*****************************************************************************
*Subject: Cracking							    *
*Target: Qoole 2.50 (Quake II editor)	    				    *
*Author: BlackB								    *
*Date: 1999-02-14							    *
*Tools used: W32DSM89, HEX WORKSHOP 2.54				    *
*Difficulty (scale 1-5): 2						    *
*Requirements: Basic knowledge of cracking				    *
*****************************************************************************

1. Introduction
~~~~~~~~~~~~~~~

Hi there! This is my first tutorial on cracking. I've been cracking for 2
months now, and it works out quite well! I've 'registered' quite some 
programs in those 2 months and I started to think: why not writing an easy
to understand tutorial.....well here I am.....enjoy :-)

If you're interested (probably not): I'm 17, live in Belgium, and my 
computer"knowledge" covers Assembler, Pascal, viruses, IRC(war), cracking,
etc... .
Enough lameness...let's crack!

2. Qoole 2.50
~~~~~~~~~~~~~

In my (modest) opinion, Qoole is the best Quake II editor available. Of
course, if u download it from www.qoole.com, the version is shareware: u can
use it for 14 days only (don't know if Qoole checks this) and there's a 300
brush limit....not enough for big levels! So.....it had to be cracked :-)
When I first ran the program, I saw a nice registering screen that asked for
a username and serial. And I thought: "Oh, this 's gonna be easy". So I 
started to "bpx getdlgitemtexta" and "bpx getwindowtexta".......unfortunately
Qoole uses its own procedures, so Softice didn't pop. (if u don't know what
Softice and/or bpx is then stop reading this tutorial and start learning 
about cracking tools)
Finding the serial didn't work out as I expected....so I gave it a try with
W32DSM89....

- Run GlideQoole, click Options-Register Qoole.
- Fill in a bogus user and serial
- Click OK and write the following message down: "Invalid registration code"

Interesting :) The string will probably be in the disassembly file:

- Run W32DSM89, disassemble GlideQoole.exe
- Click Search-Find text
- Type "Invalid registration" and click "Find next"

The only thing we have to do is that Qoole doesn't execute the "Invalid
registration..." (without actually deleting the message of course!) So let's
look above if we can find some je/jne instructions...

---------------------------Start of partial code-----------------------------

:0040DAC3 83C242                  add edx, 00000042
:0040DAC6 3BCA                    cmp ecx, edx
:0040DAC8 7544                    jne 0040DB0E <- *First jump instruction*
:0040DACA 0FBE4DA7                movsx ecx, byte ptr [ebp-59]
:0040DACE A164854C00              mov eax, dword ptr [004C8564]
:0040DAD3 99                      cdq
:0040DAD4 BE1A000000              mov esi, 0000001A
:0040DAD9 F7FE                    idiv esi
:0040DADB 83C241                  add edx, 00000041
:0040DADE 3BCA                    cmp ecx, edx 
:0040DAE0 752C                    jne 0040DB0E <- *Second jump instruction*
:0040DAE2 6A04                    push 00000004
:0040DAE4 8D55D0                  lea edx, dword ptr [ebp-30]
:0040DAE7 52                      push edx
:0040DAE8 8D45C8                  lea eax, dword ptr [ebp-38]
:0040DAEB 50                      push eax
:0040DAEC E88FD80800              call 0049B380
:0040DAF1 83C40C                  add esp, 0000000C
:0040DAF4 85C0                    test eax, eax
:0040DAF6 7516                    jne 0040DB0E <- *Third jump instruction*
:0040DAF8 6A04                    push 00000004
:0040DAFA 8D4DF4                  lea ecx, dword ptr [ebp-0C]
:0040DAFD 51                      push ecx
:0040DAFE 8D55C0                  lea edx, dword ptr [ebp-40]
:0040DB01 52                      push edx
:0040DB02 E879D80800              call 0049B380
:0040DB07 83C40C                  add esp, 0000000C
:0040DB0A 85C0                    test eax, eax
:0040DB0C 7467                    je 0040DB75 <- *Fourth jump instruction*

