50         PUSH EAX
014F:00419E54 E81D020000 CALL 0041A076
014F:00419E59 83C40C     ADD ESP,0C
014F:00419E5C 8B5D0C     MOV EBX,[EBP+0C]
014F:00419E5F 53         PUSH EBX                 <-------- OUR FAKE PASSWORD
014F:00419E60 8D45FC     LEA EAX,[EBP-04]
014F:00419E63 50         PUSH EAX                 <-------- THE GOOD PASSWORD
014F:00419E64 E8EC000500 CALL KERNEL32!lstrcmp
014F:00419E69 85C0       TEST EAX,EAX
014F:00419E6B 7507       JNZ 00419E74
014F:00419E74 33C0       XOR EAX,EAX
014F:00419E76 5B         POP EBX
014F:00419E77 59         POP ECX
014F:00419E78 5D         POP EBP
014F:00419E79 C3         RET

Now if you sit on PUSH EBX and do d ebx you will see your fake password in the data window; F10 down to PUSH EAX and do d eax and you will see the correct password in the data window. The check is nothing more than an lstrcmp between the string you typed and the expected one, so the expected three letters have to be sitting in memory in cleartext at the moment of the compare. Make sure you write your 3 letter password down and ctrl-d to get out of Softice. Now enter what you found and you will have a fully functional copy of David's Backgammon, for evaluation of course.
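The weakness the trace above exposes is that the expected password is compared in cleartext with lstrcmp. The following is an added example in C (my own code, not the game's) that puts that pattern beside a hardened one which keeps only a digest of the expected value in the binary; the "xyz" secret, the FNV-1a stand-in hash and all function names are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Weak pattern, the shape seen in the trace above: the expected value is
 * materialised as a cleartext string and handed to a string compare, so it
 * can be read straight out of the compare's second argument.
 * "xyz" is a constructed demo secret, not the game's password. */
static const char DEMO_EXPECTED_PLAINTEXT[] = "xyz";

int weak_check(const char *entered)
{
    char good[4];
    strcpy(good, DEMO_EXPECTED_PLAINTEXT);  /* cleartext now sits on the stack */
    return strcmp(entered, good) == 0;      /* lstrcmp-style compare */
}

/* Hardened pattern: keep only a digest of the expected value in the binary,
 * hash what the user typed, and compare digests in constant time.
 * FNV-1a is a non-cryptographic stand-in here; a real password hash or an
 * HMAC over a per-user value belongs in production code. */
static uint32_t fnv1a32(const char *s)
{
    uint32_t h = 2166136261u;               /* FNV offset basis */
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;                     /* FNV prime, wraps mod 2^32 */
    }
    return h;
}

/* Returns 1 if a == b, 0 otherwise, without a data-dependent branch. */
static int ct_equal32(uint32_t a, uint32_t b)
{
    uint32_t d = a ^ b;
    d |= d >> 16; d |= d >> 8; d |= d >> 4; d |= d >> 2; d |= d >> 1;
    return (int)(~d & 1u);
}

/* Precomputed fnv1a32("xyz"): the hardened path never touches cleartext. */
static const uint32_t DEMO_EXPECTED_DIGEST = 0xC4A1E8E0u;

int hardened_check(const char *entered)
{
    return ct_equal32(fnv1a32(entered), DEMO_EXPECTED_DIGEST);
}
```

A three-letter secret is small enough that its digest can be brute-forced offline, so hashing only removes the cleartext from memory; a licence check that must resist a local debugger needs a code derived from something the program does not hold, such as a server-issued or keyed value.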
I don't have to tell you that if you want to keep this game, please send David the $20 he's asking for this excellent backgammon game. He's gone to a lot of trouble to make this one of the best around.

Well, that's it for my first tutorial. I hope I've helped you out in some way on the way to becoming a cracker. I'm still in the learning stage myself and reading as much as I can.

SEEYA, DABERT