_CbD_ Tutorial 01
                                          _CbD_ vs. Ultisoft, Inc.

OK, I know the title sounds strange, _CbD_ vs. Ultisoft, Inc., but I decided this would be a good title for this tutorial, seeing how I will be attacking 5 of their programs in it. Well, let me tell you how this war began. I know you don't care, but I am going to tell you anyway. I was on Windows95.com looking for a good casino game, and what I found was a lot of programs by this Ultisoft, Inc., and the bad part is that they were mostly slot games, NO FUN. I also saw that some of them were VB4 programs, so I thought, OK, this might be a good program to practice what razzia said about VB4 protections. So I downloaded a few of them.
I then unzipped them and checked to see if they would allow me to register them. Guess what: as soon as I started the program a big blue screen popped up asking me to register. OK, that answers that question. Now let's see if the program is any good. Ha ha ha, this game sucks. Well, I decided to crack it anyway. So now on to the cracks.


target #1 
Name: Cherry Slots
Author: Ultisoft, Inc.
Tools: SoftICE 3.xx
You can get it at (http://wwwsoftsite.com/ulti/95chry44.zip)

OK, I will do this crack in several steps so even the newest of crackers can follow. Before I start I want to thank razzia for his excellent tutorial on VB4, so thanks. Now go get the program from softsite.com (it is small, like 150k).
OK, you got it. Let's crack it.

Step #1
	Let's look at the file. In Explorer, select it and do a QuickView (right click, select QuickView).
	Now scroll down and see what the Import Table says. Hmm, VB40032.DLL. Ah, this is a VB4
	program. OK, now we know that our GetWindowTextA and GetDlgItemTextA won't work for us,
	so we will have to use HMEMCPY to get into the program. Wait, didn't I read a tutorial by razzia
	talking about VB4 programs? Hmm, yeah, now I remember. OK, let's try and recall what it was he wrote
	(if you never read it you should, but I will use a lot of his methods here for those of you who have
	no idea).

Step #2
	OK, let's start this little puppy, so run cherry.exe. Now a big ugly blue screen pops up, and what is
	this? The middle button is (REGISTRATION CODE). Hmm, wonder what that does. So click on it and find out.
	Ah, the old enter-your-registration-number box (like you would really buy this game). OK, first let's type in
	a few numbers to see if it has a pre-set length for the reg number: 12345678901244567865. Hmm,
	nope, it has no pre-set length. OK, that is fine, let's just clear that text out and enter, hmm, 7777777,
	seven 7's (my favorite), and then press REGISTER. Hmm, we get the old faithful Registration Failed.
	That's fine, just click OK. Hmm, our box is gone now. What, they only give us one chance (assholes)?
	
Step #3
	OK, now look in the menu and you will see Register, so click on it. What is this? Our box is back. Good, let's
	enter 7777777 again. Now DON'T PRESS REGISTER YET. We need to get into SoftICE and set some
	breakpoints, so press Ctrl-D. Boom, into SoftICE we go. Now let's set some breakpoints.
	At the ---> : prompt, type BPX HMEMCPY and press [ENTER]. OK, now we have a breakpoint set
	on the HMEMCPY function. Now press Ctrl-D again and boom, back to Cherry Slots we go.
	Now you can press REGISTER and continue on to step 4.

Step #4
	OK, if you did it right you should be looking at the SoftICE screen, and if not then go back and start over
	from step #1. Now we are looking at the call made to HMEMCPY, so let's get out of that as we need
	not be there. But first let's disable that breakpoint, as we don't need it anymore, so do a --> BD 0 <---. Now
	press F11, and SoftICE should blink and then pop you right back in. OK, now we are
	in the function that made the call. Well, this too is not really that important to us. What we need to be in is
	VB40032.DLL, so press F10 until you see the text VB4xxxxxxx (on the line between the code window and the
	command window). That should look something like this (addresses may look different):

0137:0F730116		CALL	EBP
0137:0F730118		MOV	[ESP+14] , EAX
0137:0F73011C		CMP	DWORD PTR  [ESP+2C] , 00
0137:0F730121		JNZ	0F73070C
0137:0F730127		MOV	EAX, [ESP+14]
0137:0F73012B		POP	EBP
0137:0F73012C		POP	EDI
0137:0F73012D		POP	ESI
		
	Yours may differ just a bit. OK, now we are in the VB4xxxx section of the code. Next we will look at some
	of razzia's VB tutorial.

	razzia has done all the hard work for us and found the VB4 DLL code
	that compares two strings (in WideChar format!).
	Here is what it looks like:

: 56            push esi
: 57            push edi
: 8B7C2410      mov edi, [esp + 10]
: 8B74240C      mov esi, [esp + 0C]
: 8B4C2414      mov ecx, [esp + 14]
: 33C0          xor eax, eax
: F366A7        repz cmpsw      ;<-- here the (WideChar) strings at ds:esi
: 7405          je 0F79B362     ;    and es:edi get compared
: 1BC0          sbb eax, eax
: 83D8FF        sbb eax, FFFFFFFF
: 5F            pop edi
: 5E            pop esi
: C20C00        ret 000C
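
The return value of the routine above is easier to follow when it is modelled in C. This is an added example, not code from the original tutorial or from razzia; the name `vb4_compare_model` and the sample strings are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample inputs (UTF-16 code units), not values from the page. */
static const uint16_t SAMPLE_LOW[]  = { '1', '2', '3', '4' };
static const uint16_t SAMPLE_HIGH[] = { '1', '2', '7', '4' };

/* Model of the listed routine. It takes three stdcall arguments
 * (ret 000C pops 12 bytes): a -> ESI, b -> EDI, count -> ECX,
 * where count is a number of 16-bit units, not bytes. */
int32_t vb4_compare_model(const uint16_t *a, const uint16_t *b, uint32_t count)
{
    uint32_t eax = 0;   /* xor eax, eax (also leaves ZF=1, CF=0) */
    int zf = 1, cf = 0;

    /* repz cmpsw: compare [esi] with [edi] one word at a time and
     * stop at the first mismatch or when ecx reaches zero. */
    while (count-- != 0) {
        uint16_t x = *a++, y = *b++;
        zf = (x == y);
        cf = (x < y);   /* borrow out of the unsigned x - y */
        if (!zf)
            break;
    }
    if (zf)
        return 0;       /* je: strings equal, eax is still 0 */

    eax = eax - eax - (uint32_t)cf;          /* sbb eax, eax      */
    eax = eax - 0xFFFFFFFFu - (uint32_t)cf;  /* sbb eax, FFFFFFFF */
    return (eax == 1u) ? 1 : -1;             /* 00000001 or FFFFFFFF */
}

int main(void)
{
    printf("equal:   %d\n", vb4_compare_model(SAMPLE_LOW, SAMPLE_LOW, 4));
    printf("less:    %d\n", vb4_compare_model(SAMPLE_LOW, SAMPLE_HIGH, 4));
    printf("greater: %d\n", vb4_compare_model(SAMPLE_HIGH, SAMPLE_LOW, 4));
    printf("prefix:  %d\n", vb4_compare_model(SAMPLE_LOW, SAMPLE_HIGH, 2));
    return 0;
}
```

Both strings reach this routine as cleartext pointer arguments, so any check built on it exposes the expected value to whoever can observe the call, which is what Step #5 relies on.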

	Now you have enough to crack this program.
	OK, now for the final step.

Step #5
	Now that we know the code, let's find it in our program. We need to search for it,
	and we can do this by typing the following in the command window:

	S 0 L FFFFFFFF 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14   then press [ENTER]

	You should get something like this:

	Procedure found at 0030:0F79B348 (0F79B348)

	Now we set a breakpoint on it with BPX 0030:0F79B348 and press F5. We will break again
	into SoftICE, where you should see the above code.

	OK, now we have the question: does the program have a set serial number that we have to
	enter, or does it just compare certain letters or numbers of our serial code?
	Well, let's just have a look at some of the values here.

	So type this ----> ed esi <---- and you should see the following in the data window:
	
013F : 0044A612   33  00   36   00   32   00 - 34   37  00   00  00  00  60  00     3 . 1 . 6 . 2 . 4 . 7 . . . ' . 

	Well, what is this? Hmm, looks kind of strange there, doesn't it? Could this be the serial number?
	Well, it is 6 numbers long, and if you took the spaces out it would read 316247.
	Let's see if this could be the serial number. So we do a BD 1 to disable our breakpoint
	and then press Ctrl-D, and you should return to Cherry Slots and the Registration Failed
	box should be up. So clear it and go to Register once more. This time enter the code
	we got from VB4xxxxx, it should be 316247, and then press REGISTER. You should get the
	congratulations, you have now registered this piece of shit software, blah blah.
	OK, that is it, the game is now registered. If you want to distribute your cracked game,
	you can now look in your Cherry Slots dir and you should see a file named
	cherry.key. This is all you need, so pass it around, and anyone needs only to put it in their
	Cherry Slots dir and they are registered too.

	Although this is easy and takes only a few minutes, I am going to look at making a patch to just get
	the nag screens to go away without a correct serial number, just as practice.

	You can use these same steps to crack all of UltiSoft's VB games.


PART 2
	
				The War is Still On
				_CbD_ vs. UltiSoft
	
	
	After looking around their page I found that they also had a few games that were not
	VB games, so I decided to check them.

	
	

target #2 
Name: Animated Black Jack
Author: Ultisoft, Inc. 
you can get it at (http://wwwsoftsite.com/ulti/95anbj11exe) 
Tools Needed : W32DASM

	OK, I downloaded this one and then used QuickView, and I saw this was not
	a VB program. So first I ran the program, then noticed it had the same old
	registration box as the others. OK, well, I decided to use SoftICE and break on
	the old GetWindowTextA and GetDlgItemTextA. Then I tried a fake number
	and nothing, I didn't pop into SoftICE. Hmm, well, let's try GetWindowText and GetDlgItemText.
	Nothing, still no SoftICE. So I decided to load it in W32DASM and look at the functions.
	Well, I saw tons of them; this program uses everything but its own. OK, let's have a look at some
	of them (damn, there are so many). Several look as if we could set breakpoints on them and
	try, but hmm, let's look some more. Let's look at the string references (the button should
	be [Strn Ref]). Damn, so many. Well, let's look for anything dealing with registration.

	We see ( 2. In the Registered Version). Hmm, well, we could look at that,
	but what is that funny looking one right under it?

	All it says is ("508150"). Hmm, that looks funny. It is 6 numbers, and we have seen
	that all of their codes are six numbers. No way, it can't be that easy, can it?
	Well, let's just check. So we start up Black Jack and then we put 508150 for a
	registration number and press [ENTER], knowing this won't work,
	and boom, Thank you for Registering our ShitWare. Hmm, OK, now
	I have lost all respect for these guys (not that I ever had any). They have to be
	very stupid to hard code their # that way. I think instead of sending them
	the registration fee I will send them Programming for Dummies books.
	Well, that's it for that one, and any of the other programs they have that are not VB
	are the same way...
	Oh yeah, their installers suck and will hang, so just use the task manager and end task on
	the installer (CTRL + ALT + DEL, End Task, INSTALLER).

	OK, this is a list of their programs that I have cracked using these methods:
	
VB 
Cherry Slots 	#316247
Dynamite Slots	#884916
Extreme Slots	#196458

Other 
Double Wide Slots	# 317541
Animated Black Jack 	# 508150

All their other programs are on the site
http://www.softsite.com/ulti

	Well, I really hope this helped you in some way, if nothing else than by showing that sometimes the protection
	can be so easy.


	_CbD_ [ME/C4N'97]