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040DAC8(C), :0040DAE0(C), :0040DAF6(C)
|

* Possible StringData Ref from Data Obj ->"qoole.reg"
                                  |
:0040DB0E 68A8514B00              push 004B51A8
:0040DB13 E838D80800              call 0049B350
:0040DB18 83C404                  add esp, 00000004

* Possible StringData Ref from Data Obj ->"Invalid registration code"

---------------------------End of partial code-------------------------------

To avoid the "Invalid registration code" message, a jump should be beyond
0040DB18. So lets change all four the jump instructions to there opposits:
- jne=75 => 74
- je=74 => 75

Final result:

:0040DAE0 742C                    je 0040DB0E <- first jump
:0040DAE0 742C                    je 0040DB0E <- second jump
:0040DAF6 7416                    je 0040DB0E <- third jump
:0040DB0C 7567                    jne 0040DB75<- fourth jump

Change the instructions in Hex Workshop or another hex editor and save the
changes. (if u don't know how to work with a hex editor....learn!)

Optimistic that we are, we think we cracked Qoole......so we re-run Qoole,
type a bogus name and serial....click ok and...."Qoole registered, thanks! 
(Qoole.reg created)". YES, it's cracked...........naaaaaaah no way!! Before
you click OK, you can know it won't work:

-it's obvious that if Qoole creates a .REG file with our (wrong) 
 name and decoded serial, it'll check the reg file every time Qoole 
 is executed and will give an error.....even worse, it checks the
 .REG file just after you've registered!

-Click OK and......."Bad registration key file". U have to click OK and the
program exits.
-Restart GlideQoole....it'll give the same message and delete the bad ..REG
-Restart GlideQoole.......it works again, but isn't registered.

Okay, there is a procedure that checks the qoole.reg file. Let's get back to
W32DSM89 and let's search for "Bad registration key file". You should see
this:

---------------------------Start of partial code-----------------------------
* Referenced by a CALL at Addresses:
|:0040E423   , :0040E43D   , :0040E457   , :0040E4EE   , :0040E509   
|
:0040DC0B 55                      push ebp
:0040DC0C 8BEC                    mov ebp, esp

* Possible StringData Ref from Data Obj ->"qoole.reg"
                                  |
:0040DC0E 68A8514B00              push 004B51A8
:0040DC13 E838D70800              call 0049B350
:0040DC18 83C404                  add esp, 00000004

* Possible StringData Ref from Data Obj ->"Bad registration key file!"
---------------------------End of partial code-------------------------------

Hmmmmm, how can I exit a procedure in assembler.......oh u can't be serious..
....with a 'ret' instruction???!! :pp Okay, let's change the code in such
way it just exits the procedure :-)) As u should now, the hex code for 'ret'
is C3. The best instruction to change is the push ebp (55).
Open you hex editor, goto that push ebp, and change the 55 into C3. Save it
and run GlideQoole. Register and enjoy.......u've cracked Qoole 2.50! ;-)

3. Summary
~~~~~~~~~~

-Change the four jump instructions before the "Invalid registration code"
into their opposits
-Change the push ebp instruction (55) into the ret instruction (C3) before
the "Bad registration key file!"


4. Outtro
~~~~~~~~~

Yup, I know there's also WinQoole, but that's exactly the same 'protection'
as GlideQoole, it's up to u cracking it :-)
If u have any questions, comments, etc... mail me on BlackBir@mail.dma.be
U can also visit my homepage at http://myplace.to.be/blackb. It's an anti-
virus site....no cracking stuff.

Thanks goto: +ORC, tKC, Qapla and all other fantastic tutorial writers who
teached me cracking! :-)

*****************************************************************************
*Qoole 2.50 is a great program. The author deserves the money he asks!!!    *
*****************************************************************************

BlackB