_CbD_'s Tutorial #2
Rummy 500
Well here is a look a at different way for Cracking VB3 programs
Target: RUMMY 500 (Version 3.8)
Get it Here:Comes with the Tutorial
Tools Needed: Softice v3.xx
Ok Lets talk about the program first. Well it is ok for a VB3 game and considering it was
done by women. ( Not a sexest remark) ;-) anyway this is really a nice game if you like
the card game rummy, BUT this lady seems to think that she must put nag screens
everywhere. Hmmm I hate that so that is what is driving this crack. There are nags
at the end of every hand (with a 10sec delay) and this is just not fair to us who wish
to evaluate it at its full. ;-). Ok that is enough about the program.
Now as always we will be doning this in steps, so lets get started.
Step #1
Ok we have to find out a little info about the program so we use QuickView
(See Tut #1 for info on QuickView) to find out a little about our pup here.
Hmm looks like a VB3 file. Ok well that takes care of that cause we know
we cant crack VB programs cause they dont use any of the normal fuctions
that we set our BreakPoints on right? WRONG if you have read my tut #1 or
razzia's VB tut's you will know we can crack VB programs just as if not
faster than any other... Ok Now lets do a little searching to see if we can find out
any info on the program, so we look in the dir that we installed to and Whats this
2 files that might be of some use one is Rummy500.faq and the other is Readme.txt
so lets see whats in them First the Faq. hmm nothing there that seems to help
so next the Readme.txt..... Whats this do you see what i see
****************************************************************************
IMPORTANT NOTE: MeggieSoft Games does not process any registrations between
December 15th and January 15th. Any registrations received during this
period will be processed after January 15th. The registration reminder
will not be displayed between December 20th and January 15th.
****************************************************************************
No way it cant be that simple not with a program that has so many nags
well lets try anyway. Change you systems date to say January 1 that would
give us 15 days. Hmm well they are right no 10 sec delays but yup
there is still a nag screen and we just cant live with this can we ;-)
but it was nice of them to tell us anyway. So change your date back
so we can enter a Reg Number and crack it.
Step #2
Ok now we have not found anything that we can really use to help us other
than knowing that it is a VB3 program so lets get started cracking it
first lets start the program and wait for that nagging 10sec delay to go by
and then press register, Damn more screens what is this shit...
ok press Enter Registration, Hmm Name and number well that is not good
that means most likely this wont be just some serial number for us to
find in softice that was hardcoded in, Not that this will make it any harder
just take a few more minutes.
Step #3
Ok now enter a name i use (CbD! Cracked) Dont use this cause you are
cracking it not me ;-) . Now enter a Serial number i use (7777777) now
press enter and see what happens. Hmm not a good serial number
well shit we knew that already so press ok. Hmm well we get another shot
at it with out haveing to start over good i like this.
Step #4
Press Ctrl-D and pop into softice ( If you dont have softice you cant do this crack)
now lets set a BreakPoint on hmemcpy so do this BPX HMEMCPY and press
enter. now we have a Breakpoint that should pop us into SI(SoftIce) when we
hit enter in the registration screen so now (If you didnt have any other BreakPoints
Set and if you did Clear Them before you go on you can do a BC * and then press
enter and reset the HMEMCPY breakpoint so it is your only one) press Ctrl-D
and you should land back in the registration srceen
Step #5
Press enter Boom back to SoftIce we go ok now we are in the HMEMCPY fuction
we dont want to be here so we press F11 to get back to the fuction that called HMEMCPY
but wait this little program had 2 boxes remember 1 for the Name 1 for the number
so this is most likely the Name fuction and this (You can crack it from here but takes forever)
is not what we want , we want the serial number right. Ok so press F5 and Pop right
back in SoftIce we go and Yes back to the HMEMCPY function so Press F11 again
to get out of it. Now we should be looking at something like this
17CF:0B40 CALL KERNEL!HMEMCPY
17CF:0B45 PUSH WORD PTR [DI]
17CF:0B47 CALL KERNEL!LOCALUNLOCK
17CF:0B4C MOV AX,SI
Ok the Address's may differ but the code should look the same, Well this dont look to
intresting to us right now so lets step in the code a bit with F10 so press F10
you see the lines advancing as you press the key, ok well you will see a few POP's
and then LEAVE and RET <---(interesting) we are in a fuction that called HMEMCPY
and now we seem the be fixing to return from the one that called this one hmm ok
lets keep pressing F10 do this about 10 times or so or until you see the code below
(Note You should Press F10 a total of 14 times after the last F11) there will be a RET
that will land you at
0C0D POP DS <------ Should land here
0C0E POP BP <----- Hmm what is this ?
