Cracking Tutorial for TORN@DO's ID CrackMe 2.0
 
 


Target Program: TORN@DO's ID CRACK ME 2.0
Description: TORN@DO's ID CRACK ME 2.0 is a little program on which you can try your skillz!
Protection: Registration Code
Tools needed: SoftICE 3.24, W32Dasm 8.9
Ob duh: Do I really have to remind you all that BUYING and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue to offer even more challenges to breaking their often weak protection systems?
BTW, it's illegal to use cracked software!

If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks, etc.
Info: Brand and product names are trademarks or registered trademarks of their respective holders.
Notes: - My$ticL wrote this tutorial on 27th January 1999.
- Tutorial slightly edited by TORN@DO.
Level: (X) Beginner ( ) Intermediate ( ) Advanced ( ) Expert

Open the file IDCRKME20.exe with W32Dasm. We have to look for something like "Registered Successfully" in the "String Data References". I found "REGISTERED!".
 
* Referenced by a CALL at Address:
|:004012BA   
|
:00401520 83EC10                  sub esp, 00000010
:00401523 8B0D70974000            mov ecx, dword ptr [00409770]
:00401529 030DAC974000            add ecx, dword ptr [004097AC]
:0040152F 53                      push ebx
:00401530 56                      push esi
:00401531 81F9FFFFFF7F            cmp ecx, 7FFFFFFF
:00401537 57                      push edi
:00401538 7606                    jbe 00401540
:0040153A 81E9FFFFFF7F            sub ecx, 7FFFFFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401538(C)
|
:00401540 890D70974000            mov dword ptr [00409770], ecx
:00401546 390D88974000            cmp dword ptr [00409788], ecx
:0040154C 7563                    jne 004015B1
:0040154E 8D44240C                lea eax, dword ptr [esp+0C]

* Possible StringData Ref from Data Obj ->"REGISTERED!"
                                  |
:00401552 686C844000              push 0040846C
:00401557 50                      push eax

At 00401531 ECX is compared with 7FFFFFFF. If ECX is below or equal, the jump to 00401540 is taken. There ECX is written to [00409770] and then compared with [00409788].

So we start the CRACK ME and type in our name, group and serial. I used "My$ticL" as name, "RULES" as group name and "1234567890" as serial. Now we enter SoftICE and set a breakpoint on execute (BPX) on HMEMCPY. Press CTRL-D to leave SoftICE and then press the "CHECK" button. SoftICE pops up. As we know that there are 3 input fields, we press CTRL-D twice more. Press "F12" about 9 times till we're in PROT32! Type: g 00401531.

We'll get to 00401531, where we press "F10" twice to execute the jump at 00401538. At 00401546 ECX gets compared with [00409788]. So we type ? ECX and there it is. My serial for this tutorial was 23144075! Clear all your breakpoints and type in your serial. The program jumps to registered and a nice window pops up: "CONGRATULATIONS!". NOW OUR JOB IS DONE!!!
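The check at 00401523-0040154C from the listing above, transcribed into C as an added example (not code from the original tutorial or from the CrackMe's author). The variable and function names are hypothetical, and treating [00409788] as the number parsed from the serial field is an assumption; the listing does not show how the three globals are filled.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for the three globals in the listing. How the program
   fills them is not shown on the page. */
static uint32_t acc_409770;     /* [00409770]: overwritten with the result */
static uint32_t addend_4097AC;  /* [004097AC]: value added to it */
static uint32_t entered_409788; /* [00409788]: assumed to hold the typed serial */

/* 00401523-00401540: add, reduce once if above 7FFFFFFF, store back. */
static uint32_t expected_value(void)
{
    uint32_t ecx = acc_409770 + addend_4097AC; /* add wraps modulo 2^32 */
    if (ecx > 0x7FFFFFFFu)                     /* jbe: unsigned below-or-equal */
        ecx -= 0x7FFFFFFFu;                    /* sub ecx, 7FFFFFFF */
    acc_409770 = ecx;                          /* mov [00409770], ecx */
    return ecx; /* the expected value sits in ECX in the clear at this point */
}

/* 00401546-0040154C: jne 004015B1 skips the "REGISTERED!" path. */
static int check(uint32_t acc, uint32_t addend, uint32_t entered)
{
    acc_409770 = acc;
    addend_4097AC = addend;
    entered_409788 = entered;
    return entered_409788 == expected_value();
}

int main(void)
{
    /* Constructed inputs, not values taken from the CrackMe. */
    printf("%d\n", check(0x10u, 0x20u, 0x30u));       /* plain sum */
    printf("%d\n", check(0x7FFFFFFFu, 1u, 1u));       /* reduced once */
    printf("%d\n", check(0xFFFFFFFFu, 2u, 1u));       /* 32-bit wrap */
    printf("%d\n", check(0x10u, 0x20u, 0x31u));       /* mismatch */
    return 0;
}
```

Because the routine compares against a value it has just computed in a register, anyone who can stop execution at 00401546 can read that value, which is the weakness the walkthrough relies on.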


Copyright © 1999 by My$ticL. All Rights Reserved.