0C0F RETF 000C <---- This looks to me like a compare Return cause it loads 2 values then
Returns most likely to were they are compared
( I kow this already cause i traced it down for you )
Now here is what my window looked like when i steped through 14 times
EAX=056AOOOB EBX=000275EA ECX=00000000 EDX=06700000 ESI=00021B74
EDI=00020106 EBP=000062AO RSP=000062AO EIP=OOOOOCOE o d I s Z a P c
CS=17CF DS=2B57 SS=2B57 ES=3387 FS=059F GS=011B
----RUMMY500(02)------------------------------------dword---------------PROT---(0)--
2B57:000062A0 0F0E:62BC 0000: 1807 3387:115K 000D:000C .b...... ..3....
2B57:000062B0 0106:OD7C 1B74: 0002 2B57:0002 0381:62D8 ].....t...W+.b..
2B57:000062C0 0001:1807 115E: 0000 000C:3387 37F4:000D ...... ..3.....7
2B57:000062D0 0BF4:0002 0386: 17CF 0751:632A 0001:1207 ......*CQ.......
2B57:000062E0 115E:0000 000C: 3387 0D7C:000D 17CF:OBF4 .....3..........
2B57:000062F0 0106:2B57 01E6: 0106 0000:33D7 3032:33D7 W+.......3...320
2B57:00006300 3632:2D30 3933: 2D36 0588:0035 6352:0043 0-266-395...C.Rc
----USER!BOZOSLIVEHERE+001C---------------------------------------------------PROT16-
17CF:OCOA CALL 25C2
17CF:OCOD POP DS <----- Load Value #1
17CF:OCOE POP BP <----- Load Value #2
17CF:OCOF RETF OOOC <---- Go back and caompare them
17CF:OC12 MOV AX,171F
17CF:OC15 MOV ES,AX
----------------------------------- USER(OA)----------------------------------------
Hmm then we should be able to check the values of DS & BP
(I already know the one that holds the Good Serial #)
So lets do this ED BP and press enter You should see something like
the above Data Window . ( Note Make sure you window fairly wide so you can see
all the data or scroll down. Now I cant say for sure but everytime i have done this
I have gotten a valid Code (I havent looked very deep into the program yet)
so i cant give you the exact reason this code is here but i will soon make a key gen
and give full explanation of the code so look for it soon. Well now if you look you
will notice that there are a string of numbers divided by a "-" mine is
3202-266-395 well my code was 202-266-395 This will not werk for you
as it is different for every computer even if The names are the same (Note
Do Not use Specail charactors in the name ie _ [ / ] - + < > use only numbers
or letters) so look to see what yours is. you may or may not have 4 numbers
in the first part of the string if you do ignore the first number as it is not part of the
code, if you notice the same number appears just before the string so drop that one
off and one use xxx-xxx-xxx well that should do it just clear your breakpoints(BC *)
and return to the program (Ctrl-D) and then enter you Code and Boom there you are
no more nag srceens.. But please Do register as the Author done a good job one
this one even if they did put so many nags in it and the Fee is only $12 like that is
to much.......
Well hope This helped you some and helped you to understand a little
more about VB programs. and if not atleast you got a cool game, without nags
(unless you still cant carck it ) and even then you know how to get rid of the
10 sec delays CHANGE THE DATE... duhhhh ok well thats all for this one
All tutorials i write will be availible from Http://users.quicklink.net/~cbd/c4n or
http://mexelite.home.ml.org ENJOY........... _CbD_ [ME/C4N'97]
Oh yeah i almost forgot you can change the back of the cards to
what ever you wish by editing the rummy500.bmp file in a
editor such as PaintBrush (Comes with windows). Just though
you might want to know that. Mine say Cracked by CbD ;-)