diff --git a/textfiles.com/piracy/APPLICATIONS/generic.app b/textfiles.com/piracy/APPLICATIONS/generic.app new file mode 100644 index 00000000..1e261c93 --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/generic.app 
@@ -0,0 +1,61 @@ + Pirates Analyze Warez (PAW) Reviewer Application + +To apply, fill out the required information below and attach a review of +any new warez (preferably using the style of those already in the mag). +Upload this application to the Apocalyptic Teacup BBS at (416) 527-8852. +Other input (ie - new ideas, other articles, art, whatever) can also be +submitted. References are required for permanent BBS membership. + +We are also taking applications for formal distribution sites. Again, +fill out the below application and submit it to A. T. B. with a brief +note detailing what you have to offer instead of a review. Call back +in approximately 24-48 hours for additional information. + +Finally, we are in need of dedicated couriers both to distribute the +magazine and to assist in obtaining the warez in the first place. Again, +interested parties should fill out this application. +__________________________________________________________________________ + +POSITION APPLIED FOR: [_] Reviewer [_] Site + [_] Courier [_] Other ________ + +PERSONAL INFORMATION: + + Alias: ________________________________ + Real Name: ________________________________ + Group Affiliations: ________________________________ + ________________________________ + City, Province: ________________________, ______ + Voice Phone #: (___) ___-____ + Data Phone #: (___) ___-____ + + Source of Warez: ________________________________ + ________________________________ + + Game Types Preferred: 1. _____________________________ + (if reviewer app) 2. _____________________________ + 3. 
_____________________________ + + References: ________________________________ + ________________________________ + ________________________________ + ________________________________ + + +BBSING INFORMATION: + + Board Name (if any): ________________________________ + Board Number (if any): (___) ___-____ + Board Affiliations: ________________________________ + ________________________________ + Modem Type: ________________________________ + Computer Type: ________________________________ + Meggage: ________________________________ + Software/Mailer: ________________________________ + ________________________________ + + Years BBSing: ________________________________ + + +Attach Sample Review or BBS Information Below +-------------------------------------------------------------------------- diff --git a/textfiles.com/piracy/APPLICATIONS/info.beg b/textfiles.com/piracy/APPLICATIONS/info.beg new file mode 100644 index 00000000..6750051c --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/info.beg 
@@ -0,0 +1,421 @@ + + <<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>> + <> <> + <> [< ACiD ALLiANCE >] <> + <> <> + <> MOTTO: BEiNG ELiTE SUXS <> + <> <> + <<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>> + + PHiLE: iNFO BEG FORM + + + Ok, so you decided to download the iNFO BEG FORM. Here are the rules of +filling out this form. YOU MUST LEAVE THiS FORM iN THE CONDiTiON iT WAS iN, +the only editing i will except are when you fill in the blanks, if you change, +or upload something else then please delete this phile from your directory +now. YOU MUST ANSWER ALL QUESTiONS TRUTHFULLY OR TO THE BEST OF YOUR +KNOWLEDGE, that's all i ask for. Now here's how you'll get validated(maybe), +we will take you information into account, if all the information is complete +and truthful and correct, you have a pretty good chance. Then i, $ector Not +Found, and White Fang will discuss the possiblity of validating you. + +Off Hand here are the Access Levels of the ACiD ALLiANCE. + + -=ACCESS LEVELS=- + - PREZ - PRESiDENT - + - PHRiER - PREFERED MEMBER - + - SNARF - NORMAL MEMBER - + - LEECH - NEW MEMBER - + + +if you get validated you will recieve LEECH status, at this status you will +have some access to stuff. in order to gain SNARF status, you must prove +yourself to us, by suppling us with with information that is useful to the +rest of us. Such as Text Philes you write, Text Philes you obtain, info on +Ma Bell, any programming ability you have and other of such nature. To become +a prefered user, you must provide us with an outstanding participation toward +the ACiD ALLiANCE. ok this intro is long enuf already. + + Oh yea, one more thing, all information that you release to us will be + Keep confidental from all users except users with PHRiER Status. + ++------------------------------------------------------------------------+ + +1/27/91 + +[< ACiD ALLiANCE >] + iNFO FORM: + + + 1. WHAT iS YOUR HANDLE YOU GO BY MOST + + 2. WHAT iS YOUR REAL NAME (FULL), ADDRESS, STATE, ZiP, VOiCE NUMBER + + + + + + + + 3. 
WHAT'S YOUR BiRTHDATE 00/00/00 + + + 4. WHAT KiND OF COMPUTER DO YOU OWN + + + 5. WHAT COMPUTERS DO YOU HAVE EXPERiENCE WiTH + + + + 6. DO YOU PROGRAM, AND iF YES, iN WHAT LANGUAGES DO YOU PROGRAM iN + + + + + 7. AND iF YOU PROGRAM, WHAT ARE SOME OF THE PROGRAMS THAT YOU HAVE WRiTTEN + + + + 8. ARE YOU AFFiLATED WiTH ANY LAW ENFORCEMENT AGENCiES, SOFTWARE COMPANiES, + TELEFONE COMPANiES. + + + 9. DO YOU PHREAK, iF YES THEN WHAT DO YOU PHREAK WiTH + + + + 10. DO YOU HACK, WHAT SiSTEMS DO YOU HACK ON + + + + + 11. ARE YOU WiLLiNG TO SHARE iNFORMATiON YOU LEARNED WiTH THE OTHER MEMBERS + + + 12. ARE YOU A LEECH + + + + 13. ARE YOU ELiTE + + + + 14. WHAT DO YOU THiNK OF WAREZ + + + + + 15. DO YOU RUN A BOARD, iF YES PUT YOUR BOARD # DOWN HERE AND NUP. + + + + 16. iF YOU RUN A BOARD, DO YOU WiSH TO HELP DiSTRiBUTE OUT MATERiAL + + + + + 17. ARE YOU iN ANY OTHER GROUPS(Phela, Phrack, NARC, CHiNA) + + + + 18. ARE YOU WiLLiNG TO CONTRiBUTE TO THE GROUP + + + + 19. DO YOU HAVE ANY ARTiSTiC ABiLiTiES + + + 20. NAME SOME THiNGS THAT YOU DO ON YOUR COMPUTER(iF YOU BEAT YERSELF WHiLE + WATCHiNG ANiMATED GiF'S THEN GO TALK TO THG) + + + + + + 21. HAVE PHREAK/HACK MAGS DO YOU READ + + + + 23. NAME SOME TEXT PHiLES YOU HAVE WRiTTEN + + + + + 24. HOW CAN YOU BENiFiT US + + + + + + + + 25. NAME AT LEAST 10 PHRACK BOARDZ THAT YOU ARE ON + + + + + + + + + + + 26. NAME AT LEAST 10 OTHER PHREAKERS, CRACKERS, HACKERS THAT YOU KNOW + + + + + + + + + 27. DO YOU CRASH BOARDZ + + + + + 28. DO YOU CARD + + + + 29. DO YOU HAVE ELECTRONiC ABiLiTY + + + + + + 30. DO YOU PROGRAM ViRii, iF YES WiLL YOU UPLOAD YOUR SOURCE TO US AND NAME + A FEW THAT YOU HAVE WRiTTEN. + + + + + + + 31. DO YOU HAVE A VMB, iF YES PUT iT DOWN HERE + + + + + 32. NOW PUT DOWN ANYTHiNG ELSE THAT i MiGHT OF MiSSED THAT CAN HELP YOU + OBTAiN MEMBERSHiP. 
+ + + + + + + + + + + + + +-========================================- + +OK NOW FOR THE VOCABULARY QUiZ(AND YOU THOUGHT THiS iS PHOR ONLY ENGLiSH) + + + DEFiNE THE FOLLOWiNG: + + 1. CHiNA + + 2. NARC + + 3. PHRACK + + 4. PHREAK + + 5. PHREAKiNG + + 6. HACKiNG + + 7. HACKER + + 8. ELiTE + + 9. ESS + + 10. CNA + + 11. BLUE BOX + + 12. BLACK BOX + + 13. SiLVER BOX + + 14. RED BOXiNG + + 15. GREEN BOXiNG + + 16. CAPTAiN CRUNCH + + 17. 2600 MAG + + 18. 2600 HZ + + 19. MF TONES + + 20. TROJAN + + 21. ViRii + + 22. ANSi BOMB + + 23. VMB + + 24. VMS + + 25. UNiX + + 26. LoD + + 27. CODE THiEF + + 28. TiMNET + + 29. TELENET + + 30. CARDiNG + + 31. CARDER + + 32. LEECH + + 33. LOOP + + 34. PBX + + 35. 950 + + 36. WHAT iS THE PURPOSE OF PHREAKiNG TO YOU + + 37. THG + + 38. iNC + + 39. PE + + 40. BRiDGE + + 41. NUA + + 42. NUi + + 43. OD + + 44. GOD + + 46. CiS + + 47. VAX + + 48. HP 3000 + + 49. HP 2000 + + 50. BOUNCE SiSTEM + + 51. TRW + + 52. CBi + + 53. NUP + + 54. MSC + + 55. WAT + + 56. SWEEP + + 57. EXTENDER + + 58. CODE + + 59. TRUNK + + 60. WHiTE BOX + + 61. YELLOW BOX + + 62. SCARLET BOX + + 63. BUD BOX + + 64. LUNCH BOX + + 65. LUTZiFER + + 66. QSD + + 67. PAD + + 68. PSN + + 69. CHEESE BOX + + 70. BREWER ASSOCiATES + + 71. EASiEST WAY TO CRASH TELEGAURD 2.5i + + + + 72. EASiEST WAY TO CARSH WWiV 4.10 - 4.12 + + + 73. AFTERSHOCK + + 74. ANi + + 75. COSMO + + 76. CYBER SYSTEM + + 77. ACD + + 78. CAMA + + 79. CCiS + + 80. FAST BUSY + + 81. CO + + 82. ETS + + 83. NPA + + 84. SF + + 85. KP + + 86. CLEAR BOX + + 87. BEiGE BOX + + 88. PURPLE BOX + + OK THAT'S ENUF DEFiNiTiONS GOT LOTS MORE BUT iF YOU KNOW THiS MUCH MAYBE YOU + MiGHT MAKE iT. EH? + + + WELL GUYS HERE YOU HAVE COMPLETED THiS iNFO BEG FORM. NOW UPLOAD THiS BACK + TO THE WOLF'S DEN AT 602-241-1898 AND WE'LL GET TO YOU AS SOON AS POSSiBLE JUST KEEP CALLiNG. + + + ]>amaged $ectorz + + +-=EOF=- + + + + + + + + + + \ No newline at end of file 
diff --git a/textfiles.com/piracy/APPLICATIONS/kortapp.nfo b/textfiles.com/piracy/APPLICATIONS/kortapp.nfo new file mode 100644 index 00000000..0a046739 --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/kortapp.nfo @@ -0,0 +1,102 @@ + ܱ + ܱ ܰ ߰߰ ߰߰ + ۲۰ ܰ ߲ ߲ + ޱ ް ޱ ޱ + ܱ ޲ ߱ + ۲޲ ۲ ۲ + ۲ + + + K N I G H T S O F T H E R O U N D T A B L E + + /\pplication Form + + + User Handle...................| + Real First and Last name......| + Adress........................| + Zipcode.......................| + Country.......................| + Home/Voice Number.............| + Group Affiliations............| + Modem Type and Max. Baud Rate.| + Age...........................| + Sex...........................| + + Where are you applying for? + + Courier [ ] Memberboard [ ] Dist. Board [ ] + Cracker [ ] Supplier [ ] + + Board References + ---------------- + + Board 1.......................| + Board 2.......................| + Board 3.......................| + Board 4.......................| + Board 5.......................| + + User References + --------------- + + User 1........................| + User 2........................| + User 3........................| + User 4........................| + User 5........................| + + Sysop References + --------------- + + Sysop 1.......................| + Sysop 2.......................| + Sysop 3.......................| + Sysop 4.......................| + Sysop 5.......................| + + Do you have any contact with Software Companies..........[Y/N] + Do you have any contact with Telecommunicaton Companies..[Y/N] + + Any comments to the Staff before we call you voice and discuss + your application..............................................| + + + + + + + + + + Upload this application with your own NAME.APP Private to + The Gravestone + [CHQ] or to Bedlam [WHQ/313-699-2718]. + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/textfiles.com/piracy/APPLICATIONS/modreq.txt b/textfiles.com/piracy/APPLICATIONS/modreq.txt new file mode 100644 index 00000000..73b32bec --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/modreq.txt 
@@ -0,0 +1,58 @@ +R + + +[ 6/ 6]: Here is the [MoD] application...fill it out... +From : Spider Man #1 @2110 [Fair Lawn, NJ] +Date : Saturday, July 13, 1991 at 2:28 pm +Origin: The Spider Web [201-797-3166] + [Newark, New Jersey] +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Ŀ + + + REGISTRATION FORM + + + [MoD] is an acronym for Modders on Drugs, a modding group formed by Spider + Man. [MoD] membership allows you to use the [MoD] acronym after your name + or your BBS name. Also, there are two mod subs which your board will have + access to through the net (If you are not a sysop, there will be an + arrangement on a [MoD] board to give you access to these two subs. + These subs are "Sub on Drugs" which is the discussion sub, and + "[MoD] Official Releases" where all [MoD] mods are released. + + This is not a way to get an acronym after your name, and if that is all you + want, then [MoD] is not for you. This is a modders group, which means you + must be able to mod WWIV and be able to write your own mods. + Once we have reached 10 members, [MoD] will require an applicant to write + at least one of their own mods to join. + + In order to get into [MoD] you must either extract or somehow capture this + message (If you can't please ask a [MoD] member to put it up and download it) + and fill out the below. Then send the filled out message to one of the [MoD] + members and they will put it up for voting purposes. If you have any reason + to believe the person who you sent the message to will not post it, then + please send me a copy at 1@2110 + +[ Fill out the Bottom Part +] + +What is your BBS handle and number : +What is your real name : +What is your address : +What is your age : +What version WWIV are you running : +Which version of Turbo C do you use : +Describe your modding abilites in the space below.... + +1] +2] +3] +4] +5] +6] +7] +8] +9] + +Electronic Mail (?=Help): \ No newline at end of file 
diff --git a/textfiles.com/piracy/APPLICATIONS/mrgcour.app b/textfiles.com/piracy/APPLICATIONS/mrgcour.app new file mode 100644 index 00000000..dced581b --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/mrgcour.app 
@@ -0,0 +1,121 @@ + Ŀ + ij + ij + ڳĿĿĿڿڿĿ + ijڿĿ + ijٳٳ + + ij['93] + ij + + Courier Application + + + + Introduction: + + + Morgue is a textfile writing group dedicated to free speech, and the + support of everything that is illegal. We're basically out to Fuck the + system. Discussion of hacking, phreaking, carding, and virii is typical. + We are always looking for new writers, and new ideas. For site applications, + please fill out the enclosed file MRGSITE.APP and upload it to one of the + boards at the end of this file. + + + Before applying to be a courier, ask yourself these questions: + + 1. Will I be able to call one of the morgue sites every other day? + 2. Will I upload the MoRGUE files to all applicable systems I am on? + 3. Will I courier large files as well as Tfiles? (up to 1m) + + if you answered no to any of the above, forget it.. if not, carry on. + + + Part I. + + +Handle..............................: +Other Aliases.......................: +Legal FULL name.....................: +HOME Phone Number...................: +DATA Number.........................: +Birthdate (MM/DD/YR)................: +Age.................................: +Race................................: +State/City..........................: +Are you a legal U.S. CITIZEN........: +Marital Status......................: +Where are You Currently Employed....: + + + Part II. + + +Modem Brand/Speed...: +Hard Drive Capacity.: + + Part III. + + +Couriering Experience.: + .: + .: + +Current Group Status..: + .: + .: + +Times/Days You can Courier.: + + + + + Comments: + + + + + + Why should we accept this Application and give you status? + + + + + + Take this completed Application and upload it to one of the following boards +renamed to COURIER.APP, with the description "'s Application" + + Morgue Distribution Sites + + + Board Number Modem Status SysOp + + Ionic Destruction 215.722.4534 16.8k DUAL World HQ Phatal Error + The Eastern Alliance 717.BAK.JUNE 16.8k HST! 
Distro 1 Acidic Nature + Villa StrayLight 215.BAK.SOON 14.4k DUAL Distro 2 Anonymous Caller + Chromatic Death 215.755.9051 16.8k DUAL Distro 3 Emanon + Underworld Legacy 717.566.5750 14.4k v32b Distro 4 Corruptor + + + Morgue Member List + + Senior Members + + Phatal Error - President Acidic Nature - Vice President + Anonymous Caller - Vice President + + + Writers/Staff + + Phatal Error, Acidic Nature, Anonymous Caller, Social Distortion + ASCII Express, MalHavoc + Manifest Destiny + + Couriers + + Social Distortion - Head Courier + + + + \ No newline at end of file diff --git a/textfiles.com/piracy/APPLICATIONS/mrgsite.app b/textfiles.com/piracy/APPLICATIONS/mrgsite.app new file mode 100644 index 00000000..125a4dfb --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/mrgsite.app 
@@ -0,0 +1,112 @@ + Ŀ + ij + ij + ڳĿĿĿڿڿĿ + ijڿĿ + ijٳٳ + + ij['93] + ij + + Distro Site Application + + + + Introduction: + + + Morgue is a textfile writing group dedicated to free speech, and the + support of everything that is illegal. We're basically out to Fuck the + system. Discussion of hacking, phreaking, carding, and virii is typical. + We are always looking for new writers, and new ideas. + + + Part I. + + +AREA CODE: [xxx] + +Handle..............................: +Other Aliases.......................: +Legal FULL name.....................: +HOME Phone Number...................: +DATA Number.........................: +Birthdate (MM/DD/YR)................: +Age.................................: +State/City..........................: + + Part II. + +Computer Speed/CPU.....: +OS Type and Version....: +Years of Computer Exp..: +Years of Modeming Exp..: + + + Part III. + + +BBS Software......: +Operation Hours...: +Nodes.............: +Megs ONLINE!......: +Modem Type/Speed..: +Number of Users...: + + +Does your board have H/P File/Msg Bases? + +Does your system support virii/Trojans? + +Will you devote a message AND file area for MoRGUE? + +Will you poll NETMail from MoRGUE WHQ or another site, should +we develop it? + + + Comments: + + + + + + Why should we accept this Application and give you status? + + + + Take this completed Application and upload it to one of the following boards +renamed to DISTSITE.APP, with the description "'s Application" + + Morgue Distribution Sites + + + Board Number Modem Status SysOp + + Ionic Destruction 215.722.4534 16.8k DUAL World HQ Phatal Error + The Eastern Alliance 717.BAK.JUNE 16.8k HST! 
Distro 1 Acidic Nature + Villa StrayLight 215.BAK.SOON 14.4k DUAL Distro 2 Anonymous Caller + Chromatic Death 215.755.9051 16.8k DUAL Distro 3 Emanon + Underworld Legacy 717.566.5750 14.4k v32b Distro 4 Corruptor + + + Morgue Member List + + Senior Members + + Phatal Error - President Acidic Nature - Vice President + Anonymous Caller - Vice President + + + Writers/Staff + + Phatal Error, Acidic Nature, Anonymous Caller, Social Distortion + ASCII Express, MalHavoc + Manifest Destiny + + Couriers + + Social Distortion - Head Courier + + + + \ No newline at end of file diff --git a/textfiles.com/piracy/APPLICATIONS/mrgwrit.app b/textfiles.com/piracy/APPLICATIONS/mrgwrit.app new file mode 100644 index 00000000..91944b51 --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/mrgwrit.app 
@@ -0,0 +1,136 @@ + Ŀ + ij + ij + ڳĿĿĿڿڿĿ + ijڿĿ + ijٳٳ + + ij['93] + ij + + TextWriters Application + + + + Introduction: + + + Morgue is a textfile writing group dedicated to free speech, and the + support of everything that is illegal. We're basically out to Fuck the + system. Discussion of hacking, phreaking, carding, and virii is typical. + We are always looking for new writers, and new ideas. For site applications, + please fill out the enclosed file MRGSITE.APP and upload it to one of the + boards at the end of this file. + + + + Part I. + + +Handle..............................: +Other Aliases.......................: +Legal FULL name.....................: +HOME Phone Number...................: +DATA Number.........................: +Birthdate (MM/DD/YR)................: +Age.................................: +Race................................: +State/City..........................: +Are you a legal U.S. CITIZEN........: +Marital Status......................: +Where are You Currently Employed....: + + Part II. + +Computer Speed/CPU.....: +Modem Type/Brand/Speed.: +Fixed Disk Capacity....: +OS Type and Version....: +Years of Computer Exp..: +Years of Modeming Exp..: +Current Text Editor....: + + Part III. + +# of Languages you can Program in........: +List All Languages you are adequate in...: + 1. + 2. + 3. + 4. + 5. +What have you written?...................: +Can you code Graphics/Music?.............: +Are you interested in ANSi Artist Status?: +Are you interested in VGA Artist Status?.: + + Part IV. 
+ +Do you write Virii?......................: +Do you write Trojans/Bombs?..............: +Do you own any Electro-Boxes?............: +Do you use them?.........................: +What is a PBX?...........................: + +What is a Diverter?......................: + +What is an Extender?.....................: + +What does a Beige box do?................: + +What does a Blue box do?.................: + +What does a Red box do?..................: + +What is a VMB?...........................: + +Do you hack VMBs?........................: +What have you ever hacked?...............: + + + Comments: + + + + + + Why should we accept this Application and give you status? + + + + Take this completed Application and upload it to one of the following boards +renamed to WRITER.APP, with the description "'s Application" + + Morgue Distribution Sites + + + Board Number Modem Status SysOp + + Ionic Destruction 215.722.4534 16.8k DUAL World HQ Phatal Error + The Eastern Alliance 717.BAK.JUNE 16.8k HST! Distro 1 Acidic Nature + Villa StrayLight 215.BAK.SOON 14.4k DUAL Distro 2 Anonymous Caller + Chromatic Death 215.755.9051 16.8k DUAL Distro 3 Emanon + Underworld Legacy 717.566.5750 14.4k v32b Distro 4 Corruptor + + + Morgue Member List + + Senior Members + + Phatal Error - President Acidic Nature - Vice President + Anonymous Caller - Vice President + + + Writers/Staff + + Phatal Error, Acidic Nature, Anonymous Caller, Social Distortion + ASCII Express, MalHavoc + Manifest Destiny + + Couriers + + Social Distortion - Head Courier + + + + \ No newline at end of file diff --git a/textfiles.com/piracy/APPLICATIONS/paw.app b/textfiles.com/piracy/APPLICATIONS/paw.app new file mode 100644 index 00000000..9dc86dd9 --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/paw.app 
@@ -0,0 +1,54 @@ + Pirates Analyze Warez (PAW) Generic Application + +Now on to our fifth issue, PAW continues to grow and, as always, more +staff will always be welcome. Individuals with some degree of writing +skill may wish to apply as Reviewers, those with some bucks as couriers +and any SysOps as sites. To do all this (and much more), simply fill +out the application below and submit it to the Apocalyptic Teacup BBS or +any of our sites. + +__________________________________________________________________________ + +POSITION APPLIED FOR: [_] Reviewer [_] Site + [_] Courier [_] Other ________ + +PERSONAL INFORMATION: + + Alias: ________________________________ + Real Name: ________________________________ + Group Affiliations: ________________________________ + ________________________________ + City, Province: ________________________, ______ + Voice Phone #: (___) ___-____ + Data Phone #: (___) ___-____ + + Source of Warez: ________________________________ + ________________________________ + + Game Types Preferred: 1. _____________________________ + (if reviewer app) 2. _____________________________ + 3. _____________________________ + + References: ________________________________ + ________________________________ + ________________________________ + ________________________________ + + +BBSING INFORMATION: + + Board Name (if any): ________________________________ + Board Number (if any): (___) ___-____ + Board Affiliations: ________________________________ + ________________________________ + Modem Type: ________________________________ + Computer Type: ________________________________ + Meggage: ________________________________ + Software/Mailer: ________________________________ + ________________________________ + + Years BBSing: ________________________________ + + +Attach Sample Review or BBS Information Below +-------------------------------------------------------------------------- 
diff --git a/textfiles.com/piracy/APPLICATIONS/planet.app b/textfiles.com/piracy/APPLICATIONS/planet.app new file mode 100644 index 00000000..a34a9de0 --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/planet.app @@ -0,0 +1,78 @@ + Ŀ + Ŀ Ŀ + o ÿ Ĵ Ŀ + ٳ o + Ĵ o + + The 0fficial NetW3rk of The Phreaks 0f the Industry + +Personal Inf0 + +Real FULL Name: +Handle: +Age: +Home Phone: + +In 5 lines or less, briefly describe yourself, and interests. +1) +2) +3) +4) +5) + + +Bulletin Board Inf0 + +BBS Name: +BBS Phone: +Online Storage: +Specialties (ie. H/P, Warez etc.): + +In 5 lines or less, briefly describe the atmosphere of your board, +and the overall attitude of your users. +1) +2) +3) +4) +5) + + +Network Setup Inf0 + +BBS Software: +Mailer Software: +Modem type: +Modem Speed: + +The Zone Coordinator sends mail between 4 and 5 am, daily. +Is this okay with you?: + +If you are long distance, can you poll at least 3 times a week +between 3 and 4 am?: + +------------------------- + +That's it! rename this file to the first eight letters of your bbs name. +for example, Joe runs Joe's place BBS, so joe calls his .app file + +JOESPLAC.APP + +now zip it up, and name the zip file the same thing. + +Call 4o5.72o.1666 and login as the following: + +UserId: planet +Pass: planet +phone: 6565 + +if asked for Birthday, 01/01/01 + +you will be taken directly to a file base to which you may upload your +application. You can do NOTHING else, so don't waste your time if +you're not serious. + +Thanks for applying to PlaNet. We will contact you voice or data +within 48 hours of reciveing your application. + + -U, Zone Coordinator + POi/PlaNet diff --git a/textfiles.com/piracy/APPLICATIONS/reviewer.app b/textfiles.com/piracy/APPLICATIONS/reviewer.app new file mode 100644 index 00000000..8b5a087b --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/reviewer.app 
@@ -0,0 +1,68 @@ + Pirates Analyze Warez (PAW) Reviewer Application + +As a new magazine, we are in need of additional reviewers to add to our +current staff. Potential reviewers should have access to the newest warez +(or be willing to call long distance to get them from us), a fair amount +of spare time and a decent amount of writing skill. Group affiliation, +while not a necessity, would be an asset as we are looking for input from +a wide, non-partisan cross-section of the pirate world. + +To apply, fill out the required information below and attach a review of +any new warez (preferably using the style of those already in the mag). +Upload this application to the Apocalyptic Teacup BBS at (416) 527-8852. +Other input (ie - new ideas, other articles, art, whatever) can also be +submitted. References are required for permanent BBS membership. + +We are also taking applications for formal distribution sites. Again, +fill out the below application and submit it to A. T. B. with a brief +note detailing what you have to offer instead of a review. Call back +in approximately 24-48 hours for additional information. + +Finally, we are in need of dedicated couriers both to distribute the +magazine and to assist in obtaining the warez in the first place. Again, +interested parties should fill out this application. +__________________________________________________________________________ + +POSITION APPLIED FOR: [_] Reviewer [_] Site + [_] Courier [_] Other ________ + +PERSONAL INFORMATION: + + Alias: ________________________________ + Real Name: ________________________________ + Group Affiliations: ________________________________ + ________________________________ + City, Province: ________________________, ______ + Voice Phone #: (___) ___-____ + Data Phone #: (___) ___-____ + + Source of Warez: ________________________________ + ________________________________ + + Game Types Preferred: 1. _____________________________ + (if reviewer app) 2. 
_____________________________ + 3. _____________________________ + + References: ________________________________ + ________________________________ + ________________________________ + ________________________________ + + +BBSING INFORMATION: + + Board Name (if any): ________________________________ + Board Number (if any): (___) ___-____ + Board Affiliations: ________________________________ + ________________________________ + Modem Type: ________________________________ + Computer Type: ________________________________ + Meggage: ________________________________ + Software/Mailer: ________________________________ + ________________________________ + + Years BBSing: ________________________________ + + +Attach Sample Review or BBS Information Below +-------------------------------------------------------------------------- diff --git a/textfiles.com/piracy/APPLICATIONS/rodapp.txt b/textfiles.com/piracy/APPLICATIONS/rodapp.txt new file mode 100644 index 00000000..baf4cd88 --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/rodapp.txt 
@@ -0,0 +1,63 @@ + Riders of Death Application Form +/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ + +Please edit this form with your favorite editor program and upload it to +the RoD home site at 305-885-0409. If you dont have access there,.just +leave me a message saying that you have something to upload me, and that +you are applying for RoD. And just apply for access.. you will get access +as soon as i can get to my computer and validate you! + +Answer these questions truthfully and to the best of your knowledge. + +/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ + +What is the handle you want to use? +: +What is your *REAL* name +: +Do you have anything to do with the FBI, police, cia, or any government +agencies? +: +If yes, which one? +: +Are you into h/p/a? +: +What can you contribute to us that will benefit the RoD? +: +If you are into h/p, please give me an example of an x.25 packet system, +and list 1 company that serves the needs for x.25 packet communications. +: +: +What is your home phone number? (for verification purposes only) +: +We dont need to know your address, but it is better for our records. +please put it here if you want to. +: +Name some people that could vouch for you? +: +: +Please tell me what is a CBI, UNIX system, and Telenet. +: +: +: +What do you like doing in your spare time with your computer +: +what kind of computer do you have? +: +Do you know how to access a board through tymnet/telenet +: + +Okay, that's pretty much it. If you have any questions or comments, feel +free to leave me, Sarah Connor, a message on any of the following boards + +&TOTSE (510) +Rat Head Systems (510) +Reality Check (415) +L I E S U N L I M I T E D +Crunchy Frog (305) + +Untill Next time.. I'll be back! + +Sarah Connor and the rest here at RoD! + + \ No newline at end of file 
diff --git a/textfiles.com/piracy/APPLICATIONS/rotbapp.txt b/textfiles.com/piracy/APPLICATIONS/rotbapp.txt new file mode 100644 index 00000000..d9c7fa5f --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/rotbapp.txt @@ -0,0 +1,33 @@ + THE + [R o T] + Reign of Terror + SiTE Application Form +============================================================================== +City BBS Located In: +State/Province/Region BBS Located In: +Country BBS Located In: +BBS Name: BBS Number: +NUP/General Password(if needed): +Sysop's Handle: +CoSysop/Sponsor's handles: +Number of Nodes + Modem Types/Speeds: + + +BBS Affiliations: +BBS Mail Nets: +Number of Active Users: +Total Hard Drive Space: +BBS Specialty(eg: H/P, W, etc..): +Other stats(LD users, files online, etc..): +------------------------------------------------------------------------------ + Submit to: + [R o T] [R o T] + WHQ US HQ + 6 T DR The Cellar + [604] 824-0317 [401] PRI-VATE +------------------------------------------------------------------------------ +Your application will be reviewed by the RoT Senior Executives and a RoT +representative will be sent to review your BBS. You will be notified after +a vote of the result. If accepted, the site's status will be discussed (ie: +Dist. Site, Member Board, Regional HQ) + diff --git a/textfiles.com/piracy/APPLICATIONS/rotuapp.txt b/textfiles.com/piracy/APPLICATIONS/rotuapp.txt new file mode 100644 index 00000000..6e668134 --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/rotuapp.txt 
@@ -0,0 +1,53 @@ + THE + [ R o T ] + Reign of Terror + Member Application Form +============================================================================== + [ R o T ] is always looking for membership candidates in the following areas: +Hacking, Phreaking, Programming/Virii Production, ANSI artists, Crackers, +0 Day Suppliers, and Couriers(specify H/P, W, or Both). + If you think you have considerable skill/experience in any of these +categories and would like to join the RoT team, then fill this form out and +return it to one of the HQ's listed after the application form. +============================================================================== +Handle: First Name: +Voice #(NO VMB's): +3 BBS's where we can:1: +contact you, plus :2: +numbers :3: +Specify which form of contact(BBS/Voice) is preferable: +If BBS, inform the sysops of our possible arrival. +------------------------------------------------------------------------------ +Which position/positions are you applying for: +How long have you participated in that activity: +On a 1 to 10 scale how would you rate your skill in that activity: +What affiliations do you have currently: +What speed/type are your modem(s): +Are you now or have you ever been a member of or affiliated with any +goverment agency, software company, or telephone company?: +If Yes, you must now specify exactly how you were affiliated with the afore +mentioned: +------------------------------------------------------------------------------ +<<>> +<<>> +<<>> + + + + + + + + +============================================================================== + SUBMIT THIS TO: + 6 T DR The Cellar + [R o T] [R o T] + WHQ US HQ + [604] 824-0317 [401] PRI-VATE +============================================================================== +Your application will be reviewed, if you are deemed a suitable candidate +an RoT member will contact you in the afore specified manner and an interview +at our WHQ will be set up between you and a RoT 
Senior Executive. You will +be voted on and notified of the result. Thank you. + diff --git a/textfiles.com/piracy/APPLICATIONS/site.rul b/textfiles.com/piracy/APPLICATIONS/site.rul new file mode 100644 index 00000000..c4779012 --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/site.rul 
@@ -0,0 +1,83 @@ + + +To Become a MoRGUE Distribution Site, you must follow the following guides. + + + +HD Capacity: Hard drive space is not an option. We know not everyone can + afford a gigabyte HD with a 98mb caching EISA/VLB controller, + so there really is no emphasis on HD size. + +Modem Speed: We would prefer all sites to be high speed, but it is not a + prerequisite. We know that 24oo boards have alot to offer, + for example, most H/P boards are 24oo these days. Again, not + everyone can afford a v.fast 28.8k HST Dual. Having a 14.4k + v32bis, 14.4k HST/DUAL, or a 16.8k HST/DUAL would be great. + If you are 96oo+ your chances are good. + +Software: BBS Software may not sound like much to you, but we really + don't want any RBBS sites. If you run PD garbage software, + chances are, you won't get accepted. Renegade, Telegard, + Paragon, Revelation, RiP-X, ViSiON(-X), or any Forum hack + for that matter are acceptable. Don't expect to have a + Searchlight BBS Distro-ing for MoRGUE. + +Operation Hours: This is a biggie. If you don't run a 24/7 bbs, forget it. + I don't need a corny little 10pm-9am board with your parents + picking up every 5 minutes killing an Xfer. + + + + +User Base: We're looking for a board with good, quality users. No PD + shit users. A board with 40 users won't work. One with 140 + is alot more reasonable. + +Files: Boards with warez aren't always bad. We don't want ]<-Ra]) + \/\/arez ])00])s with 9000gig boards. A simple system with + new stuff is adequate. H/P boards really are a first choice + though. + A MoRGUE File area with NO-RATIO Downloads will be required. + +Messages: A MoRGUE Message Base will be a prerequisite. + +NETMail: A Board with HackNET, PhreakNET, ShitNET, etc will probably + get status before Tom's Diner BBS with 3 local bases. In the + future, there may be a MoRGUE Related NET. All sites will be + REQUIRED to poll it from the nearest site, or the WHQ. 
+ +SysOps: Only the respected sysop who's not on every blacklist in the + nation will be given status. SysOps must agree to give all + MoRGUE Members user status on their board, as well as our + courier. If there are any problems here, the status will be + terminated along with the courier feed. + + + + + All sysops will have to set up an account with full access for one of the + two reigning v.p.'s or the president to evaluate it. This will be discussed + on the phone. + + All Boards must display the MoRGUE Distro Status in their advertisements, + zip blurbs etc. + + All Boards must provide basic information to us for the Tfile Member Lists. + Phone Numbers NEED NOT be included. (i.e. The BBS XXX-XXX-XXXX 14.4 HST...) + + All boards must display the morgue logo ansi at logon, or somewhere on the + system. This is not much to ask. + + Only quality users must be given access to the MoRGUE Bases. + + + + + This file should be read thoroughly before you attempt to apply. If you think +you have a chance, apply! We are more or less looking for a few good sites. + + +-Acidic Nature + + + \ No newline at end of file diff --git a/textfiles.com/piracy/APPLICATIONS/siteappt.txt b/textfiles.com/piracy/APPLICATIONS/siteappt.txt new file mode 100644 index 00000000..79511283 --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/siteappt.txt 
@@ -0,0 +1,71 @@ + + + -=[** Ultra Tech **]=- + -=[** The Ultimate Group **]=- + + + Ultra Tech is now taking applications for Ultra Tech BBS'S + The fee is 100 dollars including LSD BBS software and 50 + dollars without LSD software. Among other things you will + recieve for your fee is toll free net-mail rights as well + as 0 day waresuploaded by our ultra baby couriers. + And of course you will part of the most prestiges group in + the Pirate world today + + If you can commit to making this effort successful, then + fill in the application and leave it on Ultra Tech BBS or + Twin Peaks. Starwolf and Captain Tom will be coordinating + things so upload this appt. to either the Ultra Tech BBS + or Twin Peaks BBS + + ****=[ Ultra Tech BBS Application ]=**** + + + Handle........: + + Real 1st Name.: + + Voice Phone #.: + + Time to call..: + + Your BBS Name.: + + Your BBS Num..: + + BBS BAud RAte.: + + BBS NUP:......: + + BBS Reference.: Board Name Number + + 1. + 2. + 3. + + Sysop Reference: (These guys will vouch for me) + + 1. + 2. + 3. + + Groups ........: (I am in the following groups) + + 1. + 2. + 3. + + Remarks........: (Why should we select you????) + + 1. + 2. + 3. + + Ok, that does it. If you are selected you will be contacted + voice by either starwolf or myself. Thanks for supporting + Ultra Tech. + + + + + \ No newline at end of file diff --git a/textfiles.com/piracy/APPLICATIONS/slaveapp.txt b/textfiles.com/piracy/APPLICATIONS/slaveapp.txt new file mode 100644 index 00000000..4ece4af2 --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/slaveapp.txt 
@@ -0,0 +1,101 @@ + +Feb. 24th, 1990 + + TL Here. First off, I want it known, I am not longer TL or The Timelord, but +rather The Slavelord. Good, got it? Great. You can also call me master. Why +the handle change you ask? Well I am now the Slave Driver for The Humble Guys. +If you are reading this, then you are reading an application to be a Slave +for THG. Got it? Good. Let's continue. + + First off, being a THG slave is very simple, prestigious, and alot of +fun. How can being a slave be prestigious? Well simple, slaves will have THG +wares FIRST. And since THG puts out ALL WARES FIRST, then you of course will +have first dibs on the wares. Also, being a slave is an Anonymous job. Your +handle will be simply Humble Slave#xx (where xx is the slave number). However, +like the marines, we are looking for a few good slaves. There are also a few +basic rules to being a THG slave. Most important, remember that myself and ALL +THG members are to be treated as God's. We are your patron diety. Number 2, +you will do anything we ask. If that means name your first born son after us, +then do it. As a matter of fact, I want you all to name your first born son +SL. Got it? Good. Now, how do you become a THG slave? This is the easy part. +Just fill out the application here and send it to either one of these fine +boards: + + The Slave Den + [9O4] 376 1117 + SysOp: The Slavelord + + Candyland \ The Humble Guys / Tye Die Control Center + [615] 333 6561 / World Headquarters \ [615] 832 9277 + + + All of these boards runs at 9600 HST speeds (lock in at 38.4 if you have a +16550 UART chip and a 14.4 or DS). Now, lets get to the application. 
+ + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + Application to be bonded into SLAVERY +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +What is your handle :_________________________ + +What is your REAL NAME :_________________________ + +What is your home phone #:_________________________ + +What is your date of birth:__/__/__ + +What is the make and model of your modem:_____________________________ + +List the top boards you are on and their phone numbers (5 lines) + + Board Name Board Number SysOp + +1) ________________________ (___)___-____ _____________________ + +2) ________________________ (___)___-____ _____________________ + +3) ________________________ (___)___-____ _____________________ + +4) ________________________ (___)___-____ _____________________ + +5) ________________________ (___)___-____ _____________________ + +Now we have some personal questions to ask you to make sure that you are +slave quality. + +1) If I asked you to jump, what would your reply be? ________________________ + +2) Do you believe in the use of K-Y jelly, or do you like it straight up? ___ + +3) As a slave, would you be willing to sell your mother into prostitution +if I told you to do so? ___ + +4) As a slave, if I told you to send me your computer, would you? ___ + +Now it is essay times kiddies, this essay is real simple. Just go ahead +and tell me WHY I should even go and consider you as a slave. 
+ +Subject:____________________________________ +To :The Slavelord + +______________________________________________________________________ +______________________________________________________________________ +______________________________________________________________________ +______________________________________________________________________ +______________________________________________________________________ +______________________________________________________________________ +______________________________________________________________________ +______________________________________________________________________ + + +Good, now that you have successfully finished filling out this application, +make sure to send it to one of the 3 boards listed above. Make sure to +leave it for The Slavelord. + + The Slavelord + + + + + diff --git a/textfiles.com/piracy/APPLICATIONS/tasd.app b/textfiles.com/piracy/APPLICATIONS/tasd.app new file mode 100644 index 00000000..5334ef1a --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/tasd.app 
@@ -0,0 +1,139 @@ + + + .ijĿij Ŀ ij . + ij Ŀ ij. Ŀ + ڳ ij ij + ij + ٳ Ŀ . ijĿ Ĵ + . ij ij. + . ó . + ۰ . ܰ + .۱ . ߱ ۰ . . + . . + . + . . + + - The Association of Social Disorder - + +[ APPLICATIONS FOR DISTRO/COURIER/WRITER ] + + The following form is to be filled out and returned in email to Wilco on any +of the following boards : + +͸ + Realm of Warriors (201) 728.0941 NUP:Darkness + Countdownt to Extinction (212) 765.1701 + Lineman's Lair (417) 883-1137 NUP:Betatest +; + +NOTE : You can also return this to any TASD member and it will be taken to + me for review. + +Real name [.....................................] +Handle(s) [.....................................] +Voice phone number [............] +Address [.......................................] + [.......................................] +Country [............] +Zip code [......] +Modem speed [......] + +If you run a board please fill in the following info + +Board name [..............................................] +Board number [............] +Board BPS speed [......] +NUP [....................] + + Network Name - Zone:Host/Node.Point # +Specify network [.............................................] +affiliations [.............................................] + [.............................................] + + +What posistion in TASD are you applying for? +[..........................................] + +Are you a member of any other HPA related groups? ( If so, list ) +[............................................................................] + +If Answer to above question was yes, what is your posistion(s)? +[............................................................................] + +What do you have to offer TASD in your posistion? +[............................................................................] +[............................................................................] 
+ +Name some of the best HPA boards that you frequent - + + Name Number NUP +[...........................] [............] [...........] +[...........................] [............] [...........] +[...........................] [............] [...........] + +-[ Knowledge questions ]- + + In the following listing of subjects please place an number between 1 and +4 by each one with a 1 representing no knowledge of a subject to a 4 being an +expert on the topic. + +1 = Know nothing about it +2 = Aware of the basic ideas and concepts +3 = Fairly good, but could be better +4 = Pretty much know it all + +PBX/CBX computer hacking [.] +General micro computer BBS hacking [.] +General mini computer hacking [.] +General mainframe computer hacking [.] +General electronic circuitry [.] +Cellular phone phreaking [.] +Virus/Trojan writing-information [.] +General scams for money [.] +Carding [.] +Phreaking via non-PBX/950 ways [.] +Chemistry in terror/fun [.] +Legal issues concerning computers [.] +General computer programming [.] +Assembler programming [.] +C programming [.] +TP programming [.] +Music programming/writing [.] +VGA/MCGA/Mode X programming [.] +Radio/Ham/Scanners [.] +Presonal information dbases [.] +Packet radio [.] +General info on telco systems [.] +Drug production [.] +Other drug information [.] +Encryption/Decryption [.] +Audio survailiance [.] +Burglery [.] +Shoplifting [.] +Personal property destruction [.] +Trashing [.] +Cable phreaking [.] +Stealth covert operations [.] +COCOT phones [.] + + If there is any other 'special' area of expertise you have please list on +the next few lines... + +[1.] +[2.] +[3.] +[4.] +[5.] + + How should I get in contact with you to explain the status of your membership? + +[1.] +[2.] + +Note - Not a good idea to make me call boards I am not on to get in response + with you. This takes way too much of my time up. + + This concludes the application procedure, now just call, find a TASD board or +member and give this to them. 
(Refer to the opening statements) + [ May 25 1993 ] + [ Wilco -Founder of TASD ] diff --git a/textfiles.com/piracy/APPLICATIONS/usacour.app b/textfiles.com/piracy/APPLICATIONS/usacour.app new file mode 100644 index 00000000..e95296e6 --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/usacour.app 
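Review bot: In the tasd.app hunk the logo block at the top of the file has come through as mojibake ("ijĿij Ŀ ij", "۰", "ܰ" and similar runs), while the form text below it is intact, which indicates the CP437 box-drawing bytes were decoded as a different code page before commit. Re-add the file from the original bytes (or transcode CP437 to UTF-8 consistently across the whole APPLICATIONS directory) so the header art is preserved; as committed, the first dozen lines of the hunk are unrecoverable noise.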
@@ -0,0 +1,93 @@ + + USA Courier Application + + + So, you're thinking of becoming a courier? + Before you bother to fill out this application, + and possibly waste my time and yours, let me + fill you in on what we're looking for in our + couriers. When you become a USA courier, it + means that you are donating your time(and this + job is very time consuming) to USA in exchange + for the privelage of being associated with a + highly respected national level group. It will + be required that you are available to courier + at all hours of the night and be able to be + reached regularly in the afternoon and evenings + usually from 3pm to 10pm. If you have a daily + engagement such as a job or school, this must + be specified upfront, and you will be required + to call one of several pre-specified boards to + check on any new wares several times a day. + Feel free to fill out this application, and if + you think you are worthy of being a USA courier, + then send the application up to The BBS-A-Holic + or Enterprize Elite in the form: YOURNAME.APP + + + + Enter your full legal name: ................................. + Home Voice Phone: (...) ...-.... Data Phone (...) ...-.... + Office Voice Phone: (...) ...-.... + Street Address: ....................................... + City, State ZIP: ....................................... + Birthday: (../../..) Age: .. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + Please list the USA affiliated boards that you have already recieved full + validation on: .......................................................... + .............................................................. 
+ List the 10 best boards that are not affiliated with USA that you have full + access on: + Board Name Sysop Phone Number Group affiliation + 1> + 2> + 3> + 4> + 5> + 6> + 7> + 8> + 9> + 10> + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + Do you have the means of making multiple long distance calls at extended + lengths of time at least 4 days out of every week? (Y/N) + + Do you have any form of employment? If so, what is your current job? + ...................................................................... + + If you are a student, what grade or level are you at, and at what time + do you arrive home? + ...................................................................... + + What other computer oriented groups(if any) have you been affiliated + with in the past? + ..................................................................... + + How often do you call out by means of modem? + ................................... + + When are you usually available? (Please fill in times of the day) + Monday - Tuesday - Wednesday - + Thursday - Friday - + Weekends - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + And finally, please leave any additional comments as to what expierience + you have, and anything that may sway my decision towards making you a + USA courier: + ........................................................................ + ........................................................................ + ........................................................................ + ........................................................................ + ........................................................................ + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + Thank you for supporting USA, we will try to get back to you as soon as + possible. + -Suicidal + -USA Member + + + + + 
diff --git a/textfiles.com/piracy/APPLICATIONS/wizapp.txt b/textfiles.com/piracy/APPLICATIONS/wizapp.txt new file mode 100644 index 00000000..dacb7d74 --- /dev/null +++ b/textfiles.com/piracy/APPLICATIONS/wizapp.txt 
@@ -0,0 +1,112 @@ + + _--_|\ + WizNet / \ WizNet : 237:1313/1 + Roleplaying is \/--\__/ OPEN : 37:300/100 + our speciality! \/ NuitNet : 666:4310/0 + VampNet : 300:6103/18 + FidoNet : 3:632/362 + Phone : 613-882-1217 + + NEW NODE APPLICATION + + + + The answers given will remain STRICTLY confidential and will not be + made public. The information is sought in order for the network to + streamline the flow of mail. It is MANDATORY to return this form + by way of netmail in order to prove that your system is able to + send and receive netmail, since this ability is a pre-requisite for + your participation in the network. + + I look forward to having you in the network! + Morticia + + + + Please crash mail the completed form to 237:1313/1. You should use + the WizNet address 237:1313/999 to send it, no session password is + necessary. You are required to crash mail this as a file attach to + prove you have mailer capabilities. + + + + + Tear off here! - - + +SysOp Real Name : + +SysOp Alias : + +Home Phone : + +9am-5pm phone : +(not compulsary) + +BBS Phone(s) : + +Postal Address : + : + +BBS Name : + +BBS Location : + +Computer type/ +operating system : + +BBS Software : + (SBBS, RA, Ezycomm, etc) + +Average daily volume of mail (if known): (in Kb or messages) + +Other private network(s) or other BBSs with which you are currently +exchanging mail. Please also supply other node number(s): + + + + +Where do you currently get/deliver mail (if applicable): + + + + +Frontdoor 2.02 (Used by Wizard's Tower) . . .[ ] +Other (specify) . . .[ ] .............. + +Does it support WaZOO file requests? Y/N . . .[ ] + +What is your maximum baud rate: + + 1200 . . .[ ] 2400 . . .[ ] + 9600 . . .[ ] 12000 . . .[ ] + 14400 . . .[ ] 19200 . . .[ ] + 24400 . . .[ ] 28800 . . .[ ] + +Modem Protocol(s): + + v21 . . .[ ] v22 . . .[ ] + v22bis . . .[ ] v23 . . .[ ] + v32 . . .[ ] v32bis . . .[ ] + v42 . . .[ ] v42bis . . .[ ] + Hayes v9600 . . .[ ] HST . . .[ ] + PEP . . .[ ] MNP4 . . 
.[ ] + MNP5 . . .[ ] V.FC . . .[ ] + Other . . .[ ] ................ + +Operational detail(s): + +Mail Only (No human callers) . . .[ ] +Continuous Mail . . .[ ] +Limited Hours (please specify) . . .[ ] ................ + +Any other information you'd like to tell me? + + + + + + + End of the questionnaire - Thanks! + + +Copyright (c) WizNet, 1994. All rights reserved. diff --git a/textfiles.com/piracy/COURIERS.1 b/textfiles.com/piracy/COURIERS.1 new file mode 100644 index 00000000..1e6517df --- /dev/null +++ b/textfiles.com/piracy/COURIERS.1 @@ -0,0 +1,66 @@ + +T E X T F I L E S + +

Piracy Textfiles: Courier Membership Lists and Introductions

+

+Of of the more intruiging aspects of the microcomputer piracy subculture has +been the rise of "Courier Groups", which are dedicated to the sole purpose of +transporting pirated games from the groups that pirate to high-traffic web +sites and BBSes, often available with a membership fee. This more shark-like +piracy approach rose in the early 1990s with the PC world, and by the +middle of the decade, it was an established near-industry. +

+ + + + + +
+
Filename
Size
Description of the Textfile
9kc0195.nfo 6123
9000 COURIERS: Introduction, Cast List, BBS List, Ad +
9kc0594.nfo 5991
9000 COURIERS: Staff List, BBS List, Ad +
9kc1094.nfo 3540
9000 COURIERS: Staff List, BBS List, Fresh Warez Guaranteed! +
9kc1294.nfo 6754
9000 COURIERS: Member List, BBS List +
alpha.txt 2566
ALPHA: Courier Spreader Identifier +
ambition.nfo 5583
AMBITION: Courier and Trader List, January 1997 +
cocaine.nfo 4344
COCAINE: Courier List, Members, Greets, Boards +
cod.nfo 3409
COURIERS OF DARKNESS: Member and BBS List +
courier.app 2370
PE: Public Enemy Courier Application +
devo0193.nfo 1830
DEVO Couriers, January 5, 1993 +
devo0195.nfo 4362
DEVO Couriers, April 1, 1995 +
devo0294.nfo 759
DEVO Couriers, February, 1994 +
devo0893.nfo 4553
DEVO Couroiers: AxiS The Movie, Final Release, August 25, 1993 +
fuck.it 248
Gravity's Pull Courier File from Lightnin Hopkins +
htc-rel.nfo 2948
HTC: High Tech Couriers, 1995 +
htc1095.nfo 11292
HTC: High Tech Couriers 10 1995 Member List and Board List +
iit'94.nfo 5354
IIT: Israel's Internet Traders Courier List +
inc604.txt 1085
Tag File for the Incarcerated Scarfaces Courier Group +
menace.asc 3774
MENACE: Courier List +
risc'is 1141
The Tag for Rise in Superior Couriering +
risc0295.nfo 4864
RISC: Rise in Superior Couriering 2/1995 +
risc0296.nfo 5841
RISC: Rise in Superior Couriering 2/1996 +
risc0394.nfo 8484
RISC: Rise in Superior Couriering 3/1994 +
risc0595.nfo 5327
RISC: Rise in Superior Couriering 5/1995 +
risc0795.nfo 5742
RISC: Rise in Superior Couriering 7/1995 +
risc0996.nfo 5593
RISC: Rise in Superior Couriering 9/1996 +
risc1.nfo 5399
RISC: Rise in Superior Couriering Member and Board Lists +
risc1293.nfo 7186
RISC: Rise in Superior Couriering 12/1993 +
risc94.nfo 8423
RISC: Rise in Superior Couriering, Welcome Alpha Couriering! +
rsc0595.nfo 5326
RISC: Rise in Superior Couriering 5/1995 +
stealth.nfo 5762
STEALTH: Stealth Couriers Member and Board List +
t4d.nfo 5666
GENESIS: Courier/Board List +
tca.nfo 5326
TCA: The Courier Associated Board and Member List +
therapy.nfo 7169
THERAPY: Courier and Member List 1995 +
uc.nfo 8548
UC: United Couriers Third Year Anniversary +
uc1092.nfo 4218
UC: Uniter Couriers Member and Board List, October 1992 +
uc1093.nfo 6787
UC: Uniter Couriers, Member and Board List +
uc1094.nfo 8042
UC: Uniter Couriers Member and Board List 1994 +
wwc93.nfo 7840
WWC: World Wide Couriers: Member List +
lsd.nfo 9344
LSD: Light Speed Distributors, the Official Courors of Vision +

There are 40 files for a total of 208,913 bytes.

+Important Credit: A portion of these files came from a site called the +Defacto2 Scene Archive, +and were acquired and saved by the folks of that group. They've done a +wonderful job on the site, and it is highly reccommended that you check +it out. + + diff --git a/textfiles.com/piracy/COURIERS/.windex.html b/textfiles.com/piracy/COURIERS/.windex.html new file mode 100644 index 00000000..73784364 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/.windex.html @@ -0,0 +1,66 @@ + +T E X T F I L E S + +

Piracy Textfiles: Courier Membership Lists and Introductions

+

+Of of the more intruiging aspects of the microcomputer piracy subculture has +been the rise of "Courier Groups", which are dedicated to the sole purpose of +transporting pirated games from the groups that pirate to high-traffic web +sites and BBSes, often available with a membership fee. This more shark-like +piracy approach rose in the early 1990s with the PC world, and by the +middle of the decade, it was an established near-industry. +

+ + + + + +
+
Filename
Size
Description of the Textfile
9kc0195.nfo 6123
9000 COURIERS: Introduction, Cast List, BBS List, Ad +
9kc0594.nfo 5991
9000 COURIERS: Staff List, BBS List, Ad +
9kc1094.nfo 3540
9000 COURIERS: Staff List, BBS List, Fresh Warez Guaranteed! +
9kc1294.nfo 6754
9000 COURIERS: Member List, BBS List +
alpha.txt 2566
ALPHA: Courier Spreader Identifier +
ambition.nfo 5583
AMBITION: Courier and Trader List, January 1997 +
cocaine.nfo 4344
COCAINE: Courier List, Members, Greets, Boards +
cod.nfo 3409
COURIERS OF DARKNESS: Member and BBS List +
courier.app 2370
PE: Public Enemy Courier Application +
devo0193.nfo 1830
DEVO Couriers, January 5, 1993 +
devo0195.nfo 4362
DEVO Couriers, April 1, 1995 +
devo0294.nfo 759
DEVO Couriers, February, 1994 +
devo0893.nfo 4553
DEVO Couroiers: AxiS The Movie, Final Release, August 25, 1993 +
fuck.it 248
Gravity's Pull Courier File from Lightnin Hopkins +
htc-rel.nfo 2948
HTC: High Tech Couriers, 1995 +
htc1095.nfo 11292
HTC: High Tech Couriers 10 1995 Member List and Board List +
iit'94.nfo 5354
IIT: Israel's Internet Traders Courier List +
inc604.txt 1085
Tag File for the Incarcerated Scarfaces Courier Group +
menace.asc 3774
MENACE: Courier List +
risc'is 1141
The Tag for Rise in Superior Couriering +
risc0295.nfo 4864
RISC: Rise in Superior Couriering 2/1995 +
risc0296.nfo 5841
RISC: Rise in Superior Couriering 2/1996 +
risc0394.nfo 8484
RISC: Rise in Superior Couriering 3/1994 +
risc0595.nfo 5327
RISC: Rise in Superior Couriering 5/1995 +
risc0795.nfo 5742
RISC: Rise in Superior Couriering 7/1995 +
risc0996.nfo 5593
RISC: Rise in Superior Couriering 9/1996 +
risc1.nfo 5399
RISC: Rise in Superior Couriering Member and Board Lists +
risc1293.nfo 7186
RISC: Rise in Superior Couriering 12/1993 +
risc94.nfo 8423
RISC: Rise in Superior Couriering, Welcome Alpha Couriering! +
rsc0595.nfo 5326
RISC: Rise in Superior Couriering 5/1995 +
stealth.nfo 5762
STEALTH: Stealth Couriers Member and Board List +
t4d.nfo 5666
GENESIS: Courier/Board List +
tca.nfo 5326
TCA: The Courier Associated Board and Member List +
therapy.nfo 7169
THERAPY: Courier and Member List 1995 +
uc.nfo 8548
UC: United Couriers Third Year Anniversary +
uc1092.nfo 4218
UC: Uniter Couriers Member and Board List, October 1992 +
uc1093.nfo 6787
UC: Uniter Couriers, Member and Board List +
uc1094.nfo 8042
UC: Uniter Couriers Member and Board List 1994 +
wwc93.nfo 7840
WWC: World Wide Couriers: Member List +
lsd.nfo 9344
LSD: Light Speed Distributors, the Official Courors of Vision +

There are 40 files for a total of 208,913 bytes.

+Important Credit: A portion of these files came from a site called the +Defacto2 Scene Archive, +and were acquired and saved by the folks of that group. They've done a +wonderful job on the site, and it is highly reccommended that you check +it out. + + diff --git a/textfiles.com/piracy/COURIERS/9kc0195.nfo b/textfiles.com/piracy/COURIERS/9kc0195.nfo new file mode 100644 index 00000000..6f3183a5 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/9kc0195.nfo @@ -0,0 +1,79 @@ + 9 0 0 0 c + + DM + + + + + + + + + + + + + + + +< 9 0 0 0 C o U R i E R S >ķ + + -/- HiGH CoUNCiL -\- + + -/\- ToAST -/\- + RAiSTLiN - LiTHIuM - USTASA + + -/- MEMBERS -\- + + FATAL ERRoR - REVANANT + CoRPSE - SWiTCH BLADE - CARNAGE + + -/- ART AND CoDiNG -\- + + KiNSLAYER - FoRD PREFECT - RoSCo - GRiFTER + - DADDYMAC - + + -/- 9000C BoARDS -\- + + CiTADEL OF CHAoS 3 NoDEZ/5.5 iTS-NoT-LAME SWiTCH BLADE WoRLD HQ + MEDUSA'S DoMAiN 7 NoDEZ/9.0 iTS-NoT-LAME MEDUSA CoURiER HQ + + MAXiMUM CARNAGE 2 NoDEZ/3.1 iTS-NoT-LAME CARNAGE AFFiLiATED + + THE NEiTHERWoRLDS 1 NoDE /1.5 iTS-NoT-LAME LiTHIUM MBR BoARD + BEYoND THE CEMETARY 2 NoDEZ/1.0 iTS-NoT-LAME CoRPSE MBR BoARD + ALTERED iNSANiTY 1 NoDE /1.8 iTS-NoT LAME RoSCo MBR BoARD + + THE ToXiC DUMP 2 NoDEZ/1.2 XXX-iTS-9000 DARKWiNG DiSTRo! + BACKSTAGE 2 NoDE /345 XXX-iTS-9000 BLACK FRiDAY DiSTRo! + ACCESS DENiED 2 NoDE /1.2 XXX-iTS-9000 PHANTASM DiSTRo! + CENSoRY ASSAULT 2 NoDEZ/1.2 XXX-iTS-9000 FATAL ERRoR DiSTRo! + THE SUB-ETHA NET 3 NoDEZ/2.0 XXX-iTS-9000 FoRD PREFECT DiSTRo! + + + -/- GRoUP NEWS -\- + + + + + + iNTERESTED iN JoiNiNG 9000 CoURiERS? + + CALL: 905-333-1430 + LoGIN: 9000c + PWoRD: CHiCKEN + + AND UPLoAD ToAST A MESSAGE ABoUT WHAT YoU CAN oFFER 9000C. + + + -/- GREETiNGS Go oUT To -\- + + + + + + AND THE WHoLE ENTiRE SCENE! --- ESPECiALLY THOSE WHo GoT BUSTED! + + -/- THE SCENE WiLL NEVER DiE -\- + -!TWH!- +< TRADING GAME WAREZ ONLY >Ľ 
diff --git a/textfiles.com/piracy/COURIERS/9kc0594.nfo b/textfiles.com/piracy/COURIERS/9kc0594.nfo new file mode 100644 index 00000000..4419958a --- /dev/null +++ b/textfiles.com/piracy/COURIERS/9kc0594.nfo 
@@ -0,0 +1,82 @@ + + + ܱ ܱ ܱ ܱ ܱ ܱ +۲ ۲ ۲ ۲ + ۲ ۲ ۲ ۲ + ۲ ۲ ۲ ߲ ߲ ߲ ߲ + m + + ۲ El President ۲ + + THE PREDATOR + + + ۲ Senior Staff ۲ + + + Newton P. Forgery - Gorguts - Rawhead Rex - Wolvy + + + ۲ 9000 Couriering Crew ۲ + + Alternative - Anonymous - Fatal Error - Ford Prefect + Hurricane - Death's Head - Masala - The Overlord - Wiseguy + + ۲۲ + + Greetz to cool 9000c members and our friends! + + ۲۲ + + + ۲ 9000c Bulletin Boards ۲ + + Chronic Addiction 2 NODE/1.0 GIG 905.388.4326 THE PREDATOR WORLD HQ! + + ۲۲ + + Unlimited Power 3 NODE/7.2 GIG 905.XXX.XXXX Raider COURIERHQ + Apocalyptic Teacup 2 NODE/3.1 GIG 905.XXX.XXXX Mad Hatter COURIERHQ + Cryptic Ville 1 NODE/550 MEG 905.XXX.XXXX Rawhead Rex COURIERHQ + + ۲۲ + + The Nocternal Tower 1 NODE/500 MEG 905.XXX.XXXX The Overlord AFFILIATE + Twist of Cain 1 NODE/300 MEG 905.XXX.XXXX Gorguts AFFILIATE + + ۲۲ + + Infinity INC. 2 NODE/500 MEG 905.XXX.XXXX Orion DIST SITE + African Relaxation 1 NODE/210 MEG 905.XXX.XXXX Hipe DIST SITE + Another Dimension 1 NODE/850 MEG 905.XXX.XXXX Jazz DIST SITE + Midnight Sun 1 NODE/500 MEG 905.XXX.XXXX Zarathos DIST SITE + Splendor Solis 1 NODE/1.4 GIG 905.XXX.XXXX Dark Lord DIST SITE + The Collective 2 NODE/625 MEG 905.639.3819 Picard DIST SITE + Armegeddon 1 NODE/450 MEG 905.648.8383 Mac DIST SITE + Order & Chaos 1 NODE/500 MEG 905.XXX.XXXX Devine Chaos DIST SITE + + YOUR BOARD ? NODE/??? ??? ???.???.???? YOUR NAME WILL SEE + + ۲۲ + + SYSOPS: If your board info is incorrect, contact a senior member + + ۲ TRADING GAME WAREZ ONLY ۲ + + 9000 Couriers are dedicated to trading game warez only! + + ۲۲ + + To get in on the 9000 action as a Courier or Distribution Site, + contact one of our Senior Members or get on the horn and dial up + Chronic Addiction for information. + + ۲ Group Greetings: ۲ + + + + ۲ Personal Greetings: ۲ + + Rawhead Rex - Newton P. Forgery + + ۲۲ 
diff --git a/textfiles.com/piracy/COURIERS/9kc1094.nfo b/textfiles.com/piracy/COURIERS/9kc1094.nfo new file mode 100644 index 00000000..cba80069 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/9kc1094.nfo @@ -0,0 +1,57 @@ + +< 9 0 0 0 C O U R I E R S >ķ + + El President + + Wolvy + + Senior Staff + + Switch Blade - Newton P. Forgery - Raider + + Courier Co-Ordinators + + THE PREDATOR - Rawhead Rex + + Couriers + + Alternative - Anonymous - Fatal Error - Toast - Wiseguy + Raistlin - Ford Prefect - Lithium + + 9000 HEADQUARTERS + + Unlimited Power 4 NODE/10.5 905-XXX-XXXX Raider 9000C WHQ! + + Citadel of Chaos 2 NODE/1.6 GIG 905-XXX-XXXX Switch Blade COURIER HQ + The Sub-Etha Net 2 NODE/2.0 GIG 905-XXX-XXXX Ford Prefect LOCAL HQ + + Maximum Carnage 2 NODE/3.1 GIG 905-XXX-XXXX Carnage AFFILIATED + Cryptic Ville 1 NODE/550 MEG 905-XXX-XXXX Rawhead Rex AFFILIATED + + The Toxic Dump 2 NODE/1.2 GIG 905-XXX-XXXX Darkwing DISTRO! +< TRADING GAME WAREZ ONLY >Ľ + + 9000 Couriers are dedicated to trading game warez only! + + `Fresh Warez GUARANTEED!' + + Need to contact 9000 Couriers? Call ANY 9000 Couriers + board and leave E-Mail to THE PREDATOR! We're looking + for Distribution Sites at the moment, 2 more sites are + availale at this time! + + Greetings & Such: + + Wiseguy - Thats it! YOUR OUT! + Rawhead Rex - BRE cheat! + Newton P. - Coolness as usual.. :) + Raider - Grab your 28.8's today!! + Toast - Welcome to the group. + Lithium - Ditto. + Switch Blade - Thanks for the support. + Wolvy - Excellent job, as usual.. + Wiseguy - OK, your back in.. + *Nine Continents* - Go back to Toronto, lamer.. + + + THE PREDATOR diff --git a/textfiles.com/piracy/COURIERS/9kc1294.nfo b/textfiles.com/piracy/COURIERS/9kc1294.nfo new file mode 100644 index 00000000..9f9deb38 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/9kc1294.nfo 
@@ -0,0 +1,86 @@ + 9 0 0 0 c + + DM + + + + + + + + + + + + + + +< 9 0 0 0 C O U R i E R S >ķ + + -/- MEMBERS -\- + + RAiSTLiN -/\- TOAST -/\- USTASA + WiSEGUY - LiTHiUM - FATAL ERROR - KiNSLAYER + ViOLENT FURY - REVENANT - DESTROYER - RAiDER + SWiTCH BLADE - FORD PREFECT - CARNAGE + + -/- ART AND CODiNG -\- + + KiNSLAYER - FORD PREFECT - ROSCO - GRiFTER + - DADDYMAC - + + -/- UPLOAD YOUR APPLiCATiON TODAY! -\- + + -/- GROUP AFFiLiATiONS -\- + + - NARC - + + -/- 9000C BOARDS -\- + + UNLiMiTED POWER 5 NODEZ/10.5 V34 iTS-TOO-COOL RAiDER W H Q! + + CiTADEL OF CHAOS 4 NODEZ/5.5 V34 iTS-NOT-LAME SWiTCH BLADE COURiER HQ + THE SUB-ETHA NET 3 NODEZ/2.0 VFC iTS-NOT-LAME FORD PREFECT LOCAL HQ + + MEDUSA'S DOMAiN 7 NODEZ/9.0 V34 iTS-NOT-LAME MEDUSA AFFiLiATED + MAXiMUM CARNAGE 4 NODEZ/3.1 VFC iTS-NOT-LAME CARNAGE AFFiLiATED + + DESTROYER'S REALM 2 NODEZ/500 V32 iTS-NOT-LAME DESTROYER MBR BOARD + KiLLER iNSTiNCT 1 NODE /450 V32 iTS-NOT-LAME iMPACT MBR BOARD + + THE TOXiC DUMP 2 NODEZ/1.2 V32 XXX-iTS-9000 DARKWiNG DiSTRO! + ELECTRiFiED 1 NODE /340 VFC XXX-iTS-9000 HiGH VOLTAGE DiSTRO! + HALLUCiNATiONS 1 NODE /350 V32 905-525-6236 FLASHBACK DiSTRO! + CRiME SYNDROME 1 NODE /1.6 VFC 519-iTS-9000 SYNDYCOMM DiSTRO! + TERROR iNC. 1 NODE /250 V32 XXX-iTS-9000 GENOCiDE DiSTRO! + TOXiC POiSON 1 NODE /400 V32 XXX-iTS-9000 TiMBER WOLF DiSTRO! + BACKSTAGE 1 NODE /345 V34 905-332-9013 BLACK FRiDAY DiSTRO! + iNSOMNiA 1 NODE /3.3 V34 XXX-XXX-XXXX MASS MURDERER DiSTRO! + + + -/- GROUP NEWS -\- + 9000C NOW SPORTS A NEW DiViSiON! 9000C ART AND CODiNG! + SUPPORTiNG ALL 9000C BOARDS WiTH ANY TYPE OF ART OR CODiNG + RELATED DATA! ALL THiS ADDED ON TO OUR REPUTATiON OF DELiVERiNG + FAST WAREZ TO ALL OUR SiTES! ..COULD YOU ASK FOR ANYTHiNG MORE? + + iNTERESTED iN JOiNiNG 9000 COURiERS? + + CALL: 905-546-0597 + LOGIN: 9000c + PWORD: CHiCKEN + + AND UPLOAD TOAST A MESSAGE ABOUT WHAT YOU CAN OFFER 9000C. + iF YOU ARE APPLYiNG FOR ART, UPLOAD A ZiP OF SAMPLES WiTH THE MESSAGE. 
+ + -/- GREETiNGS GO OUT TO -\- + + THE PREDATOR, WOLVY, BERSERKER, RAiDER, NEWTON P. FORGERY, SHARDiK, + SCORPiON, COLOR CRiMSON, MASS MURDERER, DEATH JESTER, USTASA, ELF, PSYCHO, + LiQUiD PLUMBER, TiM iTHY, LiViNG SACRiFiCE, RAWHEAD REX, NiNE CONTiNENTS! + + AND THE WHOLE ENTiRE SCENE! --- ESPECiALLY THOSE WHO GOT BUSTED! + + -/- THE SCENE WiLL NEVER DiE -\- + -!TWH!- +< TRADING GAME WAREZ ONLY >Ľ diff --git a/textfiles.com/piracy/COURIERS/alpha.txt b/textfiles.com/piracy/COURIERS/alpha.txt new file mode 100644 index 00000000..376799fc --- /dev/null +++ b/textfiles.com/piracy/COURIERS/alpha.txt @@ -0,0 +1,42 @@ + + + + + + + + + + + ۲ ۲ ۲ ۲ ۲ ۲ ۲ + ۲ ۲ ۲ ۲ ۲ ۲ ۲ + ۲ ۲ ۲ ۲ ۲ ۲ ۲ ۲ + ۲ Atxs + + + this file was SPREAD by a + ܱ + ۲ + ۲ ۲ + + ۲ ۲ + ۲ + + S P R E A D E R + + + + +X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X + Another file downloaded from: The NIRVANAnet(tm) Seven + + & the Temple of the Screaming Electron Taipan Enigma 510/935-5845 + Burn This Flag Zardoz 408/363-9766 + realitycheck Poindexter Fortran 510/527-1662 + Lies Unlimited Mick Freen 801/278-2699 + The New Dork Sublime Biffnix 415/864-DORK + The Shrine Rif Raf 206/794-6674 + Planet Mirth Simon Jester 510/786-6560 + + "Raw Data for Raw Nerves" +X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X diff --git a/textfiles.com/piracy/COURIERS/ambition.nfo b/textfiles.com/piracy/COURIERS/ambition.nfo new file mode 100644 index 00000000..88773912 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/ambition.nfo 
@@ -0,0 +1,84 @@ + + + + ܲ + ܲ ߲ܲ + ۲ ۲ + ߲ ߲ + ޲ ܲ + ۲ ۲ ۲۲ ۲ݲ + ݰ ۲ ۲ ۲ ۲ ۲ +۲ ۲ ۲ ۲ ۲ ۲ ۲ ۲ + ۲ ۲ ۲ ۲ ۲۲ +۲ ۲߲ ߲ ۲۲ ۲ ۲۲ ۲ ۲߲ ߲ + ߲ ߲ ߲ ߲߲ ߲߲ ߲ ߲߲߲ ߲߲ ߲ ߲ + D!S + ߲ܲ ߲߲ + ܲ + + "Ambition Trading - January 13, 1997" + + + + [ COUNCIL ] [ COUNCIL ] + + + ..darkman..marbitoz..the wicked one.. + + + [ EXECUTIVES ] [ EXECUTIVES ] + + + ..darkwave..johnny lennon..shiffie.. + + + [ TRADERS ] [ TRADERS ] + + + ..akasha..bassmaster..claw finger..davey jones..drax.. + ..maverick..mr saint..night..night crawler..ones wally.. + ..paradyme..rockman..self destruct..the fiend..the jerk.. + ..the terminator..toothpaste..uncle john..white lightning.. + + + [ MEMBERS ] [ MEMBERS ] + + + ..bishop..dark rebellion..mario..nite owl.. + + ķ +Ľ + Ľ + + [ AMBITION BOARDS ]͸ + ͸ + ALL SYSOPS ARE FULL MEMBERS OF AMBITION TRADERS +͸ + < BOARD NAME > < NUMBER > < SYSOP(s) > < POSITION > +͵ + OPEN................. WHQ-PRI-VATE ............. WORLD HQ +͵ + Maximum Security..... CHQ-PRI-VATE MS Staff..... Canadian HQ +͵ + Southern Comfort..... USA-PRI-VATE Cobra/Staff.. USA HQ +; +; + ; + + [ AMBITION FTP SITES ]͸ + ͸ + ALL SITEOPS ARE FULL MEMBERS OF AMBITION TRADERS +͸ + < SITE NAME > < IP > < SITEOP(s) > < POSITION > +͵ + Sxxxx Ox Hxxxxx...... xxx-xxx-xxxx Vxxxx./.Cxxxxx AMBITION HQ +͵ + Sxxxxx Pxxxxxxx ..... xxx-xxx-xxxx Bxxxxxxxxx AMBITION HQ +͵ +; + ; + + UPDATED 04/11/97 by Marbitoz ķ +Ľ + Ľ + - AMBITION TRADERS 1997 - diff --git a/textfiles.com/piracy/COURIERS/cocaine.nfo b/textfiles.com/piracy/COURIERS/cocaine.nfo new file mode 100644 index 00000000..53711354 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/cocaine.nfo 
@@ -0,0 +1,61 @@ + + Ck + + + + + + + + + + + C O U R I E R S + + Ķ M E M B E R S Ŀ + Ŀ + ڳ + DEVIL'S EYE + + CRACK - PAPA - SOUNDWAVE - TEQUILA - TRIANGLE - WIDGET + + + + + Ķ G R E E T S Ŀ + Ŀ + ڳ + LOST - PARTNERS IN CRIME - RAGE 1995 - STONEHENGE + + + + + Ķ B O A R D S Ŀ + Ŀ + ڳ + Ķ HEADQUARTERS Ŀ + + THE WIZARDS GUILD DEVIL'S EYE ITS-PRI-VATE 1 NODE WORLD HQ + CENTRAL STATION WIDGET ITS-PRI-VATE 2 NODES EURO HQ + BERMUDA HOLLAND TRIANGLE ITS-PRI-VATE 2 NODES DUTCH HQ + + Ķ MEMBERBOARDS Ŀ + + INACCESSIBLE TEQUILA +31-NOT-4YOU 1 NODE + THE WILDERNESS SOUNDWAVE +31-NOT-4YOU 1 NODE + + + + + + Ķ I N F O Ŀ + Ŀ + ڳ + WANT TO JOIN US? CALL +31-70-3988665 AND LOGIN WITH THE ACCOUNT: + NAME : COCAINE + PW : CC + AND LEAVE THERE A MESSAGE TO DEVIL'S EYE WITH AS MUCH INFO ABOUT + YOURSELF AS POSSIBLE. + + + diff --git a/textfiles.com/piracy/COURIERS/cod.nfo b/textfiles.com/piracy/COURIERS/cod.nfo new file mode 100644 index 00000000..2c589c92 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/cod.nfo 
@@ -0,0 +1,64 @@ + +This file was brought to you by - + + + ۲ + ۲ + ۲۰ + ۲۰ ۲ + ۲۱ ۲ +۲ ۲ +۲ ۲ + ۲ ۲ + ۰ ۲۰ + ۰ ۲ + ݰ + ۰ ۰ ۰ + ߱ ۰ + ۲ ۰ ۰ + ߱ ۱ ۰ +۱ ۱ ۱ + ۲ ۲ ۲ + ۲ ߰ ۲ ۲ + ۲ ۲ ۲ + + [C]ouriers [O]f [D]arkness + + + COD Presidents + + Satanic Catalyst Razor + + + COD Vice Pres. + + The Mortician + + + COD Members Couriers + + Assassin Ghost Rider Jack Crack Silencer Mr.Spock Sentinels + Rustic Albino Hacker Rush Shocker Nazarene Wayne Campell + Always Dangerous Flaming Torch + Wolfman + + Board Status SysOp Phone # + + Razor's Edge World HQ Razor 805-PRI-VATE + The Burning Church Canadian HQ Always Dangerous 416-HEL-LNO! + Banshee Island Dist Site Rustic Albino 818-YOU-WISH + Pandemonium Courier HQ Hacker 609-GET-REAL + The Towering Inferno Dist Site Flaming Torch 805-GET-LOST + Inhumanity Dist Site Nazarene 908-NO!-WAY! + Wayne's World Dist Site Wayne Campbell TRY-2FI-NDIT + Bladestorm Dist Site Darksider 310-HAH-AHAH + + +Do you want to be a COD courier or a dist site? D/L a COD Application from any +of the boards listed above or any other board that has it. Then, U/L it to the +WHQ, which is Razor's Edge. Or you can try to contact Satanic Catalyst, Razor, +or The Mortician. + + Greets go out to: XPReSS Jester FLT Raging Bull + + \ No newline at end of file diff --git a/textfiles.com/piracy/COURIERS/courier.app b/textfiles.com/piracy/COURIERS/courier.app new file mode 100644 index 00000000..95420b98 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/courier.app 
@@ -0,0 +1,138 @@ + Public Enemy Courier Application + + We need help sending the games around. If you can help us send the stuff + around, fill this application out and upload it to your nearest PE site. + Just rename this file to a short abbreviation of your handle. Have fun and + good luck! + +Handle -->_________________________________________________________ + + +First Name -->_________________________________________________________ + + +Phone Number -->_________________________________________________________ + + +5 Boards you call often: + + +___________________________________ + + +___________________________________ + + +___________________________________ + + +___________________________________ + + +___________________________________ + + +3 Modem Users You Know: + + +__________________________ + + + +__________________________ + + + +__________________________ + + +Why do you want to be a PE courier? + + +__________________________ + + + +__________________________ + + + +__________________________ + + + +How long have you been modeming? + +__________________________ + + +What Kind of Computer do you have? + + +__________________________________ + + +What Kind/brand of Modem(s) do you have? + + +___________________________________ + + +When are you availible? + + +_______________________ + + + +Can you supply new uncracked games? + + +________________________ + + +What do you do for a living? + + +________________________ + +Are you affiliated with any other groups? + +__________ + +if so, who? + +_______________________________________ + + + + + +Becoming a PE courier does not mean you get treated like a slave . +Your name is shown on all the cracks, and get all the free downloads you +want. There is a chance to move up to member status, I started as a +courier and am now a member. We are always changing the group around, +so it's not hard to move up. There is no official leader, so everyone gets +a say in what goes on. We appreciate your help. 
Be honest! you don't +have to be perfect to be a courier! + + + +Alexis Machine/[PE] + + + + +You can send this file filled out to the following boards: + +Theatre of Pain (PE WHQ) 514-661-3077 + +High Intensity (site & my main hang) 512-338-9369 + +The Watchtower (courier's new hang) 514-655-1665 + +C.O.P.S. 416-833-6940 or 416-833-3304 + + +Thanks! + diff --git a/textfiles.com/piracy/COURIERS/devo0193.nfo b/textfiles.com/piracy/COURIERS/devo0193.nfo new file mode 100644 index 00000000..6e97ffe4 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/devo0193.nfo @@ -0,0 +1,26 @@ + + + ߰ + + + + + + + + + + SoI + TRNiTY/DEVO + COURIERS + + + Date: January 05, 1993 + + + + ۲߰ + RCMP, go find out the Members & our AWESOME boards yourself! + ۲ܰ + + \ No newline at end of file diff --git a/textfiles.com/piracy/COURIERS/devo0195.nfo b/textfiles.com/piracy/COURIERS/devo0195.nfo new file mode 100644 index 00000000..2db733d0 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/devo0195.nfo 
@@ -0,0 +1,68 @@ + + + + + + + + + + + + + + + + + + +soi +[acid] + + Ŀ + - D E V o c o u r i e r s ' 9 5 - + Ĵ + + Ŀ + Ŀ-- w e a r e D E V o --Ĵ + president ....... Dr. Death + Ŀ--- -- + senior staff .... Cyberkinetic, iCeFlame + Ŀ--- -- + members ......... Blood Scream, Flamethrower, Wizard + Ŀ--- -- + the DEVo ........ Coolmax, D'Artagnan, Feanor, Headhunter(JCL), Aqueous, + courier ......... Jaw, Perfect Courier, Scorpion, Formula One + team ........... Tetsuo, The Irish One, Zardoz, Pirate Pete + ij--- -- + Ŀ + --- D E V o s i t e l i s t i n g -- + Bulletin Board Name Status Nodes System Operator + ijij + Flatliners World HQ [4] Cyberkinetic + -ijij-- + The Castle Member Board [7] Wizard + The Darker Image Member Board [2] Blood Scream + Distilled Bleach Member Board [2] Spirit of Illusion + -ijij-- + Chernobyl Distribution [1] Atomic + Desert Moon Distribution [1] Moon Shot + Shades of a Shade Distribution [1] Ghost Writer + Utopian Revolt Distribution [2] Kropotkin + The Warlord's Fortress.. Distribution .. [1] The Warlord ........... + ijij + Ŀ + c o n t a c t i n g u s + If you wish to support DEVo as a courier, please contact any DEVo member + on any board you wish. If you would like to become a distribution site + for DEVo, please contact Dr. Death or any senior staff member. + + c l o s i n g n o t e s Ŀ + + Please support the software companies! If you enjoy using a program or + using a utility, please consider buying it! Someone's got to make it worth + the programmers efforts to keep up the high standards... They made it, so + they DESERVE it! + + April 1/95 + \ No newline at end of file diff --git a/textfiles.com/piracy/COURIERS/devo0294.nfo b/textfiles.com/piracy/COURIERS/devo0294.nfo new file mode 100644 index 00000000..82f2b5fd --- /dev/null +++ b/textfiles.com/piracy/COURIERS/devo0294.nfo 
@@ -0,0 +1,12 @@ + + ߲ ߲ܰ ߲۰ + ___߲۰_________߲____________ܲ_________߰ ___ + : ߰ ߰ ޲ ߲ ; + : ߲ ıı Ŀ ޱ ; + : ޱ ޱ ڰݳ ۰ ; + : ۰İ ܰ ްޱ ۰ ; + ޱ ۰ޱ ܳ İݳ ް ; + : ްIJ ܰ߰ ܿ ; + : ܰ ܰ ܰ ߲ ܰ ; + :______ܰ_______߰_____________߰_____SiDE___߰_______; + ߰ diff --git a/textfiles.com/piracy/COURIERS/devo0893.nfo b/textfiles.com/piracy/COURIERS/devo0893.nfo new file mode 100644 index 00000000..9d3dd06b --- /dev/null +++ b/textfiles.com/piracy/COURIERS/devo0893.nfo @@ -0,0 +1,65 @@ + + + + + + ۱ + ۱ + ۱ + ߱ ۱ + ߱ ۱ + ߱ ۱ + ߱ + ߱ + ߱ Flamethrower + + + + COURIERS + + + + AXiS: The Movie -Final Release- + + + + Released By: ???????? Date: AUGUST 25, 1993 + + Notes: + + + Prince of Death + + + + he >eVo SpReaDing eam + + Bone Crusher Leader Flamethrower Courer Head + Dope Man SpReaD /\/\aster Crzy Joe PC GaMeZ + ShyLocK ConSoleZ The Great One On \/acation + Fusion ce Courer Magma ce Courer + Hellraiser ce Courer Nuclear Fallout /\/\r Phreak + Jaw ce Courer Dark Wizard /\/\eMBeR + Side Swiper PanTeR Jinks /\/\eMBeR + Prince of Death ce Courer + + + + he >eVo /\/\eMbeR Boards + + Physical Damage WHQ Bone Crusher ITS-PRI-VATE + The Ultimate Courier HQ Flamethrower (2 Nodes) 6o4-PRI-VATE + + Phone Henge Member Jinks (2 Nodes) 4o7-PRI-VATE + Liquid Radiation Member Nuclear Fallout 2o3-PRI-VATE + The Depths of Hell Member Dark Wizard ITS-PRI-VATE + + The Castle Afflate The Wizard (3 Nodes) ALL-PRI-VATE + + + + + If you are looking to be a >eVo Courer or Site, please contact any + >eVo Member ASAP! We support IBM PC (Games/Utilities) and SNES + Console warez. + diff --git a/textfiles.com/piracy/COURIERS/fuck.it b/textfiles.com/piracy/COURIERS/fuck.it new file mode 100644 index 00000000..80c0da3f --- /dev/null +++ b/textfiles.com/piracy/COURIERS/fuck.it @@ -0,0 +1,14 @@ + + + + G R A V I T Y ' S P U L L + + + + SysOp: Lightnin Hopkins + + + I couriered this file so fuck you all. + + + 
diff --git a/textfiles.com/piracy/COURIERS/htc-rel.nfo b/textfiles.com/piracy/COURIERS/htc-rel.nfo new file mode 100644 index 00000000..295b95b4 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/htc-rel.nfo @@ -0,0 +1,41 @@ + + + + + + ݲ + + + + ݲ ݲ ݰ + + + + + ݰ ݱ ݱ + ݲ ݲ + + ݰ + + + + + + + + + [HiGH TeCH CouRieRS/CoDeRS 1995]Ŀ + Ŀ + Ŀ + Title : Login ppe For Pcb 15.21 + Release Date : 07/30/95 + Supplied By : Firet + Cracked By : None + Packaged By : Charger & Ratz +Ŀ + + + +RELEASE NOTES: This is A great ppe for pcb.. has Alterable Board +and handle configuration.. Thanxs Firet..... + diff --git a/textfiles.com/piracy/COURIERS/htc1095.nfo b/textfiles.com/piracy/COURIERS/htc1095.nfo new file mode 100644 index 00000000..023f249d --- /dev/null +++ b/textfiles.com/piracy/COURIERS/htc1095.nfo 
@@ -0,0 +1,147 @@ + + + + + + + ۲ + + 95' + + + + + + + +[HtC Seniorz]ij[HtC Council]Ŀ + White Cracker Rats Blooodd Ratphour Spyder-X Lightning +ij +[HtC Senior Courierz]Ŀ + Wreaking - Havok + +[Site Crew]Ŀ + Site Crew Cheifs - Cray Flatliner + + Distortion Racjam Devaste Ssilence Distortion *Pascal + +[HTC Traderz]Ŀ + + Rats Blooodd Racjam Liquid Metal Simage Riot White Cracker + Fahrenheit Ratphour Violent CCx Devaste Mr.-X Drapper + The Hydra Alien Son Tech Xyo SpaceAce Mafia Ktulu Dupree + Gunga Fat Trance - 10 Rejector Toxic Avenger The Violator + Suspicious Image Havok _ERASER_ Juno Ssilence Space Cadet + Serenity Lighting Formula MoonChild Mercury Deviator Ravy + Wreaking Speedoman Fulgore Drake Thunder Dragon Mudslush + -45 Active HtC Traderz + Inactive Courier's For HtC below... + + *Nero *Unconvicted Felon *Doomed Testicle *Tanis *Formerly Known + *Baby Giant *Gloom *Akira *Ash *Nardo + -10 Inactive HtC Traderz + +[HtC Memberz]Ŀ + + Digivamp Alien Son Bane Casper Dark Angel Escher ICJ RI-X + Raptor Mantis The Captain Zoola Black Guardian Zeus + Mindreader Cbk Stratocaster Blazing Shadow Tanis Mach One + Dr. Death Anubis Third Son Starmaster Rejector Technician + Ravimx SilverB Liquid Metal MacDaddy Bitchin Crew Rats Blooodd + Paracelsius Crazy Horse + +[HtC Artists/Coderz]Ŀ + Mad Max Digivamp White Cracker The Complicator Satan's Creator + SpaceAce Liquid Metal Code Zero Spyder-X Twister + -10 Active Coderz + + *Epidemic *Disorted Silence *Black Acid *Pagan *Blitz + *Hectic *Wave Rider *Firet *Absolute *Wiz + -10 Inactive Coderz + +[We Welcome...]Ŀ + Mad Max Violent Mercury Serenity Ktulu + MoonChild Paracelsius Digivamp Mindreader Toxic Avenger +[To HtC...] +[Trial]Ŀ + Alchemist NightHawk *Einstein *DarkEvil *Jackrip + Parac Vertigox The Finn *Whispering Death *Fightin Cow *Fur + + +[HtC Newz]Ŀ + + - Better then ever and keep getting stronger...1 year + 4 month Achivment and growing... 
+ -[*] = People who need to start couriering or coding in HtC...If you do + not courier and sit on yer ass like you are doing now then you will be + *DROPED* from htc. We are cleaning out deadweight in the group..When we see + that you have gotten off yer ass and started doing something the * will be + taken off your handle. If you dont show activity by the next time the nfo + is done again or the next meeting on irc you will be dismissed from the + group. *Sysop's are exemped from this note* + + - We greet Havok who has come along way by couriering to the sites and + supplying #HTC people with files to [HTC] SENiOR COURiER.. He is now in + charge of couriers and to check up on them to make sure they are moving + files. + + - PPE Coder's Needed for HtC .. Intrested? Well just join IRC and go to + #htc and we will take your app...Or E-Mail cracker@magg.net + + - The HtC Coderz wanted... + + -We also greet Lightning and Spyder-X to HTC SENiORS... + -Send Questions/Comments to lightnin@garlic.com + + -News Section done by: Lightning and White Cracker -=[HTC]=- + + + +[HtC HQ's Members and Distro Boardz]Ŀ +[Board][Sysop][AC!][Nodes][Rank]Ĵ + + Da Crazy House MacDaddy 415 07 USA World HQ + The Ghostship The Captain 613 10 Canada HQ + Shadowdy Decent Blazing Shadow 615 04 Central USA HQ + The Rock Third Son 305 03 Eastern HQ + + Twisted System MoonChild 972 04 Isreal HQ + System One Rejector +46 03 Sweden HQ + Flip Fantasia Ravimx 617 02 Australian HQ + + Software Evoloution SilverB 718 17 Distribution Site + Rat Hole Rats Blooodd 407 03 Distribution Site + The Vault ][ Technician 503 04 Distribution Site + Serenity Tanis 904 02 Distribution Site + The New Order Mack Daddy 305 02 Distribution Site + Big Bobbers Alien Son 305 02 Distribution Site + Helium Highgrounds RI-x 515 03 Distribution Site + The Silver Bullet Mantis 702 03 Distribution Site + Zoola's Resort Zoola 972 02 Distribution Site + Carnel Influxation Stratocaster 713 05 Distribution Site + The Colisevm The 
Dragon 201 05 Distribution Site + Shot Glass Cobra 803 06 Distribution Site + The Sanitarium The Sage 303 02 Distribution Site + Aesir Crazy Horse 404 05 Distribution Site + Galaxy Alliance Starmaster 403 06 Distribution Site + Bitch-X Bitchin Crew 514 03 Distribution Site + LightStorm Zeus 414 04 Distribution Site + Nuclear Insemination Drake 508 04 Distribution Site + Aryan Alliance Toxic Avenger 908 02 Distribution Site + Flatliner Dr. Death 604 05 Distribution Site + State Of Mind Mind Reader +46 02 Distribution Site + Digital Deluisons Digivamp 315 04 Distribution Site + The Dead End Liquid Metal 972 03 Distribution Site + Synthetic Zone Paracelsius +41 02 Distribution Site + + + "Death Before Dishonor..." [UPDATED BY]: White Cracker DATE: [10/15/95] + + If You Like It Buy it! + If You hate Delete it! + Support Software that works.... + + HtC is not a profitable group.. Merly just a bunch of lad's couriering + 0-Day. We do not accept money nor donations in any which way.......... +==EOF=================================================================EOF===== + diff --git a/textfiles.com/piracy/COURIERS/iit'94.nfo b/textfiles.com/piracy/COURIERS/iit'94.nfo new file mode 100644 index 00000000..c58403f4 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/iit'94.nfo 
@@ -0,0 +1,77 @@ + + + + + + + + + + + + + + + (Created by : + DoLittle (tm)) + + + I.I.T. - Israel's InterNet Traders + + + + + Supplied : [Couriering ONLY] + Packed : DoLittle + + + + + + Senior Staff + + DoLittle Nightfall + + Members Staff + + Sgt. Slat ZedZap Iron Man Zino Raiden + + + + + + Escape from Reality [972]-Israel-HQ DoLittle + Sea of Tears [972]-Dist-Site Zino + Horror Pit [972]-Dist-Site Iron Man / Pro Man + Eternal Darkness [972]-Dist-Site Sgt. Slaughter + + iiT Site netvision.net.il iiT FTP site + + iiTBot IRC - iiT channel iiT IRC files spreding BOT + + + + + + Greets : Stubborn , DragonM , J-Jamez , Jebadiah , VGM , Shaw , Plugh , + Ordnance , BGI , Raiden + + Group greets : RTS , DoD , Entropy , Fatal , Legend , Razor , Scum + Trsi + + + + + + I would like to welcome Raiden to iiT , may he serve the group well. + I would like to thank DragonM for the BOT, Cris-DD for the moral support, + VGM for some of the files he offered me and SinjinS for the huge release. + + + + + + If you are interstead in joining this growning group I can be contacted + trough InterNet on IRC or by e-mail an123015@anon.penet.fi + + diff --git a/textfiles.com/piracy/COURIERS/inc604.txt b/textfiles.com/piracy/COURIERS/inc604.txt new file mode 100644 index 00000000..bb44aa58 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/inc604.txt 
@@ -0,0 +1,20 @@ + + + i n c a r c e r a t e d + ____________________________________________________________________________ + \___ _____ ___/______ \_ _____/ _________ \_ ____/_ ________ ____/ + _\___ \ / / / \_ _ \ __/ / \_ / / ___/_\____ \ + _/ / \_ / _/ / / \_ \_ _/ / / / / / \_ + \__________/____/____\____/___/______/____/__\_____/______/_________/________/ + ---------------------------------------------------------------------(feral)-- + incarcerated scarfaces - ops; lethal injection, ghost and keyser soze + ------------------------------------------------------------------------------ + + Reflux Member Board (RLX) Really Into Spreading Elite (RiSE) + Warez On Demand Member Board (W0D) Creators of Intense Art (CiA) + Magical Force Distro (MF) Pinnacle Releasers Member (PNC) + Next Generation Traders Member (NGT) Affinity Emag Member (AFT) + Flava Hip Hop Magazine (FLV) Rapid Distrobuters Member (RPD) +. + + \ No newline at end of file diff --git a/textfiles.com/piracy/COURIERS/menace.asc b/textfiles.com/piracy/COURIERS/menace.asc new file mode 100644 index 00000000..80be8580 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/menace.asc 
@@ -0,0 +1,74 @@ + + ܰ ܰ + ۲ ۲ ۲ ۲ ܲ ۲ ۲ + ۱ ۱ ۱ ۱ ܱް ۱ ۱ + ۰ ۰ ۰ ܰ ۰ ۰ ܰ ۰ ܰ + ܰ ۰ ܰ ܰ + + ViO + + [MENACE COURIERS '94] + + BRiNGiNG THE BEST iN NEW WAREZ TO EUROPE AND THE U.S. + + NoTe! Menace is looking FOR GOOD quality traders, + + +GreetZ to : GeN-X - ACE - DVS Project - LeGeND - FLC - PWA - SLA - PNX - CcC + +Personal Greetz: CAiN - Evil Ernie - T/E - Hell Spawn - Strider + + +  + SENiOR STAFF +  + + CAiN ~ Classic ~ Mr. Menor + +  + AFFiLATESMEMBERS +  + + Hellcat ~ Analyzer ~ OffRoader + Evil Ernie ~ Rage ~ Thorn + Ixcalthar ~ Rigor Mortis ~ Gee + The Exorcist ~ Tae + +  + COURiER TEAM +  + + CAiN ~ Mr. Menor + + Kaana ~ Rawhide + Magic ~ Klipsch ~ Chronic + ~ Legion ~ Bad Influence + + + THE HEADQUARTER BOARDS + + NaMe PoSiTiOn NuMBeR SyZo NoDeS + + Menace ][ World HQ +31206411370 CAiN 2 + CyberCrime Courier HQ +31.25.1011157 Mr. Menor 1 + ThunderDome Dutch HQ +31.50.416221 Gee 5 + BrainStorm Latin HQ +55217144697 Classic 1 + Skully Bros U.S East HQ +12o3857o459 Rage/Thorn 2 + Shelter Swiss HQ +41.1.371.3443 Kaana 2 + + MEMBER/DiSTSiTE BOARDS + + NaMe PoSiTiOn NuMBeR SyZo NoDeS + + Phantom Member +31KeePWiSHinG Hellcat 1 + Safari Member +31NoLaMeRs! OffRoader 1 + The Kaoz Landz Member +31.4120.52026 Rigor Mortis 1 + Da Underground U.S. DiST +1XxXXxXxxXx The Exorcist 1 + The Lost Temple U.S. DiST +18o12555251 T/E 1 + Fatal Error U.S. DiST +19143443830 Evil Ernie 1 + The Falcons Eye U.S. DiST +14145NoDeS! Ixcalthar 5 + Traders OutPost U.S. DiST +1.201.SCuMWHQ Liquidator 6 + + + iNFOFORM DESiGN BY: Pr0ZaC ADDiCt +  94! diff --git a/textfiles.com/piracy/COURIERS/risc'is b/textfiles.com/piracy/COURIERS/risc'is new file mode 100644 index 00000000..943f54f0 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/risc'is @@ -0,0 +1,19 @@ + + ߲ + + ܲ ܲ + + ߲ + ߲ + + + + + ߲ + + + + =/\/\= RiSE iN SUPERiOR COURiERiNG =/\/\= + + -= RiSC '94 =- + \ No newline at end of file 
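Review bot: the path `textfiles.com/piracy/COURIERS/risc'is` added in this hunk contains a single quote and has no extension, and `textfiles.com/piracy/COURIERS/iit'94.nfo` earlier in the patch has the same quote; git stores both fine, but any ingest or scanning script that builds shell commands from `git ls-files` or `find` output without quoting will break or mis-split on them. Suggest that the tooling around this mirror use `git ls-files -z` / `find -print0` with `xargs -0`, and that the repository documentation state that filenames are kept exactly as on the source site rather than normalised.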
diff --git a/textfiles.com/piracy/COURIERS/risc0295.nfo b/textfiles.com/piracy/COURIERS/risc0295.nfo new file mode 100644 index 00000000..8b29aa5c --- /dev/null +++ b/textfiles.com/piracy/COURIERS/risc0295.nfo 
@@ -0,0 +1,98 @@ + + ߲ + + ܲ ܲ + + ߲ + ߲ + + + + + ߲ + + + + /\/ RiSE iN SUPERiOR COURiERiNG \/\ + + /\/ O-12 HOUR WAREZ \/\ + + + -----/\/ SENiOR STAFF \/\------ + + Crackpot Eagle 1 Mikeysoft + + -----/\/ COORDiNATORS \/\------ + + Bball Oyl Patch Star Gazor + + -----/\/ TRADERS \/\------ + + Alexis Machine Big Dumper Black Mantle Beelzebub Chaft + Dark Soul Colt Python Cruger Disk Killer Elvin Nox . Faldo + Hellhound Jopiter Legion Lunatic Genius Maverick Myst + Shawn Skybum Stingray6 The Dutchmen The Dreamer The Outlaws + + -----/\/ MEMBERS \/\------ + + Beachboy CaStero Chronus G-Man Messenger of Death + Milo Minderbinder Ragnarok Rude Boy ShadowFax + Sigh Technomancer Wayward + + * NOTE: All Sysops of RiSC boards are full members. * + + -----/\/ GROUP NOTES \/\------ + + + We welcome our most recent additons to our World Class Trading Team: + + DARK SOUL, MAVERICK, SHAWN, and THE DUTCHMEN! + + We also welcome our new Western Headquarters, RiP! + + + -----/\/ GREETS \/\------ + + GENESiS, NTA, and SiLiCON! + + -----/\/ HEADQUARTER BOARDS \/\------ + + Final Frontier World HQ 6 Nodes MikeySoft + Park Central U.S.A HQ 15 Nodes Silver V & Crackpot + X-Factor Courier HQ 10 Nodes Blaster + Rest In Peace Western HQ 15 Nodes RiP Staff + Twenty One Twelve Eastern HQ 7 Nodes Analog Kid + Akira Canada HQ 10 Nodes Pharoah + + -----/\/ MEMBER BOARDS \/\------ + + Dark Angel 2 Nodes [+32] XXXXXXX Felix + Gangland Chicago 8 Nodes [305] XXXXXXX The Untimed + Silverado 3 Nodes [+31] XXXXXXX Blue Sky + Southern Wastelands 4 Nodes [XXX] XXXXXXX Legion + The Eclipse 6 Nodes [805] XXXXXXX The Mustang + The General 6 Nodes [713] XXXXXXX OylPatch / General + Touchdown 4+ISDN [+49] XXXXXXX Ask Hellhound! 
+ + -----/\/ AFFiLiATE BOARDS \/\------ + + Cocanut Bungalo 3 Nodes [313] XXXXXXX Moongola + Ground Zero 3 Nodes [801] XXXXXXX Nitro + Hangar 18 2 Nodes [602] XXXXXXX Royce + The Shallow Grave 4 Nodes [804] XXXXXXX Lord Rook / Grady + The Hacked Root 3 Nodes [317] XXXXXXX The G-Man + Zen 6 Nodes [410] XXXXXXX Sigh + + -----/\/ PLEASE NOTE \/\------ + + If you are interested in joining RiSC, either as a TRADER + or as an AFFiLiATE BOARD, contact one of our people. + We are only accepting a very small percentage of those interested in + joining, so please make sure you have something to offer the group. + + RiSC does not take donations of any sort for our services. + We work on merit alone, the way the scene should be run. + + --/\/ (1995)(C) RiSE iN SUPERiOR COURiERiNG (C)(1995) \/\-- + -----/\/ FEBRUARY 27TH 1995 \/\------ + \ No newline at end of file diff --git a/textfiles.com/piracy/COURIERS/risc0296.nfo b/textfiles.com/piracy/COURIERS/risc0296.nfo new file mode 100644 index 00000000..065caf68 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/risc0296.nfo 
@@ -0,0 +1,110 @@ + ߲ + + ܲ ܲ + + ߲ + ߲ + + + + + ߲ + + + + /\/ RiSE iN SUPERiOR COURiERiNG \/\ + + /\/ O-12 HOUR WAREZ \/\ + + + -----/\/ SENiOR STAFF \/\------ + + Crackpot Eagle 1 + + -----/\/ COORDiNATORS \/\------ + + Darkhosis Oyl Patch + + -----/\/ TRADERS \/\------ + + Aeon & Flux Anthrax Bababoey Beelzebub Bleeding Bluewater + Chaft Chainsaw Massacre Cruger Darkside + Darth Vador Demon Lord Duro Elvin Nox Frank Rizzo + Immortal LoLo Maverick Phat Prophet Rage Shatter Star + Skybum Stingray 6 Studster Suspicious Image + The Dutchmen The Outlaws The Punisher Toast Tornado + Ustasa White Knight + + -----/\/ MEMBERS \/\------ + + Analog Kid Bball Beachboy Celestial Wizard Chronus + Dark Star Darkforce Daviolator Dream G-Man Ice Jex Mann + Lenon Lunatic Genius Mach One Milo Minderbinder + Mr. Blazer & Yum Yum Myst Photon Torpedo Processor + Shadowfax Spoonman Technomancer The Druid + Viper Krynn Warblade Yazoo + + * NOTE: All Sysops of RiSC boards are Full Members. * + + -----/\/ GROUP NOTES \/\------ + + RiSC continues it's long time tradition of dominating the scene with + it's superior couriering and unique attitude! + + Time for some winter cleaning! If you still think you should be a part + of our Killer Crew then email one of our people and explain why! + + We have removed quite a few inactive members, if these members become + active again then please feel free to reapply and we will consider + reactivating your membership. + + We welcome our most recent additions to our World Class Trading Team: + IMMORTAL, PHOTON TORPEDO, RAGE, THE DUTCHMAN, AND WHITE KNIGHT! + + -----/\/ GREETS \/\------ + + HYBRiD, PWA, CoRP, DoD, ROR, RAZOR 1911, and X-FORCE! + + -----/\/ HEADQUARTER BOARDS \/\------ + + Park Central World HQ 16 Nodes Crackpot / SV + Twenty One Twelve U.S. 
HQ 7 Nodes Analog Kid + X-Factor Courier HQ 10 Nodes Longshot + The Wall Eastern HQ 7 Nodes Roland + Beyond Akira Canadian HQ 10 Nodes Pharaoh + + -----/\/ MEMBER BOARDS \/\------ + + Chronic Disorder 2 Nodes [XXX] XXXXXXX Beelzebub + CoC 6 Nodes [XXX] XXXXXXX CoC STAFF + Dead Pirates Soc. 3 Nodes [XXX] XXXXXXX Corpse + Druids^Keep 7 Nodes [+61] XXXXXXX The Druid + The Eclipse 6 Nodes [805] XXXXXXX The Mustang + Manifest Destiny 3 Nodes [XXX] XXXXXXX Tornado + Spellbound 7+ISDN [XXX] XXXXXXX Cruger + System 75 7 Nodes [202] XXXXXXX Dark Star + Touchdown 4+ISDN [+49] XXXXXXX Ask Hellhound! + Undergrnd Insanity 5 Nodes [XXX] XXXXXXX Duro + + -----/\/ AFFiLiATE BOARDS \/\------ + + Acheron 3 Nodes [214] XXXXXXX Bababoey + Cheap Talk 3 Nodes [770] XXXXXXX Brad Carlton + Coconut Bungalo 3 Nodes [313] XXXXXXX Mongoola + The Shallow Grave 4 Nodes [804] XXXXXXX Lord Rook / Grady + The Hacked Root 3 Nodes [XXX] XXXXXXX The G-Man + The General 6 Nodes [713] XXXXXXX General + Zen 6 Nodes [410] XXXXXXX Sigh + + -----/\/ PLEASE NOTE \/\------ + + If you are interested in joining RiSC, either as a TRADER + or as an AFFiLiATE BOARD, contact one of our people. + We are only accepting a very small percentage of those interested in + joining, so please make sure you have something to offer the group. + + RiSC does not take donations of any sort for our services. + We work on merit alone, the way the scene should be run. + + --/\/ (1996)(C) RiSE iN SUPERiOR COURiERiNG (C)(1996) \/\-- + -----/\/ FEBRUARY 12TH 1996 \/\-----  diff --git a/textfiles.com/piracy/COURIERS/risc0394.nfo b/textfiles.com/piracy/COURIERS/risc0394.nfo new file mode 100644 index 00000000..37b8f9f7 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/risc0394.nfo 
@@ -0,0 +1,131 @@ +RiSC COURiERiNG and Alpha Couriering have merged to form a NEW and IMPROVED +RiSC! RiSC welcomes all its new members to the #1 Courier group! + + WK [iCE] 8/2/93 + ߲ + + ܲ ܲ + + ߲ + ߲ + + + + + ߲ + + + + =/\/\= RiSE iN SUPERiOR COURiERiNG =/\/\= + The Official Couriers of NTA & Pentagram! + + -*- 0-12 HOUR WAREZ -*- + + + Senior Staff + + CHESSKiNG  Eagle 1  The Enforcer  Prophet  WiLKiNS + + + Regional Coordinators + + Chronus  Fatal Spirit  Fiona  King Lear + Ningauble  Oyl Patch  Prince of Thieves  The Drunkard  WayWard + + + Elite Traders + + Akira  Bitmaster  Black Jack  Digital Interface  Dizzy + Jopiter  Felix  Fozzy  Hell Hound  LoLo  MooN  Mr Axxess + Royal Knight  SkyBum  The Master  Techno J  Timebuster  YaZoO + + + Members + + Analog Kid  Broker  Chainsaw  Count Hackula  Dalamar  Darion + Dr. Insanity  G-Man  Hades  Hurricane  K0mrad + Milo MinderBinder  Messenger of Death  Red Bear  RetsaM ehT + RifleMan  Sector9  Stingray  The TechnoMancer + + + Console + + Bball  Butch  Moebius  Nostromo  Sigmund Freud  Wolverine + + + Couriers + + Alexis Machine  Chuckle Bunny  Crackpot + Factory  The Gnostic  Ixcalthar  Primal Scream  Ragnarok  Raven + Seoman  Shadowfax  Skywalker  The WildCard + + + RiSC GREETiNGS Major Theft, Big Boss, Butcher + GO OUT + TO: NTA, Pentagram, Razor 1911, TRSi, Nexus, TMM + + + --------------------------------------------------------------- + | If you are interested in joining RiSC, either as a COURiER or | + | as a DiSTRiBUTiON SiTE, call our Application Headquarters, | + | Twenty One Twelve (518) 272-8753 | + | | + | LOGiN: RiSC | + | PASSWORD: RiSC | + | Download the file RiSCAPPS.ZIP, fill out the appropriate | + | application, and Upload it to the RiSC Conference. | + | Or email the app to Enforcer on any major bbs. | + --------------------------------------------------------------- + + /=HEADQUARTER BOARDS=\ķ + The Final Frontier World HQ 4 Node ...-...-.... MikeySoft + Moral Decay U.S. 
HQ 6 Node ...-...-.... Corrupt + Eleventh Hour Courier HQ 10Node ...-...-.... MKo! + Unlawful Entry HQ 10Node ...-...-.... Major Theft + Digital Underground Eastern HQ 5 Node ...-...-.... Dr. Insanity + Dawn of Eternity Central HQ 7 Node ...-...-.... Skeleton + Manhattan Project Western HQ 4 Node ...-...-.... Rifleman + Ľ + /=MEMBER BOARDS=\ķ + Silverado 3 Node +(31) ...-.... Blue Sky + Dark Angel 2 Node +(32) ...-.... Felix + At the Beach! 3+ISDN +(49) ASK-FiONA FiONA + The Haunted House 4 Node +(49) ...-.... The Master + City Of Chaos 1 Node (212) ...-.... Prophet + Twenty One Twelve 3 Node (518) 272-8753 Analog Kid + Fractal Mode 2 Node (619) ...-.... Chronus + The General 6 Node (713) ...-.... OylPatch + Orion's Belt 1 Node (718) ...-.... The Drunkard + Ľ + /=iNTERNATiONAL SiTES=\ķ + Flying Saucer Belgium 4 Node +32-ASK-Fozzy ULi + Extasy World Spain 4 Node +34-1345-5208 Quasar + MadMan's Sanktuary Germany 3 Node +49-ASK-WiLK STB + Oceanary Germany 4+ISDN +49-...-.... Ask Hellhound! + Beyond Akira Canada 5 Node 416-...-.... Pharaoh + Ľ + ķ/=AFFiLiATE BOARDS=\ķ + Dimention XXX 2 Node (215) ...-.... Dr. Anarchy + The Sanitarium BBS 2 Node (317) ...-.... The G-Man + Street Spyders 5 Node (713) ...-.... Maverick + Joshua 3 Node (716) ...-.... Abuse + New World Order 1 Node (908) ...-.... Polaris + Ľ + /=DiSTRiBUTiON SiTES=\ķ + The AfterMath 2 Node (206) ...-.... Paradigm + Brotherhood of Thieves 2 Node (215) ...-.... The WildCard + Dimension Hatrss II 2 Node (216) ...-.... Dalamar Do'Urden + Gangland Chicago 3 Node (305) ...-.... Untouchable + Coconut Bungalo 1 Node (313) ...-.... Mongoola + The Falcon's Eye 3 Node (414) ...-.... Ixcalthar + Zero Gravity 1 Node (415) ...-.... Velocity + Skitzo BBS 2 Node (512) ...-.... Waysted + Hangar 18 2 Node (602) ...-.... Royce + Park Central 8 Node (708) ...-.... Silver V + Community Blowtorch 4 Node (716) ...-.... Quadrant + The Temples of Syrinx 4 Node (813) ...-.... 
Urick + Ľ + -*- No Previews/Demos -*- No Non-English Shit -*- + -*- Games  Utiliites  Applications  Console Warez -*- + + -= RiSC '94 =- \ No newline at end of file diff --git a/textfiles.com/piracy/COURIERS/risc0595.nfo b/textfiles.com/piracy/COURIERS/risc0595.nfo new file mode 100644 index 00000000..dd0689c0 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/risc0595.nfo 
@@ -0,0 +1,103 @@ + + ߲ + + ܲ ܲ + + ߲ + ߲ + + + + + ߲ + + + + /\/ RiSE iN SUPERiOR COURiERiNG \/\ + + /\/ O-12 HOUR WAREZ \/\ + + + -----/\/ SENiOR STAFF \/\------ + + Crackpot Eagle 1 Mikeysoft + + -----/\/ COORDiNATORS \/\------ + + Bball Oyl Patch Star Gazor + + -----/\/ TRADERS \/\------ + + Alexis Machine Beelzebub Big Dumper Corpse Chaft Criminal Overlord + Critical Mass Cruger Dark Soul Disk Killer Dr. Death + Elvin Nox Faldo Hellhound Jopiter Kid Creole Lunatic Genius + Maverick Maverick TG Myst Pharaoh Processor Rift Shawn Skybum +Stingray 6 The Dutchmen The Outlaws The Punisher Toast Tomas Ustasa + + -----/\/ MEMBERS \/\------ + + Baked Potato Beachboy CaStero Chronus Colt Python Demon + Demon Lord G-Man Glacius 1 Liquidater Messenger of Death + Milo Minderbinder Rude Boy Rygar ShadowFax Sigh + Supernaut Technomancer Uncle John Wayward + + * NOTE: All Sysops of RiSC boards are Full Members. * + + -----/\/ GROUP NOTES \/\------ + + Park Central is now officially RiSC World Headquarters! + + We welcome our most recent additons to our World Class Trading Team: + + SUPERNAUT and THE PUNISHER! + + + -----/\/ GREETS \/\------ + + SCUM, GNSiS, PROPHECY, RAZOR 1911, NTA, and ZILLIONZ! + + -----/\/ HEADQUARTER BOARDS \/\------ + + Park Central World HQ 15 Nodes Silver V / Crackpot + Final Frontier U.S. HQ 6 Nodes MikeySoft + X-Factor Courier HQ 10 Nodes Blaster + Twenty One Twelve Eastern HQ 7 Nodes Analog Kid + Akira Canada HQ 10 Nodes Pharaoh + + -----/\/ MEMBER BOARDS \/\------ + + BBS to Nowhere 2 Nodes [XXX] XXXXXXX Baked Potato + Dark Angel 2 Nodes [+32] XXXXXXX Felix + Hellraiser 7 Nodes [819] XXXXXXX Rift + Silverado 3 Nodes [+31] XXXXXXX Blue Sky + Southern Wastelands 4 Nodes [XXX] XXXXXXX Legion + The Eclipse 6 Nodes [805] XXXXXXX The Mustang + The General 6 Nodes [713] XXXXXXX OylPatch / General + Touchdown 4+ISDN [+49] XXXXXXX Ask Hellhound! 
+ Trader's Outpost 3 Nodes [201] XXXXXXX Liquidater + + -----/\/ AFFiLiATE BOARDS \/\------ + + Beyond the Cemetery 3 Nodes [905] XXXXXXX Corpse + Cocanut Bungalo 3 Nodes [313] XXXXXXX Moongola + Ground Zero 3 Nodes [801] XXXXXXX Nitro + Hangar 18 2 Nodes [602] XXXXXXX Royce + Temperal Flux 4 Nodes [416] XXXXXXX Critical Mass + The Shallow Grave 4 Nodes [804] XXXXXXX Lord Rook / Grady + The Hacked Root 3 Nodes [XXX] XXXXXXX The G-Man + The Belfry 2 Nodes [+44] XXXXXXX Faldo + The Toxic Dump 2 Nodes [905] XXXXXXX Toast + Zen 6 Nodes [410] XXXXXXX Sigh + + -----/\/ PLEASE NOTE \/\------ + + If you are interested in joining RiSC, either as a TRADER + or as an AFFiLiATE BOARD, contact one of our people. + We are only accepting a very small percentage of those interested in + joining, so please make sure you have something to offer the group. + + RiSC does not take donations of any sort for our services. + We work on merit alone, the way the scene should be run. + + --/\/ (1995)(C) RiSE iN SUPERiOR COURiERiNG (C)(1995) \/\-- + -----/\/ MAY 08TH 1995 \/\------ diff --git a/textfiles.com/piracy/COURIERS/risc0795.nfo b/textfiles.com/piracy/COURIERS/risc0795.nfo new file mode 100644 index 00000000..990d10ad --- /dev/null +++ b/textfiles.com/piracy/COURIERS/risc0795.nfo 
@@ -0,0 +1,107 @@ + ߲ + + ܲ ܲ + + ߲ + ߲ + + + + + ߲ + + + + /\/ RiSE iN SUPERiOR COURiERiNG \/\ + + /\/ O-12 HOUR WAREZ \/\ + + + -----/\/ SENiOR STAFF \/\------ + + Crackpot Eagle 1 Mikeysoft + + -----/\/ COORDiNATORS \/\------ + + Bball Dark Soul Oyl Patch Star Gazor + + -----/\/ TRADERS \/\------ + + Beelzebub Bluewater Chaft Chainsaw Massacre Criminal Overlord + Cruger Darkhosis Darkside Daviolator Demon Lord Dr. Death + Elvin Nox Flamer Flyer Frank Rizzo Hellhound Jopiter Kid Creole + Lunatic Genius Malicious Intent Maverick Maverick TG Processor + Scorpion Shawn Skybum Stingray 6 The Dutchmen The Outlaws + The Druid Tomas + + -----/\/ MEMBERS \/\------ + + Analog Kid Baked Potato Beachboy Big Dumper CaStero Chronus + Colt Python Critical Mass Disk Killer Faldo G-Man + Kronos Liquidater Milo Minderbinder Myst Prophet Rift Rude Boy + Rygar ShadowFax Sigh Speed Master Studster Supernaut + Mr. Blazer and Yum Yum Technomancer Wayward + + * NOTE: All Sysops of RiSC boards are Full Members. * + + -----/\/ GROUP NOTES \/\------ + + RiSC continues it's long time tradition of dominating the scene with + it's superior couriering and unique attitude! + Time for some spring cleaning! If you still think you should be a part + of our Killer Crew then email one of our people and explain why! + + We welcome our most recent additons to our World Class Trading Team: + + SPEED MASTER and STUDSTER! + + -----/\/ GREETS \/\------ + + PROPHECY, GNSiS, SCuM, ECLiPSE, RAZOR 1911, DYNAMiX, NTA, + PWA, FSW, X-FORCE and ZiLLiONZ! + + -----/\/ HEADQUARTER BOARDS \/\------ + + Park Central World HQ 16 Nodes Silver V / Crackpot + Twenty One Twelve U.S. 
HQ 7 Nodes Analog Kid + X-Factor Eastern HQ 10 Nodes X-Factor Staff + The Final Frontier Western HQ 4 Nodes Mikeysoft + + -----/\/ MEMBER BOARDS \/\------ + + BBS to Nowhere 2 Nodes [XXX] XXXXXXX Baked Potato + Dark Angel 2 Nodes [+32] XXXXXXX Felix + Druids^Keep 7 Nodes [+61] XXX-XXXX The Druid + Hellraiser 7 Nodes [819] XXXXXXX Rift + Point Blank 3 Nodes [416] XXXXXXX Critical Mass + Silverado 3 Nodes [+31] XXXXXXX Blue Sky + Southern Wastelands 4 Nodes [XXX] XXXXXXX Legion + Speed & Ecstasy 5 Nodes [+49] XXX-XXXX Darkside + The Eclipse 6 Nodes [805] XXXXXXX The Mustang + Touchdown 4+ISDN [+49] XXXXXXX Ask Hellhound! + Trader's Outpost 3 Nodes [201] XXXXXXX Liquidater + + -----/\/ AFFiLiATE BOARDS \/\------ + + Acheron 3 Nodes [214] XXX-XXXX Bababooey + Coconut Bungalo 3 Nodes [313] XXXXXXX Mongoola + Ground Zero 3 Nodes [801] XXXXXXX Nitro + Hangar 18 2 Nodes [602] XXXXXXX Royce + The Shallow Grave 4 Nodes [804] XXXXXXX Lord Rook / Grady + The Hacked Root 3 Nodes [XXX] XXXXXXX The G-Man + The Belfry 2 Nodes [+44] XXXXXXX Faldo + The General 6 Nodes [713] XXXXXXX General + Zen 6 Nodes [410] XXXXXXX Sigh + + -----/\/ PLEASE NOTE \/\------ + + If you are interested in joining RiSC, either as a TRADER + or as an AFFiLiATE BOARD, contact one of our people. + We are only accepting a very small percentage of those interested in + joining, so please make sure you have something to offer the group. + + RiSC does not take donations of any sort for our services. + We work on merit alone, the way the scene should be run. + + --/\/ (1995)(C) RiSE iN SUPERiOR COURiERiNG (C)(1995) \/\-- + -----/\/ JULY 16TH 1995 \/\------  \ No newline at end of file diff --git a/textfiles.com/piracy/COURIERS/risc0996.nfo b/textfiles.com/piracy/COURIERS/risc0996.nfo new file mode 100644 index 00000000..992dc2e9 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/risc0996.nfo 
@@ -0,0 +1,105 @@ + ߲ + + ܲ ܲ + + ߲ + ߲ + + + + + ߲ + + + + /\/ RiSE iN SUPERiOR COURiERiNG \/\ + + /\/ O-12 HOUR WAREZ \/\ + + + -----/\/ SENiOR STAFF \/\------ + + Eagle 1 Enforcer Prophet + + -----/\/ COORDiNATORS \/\------ + + Arch-Vile Darkside Suspicious Image + + -----/\/ TRADERS \/\------ + + Bababoey Beelzebub Bizzy Corpse Crazy Cruger Cyberjack + Digivamp Fronthead G-Bit Gremlin Legion Lunatic Genius + Maverick Ones Wally Oyl Patch Razor Sharp Skybum + Slain Stingray 6 Terminator The Comet The Outlaws Xwing + + -----/\/ MEMBERS \/\------ + + Analog Kid Beachboy Bleachboy Captain Haywood Chronus Cirion + Crackpot Daviolator Deepmind Hemp Hoodlum Ice Mach One Marlboro + Milo Minderbinder Mr. Blazer & Yum Yum Shadowfax Scorpion & Subzero + Speedmaster Stingray Technomancer Tornado Widget + + * NOTE: All Sysops of RiSC boards are Full Members. * + + -----/\/ GROUP NOTES \/\------ + + RiSC is the longest lasting courier grp by far, and continues to bring + honor and respect to the courier scene as only RiSC can. + To our supporters we can only say, that YOU are what keeps the group going. + And to our competitors we say, keep trying guys, you can only aspire. + + RiSC wishes to bid a very affectionate and heartfelt farewell to one of + our most loyal and dedicated members, Pharaoh and his awesome bbs, + Beyond Akira, you will be dearly missed. We wish you the best + of luck with your future projects and we hope that everything goes well + for you. + + We have removed quite a few inactive members, if you become active again + then please feel free to reapply and we will consider reactivating + your membership ASAP. + We welcome the most recent additions to our World Class Trading Team: + + CRAZY, LEGION, CAPTAIN HAYWOOD, TERMINATOR, DEEPMIND, AND MARLBORO + + -----/\/ GREETS \/\------ + + RAZOR 1911/RCD, PWA, MTY, DoD, PSG, NAPALM and X-FORCE! + + -----/\/ HEADQUARTER BOARDS \/\------ + + Park Central World HQ 16 Nodes Crackpot / SV + Twenty One Twelve U.S. 
HQ 7 Nodes Analog Kid + X-Factor Courier HQ 10 Nodes Longshot + + -----/\/ MEMBER BOARDS \/\------ + + Acheron 3 Nodes [214] XXXXXXX Bababoey + Chronic Disorder 2 Nodes [XXX] XXXXXXX Beelzebub + Darklands BBS 6 Nodes [XXX] XXXXXXX Deathwalker + Dead Pirates Soc. 3 Nodes [XXX] XXXXXXX Corpse + The Eclipse 6 Nodes [805] XXXXXXX The Mustang + Spellbound 7+ISDN [XXX] XXXXXXX Cruger + Touch Down 9 Nodes [+XX] XXXXXXX Palladin + Undergrnd Insanity 5 Nodes [XXX] XXXXXXX UI Staff + + -----/\/ AFFiLiATE BOARDS \/\------ + + Cheap Talk 3 Nodes [770] XXXXXXX Brad Carlton + Coconut Bungalo 3 Nodes [313] XXXXXXX Mongoola + Drug Shop 4 Nodes [+XX] XXXXXXX Parker Lewis + The Shallow Grave 6 Nodes [804] XXXXXXX Grady + The General 6 Nodes [713] XXXXXXX General + Zen 6 Nodes [410] XXXXXXX Sigh + + -----/\/ PLEASE NOTE \/\------ + + If you are interested in joining RiSC, either as a TRADER + or as an AFFiLiATE BOARD, contact one of our people. + We are only accepting a very small percentage of those interested in + joining, so please make sure you have something to offer the group. + + RiSC does not take donations of any sort for our services. + We work on merit alone, the way the scene should be run. + + --/\/ (1996)(C) RiSE iN SUPERiOR COURiERiNG (C)(1996) \/\-- + -----/\/ SEPTEMBER 22ND 1996 \/\-----  \ No newline at end of file diff --git a/textfiles.com/piracy/COURIERS/risc1.nfo b/textfiles.com/piracy/COURIERS/risc1.nfo new file mode 100644 index 00000000..5879927d --- /dev/null +++ b/textfiles.com/piracy/COURIERS/risc1.nfo 
@@ -0,0 +1,105 @@ + + ߲ + + ܲ ܲ + + ߲ + ߲ + + + + + ߲ + + + + /\/ RiSE iN SUPERiOR COURiERiNG \/\ + + /\/ O-12 HOUR WAREZ \/\ + + + -----/\/ SENiOR STAFF \/\------ + + Crackpot Eagle 1 Mikeysoft + + -----/\/ COORDiNATORS \/\------ + + Bball Oyl Patch Star Gazor + + -----/\/ TRADERS \/\------ + + Alexis Machine Beelzebub Big Dumper Corpse Chaft Colt Python + Criminal Overlord Cruger Dark Soul Disk Killer Dr. Death + Elvin Nox Faldo Hellhound Jopiter Kid Creole Lunatic Genius + Maverick Maverick TG Myst Pharaoh Processor Rift Shawn Skybum + Stingray 6 The Dutchmen The Outlaws Toast Tomas Ustasa + + -----/\/ MEMBERS \/\------ + + Baked Potato Beachboy CaStero Chronus Critical Mass Demon + Demon Lord G-Man Glacius 1 Liquidater Messenger of Death + Milo Minderbinder Ragnarok Rude Boy Rygar ShadowFax Sigh + Technomancer Uncle John Wayward + + * NOTE: All Sysops of RiSC boards are Full Members. * + + -----/\/ GROUP NOTES \/\------ + + Park Central is now officially RiSC World Headquarters! + + We welcome our most recent additons to our World Class Trading Team: + + CORPSE, CRITICAL MASS, RIFT, TOAST, TOMAS and USTASA! + + + -----/\/ GREETS \/\------ + + SCuM, GNSiS, RAZOR 1911, NTA and ZiLLiONZ! + + -----/\/ HEADQUARTER BOARDS \/\------ + + Park Central World HQ 15 Nodes Silver V / Crackpot + Final Frontier U.S. HQ 6 Nodes MikeySoft + X-Factor Courier HQ 10 Nodes Blaster + Twenty One Twelve Eastern HQ 7 Nodes Analog Kid + Akira Canada HQ 10 Nodes Pharaoh + + -----/\/ MEMBER BOARDS \/\------ + + BBS to Nowhere 2 Nodes [XXX] XXXXXXX Baked Potato + Dark Angel 2 Nodes [+32] XXXXXXX Felix + Gargoyle's Peak 5 Nodes [216] XXXXXXX Uncle John + Hellraiser 7 Nodes [819] XXXXXXX Rift + Silverado 3 Nodes [+31] XXXXXXX Blue Sky + Southern Wastelands 4 Nodes [XXX] XXXXXXX Legion + The Eclipse 6 Nodes [805] XXXXXXX The Mustang + The General 6 Nodes [713] XXXXXXX OylPatch / General + Touchdown 4+ISDN [+49] XXXXXXX Ask Hellhound! 
+ Trader's Outpost 3 Nodes [201] XXXXXXX Liquidater + + -----/\/ AFFiLiATE BOARDS \/\------ + + Beyond the Cemetery 3 Nodes [905] XXXXXXX Corpse + Cocanut Bungalo 3 Nodes [313] XXXXXXX Moongola + Ground Zero 3 Nodes [801] XXXXXXX Nitro + Hangar 18 2 Nodes [602] XXXXXXX Royce + Temperal Flux 4 Nodes [416] XXXXXXX Critical Mass + The Shallow Grave 4 Nodes [804] XXXXXXX Lord Rook / Grady + The Hacked Root 3 Nodes [XXX] XXXXXXX The G-Man + The Belfry 2 Nodes [+44] XXXXXXX Faldo + The Toxic Dump 2 Nodes [905] XXXXXXX Toast + Zen 6 Nodes [410] XXXXXXX Sigh + + -----/\/ PLEASE NOTE \/\------ + + If you are interested in joining RiSC, either as a TRADER + or as an AFFiLiATE BOARD, contact one of our people. + We are only accepting a very small percentage of those interested in + joining, so please make sure you have something to offer the group. + + RiSC does not take donations of any sort for our services. + We work on merit alone, the way the scene should be run. + + --/\/ (1995)(C) RiSE iN SUPERiOR COURiERiNG (C)(1995) \/\-- + -----/\/ APRIL 19TH 1995 \/\------ + \ No newline at end of file diff --git a/textfiles.com/piracy/COURIERS/risc1293.nfo b/textfiles.com/piracy/COURIERS/risc1293.nfo new file mode 100644 index 00000000..e9d9eef2 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/risc1293.nfo 
@@ -0,0 +1,115 @@ + WK [iCE] 8/2/93 + ߲ + + ܲ ܲ + + ߲ + ߲ + + + + + ߲ + + + + =/\/\= RiSE iN SUPERiOR COURiERiNG =/\/\= + The Official Couriers of iCE & NTA! + The Official Affiliate Couriers of Pentagram! + + -*- 0-12 HOUR WAREZ -*- + + + Senior Staff + + CHESSKiNG  The Drunkard  Eagle 1  The Enforcer  WayWard + + + Senior Members + + Analog Kid  Dr. Insanity  Folksinger  Fiona + Rifleman  Stingray + + + Staff + + Baal Le'Klorin  Bball  Darion  Hurricane + Hades  K0mrad  Prince of Thieves  Red Bear  Red Wizard + Sector 9  Syntax Error + + + Members + + Chronus  Chuckle Bunny  Count Hackula  CRS  Dalamar  DoD + Ice  Jabbah  Marauder  Messenger of Death  Oyl Patch  Polarbear + RetsaM ehT  Skybum  SLAiN  Venom + + + Console + + King Lear  Sigmund Freud  Wolverine + + + Couriers + + Alexis Machine  Chainsaw  Crackpot  DJ-Pain + Elektrik ][ce  The G-Man  Ixcalthar  iNFiLTRaToR  Lord Valgamon + Primal Scream  Ragnarok  Seoman  Shadowfax  Skywalker + Two Gun Mojo  Trickster + + + RiSC GREETiNGS Major Theft, The Skeleton, Mikeysoft, Phone Stud + GO OUT + TO: NTA, Razor 1911, Alpha, Nexus, TRSi + + + --------------------------------------------------------------- + | If you are interested in joining RiSC, either as a COURiER or | + | as a DiSTRiBUTiON SiTE, call our Eastern Headquarters, | + | Twenty One Twelve (518) 272-8753 | + | | + | LOGiN: RiSC | + | PASSWORD: RiSC | + | Download the file RiSCAPPS.ZIP, fill out the appropriate | + | application, and email it to RiSCman. | + --------------------------------------------------------------- + + /=HEADQUARTER BOARDS=\ķ + The Final Frontier World HQ 4 Node ...-...-.... MikeySoft + Dawn of Eternity U.S. HQ 6 Node ...-...-.... Skeleton + Unlawful Entry Courier HQ 8 Node ...-...-.... Major Theft + Manhattan Project Western HQ 3 Node ...-...-.... Rifleman + Twenty One Twelve Eastern HQ 3 Node 518-272-8753 Analog Kid + Ľ + /=MEMBER BOARDS=\ķ + At the Beach! 1 Node +(49) ...-.... 
BeachBoy + Digital Underground 3 Node (301) ...-.... Dr. Insanity + State of Devolution 4 Node (305) ...-.... Marauder + Fractal Mode 2 Node (619) ...-.... Chronus + Orion's Belt 1 Node (718) ...-.... The Drunkard + Ľ + ķ/=AFFiLiATE BOARDS=\ķ + The Sanitarium BBS 2 Node (317) ...-.... The G-Man + Joshua 3 Node (716) ...-.... Abuse + Ľ + /=DiSTRiBUTiON SiTES=\ķ + The STAR BBS 1 Node +61(9)349-6535 The DUDE + Shadow Realm 1 Node (203) ...-.... Shadow Hawk + Black Unicorn Systems 2 Node (204) ...-.... The Alchemist + The AfterMath 2 Node (206) ...-.... Paradigm + Gangland Chicago 3 Node (305) ...-.... Untouchable + The Rapture 1 Node (306) ...-.... Trickster + Coconut Bungalo 1 Node (313) ...-.... Mongoola + The Falcon's Eye 3 Node (414) ...-.... Ixcalthar + Zero Gravity 1 Node (415) ...-.... Velocity + Skitzo BBS 2 Node (512) 353-0429 Waysted + Hangar 18 1 Node (602) ...-.... Royce + Midwest File Exchange 6 Node (708) ...-.... Silver V + Community Blowtorch 4 Node (716) ...-.... Quadrant + The Temples of Syrinx 2 Node (813) ...-.... Urick + VoiD oF REALItY 1 Node (902) 445-5561 The VoiDMASter + Ľ + -*- No Previews/Demos -*- No Non-English Shit -*- + -*- Games  Utiliites  Applications  Console Warez -*- + + -= RiSC '93 =- diff --git a/textfiles.com/piracy/COURIERS/risc94.nfo b/textfiles.com/piracy/COURIERS/risc94.nfo new file mode 100644 index 00000000..13eaa4fa --- /dev/null +++ b/textfiles.com/piracy/COURIERS/risc94.nfo 
@@ -0,0 +1,130 @@ +RiSC COURiERiNG and Alpha Couriering have merged to form a NEW and IMPROVED +RiSC! RiSC welcomes all its new members to the #1 Courier group! + + WK [iCE] 8/2/93 + ߲ + + ܲ ܲ + + ߲ + ߲ + + + + + ߲ + + + + =/\/\= RiSE iN SUPERiOR COURiERiNG =/\/\= + The Official Couriers of NTA & Pentagram! + + -*- 0-12 HOUR WAREZ -*- + + + Senior Staff + + CHESSKiNG  Eagle 1  The Enforcer  Prophet  WiLKiNS + + + Regional Coordinators + + Chronus  Fatal Spirit  Fiona  King Lear + Prince of Thieves  Oyl Patch  The Drunkard  WayWard + + + Elite Traders + + Akira  Bitmaster  Black Jack  Dizzy  Jopiter  Felix + Fozzy  Hell Hound  MooN  Mr Axxess  Ningauble + Royal Knight  SkyBum  The Master  Timebuster  YaZoO + + + Members + + Analog Kid  Broker  Count Hackula  Dalamar  Darion + Dr. Insanity  G-Man  Hades  Hurricane  K0mrad + Kid Capri  Messenger of Death  Mr Lamer  Red Bear  RetsaM ehT + RifleMan  Sector9  Stingray + + + Console + + Bball  Butch  Moebius  Nostromo  Sigmund Freud  Wolverine + + + Couriers + + Alexis Machine  Chuckle Bunny  Chainsaw  Crackpot + Factory  The Gnostic  Ixcalthar  Primal Scream  Ragnarok  Seoman + Shadowfax  Skywalker  Surfin Cow  The WildCard + + + RiSC GREETiNGS Major Theft, The Skeleton, Big Boss, Butcher + GO OUT + TO: NTA, Pentagram,Razor 1911, TRSi, Nexus, TMM + + + --------------------------------------------------------------- + | If you are interested in joining RiSC, either as a COURiER or | + | as a DiSTRiBUTiON SiTE, call our Application Headquarters, | + | Twenty One Twelve (518) 272-8753 | + | | + | LOGiN: RiSC | + | PASSWORD: RiSC | + | Download the file RiSCAPPS.ZIP, fill out the appropriate | + | application, and Upload it to the RiSC Conference. | + | Or email the app to Enforcer or Prophet on any major bbs. | + --------------------------------------------------------------- + + /=HEADQUARTER BOARDS=\ķ + The Final Frontier World HQ 4 Node ...-...-.... MikeySoft + Moral Decay U.S. HQ 6 Node ...-...-.... 
Corrupt + Road Runner Courier HQ 8 Node ...-...-.... Coyote Member + Dawn of Eternity Central HQ 6 Node ...-...-.... Skeleton + Manhattan Project Western HQ 4 Node ...-...-.... Rifleman + Digital Underground Eastern HQ 5 Node ...-...-.... Dr. Insanity + Ľ + /=iNTERNATiONAL HQ's=\ķ + Beyond Akira Canadian HQ 5 Node 416-...-.... Pharaoh + Flying Saucer Belgium HQ 4 Node +32-...-.... ULi + MadMan's Sanktuary German HQ 7 Node +49-...-.... STB + Ľ + /=MEMBER BOARDS=\ķ + Silverado 3 Node +(31) ...-.... Blue Sky + Dark Angel 2 Node +(32) ...-.... Felix + At the Beach! 1 Node +(49) ...-.... BeachBoy + City Of Chaos 1 Node (212) ...-.... Prophet + Twenty One Twelve 3 Node (518) 272-8753 Analog Kid + Fractal Mode 2 Node (619) ...-.... Chronus + The General 6 Node (713) ...-.... OylPatch + Orion's Belt 1 Node (718) ...-.... The Drunkard + The Ghetto 1 node (914) ...-.... Kid Capri + Ľ + ķ/=AFFiLiATE BOARDS=\ķ + Dimention XXX 2 Node (215) ...-.... Dr. Anarchy + The Sanitarium BBS 2 Node (317) ...-.... The G-Man + The Argosy 2 Node (603) ...-.... SpyGlass + Street Spydrs 5 Node (713) ...-.... Maverick + Joshua 3 Node (716) ...-.... Abuse + The Fatal Edge 2 Node (805) ...-.... Mixer + New World Order 1 Node (908) ...-.... Polaris + Ľ + /=DiSTRiBUTiON SiTES=\ķ + The AfterMath 2 Node (206) ...-.... Paradigm + Brotherhood of Thieves 2 Node (215) ...-.... The WildCard + Dimension Hatrss II 2 Node (216) ...-.... Dalamar Do'Urden + Gangland Chicago 3 Node (305) ...-.... Untouchable + Coconut Bungalo 1 Node (313) ...-.... Mongoola + The Falcon's Eye 3 Node (414) ...-.... Ixcalthar + Zero Gravity 1 Node (415) ...-.... Velocity + Skitzo BBS 2 Node (512) ...-.... Waysted + Hangar 18 2 Node (602) ...-.... Royce + Central Park 8 Node (708) ...-.... Silver V + Community Blowtorch 4 Node (716) ...-.... Quadrant + The Temples of Syrinx 4 Node (813) ...-.... Urick + Ľ + -*- No Previews/Demos -*- No Non-English Shit -*- + -*- Games  Utiliites  Applications  Console Warez -*- + + -= RiSC '94 =- 
diff --git a/textfiles.com/piracy/COURIERS/rsc0595.nfo b/textfiles.com/piracy/COURIERS/rsc0595.nfo new file mode 100644 index 00000000..20c1d9b7 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/rsc0595.nfo 
@@ -0,0 +1,104 @@ + + ߲ + + ܲ ܲ + + ߲ + ߲ + + + + + ߲ + + + + /\/ RiSE iN SUPERiOR COURiERiNG \/\ + + /\/ O-12 HOUR WAREZ \/\ + + + -----/\/ SENiOR STAFF \/\------ + + Crackpot Eagle 1 Mikeysoft + + -----/\/ COORDiNATORS \/\------ + + Bball Oyl Patch Star Gazor + + -----/\/ TRADERS \/\------ + + Alexis Machine Beelzebub Big Dumper Corpse Chaft Criminal Overlord + Critical Mass Cruger Dark Soul Disk Killer Dr. Death + Elvin Nox Faldo Hellhound Jopiter Kid Creole Lunatic Genius + Maverick Maverick TG Myst Pharaoh Processor Rift Shawn Skybum + Stingray 6 The Outlaws The Punisher Toast Tomas Ustasa + + -----/\/ MEMBERS \/\------ + + Baked Potato Beachboy CaStero Chronus Colt Python Demon + Demon Lord Flyer G-Man Glacius 1 Liquidater Messenger of Death + Milo Minderbinder Rude Boy Rygar ShadowFax Sigh + Supernaut Technomancer Uncle John Wayward + + * NOTE: All Sysops of RiSC boards are Full Members. * + + -----/\/ GROUP NOTES \/\------ + + Park Central is now officially RiSC World Headquarters! + + We welcome our most recent additons to our World Class Trading Team: + + SUPERNAUT and THE PUNISHER! + + + -----/\/ GREETS \/\------ + + SCUM, GNSiS, PROPHECY, RAZOR 1911, NTA, and ZILLIONZ! + + -----/\/ HEADQUARTER BOARDS \/\------ + + Park Central World HQ 15 Nodes Silver V / Crackpot + Final Frontier U.S. HQ 6 Nodes MikeySoft + X-Factor Courier HQ 10 Nodes Blaster + Twenty One Twelve Eastern HQ 7 Nodes Analog Kid + Akira Canada HQ 10 Nodes Pharaoh + + -----/\/ MEMBER BOARDS \/\------ + + BBS to Nowhere 2 Nodes [XXX] XXXXXXX Baked Potato + Dark Angel 2 Nodes [+32] XXXXXXX Felix + Hellraiser 7 Nodes [819] XXXXXXX Rift + Silverado 3 Nodes [+31] XXXXXXX Blue Sky + Southern Wastelands 4 Nodes [XXX] XXXXXXX Legion + The Eclipse 6 Nodes [805] XXXXXXX The Mustang + The General 6 Nodes [713] XXXXXXX OylPatch / General + Touchdown 4+ISDN [+49] XXXXXXX Ask Hellhound! 
+ Trader's Outpost 3 Nodes [201] XXXXXXX Liquidater + + -----/\/ AFFiLiATE BOARDS \/\------ + + Beyond the Cemetery 3 Nodes [905] XXXXXXX Corpse + Cocanut Bungalo 3 Nodes [313] XXXXXXX Moongola + Ground Zero 3 Nodes [801] XXXXXXX Nitro + Hangar 18 2 Nodes [602] XXXXXXX Royce + Temperal Flux 4 Nodes [416] XXXXXXX Critical Mass + The Shallow Grave 4 Nodes [804] XXXXXXX Lord Rook / Grady + The Hacked Root 3 Nodes [XXX] XXXXXXX The G-Man + The Belfry 2 Nodes [+44] XXXXXXX Faldo + The Toxic Dump 2 Nodes [905] XXXXXXX Toast + Zen 6 Nodes [410] XXXXXXX Sigh + + -----/\/ PLEASE NOTE \/\------ + + If you are interested in joining RiSC, either as a TRADER + or as an AFFiLiATE BOARD, contact one of our people. + We are only accepting a very small percentage of those interested in + joining, so please make sure you have something to offer the group. + + RiSC does not take donations of any sort for our services. + We work on merit alone, the way the scene should be run. + + --/\/ (1995)(C) RiSE iN SUPERiOR COURiERiNG (C)(1995) \/\-- + -----/\/ MAY 13TH 1995 \/\------ + \ No newline at end of file diff --git a/textfiles.com/piracy/COURIERS/stealth.nfo b/textfiles.com/piracy/COURIERS/stealth.nfo new file mode 100644 index 00000000..355c67bf --- /dev/null +++ b/textfiles.com/piracy/COURIERS/stealth.nfo 
@@ -0,0 +1,92 @@ + + + + + + + C O U R I E R S + + + ޱ + ޲ݲ޲ + ݰް + ۲ܲܰ ܲ + ޲ ߰ + +ް ܱ߰ + ߰ ߲ܰ߱ ܲ + ߰ ߰ ߲ + ߱ ߱ + + + ܲ + + + ܱ ޲ ܱ + ۱ + + + + ޲ + ۱ + ۰ + + + ޲ + ޲ + ۱ + ۱ + ۰ + + + + SENIOR MEMBERS + + + -Shadowhawk-- -Vixon-- + MEMBERS + + -Lighting Lord-- + -The General-- -Slayer-- + COURIERS + + -Dream Master-- + -Jimi Hendrix-- -Specs-- -Fletch-- + -D'elagance-- -The Guild Master-- + + STEALTH BOARDS NODES POSITION + + -/The General\- XXX-XXX-XXXX The General 5 World H Q + + -/The Wormhole\- XXX-XXX-XXXX Lightning Lord 1 Member Board + + -/Distant Lands\- 613-NOT-4YOU General Protocal 1 Distro Site + + -/Ride The Lightning\- 713-DIE-KIWI Stringray 1 Distro Site + + -/The Pirates Cove\- 615-GET-LOST The Guardian 1 Distro Site + + -/VMF-214\- 215-EAT-KIWI Pappy Boyington 1 Distro Site + + -/T.H.O.T\- XXX-XXX-XXXX Explorer 1 Distro Site + + We are looking for MORE DISTRIBUTION SITES + and MORE QUALITY COURIERS + contact Shadowhawk on FelonyNet or CelerityNet or + Call 713-728-0380 and log on as STEALTH PW:STEALTH + + STEALTH NOTES + ͸ + Name: [ .....Terminator 2029 disk add ons..........] + + Group: [.Public Enemy...........] Disks: [.. 2 ..] + + Company: [ Bethesda .....................] Rating: [8/10] + + Notes: 1st part kicked ass this should too + + ; + Greets: UNT, RAZOR, PE, VertigoVixon + GothmogDEViLThe GuardianGreyBeard + + ...Shadowhawk diff --git a/textfiles.com/piracy/COURIERS/t4d.nfo b/textfiles.com/piracy/COURIERS/t4d.nfo new file mode 100644 index 00000000..319661f3 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/t4d.nfo 
@@ -0,0 +1,86 @@ + + + + + + <1993> + "Putting the base back in 404" + + + + "The Beginning of the End of Couriers as We know it" + + + GENESiS HQ Boards + + TheCrazyWorldBBS(WHQ)404-GEN-ESiS1.0Gigs2NodesCrazyHorse + StratoFortress(DistroHQ)404-565-05951.3Gigs16.8D/SBomber + ExaltedDeath(Mid-WestHQ)314-966-86341.0Gigs2NodesDead Goon + Purgatory(CourierHQ)404-518-64800.7Gigs2NodesBrutalC + MetalWorks(SouthEasternHQ)318-PRI-VATE2.8Gigs2NodesHeavy Metal + + Support Boards + + MetalWorks(SupportSite)318-YOU-WISH2.8Gigs2NodesHeavyMetal + MoonCrowsAeryie(SupportSite)206-NOT-EVER2.5Gigs4NodesMoonCrow + Fate'sWarning(SupportSite)214-864-27331.0Gigs1NodesStiletto + DataDump(SupportSite)DIE-FED-SCUM3.4Gigs3NodesRISC + ExaltedDeath(SupportSite)314-966-68341.0Gigs2NodesDeadGoon + TheFalcon'sEye(SupportSite)414-347-19763.6Gigs3.NodesIxcalthar + + + MEMBER BOARDS + + Hemispheres404-642-95161.3Gigs 2NodesRadaR + Times1&2309-698-14671.2Gigs2NodesDocWho + JaggedEdge305-362-73151.2Gigs1Node JagOne + FileCabinet815-399-89783.6Gigs6NodesFileClerk + + + Distribution Sites + + SurrealisticUnderground404-971-88691.2Gigs1NodeDali + DeepSpaceNine404-432-12621.5Gigs1Node ShadowLord! 
+ Equinox201-670-40321.2Gigs2NodesRexHacker + 4thDimension303-932-90281.0Gigs1Nodepsilon + PhoenixBBS916-487-04171.2Gigs2NodesKiller + LesInnocentsElite404-421-92340.7Gigs1NodeSilk + Deodand404-631-95300.4Gigs1NodeDarkRider + OracleofIllusions404-426-03170.4Gigs1NodeHallusionist + WetWorks404-233-15130.5Gigs1NodeSenna + + + GENESiS' SENIOR STAFF + + Crazy Horse, Nueromage, RadaR(T), Hermes(T) + + Courier/Distro CoOrdinater(s) + + Sonoma + + GENESiS' WAREZ TEAM + + Xenocide(Lead Courier), Proctor(Euro Courier), Raiden, MadMan(LD), + Danse Macabre*, Biofeedback(DS9), Rex Hacker(LD), Falchion(SU), Slasher* + Digital Infiltrator(LIE), Death Weilder(LD), Shinobi(ANSi), Hermes(Scout) + ShadowLord!(Programmer), Stygian One(SU), Chaz(Deo-T), StarDrake(WW), + Identity Crisis(LD), Knighthawk(SU-T), Shock Wave(LD-T), BlackJack(Euro-T) + Sagent(LD-T) * Special Member + + GENESiS Distro Site Sysops + + Rex Hacker, Dali, Bomber, ShadowLord!, Senna, Heavy Metal, Hallusionist, + Brutal C., Doc Who, Jag One, The File Clerk, Silk, Dark Rider, MoonCrow + Killer, Dead Goon, Ixcalthar, Risc, Stiletto, Killer, psilon + + + Special Thanks to: NDN, RAZOR, SKillion, Metal Works, MoonCrow's + Aeryie, ShadowLord!, Friendship, TDT, LEGEND, + MaLaFaCtoR, AND CSC + + "Think GENESiS is great now? Remember, it's only the beginning." + + -Slasher/GENESiS- + +IF You wish to join -=GENESiS=-, Call one of the Boards listed above, +And Leave Mail to Nueromage or Crazy Horse for information. diff --git a/textfiles.com/piracy/COURIERS/tca.nfo b/textfiles.com/piracy/COURIERS/tca.nfo new file mode 100644 index 00000000..d4a85b28 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/tca.nfo 
@@ -0,0 +1,110 @@ + + _______________ _______ ______ + |-O: -*- // -++\ \ \ + | | \: // :// / \ + |_._ ,// . ./ / | \ + ./ |\__/// |\___/ /. _ \ + /. | /. |_____ // | \ + // | /O+ | \/O- | -O\ + \_____ | \ __________\_____ |______:/[CCa] + \| \| \| . + + -*- KiCKiN' youR aSS '93 -*- + + aRTiST NoTe: NoW oNLy SuPPoRTiN' MoDe 80 50 oR DRoP DeaD! + +Ŀ + THe CouRieR aSSoCiaTioN iS PRouD To CouRieR THiS WaRe +; + + + + + - THe SeNioR STaFF - + + [/] THe BiG oRGaSM - aSHToN - WoNDeRBoY [\] + [/] HaWKeYe - LioN [\] + + + - TCa MeMBeRS - + + [-] AFTeRLiFe - FaiRyLoRD - NiGHTSHaDe - DoC LeCTeR [-] + [-] SPaRKLiNG FLaSH - PaNTHeR - ZoRLaC - FoRD KNoX - CaPT HaRLoCK [-] + [-] GRiM - PoSeiDoN - JeTSTReaM - FRaNKie [-] + [-] ACiD - MiNDBeNDeR [-] + [-] DeaDLy AVeNGeR [-] + + + - INTeRNaTioNaL CouRieRS! - + + [-] HaMLeT - X-BoW NiGHT - THuNDeR [-] + [-] GaNG$Ta - HiTMaN - RaVe DuDe [-] + [-] NiK FieND - MaRauDeR GoBLiN [-] + [-] GLooMy SKy! [-] + + - NaTioNaL CouRieRS - + + [-] FiRST PRiNCe! [-] + + + - CoDiN / GFx / MuSiC - + + [-] THe BRaiN - SouRCeReR CC [-] + + + - CRaCKiNG TeAM - + + * WaReZ/RoI TeAM: * + + [-] SHaDoWLoRD - BLaDeMaN - MaNGy CaT [-] + [-] SPaRKLiNG FLaSH [-] + + + ========================================== + WeLCoMe To Our New Utilities Cracking Team + ========================================== + + Grtx: RAZOR 1911 - SKN - TDT - THG - TPC - UNT - INC + + Ŀ + BoARD NAMe SySoP NuMBeR(s) NoDe(s) + + ERoGeNiC ZoNe [WHQ] THe BiG OrGaSM +31-72-644476 #3 16k8 DS + LiTHiUM [UHQ] PoSEiDoN 313-671-1301 #5 16k8 DS + R.o.I. [UWHQ] SPaRKLiN FLaSH 415-992-1929 #3 16k8 DS + HaDeS [UMHQ] AFTeRLiFe 913-894-1795 #3 16k8 DS + PLaNeT GRooVe [EHQ] ASHToN/PaNTHeR +31-838040916 #2 16k8 DS + WaYNe'S WorLD [DHQ] WoNDeRBoY +31-220744113 #3 14k4 v32 + DeaTH RoW [AHQ] GRiM +61-375-12094 #2 16k8 DS + FaTaL FuTuRe [SHQ] MiNDBeNDeR +46-GUE-SS... #2 14k8 DS + DaRK SiDe [GHQ] DoC LeCTeR +49.GUE-SS... #3 16k8 DS + HouSe oF WaReZ [DST] FRaNKie +61.NoT-YeT.. 
#2 14k8 v32 + RiGeL IV [DST] DeaDLy AVeNGeR +61.NoT-YeT.. #1 14k4 DS + BoRN iN SiLeNCe [MBR] FAiRYLoRD +31-40--ELiTE #1 14k4 DS + FoRD KNoX [MBR] FoRD KNoX +31-53-323054 #1 19k2 ZxL + TRaNS CeNTRaL [MBR] NiGHtSHaDe +31-43-652085 #1 14k4 DS + IMPeRiuM [DST] ZoRLaC +31-XxX.ELITE #1 14k4 v32 + + + MoRe CHaNGeS CoMMiN' uP! + +Ŀ + WaNNa BeCoMe a TCa CouRieR/DiST SiTe? +; + + DoWNLoaD aN aPPLiCaTioN FRoM : THe ERoGeNiC ZoNe, LiTHiuM, + DeaTH RoW... + FiLL iN THe aPPLiCaTioN aND ReTuRN THiS aT youR CoNViNieNCe To + ONe oF THoSe BoaRDS + +Ŀ + FiNaL NoTe +; + + iF you LiKe aND uSe THe SoFTWaRe THaT iS SPReaD By uS, PLeaSe TaKe + iT uPoN youRSeLF To Buy iT. SuPPoRTiNG QuaLiTy PRoGRaMMeRS iS iN + aLL oF ouR iNTeReST. + + + -*- TCa, THe oNe aND oNLy! -*- + diff --git a/textfiles.com/piracy/COURIERS/therapy.nfo b/textfiles.com/piracy/COURIERS/therapy.nfo new file mode 100644 index 00000000..def3907d --- /dev/null +++ b/textfiles.com/piracy/COURIERS/therapy.nfo 
@@ -0,0 +1,96 @@ + + ܲ ܱ ܱ ߲ + ܱ ߰ + + + ޲ + ޱ ޱ ޲ ޲ + ް ް ޱ ޲ ޲ ۲ + ܰ ް ޱ ް ޱޱ ޱ + ޱ ް ް ް ް + ޲ ޱ ߰ ޱ ް ް ް ް + ޲ ޲ ް ޲ܱ ޱ ޱ ޱ ޱ + ۲ܰ ۲߱޲ ޱ۲ ޲ ߲ ޱ + ޲ ߰ ޲ܲ ۲ ޲ ޲ ۲ + ۲ + ߲߱ ߱ ߱ + + + [ T HERAPY COURIERING 1 9 9 5 ] + +Ŀ -\/News And Notes\/- ķ +-\/\/-ٺ + + THERAPY is always looking some active members on 90 area. If you're +| interested, just contact Hunter or Mr. death on any HQ Board. | + NOTE: We will not take inactive members, we're require quality + +ڿ ڿ + ٺ +ͼ + +ͻ +Ŀ Ŀ + ٳ + .Founders.of.THERAPY. + -\/\/- + +| Mr. Death And Hunter | + + .Senior.Member.Team!. + -\/\/- + + Impulse + +| .....Member.Team..... | + -\/\/- + + Sector Migrain, Ratter + + .....PPE.Section..... + -\/\/- +| | + Conrad + + - + + .....Our.Boards!..... + -\/\/- +| | + Name Sysop Nodes Status Area Speed + Xtacy Lines Mr.Death [02] WHQ +358-90- 2x28.8k + + Angel Dust Ratter [03] Member +358-90- 2x28.8k+ISDN + +| Crime Wave Brias [01] Dist. +358-90- 28.8k | + 4th Dimension Merlin [02] Dist. +358-14- 28.8k+ISDN + Rainfall Center Jackrip [01] Dist. +358-XX- 28.8k + The Church The God [01] Dist. +358-90- 28.8k + + Magic Node Conrad [01] Coder hq +358-90- 28.8k + +ڿ ڿ + -ٺ +ͼ + +ͻ +Ŀ -Ŀ + ........Greets....... ٳ + + Personal Greets: Cyborg, Hawkeye, Hell Flyer, Contrast and Jackrip +| | + Group Greets: Jihad, Raid, Bsa, Damage, Bytephobia and Lts + + +ڿ ڿ +-------------------------Updated 12.17.95-Ľ + + _________________ ______________ _________________________________ .______ + \____ _____ | / ____/ \ _ ___ / _______________ /____| / + _/ \__\_ /_\ __/_____\ ___/ _/_\ \__ /_ \___/\ | /_ + .:\_______/\_____| ______ /____| /____| /_____| _ _\_____ / + .. ..... |____/ wG!|_____/ |____/ |____/ .._ ___________/ + .:...:: :::::. .......:::. .....:: :: + ...: ::. .:::: :::::. .:::: + :::::: :::::: + diff --git a/textfiles.com/piracy/COURIERS/uc.nfo b/textfiles.com/piracy/COURIERS/uc.nfo new file mode 100644 index 00000000..2e6ee5db --- /dev/null +++ b/textfiles.com/piracy/COURIERS/uc.nfo 
@@ -0,0 +1,123 @@ + AsciiIcy[iCE] + + ۲ + ۲ ۲ + ۰ ۱ + ۱ ۱ + ۲ ۲ ۰۱ + ۲ ۲ + ۲ ۲ + ۰ ۲ ۲ + ۲ ۲ + ۰ + + + ۰ ۰ + ۲۱ + ۱۰ ۰ + ۰۱ ۱ ۱ + ۲ ۲ ۲۲ + ۲ ۲ ۱ + ۲ ۲ ۲ + + + + -*- THIRD YEAR ANNIVERSARY -*- + -o> UNiTED COURiERS SPREADING TEAM BBS< Spreading Team + Ĵ + Call (718)940-7554 - USER: UNITED COURIERS + PASS: APPLY + + Download UC-APP.EXE, Fill it out, rename it to HANDLE.APP, upload it + and leave a message to GALVATRON and you will be contacted ASAP. + Ĵ + United Couriers >INTERNET< Spreading Team + Ĵ + On Summer Hiatus + + + Don't choose a second rate operation for your courier needs. Go + with the OLDEST and most RESPECTED group in the business. UC '94! + + [ UNITED COURIERS 1994 ] + "In Warez We Trust" for there is always "The Need For Speed" diff --git a/textfiles.com/piracy/COURIERS/uc1092.nfo b/textfiles.com/piracy/COURIERS/uc1092.nfo new file mode 100644 index 00000000..590ef23e --- /dev/null +++ b/textfiles.com/piracy/COURIERS/uc1092.nfo 
@@ -0,0 +1,53 @@ + ۲ ۲ Icy[MiRAGE] + ۲ ۲ + ܱ۲ + ܰ ۲ + ۲ ۲ + ۰ ۱ + ۱ ۱ + ۲ ۲ ۰۱ + ۲ ߲ + ۲ ۲ + ۰ ۲ ۲ + ۲ + ۰ + ۲ + ۲ + ۰ ۰ ۲ + ۲۱ ܱ + ۱۰ ۰ +۰۱ ۱ ۱ + ۲ ۲ ۲ +۲ ۲ ۲ ߰ +۲ ۲ ۲ + + + U N I T E D C O U R I E R S +ķ + United Couriers Boards +Ķ + BOARD NAME POSITION NUMBER SYSOP +Ķ + Ghost Shadow II (3 Nodes) West HQ 213/227.4838 Ghost Master + Imperial City (2 Nodes) Dist Site 818/241.4582 Mara Jade + Beyond the Realm of Reality Dist Site 310/869.9484 Legend Master + The Burrows Dist Site 310/431.8318 Weasel + The Jungle Dist Site 615/758.2876 The Warelord + 4 A.D. Dist Site 818/832.8911 Lord DCD +Ķ + MEMBER POSITION NOTES +Ķ + Speculum PRESIDENT If you are interested in + Venom COORDINATOR becoming a United Courier + Lord DCD MEMBER or want to be a Dist Site, + Legend Master MEMBER contact anyone in the + Ghost Master MEMBER group on any high quality + Mara Jade MEMBER board you see us on. + Galvatron COURIER + Gemini COURIER Greets: FLT TDT INC AN RZR + Dreamevil COURIER EX $YN PiL DRG TRSI + High Density COURIER + Zool COURIER + Havok COURIER +Ľ + UC '92 diff --git a/textfiles.com/piracy/COURIERS/uc1093.nfo b/textfiles.com/piracy/COURIERS/uc1093.nfo new file mode 100644 index 00000000..c66aa6f4 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/uc1093.nfo 
@@ -0,0 +1,122 @@ + [United Couriers INFOFile, September 15, 1993] + AsciiIcy[iCE] + + ۲ + ۲ ۲ + ۰ ۱ + ۱ ۱ + ۲ ۲ ۰۱ + ۲ ۲ + ۲ ۲ + ۰ ۲ ۲ + ۲ ۲ + ۰ + + + ۰ ۰ + ۲۱ + ۱۰ ۰ + ۰۱ ۱ ۱ + ۲ ۲ ۲۲ + ۲ ۲ ۱ + ۲ ۲ ۲ + + + + + S E N I O R M E M B E R S + + GalvaTron, General Protocol, Havok, + Serpico, Wooly, Sherlock Ohms + + + C O O R D I N A T O R S + + Gemini, The Paladin + + + S E N I O R C O U R I E R S + + Talia, Xuse + + + C O U R I E R S + + Sentinels, Hsing, Digital Wizard, High Density, The Jester, + Lucifer, Rush, Deathrider, Icebreaker, Wild Willie, Assassin, + Venom, Silencer, Partsch, Clint Eastwood, Brimstone, Grim Reeper, + Stinger, Finker, Nocturne, Barbarian, Stone, Wolfman, Joker, + Delta, Two Face, Black Ranger, Genocide, The Undertaker, Biggunn, + The Grim Reaper, Luxor, Phraktal, Elvis, Shaggy, Sampo, Dr. Rat, + Silhouette of Death, Elijah, Ivanhoe, Viper, Trickster, Flagg, + John Lennon, Milamber Condoin, Remote Controlled, Shakattack + + +ķ + H E A D Q U A R T E R S +Ķ + The Eclipse (3 Nodes) XXX The Mustang WORLD + Celtic Path (5 Nodes) +49 Dark Star EUROPEAN + Distant Lands (2 Nodes) 613 General Protocol CANADIAN + Depeche's Violations (3 Nodes) XXX Depeche WESTERN + Wooly's World (4 Nodes) 614 Wooly EASTERN +Ķ + C O U R I E R H E A D Q U A R T E R S +Ķ + Midpoint Void (2 Nodes) 303 Holy Ward WESTERN + The Twilight Zone (3 Nodes) 504 Jack Flash CENTRAL + Hell BBS (3 Nodes) 313 Asmodeus EASTERN + The Relm (2 Nodes) +39 Black Ranger EUROPEAN +Ķ + D I S T R I B U T I O N S I T E S +Ķ + The Battlefield (4 Nodes) 706 Buck Blazer + Red Hot Chilli Peppers (4 Nodes) 203 Salty + Complex Corrosion (5 Nodes) 612 White IC + The Burning Church (2 Nodes) 416 Always Dangerous + Disaster Area (2 Nodes) 818 Aceking + Zero Vector 216 HellSpawn + Beyond the Realm of Reality 310 Legend Master + The Lexicon (2 Nodes) 818 The Byter + Pandemonium BBS 914 Hacker + The Crime Cartel (2 Nodes) 714 Sledge Hammer + Fort Knox 508 The Ninja + 5th Dimension 614 The Warrior + Arrested 
Development (5 Nodes) 914 Criminal Justice + The Thieves Guild XXX Highlander +Ķ + To Contact United Couriers: + + Phone: (818)799-2129 (USA) / (613)241-7506 (CANADA) + User : 'APPLY' + Pass : 'UC' + + Via Internet: 'eaeu324@orion.oac.uci.edu' +Ľ + + P O S T S C R I P T + + Don't choose a second rate operation for your couriering needs. Go with + the OLDEST and BIGGEST group in the business. United Couriers 1993! + + Special greetings go out to UC Random, RAZOR 1911, Pentagram, THG, + NTA, and all those who work to improve the scene. + +[EOF] + + + + + + + + + + + + + + + + + diff --git a/textfiles.com/piracy/COURIERS/uc1094.nfo b/textfiles.com/piracy/COURIERS/uc1094.nfo new file mode 100644 index 00000000..bed2ab01 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/uc1094.nfo 
@@ -0,0 +1,115 @@ + ܰ Lord Drakul [/iM Productions 1994] + ߰ ߲ + ܰ ۰۰ ߱۰ ޱ ߰ + ް ܱ ܱ ߰ ߲۲޲ ߰ + ܰ ߲ ۲ + ߱ ۲ ۲ ۲ ܲ۲ ۲ + ۲ ۲޲ݲ ۱ ߱ ۲ ۲ + ۲ ޱݱ ۲ ۲ + ޱ ۰ ߲ LL + ۱ ۰ ۰޲ܲ ܱ + ߰ ܱ ۰ + ܰ + ۰ + ߱ ܲ + ܲ߱ ۰ ߰ ߱ ߰ ߲ܲ + ߲ ۰ޱ ޲ ߱ ߲ + ޱ޲ ۲ޱ ߲۲ ۲ + ܱ ۲ ۲ ۲ + ۲޲ ߱޲ ܲ ߱ ޲ + ۰ ޱ ܲ ߱ ߲ + ް ޱݲ ܱ ܲ + ߰ ܰ ۰ ۰ ܲ ߱ ܰ + + [ UNITED COURIERS TRADING TEAM - 3 YEARS STRONG & GROWING ] + + United Couriers would like to welcome WWC couriers to the family! + More proof that United Couriers continues to grow and flourish in 1994. + + On that note, we'd like to note the many changes in the group, if you're + not in this .NFO then you have been dropped from the group for one reason + or another, remember United Couriers only has room for the best. + + We are always on the lookout for new couriers and systems, if you run a + 2+ node PCE/PCB system, or can spread fast, come and see all the benefits + of being part of the United Couriers spreading team! + +Ŀ + S E N I O R M E M B E R S + ---------------------------- + GalvaTron, Havok, Wooly +Ĵ + C O O R D I N A T O R S + ------------------------- + Chener, Elvis, Scimitar +Ĵ + S T A F F + ----------- + General Protocol, Killerette, Sonny, Split Second + Hsing, Darksider +Ĵ + C O U R I E R S + ----------------- + Storm Master, Lord Styaric, The Jester, Dendybar, The Master, Talia + Digital Wizard, Technoman, Zouk, The Eternal, Vendetta, Shark, + Sandman, Ciez, Biggunn, Ace, Daffy, The Adept, Junkman, Sassy, Tyrant + Nervous Rex, Poker, Magik Man, Homey Clown, Inferno, Novastein, + The Shadow, Alpher, Archmage, Artiface, Bullet, Cthulhu, Pericles, + Shaggy, Shai'Tan, Triton, Woody, Tagger, Death Morrison, Jack Fledsing +Ĵ + T R I A L C O U R I E R S + ---------------------------- + Star, String, Fume, Slane, Phantasm, Roland of Gilead, Shang Tsung + +Ŀ + UNiTED COURiERS BOARD LIST + -------------------------- +Ĵ + CONCEPT ELITE (XXX) 8 NODES WORLD HQ + MASTURBATION STATION (305) 9 NODES COUIRER HQ + DEPECHE'S VIOLATION (XXX) 5 NODES WESTERN HQ + WOOLY'S 
WORLD (XXX) 5 NODES EASTERN HQ +Ĵ + CELTIC PATH (+XX) 5 NODES EUROPEAN HQ + THE HOOD (XXX) 9 NODES CANADIAN HQ + DRUID'S KEEP (+XX) 4 NODES AUSTRLN HQ +Ĵ + R.I.P. (XXX) 10 NODES MEMBER + DISTANT LANDS (613) 2 NODES MEMBER + LEGATO TIMES (702) 2 NODES MEMBER + THE HAUNTED HOUSE (+49) 4 NODES MEMBER +Ĵ + ARRESTED DEVELOPMENT (914) 3 NODES DISTRIBUTION SITE + THE LEXICON OF THE CABAL (818) 2 NODES DISTRIBUTION SITE + FALSE INTENSIONS (609) 5 NODES DISTRIBUTION SITE + HIGHER GROUND (614) 3 NODES DISTRIBUTION SITE + FORT KNOX (508) 1 NODE DISTRIBUTION SITE + BLADESTORM (310) 2 NODES DISTRIBUTION SITE + THE GRAVE YARD (714) 1 NODE DISTRIBUTION SITE + DEAD MAN'S BLUFF (310) 2 NODES DISTRIBUTION SITE + GRAVESITE (214) 2 NODES DISTRIBUTION SITE + GROUND ZERO (707) 4 NODES DISTRIBUTION SITE + THE MIRAGE (612) 2 NODES DISTRIBUTION SITE + THE SILICON PHALANX (510) 2 NODES DISTRIBUTION SITE + THE VAULT (503) 3 NODES DISTRIBUTION SITE +Ĵ + CYBORG ZONE (514) 2 NODES AFFILIATE + ALTERED STATE (818) 2 NODES AFFILIATE + THE HEAVANS (201) 2 NODES AFFILIATE + THE WARP ZONE (909) 4 NODES AFFILIATE + + + INTERESTED IN JOINING THE BEST COURIERING GROUP TODAY? HERE'S HOW... +Ŀ + Call (718)940-7554 - USER: UNITED COURIERS - PASS: APPLY + + Greetings... + + PWA - UCID - UC Random - KLF - High Voltage - RiSC - TGB + + LoverMan, Depeche, Serpico, Speculum, Quackers, Sherlock Ohms + + -*- + + Don't choose a second rate operation for your courier needs. Go + with the OLDEST and most RESPECTED group in the business. UC '94! diff --git a/textfiles.com/piracy/COURIERS/wwc93.nfo b/textfiles.com/piracy/COURIERS/wwc93.nfo new file mode 100644 index 00000000..93db73d2 --- /dev/null +++ b/textfiles.com/piracy/COURIERS/wwc93.nfo 
@@ -0,0 +1,123 @@ + + ߱ ߲߱ ߲ ߰ + ߱ + ۲ ۲ ۲ + ܰ + ݰ۲ ݰݰ۲ ݰ ݰ + ۲ ۲ ۲ ۲ + ۱ݲ۲޲ ۱ݲ۲޲ ݲ + ۱ ۰ ۱ ۰ ݱ + ݰ޲ް۲ݰ ݰ޲ް۲ݰݰް ް + ޱܱܱ߱ ޱܱܱ߱ ޱ ߱ + ۲޲޲ ۲޲޲ ޲ܲ + ޱ ޱ ߰ ED + ߲ iCE + + - ] W O R L D W I D E C O U R I E R S [ - + " Join the rising force in PC Couriering " + + + + + + ۱ܰ E M B E R S ۲۲ + ߲ ۲ + + + ۰ + + S E N I O R S T A F F + \ + COOKIE MONSTER THE FOREMAN SHADOWKEEPER RADIATION ۰ + + + S E N I O R C O U R I E R S + \ + EXTRA CREDiT + ۰ + + M E M B E R S + \ + NOMADD SHADOW HUNTER EDUCATED HORMONE + + ۰ ۰ + S Y S O P S + \ + THE WEASEL + Hi Fi DEL TOiLET BOWL + WAYNE ROGUE THE ARMORED SAiNT + ۰ + ۰ + C O U R I E R S + \ + iMAGE + THE PROWLER + RAVEN CRYPT MASTER ۰ + POLARIS MR.EMT LiTTLE T + AGENT-X ZONE MASTER GROUCHO + ۰ + + ۱ܰ WWC Headquarters ۲۲ + ߲ ۲ + + + H E A D Q U A R T E R S + + The Grave Yard (World) (xXx)XxX-xXxX Shadowkeeper + Predatory Nature (West) (206)352-2479 The Foreman + Sessame St. (U.S.A) (714)828-0214 Cookie Monster + ޲ The Back Door (East) (615)245-6617 Nomadd ޲ + Shadow Lands (Canadian) (905)432-7556 Shadow Hunter + + + + + ۱ܰ WWC Distribution ۲۲ + ߲ ۲ + + Intoxiforniaction (713)492-1082 Hi Fi Del + X Marks the Spot (909)681-2385 The Armored Saint + Cable Access Ch.10 (513)321-5171 Wayne + The Burrows (310)597-9666 Weasel + Sea of Hate (319)xXx-XxXx Toilet Bowl + Kiss Of Death (518)xXx-XxXx Rogue + Temple Of Beer +39-(744)xXx-xXxX Kris Of TCB + + Only one per area code, so hurry up! + + + + + + + + + LogaN/iCE + ۲ ۲ + ۱ ۱ + ۰ ۰ + + W o r l d W i d e C o u r i e r s + + NEWS/INFORMATION + +Thanks to iCE for the kick ass ansi/asciis.. you guys rule! + + Shots go out to our brothers in G0D, Global Overdose! + Greets to PTG - Pentagram, kicking major ass in the Cracking Scene! + Special Greets to the fastest spreader in the U.S.: R/\d/\R + Special Thanks to COOKIE MONSTER for his extra hard work! + + Props: UC, SpectruM, QuantuM, CrimsoN, RiSC + THG, iNC, TDT, TRSI, PTG, RZR, FLT, PiL, PE, NX, MGK, and you! 
+ + We Need GOOD Couriers + call: +7i4-999-5556 (USA) + or + call: +905-432-7556 (CAN) + + + "Seasons Greetings" + (c) WWC '93 + + diff --git a/textfiles.com/piracy/CRACKING.1 b/textfiles.com/piracy/CRACKING.1 new file mode 100644 index 00000000..68cceee0 --- /dev/null +++ b/textfiles.com/piracy/CRACKING.1 @@ -0,0 +1,112 @@ + +T E X T F I L E S + +

Piracy: The Art of Cracking

+

+ + + + + +
+
Filename
Size
Description of the Textfile
acrpatch.nfo 36217
The Acura Members Patch List (July 1996) +
act-13.txt 63156
The Amateur Crackist Tutorial Version 1.3 by Specular Vision of the PTL +
act.txt 63155
The Amateur Crackist Tutorial Version 1.3 by Specular Vision +
asm_for_.txt 6400
Assembly for Crackers, by Corn2 +
asmtut.txt 16651
XLogic's Assembly KeyGen Tutorial +
begcrck.txt 85615
A Beginner's Guide to Cracking (For the IBM PC) +
budget.txt 12692
The Association of Software Professionals presents Budget Minder +
bytecatcher.txt 3920
Tutorial for Using Byte Catcher by Mansion69 (1997) +
c1.txt 22187
How To Crack pretty Much Anything, by +ORC +
c101-90.000 3938
Cracking 101: 1990 Edition by Buckaroo Banzai +
c101-90.002 31676
Cracking 101: 1990 Edition by Buckaroo Banzai (Lesson 2) +
c101-90.003 15105
Cracking 101: 1990 Edition by Buckaroo Banzai (Lesson 3) +
c101-90.004 56228
Cracking 101: 1990 Edition by Buckaroo Banzai (Lesson 4) +
c2.txt 26483
How to Crack Pretty Much Everything Part II, by +ORC +
c3.txt 59665
How to Crack Pretty Much Anything (Windows) by +ORC +
c4.txt 77364
How to Crack Just About Anything #4 by +ORC +
c5.txt 24086
How to Crack Just About Anything, by +ORC (Part 5) +
c6.txt 23418
How to Crack by +ORC (#6) +
c8a.txt 17636
How to Crack Windows, by +ORC (Part 8) +
c8b.txt 23927
How to Crack Windows, by =ORC +
caligo.nfo 3045
NFO: The Lord KCaligo Univeral Improved Patcher (June 4, 1997) +
cbd-tut01.txt 10041
_CbD_ vs. Ultisoft, Inc.: Cracking Ultisoft Games, by CbD (1997) +
cbd-tut02.txt 10010
Cracking Rummy 500, by CbD (1997) +
cbd-tut03.txt 17107
Function Disabled Protections Defeated by CbD (July 28, 1997) +
cbd-tut04.txt 9835
Cracking Business Cards 32 v4.18 by CbD (1997) +
cbd-tut05.txt 6136
A General Cracking Tutorial by CbD (Visual Basic Programs) (1997) +
cbd-tut06.txt 8578
Modifying DLLs to Give Real Registration Codes by CbD (1997) +
cdwizzard.txt 12453
A Tutorial on Cracking CD Wizzard by Niabi (July 8, 1997) +
ch2-doc 27212
CrackerHack Verison 2.0 by No Means No (December 1, 1992) +
check.txt 11394
Megaton Man Teaches Cracking: Doc Check Protection (May 26, 1989) +
copyprot.pro 11218
Copy Protection, a History and Overview +
copyprot.txt 11735
Cracking on the IBMpc Part I by Buckaroo Banzai/Reset Vector +
crack-1.txt 8192
Cracking on the IBM Pc Part I by Buckaroo Banzai aka the Reset Vector +
crack-2.txt 3840
Cracking on the IBM Pc Part II by Buckaroo Banzai +
crack.txt 90759
How to Crack an Amiga Game +
crack1 8736
Cracking on the Edge, by Buckaroo Banzai/The Reset Vector +
crack1.txt 7850
Cracking 101, by Buckaroo Banzai (1990) +
crack2.txt 77178
Cracking 101, by Buckaroo Banzai (1990) Lesson 3 +
crack3.txt 29919
The Official Unprotection Scheme Library by The PaperBoy and the CopyCats (February 6, 1989) +
crackam2.txt 29030
Cracking the Amiga Part II +
crackist.hac 63158
The Amateur Crackist Tutorial by Specular Vision (Version 1.3) +
cracklog.txt 3997
Some Examples of Cracking by DrLAN (1997) +
crackman.txt 90671
The Cracking Manual, by the Cyborg (April 3, 1992) +
crak1.txt 15364
How to Crack by Charles Petzold +
crak2.txt 22182
Examples of IBM PC Cracks: Mean-18 Golf by Accolade +
crak4.txt 11608
Chapter 4: Cracking a Self-Booter +
crakhand.txt 17114
The Cracker Handbook, by Darth Vader, Lord of the Sith +
crkibms2.hac 3465
Cracking on the IBM PC Part II +
crkibmsw.hac 7479
Cracking on the IBM PC Part I +
diswin.txt 32497
How to Disassemble a Windows Program +
diswin2.txt 32979
How to Disassemble a Windows Program part II +
drlan.txt 4970
A Tutorial on Cracking TICKLE.EXE using Hmemcpy and Memory Breakpoints by Dr. Lan of Mexelite +
dumpexe.txt 34371
DOCUMENTATION: EXE-Dumper Version 2.2 by Bugsy (1997) +
exact-in.txt 34372
An Introduction to Windows 95 Cracking +
firstwin.txt 4447
Your First Windows Crack by YOSHi of Mexelite (1997) +
hotchil2.txt 1888
How to Crack Hot Chilli v2.0, by Pain (1997) +
howto1.txt 17336
How to Crack Lesson 1 By the old Red Cracker +
howto2.txt 24786
How to Crack Lesson 2 by the old Red Cracker (Tools of the Trade) +
howto3a.txt 5787
How to Crack Lesson 3a by the Old Red Cracker (Hands-On Cracking) +
howto3b.txt 10626
How to Crack Lesson 3b by the old Red Cracker (Passwords and Passletters) +
howto5.txt 24084
How to Crack Lesson 5 by The Old Red Cracker (Handling Disk/CDROM Access) +
howto6.txt 23416
How to Crack Lesson 6 by Old Red Cracker (Funny Tricks) +
howto8a.txt 17634
How to Crack Lesson 8.1 by Old Red Cracker (How to Crack Windows) +
howto8b.txt 23925
How to Crack Lesson 8b by the Old Red Cracker (How to Crack Windows, a Deeper Approach) +
howto9a.txt 30168
How to Crack Lesson 9a by the Old Red Cracker (Some Tricks) +
howtoa.txt 18595
How to Crack Advanced Lessons by the Old Red Cracker (Internet Cracking) +
howtoca.txt 22183
How to Crack As an Art by the Old Red Cracker (Barcodes and Instant Access) +
howtocb.txt 26479
How to Crack as an Art by the Old Red Cracker (Strainer for the HCU) +
howtocp2 3702
IBM Disk Cracking Made Simple by Phobos +
howtocrk.txt 299115
How to Crack by +ORC: A Tutorial +
htc.txt 216684
A Beginner's Guide to Cracking +
hwoodtut.txt 11853
How to Crack Hardwood Solitare by JosephCo +
krakerscorner.txt 6827
The Kraker's Corner, by Mr. Krac-Man (August 1, 1982) +
krakman.txt 5649
Krak-Man's Parameters: Parameters for Copying Various Apple Disks +
lomt-tsr.txt 1825
DOCUMENTATION: Legend of Myra Interactive TSR Trainer +
max1.crk 13176
Max's Cracking Tutorial for the Poor (Registering PCXDump 9.2) +
methods.txt 31520
Techniques in Cracking by TOP (Tired of Potection) +
mex-c4n.nfo 10049
An Introduction to Mexelite, a New Cracking Group (July 28, 1997) +
mhpcnws1.txt 20193
A Cracking Guide for Beginners, by The Psychopath of the Midnight Hackers Private Club +
mhpcnws2.txt 19997
A Cracking Guide for Advanced Amateurs by The Psychopath of the Midnight Hackers Private Club +
mhpcnws5.txt 16027
A Cracking Guide for Advanced Amateurs Part II by The Psychopath of Midnight Hackers Private Club +
nags.txt 8155
How to use Nag Screens (August 24, 1997) +
od-crk1.txt 18170
Cracking/Patching Softart's Deskey v1.02.010 +
owl-ice.txt 31929
Cracking: Now More Annoying WinIce, or How to Improve Winice +
pp2t-t&l.txt 3924
SOFTDOCS: Prince of Persia II Interactive TSR and LOADER Trainer Example Documentation +
psp.nfo 28660
NFO: The Information File Revision III by Plate Steel Productions (August 1995) +
razzia.nfo 1193
NFO: Razzia by Kenetic +
romeod4c.txt 6227
Software Re-Engineering For Dummies: An Overview by Romeo (1997) +
scanf.dox 7679
DOCUMENTATION: Scanfile 4.0 by Marquis De Soire (July 1996) +
shareman.txt 6208
How to Crack Shareman 1.6 by pain of Mexelite (July 13, 1997) +
sice3.qrf 14249
SOFTDOCS: The Softice 3.0 Quick Reference by ZeroDay (February 7, 1997) +
sigma-4f.nfo 2985
The Universal Improved Patcher Volume by 4Fun +
t!tutor.txt 20259
An ASM Keygen Tutorial by Teraphy (1997) +
timetrial.txt 18864
Cracking Tutorial: Wintar Remote (August 24, 1997) +
tsrcrack.txt 2130
SOFTDOCS: TSR Crack v3.0 by Wong Wing Kin (1994) +
tt-unt.txt 103968
The Training Tutorial for the PC by Dr. Detergent of UNT (1993) +
unp.txt 31148
Documentation fo UNP v4.11 by Ben Castricum (May 30, 1995) +
vbtutori.txt 22696
Razzia's Tutorial for Visual Basic Cracking +
wincrack.txt 13080
Qapla's Cracking Tutorial Version 0.1 (February 9, 1997) +
cal!go.nfo 284
NFO: Caligo Cracking (July 9, 1997) +

There are 100 files for a total of 2,687,793 bytes.
\ No newline at end of file diff --git a/textfiles.com/piracy/CRACKING/.windex.html b/textfiles.com/piracy/CRACKING/.windex.html new file mode 100644 index 00000000..bde6f3e3 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/.windex.html @@ -0,0 +1,112 @@ + +T E X T F I L E S + +

Piracy: The Art of Cracking

+

+ + + + + +
+
Filename
Size
Description of the Textfile
acrpatch.nfo 36217
The Acura Members Patch List (July 1996) +
act-13.txt 63156
The Amateur Crackist Tutorial Version 1.3 by Specular Vision of the PTL +
act.txt 63155
The Amateur Crackist Tutorial Version 1.3 by Specular Vision +
asm_for_.txt 6400
Assembly for Crackers, by Corn2 +
asmtut.txt 16651
XLogic's Assembly KeyGen Tutorial +
begcrck.txt 85615
A Beginner's Guide to Cracking (For the IBM PC) +
budget.txt 12692
The Association of Software Professionals presents Budget Minder +
bytecatcher.txt 3920
Tutorial for Using Byte Catcher by Mansion69 (1997) +
c1.txt 22187
How To Crack pretty Much Anything, by +ORC +
c101-90.000 3938
Cracking 101: 1990 Edition by Buckaroo Banzai +
c101-90.002 31676
Cracking 101: 1990 Edition by Buckaroo Banzai (Lesson 2) +
c101-90.003 15105
Cracking 101: 1990 Edition by Buckaroo Banzai (Lesson 3) +
c101-90.004 56228
Cracking 101: 1990 Edition by Buckaroo Banzai (Lesson 4) +
c2.txt 26483
How to Crack Pretty Much Everything Part II, by +ORC +
c3.txt 59665
How to Crack Pretty Much Anything (Windows) by +ORC +
c4.txt 77364
How to Crack Just About Anything #4 by +ORC +
c5.txt 24086
How to Crack Just About Anything, by +ORC (Part 5) +
c6.txt 23418
How to Crack by +ORC (#6) +
c8a.txt 17636
How to Crack Windows, by +ORC (Part 8) +
c8b.txt 23927
How to Crack Windows, by =ORC +
caligo.nfo 3045
NFO: The Lord KCaligo Univeral Improved Patcher (June 4, 1997) +
cbd-tut01.txt 10041
_CbD_ vs. Ultisoft, Inc.: Cracking Ultisoft Games, by CbD (1997) +
cbd-tut02.txt 10010
Cracking Rummy 500, by CbD (1997) +
cbd-tut03.txt 17107
Function Disabled Protections Defeated by CbD (July 28, 1997) +
cbd-tut04.txt 9835
Cracking Business Cards 32 v4.18 by CbD (1997) +
cbd-tut05.txt 6136
A General Cracking Tutorial by CbD (Visual Basic Programs) (1997) +
cbd-tut06.txt 8578
Modifying DLLs to Give Real Registration Codes by CbD (1997) +
cdwizzard.txt 12453
A Tutorial on Cracking CD Wizzard by Niabi (July 8, 1997) +
ch2-doc 27212
CrackerHack Verison 2.0 by No Means No (December 1, 1992) +
check.txt 11394
Megaton Man Teaches Cracking: Doc Check Protection (May 26, 1989) +
copyprot.pro 11218
Copy Protection, a History and Overview +
copyprot.txt 11735
Cracking on the IBMpc Part I by Buckaroo Banzai/Reset Vector +
crack-1.txt 8192
Cracking on the IBM Pc Part I by Buckaroo Banzai aka the Reset Vector +
crack-2.txt 3840
Cracking on the IBM Pc Part II by Buckaroo Banzai +
crack.txt 90759
How to Crack an Amiga Game +
crack1 8736
Cracking on the Edge, by Buckaroo Banzai/The Reset Vector +
crack1.txt 7850
Cracking 101, by Buckaroo Banzai (1990) +
crack2.txt 77178
Cracking 101, by Buckaroo Banzai (1990) Lesson 3 +
crack3.txt 29919
The Official Unprotection Scheme Library by The PaperBoy and the CopyCats (February 6, 1989) +
crackam2.txt 29030
Cracking the Amiga Part II +
crackist.hac 63158
The Amateur Crackist Tutorial by Specular Vision (Version 1.3) +
cracklog.txt 3997
Some Examples of Cracking by DrLAN (1997) +
crackman.txt 90671
The Cracking Manual, by the Cyborg (April 3, 1992) +
crak1.txt 15364
How to Crack by Charles Petzold +
crak2.txt 22182
Examples of IBM PC Cracks: Mean-18 Golf by Accolade +
crak4.txt 11608
Chapter 4: Cracking a Self-Booter +
crakhand.txt 17114
The Cracker Handbook, by Darth Vader, Lord of the Sith +
crkibms2.hac 3465
Cracking on the IBM PC Part II +
crkibmsw.hac 7479
Cracking on the IBM PC Part I +
diswin.txt 32497
How to Disassemble a Windows Program +
diswin2.txt 32979
How to Disassemble a Windows Program part II +
drlan.txt 4970
A Tutorial on Cracking TICKLE.EXE using Hmemcpy and Memory Breakpoints by Dr. Lan of Mexelite +
dumpexe.txt 34371
DOCUMENTATION: EXE-Dumper Version 2.2 by Bugsy (1997) +
exact-in.txt 34372
An Introduction to Windows 95 Cracking +
firstwin.txt 4447
Your First Windows Crack by YOSHi of Mexelite (1997) +
hotchil2.txt 1888
How to Crack Hot Chilli v2.0, by Pain (1997) +
howto1.txt 17336
How to Crack Lesson 1 By the old Red Cracker +
howto2.txt 24786
How to Crack Lesson 2 by the old Red Cracker (Tools of the Trade) +
howto3a.txt 5787
How to Crack Lesson 3a by the Old Red Cracker (Hands-On Cracking) +
howto3b.txt 10626
How to Crack Lesson 3b by the old Red Cracker (Passwords and Passletters) +
howto5.txt 24084
How to Crack Lesson 5 by The Old Red Cracker (Handling Disk/CDROM Access) +
howto6.txt 23416
How to Crack Lesson 6 by Old Red Cracker (Funny Tricks) +
howto8a.txt 17634
How to Crack Lesson 8.1 by Old Red Cracker (How to Crack Windows) +
howto8b.txt 23925
How to Crack Lesson 8b by the Old Red Cracker (How to Crack Windows, a Deeper Approach) +
howto9a.txt 30168
How to Crack Lesson 9a by the Old Red Cracker (Some Tricks) +
howtoa.txt 18595
How to Crack Advanced Lessons by the Old Red Cracker (Internet Cracking) +
howtoca.txt 22183
How to Crack As an Art by the Old Red Cracker (Barcodes and Instant Access) +
howtocb.txt 26479
How to Crack as an Art by the Old Red Cracker (Strainer for the HCU) +
howtocp2 3702
IBM Disk Cracking Made Simple by Phobos +
howtocrk.txt 299115
How to Crack by +ORC: A Tutorial +
htc.txt 216684
A Beginner's Guide to Cracking +
hwoodtut.txt 11853
How to Crack Hardwood Solitare by JosephCo +
krakerscorner.txt 6827
The Kraker's Corner, by Mr. Krac-Man (August 1, 1982) +
krakman.txt 5649
Krak-Man's Parameters: Parameters for Copying Various Apple Disks +
lomt-tsr.txt 1825
DOCUMENTATION: Legend of Myra Interactive TSR Trainer +
max1.crk 13176
Max's Cracking Tutorial for the Poor (Registering PCXDump 9.2) +
methods.txt 31520
Techniques in Cracking by TOP (Tired of Potection) +
mex-c4n.nfo 10049
An Introduction to Mexelite, a New Cracking Group (July 28, 1997) +
mhpcnws1.txt 20193
A Cracking Guide for Beginners, by The Psychopath of the Midnight Hackers Private Club +
mhpcnws2.txt 19997
A Cracking Guide for Advanced Amateurs by The Psychopath of the Midnight Hackers Private Club +
mhpcnws5.txt 16027
A Cracking Guide for Advanced Amateurs Part II by The Psychopath of Midnight Hackers Private Club +
nags.txt 8155
How to use Nag Screens (August 24, 1997) +
od-crk1.txt 18170
Cracking/Patching Softart's Deskey v1.02.010 +
owl-ice.txt 31929
Cracking: Now More Annoying WinIce, or How to Improve Winice +
pp2t-t&l.txt 3924
SOFTDOCS: Prince of Persia II Interactive TSR and LOADER Trainer Example Documentation +
psp.nfo 28660
NFO: The Information File Revision III by Plate Steel Productions (August 1995) +
razzia.nfo 1193
NFO: Razzia by Kenetic +
romeod4c.txt 6227
Software Re-Engineering For Dummies: An Overview by Romeo (1997) +
scanf.dox 7679
DOCUMENTATION: Scanfile 4.0 by Marquis De Soire (July 1996) +
shareman.txt 6208
How to Crack Shareman 1.6 by pain of Mexelite (July 13, 1997) +
sice3.qrf 14249
SOFTDOCS: The Softice 3.0 Quick Reference by ZeroDay (February 7, 1997) +
sigma-4f.nfo 2985
The Universal Improved Patcher Volume by 4Fun +
t!tutor.txt 20259
An ASM Keygen Tutorial by Teraphy (1997) +
timetrial.txt 18864
Cracking Tutorial: Wintar Remote (August 24, 1997) +
tsrcrack.txt 2130
SOFTDOCS: TSR Crack v3.0 by Wong Wing Kin (1994) +
tt-unt.txt 103968
The Training Tutorial for the PC by Dr. Detergent of UNT (1993) +
unp.txt 31148
Documentation fo UNP v4.11 by Ben Castricum (May 30, 1995) +
vbtutori.txt 22696
Razzia's Tutorial for Visual Basic Cracking +
wincrack.txt 13080
Qapla's Cracking Tutorial Version 0.1 (February 9, 1997) +
cal!go.nfo 284
NFO: Caligo Cracking (July 9, 1997) +

There are 100 files for a total of 2,687,793 bytes.
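Review bot: .windex.html duplicates the listing added as CRACKING.1 line for line (same 100 entries, same "2,687,793 bytes" total, same +1,112 hunk size); the only visible difference is that CRACKING.1 carries the "\ No newline at end of file" marker. If both copies are intended (one as the directory's index page, one as a plain-text snapshot), state that in the commit message; otherwise keep one and drop the other, and give CRACKING.1 a final newline so later diffs stop carrying the marker. Since the content is the same as the .html file, a copy named CRACKING.1 with no extension is also worth a comment on how it is meant to be served.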
diff --git a/textfiles.com/piracy/CRACKING/acrpatch.nfo b/textfiles.com/piracy/CRACKING/acrpatch.nfo new file mode 100644 index 00000000..4c3d0aab Binary files /dev/null and b/textfiles.com/piracy/CRACKING/acrpatch.nfo differ diff --git a/textfiles.com/piracy/CRACKING/act-13.txt b/textfiles.com/piracy/CRACKING/act-13.txt new file mode 100644 index 00000000..03a8aaab --- /dev/null +++ b/textfiles.com/piracy/CRACKING/act-13.txt 
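Review bot: acrpatch.nfo is committed as a binary blob ("Binary files /dev/null and b/.../acrpatch.nfo differ"), so nothing in it is reviewable or searchable from this diff, while the other .nfo files in the same change (tca.nfo, therapy.nfo, uc.nfo, uc1092.nfo, uc1093.nfo, uc1094.nfo, wwc93.nfo) are added as text whose box-drawing and block-graphic bytes come through in this diff as stray letters such as "Ŀ", "Ķ", "ͼ" and "Ľ", which is what CP437 scene art looks like when decoded with a different single-byte charset. Pick one treatment for the whole set: either mark *.nfo as binary in .gitattributes so the text heuristics stop mangling them, or transcode them from CP437 to UTF-8 once on import so the art renders and the files stay diffable. In either case, add a line to the commit message stating which encoding the archive stores.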
@@ -0,0 +1,1696 @@ + + + + + + + + + VOL 1 NUM 1 + + + + + The Amatuer Crackist Tutorial + Version 1.3 + By + Specular Vision + + + + + + Special Thanks to: + Mr. Transistor + Ironman + The Grand Elusion + Banzai Buckaroo + + + + + Another fine PTL Production + Call The Myth Inc. BBS + Table of Contents: + ------------------ (Page Numbers will be aprox. until + final version is finished) + i. Table of Contents 2 + + ii. Introduction 3 + + I. How to Crack 4 + Debugging DOS 4 + Cracking on the IBM PC Part 1 7 + Cracking on the IBM PC Part 2 11 + + II. Example Cracks 14 + Mean-18 by Accolade 14 + Submarine by Eypx 18 + Space Station Oblivion by Eypx 22 + + III. Removing Doc Check Questions 23 + F-15 Strike Eagle by MicroProse 23 + Battlehawks 1945 by Lucasfilms 25 + Yeager's AFT by Electronic Arts 26 + + IV. Cracking Self Booters 27 + Disk Basics + Victory Road by Data East 27 + MS-Flight Simulator (Ver 2.x) 30 + + V. Creating Title Screens 33 + + VI. Appendix 35 + A - Interrupt Tables 36 + (This will be an add-on file) + + + + + + + + + + + + + + + + + + + + + + + + 2 + Introduction: + ------------- + + Due to the current lack of Crackers, and also keeping in mind + the time it took me to learn the basics of cracking, I de- + cided to put this tutorial together. I will include many + files which I have found helpful in my many cracking endeav- + ors. It also has comments that I have included to make it + easier to understand. + + + + Comments Key: + ------------- + + Comments in the following material will be made by one of the + following and the lines that enclose the comments show who + made the comment. + + Specular Vision = ------------- + Mr. Transistor = +++++++++++++ + Ironman = ||||||||||||| + + + Special thanks to Mr. Transistor, for coming out of "Retire- + ment" to help compose this document. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + 3 + Chapter I How to Crack + + + ------------------------------------------------------------- + Let's start with a simple introduction to patching a program + using the DOS DEBUG program. The following article will in- + troduce you to the basic ideas and concepts of looking for a + certain area of a program and making a patch to it. + ------------------------------------------------------------- + + + By: Charles Petzold / Specular Vision + Title: Case Study: A Colorful CLS + + This article originally appeared in the Oct. 14,1986 Issue + of PC Magazine (Vol 15. Num 17.). Written by Charles Petzold. + + The hardest part of patching existing programs is determin- + ing where the patch should go. You really have to make an + intelligent guess about the functioning of the program. + + As an example, let's attempt to modify COMMAND.COM so that + is colors the screen on a CLS command. As with any type of + patch try it out on a copy and NOT the original. + + First, think about what we should look for. CLS is differ- + ent from all the other DOS internal Commands, It is the only + internal command that does something to the screen other than + just write to it with simple teletype output. CLS blanks the + screen and homes the cursor. Since it can't do this through + DOS Calls (unless ANSI.SYS is loaded), it is probably calling + the BIOS Directly. The BIOS Interrupt 10h call controls the + video, and so the CLS command probably uses several INT 10h + instructions. The machine code for INT 10h is CD 10. + + (While this same method will work under any version of + PC-DOS, Version 2.0 and later, the addresses I'll be using + are from PC-DOS 3.1. Other versions of PC-DOS(or MS-DOS) will + have different addresses; you should be absolutely certain + that you're using the correct addresses.) + + Load COMMAND.COM into DEBUG: + + DEBUG COMMAND.COM + + and do an R (Registers) command. 
The size of COMMAND.COM is in register CX. For DOS 3.1's
COMMAND.COM, this value is 5AAA.

Now do a Search command to look for the CD 10 bytes:

    S 100 L 5AAA CD 10

You'll get a list of six addresses, all clustered close
together. The first one is 261D. You can now pick an address a
little before that (to see what the first call is doing) and
start disassembling:

    U 261B

The first INT 10 has AH set to 0F, which is a Current Video
State call. The code checks if the returned value of AL (which
is the video mode) is less than 3 or equal to 7. These are the
text modes. If so, it branches to 262C. If not, it just resets
the video mode with another INT 10 at address 2629.

At 262C, the code first sets the border black (the INT 10 at
2630), then does another Current Video State call (at 2634) to
get the screen width in register AH. It uses information from
this call to set DX equal to the bottom right row and column.
It then clears the screen by scrolling the entire screen up
with another INT 10 (at 2645), and then sets the cursor to the
zeroth row and zeroth column with the final INT 10 (at 264D).

When it scrolls the whole screen, the zero value in AL actually
means blank the screen, and the value of BH is the attribute to
be used on the blanked area. In an unmodified COMMAND.COM, BH
is set to 7 (which is white on black) by the following
statement at address 2640:

    MOV BX,0700

If you prefer a yellow-on-blue attribute (1E), you can change
this line by going into Assemble mode at that address by
entering:

    A 2640

then entering

    MOV BX,1E00

and exiting Assemble mode by entering a blank line. (The new
instruction is the same three bytes long as the old one, so
nothing after it moves.)

Now you can save the modified file:

    W

and quit DEBUG:

    Q

When you load the new version of COMMAND.COM (and you can do so
without rebooting by just entering

    COMMAND

at the DOS command level), a CLS will turn the screen blue and
display characters as yellow.
If it doesn't, or if anything you type shows up as white on
black, that probably means you have ANSI.SYS loaded. If you use
ANSI.SYS, you don't have to make this patch but can instead use
the PROMPT command for coloring the screen.

END.


-------------------------------------------------------------
That was just one section of a very large article that helped
me to get started. Next we'll look at two other articles, both
written by Buckaroo Banzai. These two articles, CRACK-1 and
CRACK-2, give you an introduction to the different copy
protection schemes used on IBM PCs, and how to find and bypass
them.
-------------------------------------------------------------


By: Buckaroo Banzai
Title: Cracking On the IBM PC Part I


Introduction
------------
For years I have seen cracking tutorials for the APPLE
computers, but never have I seen one for the PC. I have decided
to try to write this series to help that pirate move up a level
to a crackist.

In this part I will cover what happens with INT 13 and how most
copy protection schemes use it. I strongly suggest a knowledge
of Assembler (M/L) and how to use DEBUG. These will be an
important part of cracking anything.


INT-13 - An overview
--------------------

Many copy protection schemes use the disk interrupt (INT-13).
INT-13 is often used either to try to read in an illegally
formatted track/sector, or to write/format a track/sector that
has been damaged in some way. A normal copy of the disk has
only standard tracks, so a read that fails on the original
succeeds on the copy (or the other way round), and that
difference is what the program tests.

INT-13 is called like any normal interrupt with the assembler
command INT 13 (CD 13). [AH] is used to select which command is
to be used, with most of the other registers used for data.


INT-13 Cracking College
-----------------------
Although INT-13 is used in almost all protection schemes, the
easiest to crack is the DOS file.
Now the protected program might use INT-13 to load some other
data from a normal track/sector on the disk, so it is important
to determine which tracks/sectors are important to the
protection scheme. I have found the best way to do this is to
use LOCKSMITH/pc (what, you don't have LS? Contact your local
pirate for it.)

Use LS to analyze the diskette. Write down any track/sector
that seems abnormal. These tracks are most likely part of the
protection routine. Now we must enter DEBUG. Load in the file
and execute a search for CD 13. Record any addresses shown.

If no addresses are picked up, this means one of two things:
the program is not copy protected (right...) or the check is in
another part of the program not yet loaded. The latter is a
real hassle to find, so I'll cover it in Part II. There is a
third choice: the CD 13 might be hidden in self-changing code.
Here is what a section of hidden code might look like:

    -U CS:0000
    1B00:0000 31DB          XOR     BX,BX
    1B00:0002 8EDB          MOV     DS,BX
    1B00:0004 BB0D00        MOV     BX,000D
    1B00:0007 8A07          MOV     AL,[BX]
    1B00:0009 3412          XOR     AL,12
    1B00:000B 8807          MOV     [BX],AL
    1B00:000D DF13          FIST    WORD...

In this section of code, [AL] is loaded at 1B00:0007 with the
DF stored at offset 000D. When you XOR DF with 12, you get CD
(hex), the INT opcode, which is written back right next to the
13, giving you CD 13 or INT-13. This type of code can't and
will not be found using DEBUG's [S]earch command, because the
CD byte does not exist in the file; it is only produced once
the code has run. (Note that the stub as listed zeroes DS
before the load and the store, so the byte it actually rewrites
is at 0000:000D, not in its own code segment; a working stub
would first set DS to CS, for example with PUSH CS / POP DS.)


Finding Hidden INT-13s
----------------------

The way I find best to find hidden INT-13s is to use a program
called PC-WATCH (TRAP13 works well also). This program traps
the interrupts and will print where they were called from. Once
running this, you can just disassemble around the address until
you find code that looks like it is setting up the disk
interrupt.

Another way to decode the INT-13 is to use DEBUG's [G]o
command.
Just set a breakpoint at the address given by PC-WATCH (both
programs give the return address), i.e. -G CS:000F (see code
above). When DEBUG stops, the program will have decoded not
only the INT-13 but anything else leading up to it, and you can
[U]nassemble the real code.


What to do once you find INT-13
-------------------------------

Once you find the INT-13, the hard part is for the most part
over. All that is left to do is to fool the computer into
thinking the protection has been found. To find out what the
computer is looking for, examine the code right after the
INT-13. Look for any branches having to do with the CARRY FLAG
or any CMP to the AH register. If a JNE or JC (etc.) occurs,
then [U]nassemble the address listed with the jump. If it is a
CMP, then just read on.

Here you must decide if the program was looking for a protected
track or just a normal track. If it has a CMP AH,0 and it has
read in a protected track, it can be assumed that it was
looking to see if the program had successfully completed the
READ/FORMAT of that track, which would mean the disk had been
copied, and so it JMPs back to DOS (usually). If this is the
case, just NOP the bytes for the CMP and the corresponding
JMP.

If the program just checked for the carry flag to be set, and
it isn't, then the program usually assumes that the disk has
been copied. Examine the following code:

    INT 13          <-- Read in the sector
    JC  1B00        <-- Protection found
    INT 19          <-- Reboot
    1B00 (rest of program)

The program carries out the INT and finds an error (the
illegally formatted sector), so the carry flag is set. The
computer, at the next instruction, sees that the carry flag is
set and knows that the protection has not been breached. In
this case, to fool the computer, just change the "JC 1B00" to a
"JMP 1B00" (for a short jump that is the single opcode byte 72
changed to EB; the displacement byte stays the same), thus
defeating the protection scheme.
NOTE: the PROTECTION ROUTINE might be found in more than just
one part of the program.


Handling EXE files
------------------

As we all know, DEBUG can read .EXE files but cannot write them.
To get around this, load and go about cracking the program as
usual. When the protection scheme has been found and tested,
record (use the DEBUG [D]ump command) the 10 or so bytes on
either side of the INT 13. Exit back to DOS and rename the file
to .ZAP (any extension but .EXE will do), then reload it with
DEBUG. Search the program for the 20+ bytes surrounding the
code and record the address found. Then just edit that section
like normal. Save the file and exit back to DOS. Rename it back
to .EXE and it should be cracked.

***NOTE: Sometimes you have to play around with it for a while
to make it work. (Under a non-.EXE name DEBUG loads the file as
a flat image, header included, at CS:0100, so the addresses you
saw with the real .EXE loaded no longer apply; that is why you
search for the surrounding bytes again instead of reusing the
old address.)


DISK I/O (INT-13)
-----------------
This interrupt uses the AH register to select the function to
be used. Here is a chart describing the interrupt.

  AH=0  Reset Disk

  AH=1  Read the Status of the Disk system into AL

          AL   Error
          ------------------------------------------------
          00   Successful
          01   Bad command given to INT
         *02   Address mark not found
          03   Write attempted on write-protected disk
         *04   Requested sector not found
          08   DMA overrun
          09   Attempt to cross DMA boundary
         *10   Bad CRC on disk read
          20   Controller has failed
          40   Seek operation failed
          80   Attachment failed to respond (timeout)
          (* denotes most used in copy protection)

  AH=2  Read Sectors

          input
            DL    = Drive number (0-3)
            DH    = Head number (0 or 1)
            CH    = Track number
            CL    = Sector number
            AL    = # of sectors to read
            ES:BX = load address
          output
            AH    = error number (see above)
                    [Carry Flag set on error]
            AL    = # of sectors read

  AH=3  Write  (params. as above)
  AH=4  Verify (params. as above, no ES:BX)
  AH=5  Format (params.
as above except CL and AL; ES:BX points to the format table)

------------------------------------------------------------
For more information on INT-13 refer to Appendix A.
------------------------------------------------------------

END.


-------------------------------------------------------------
In Part II, Buck covers calls to INT-13 that are located in
different overlays of the program. This is a method that is
used often.
-------------------------------------------------------------


Cracking Tutorial II.

By: Buckaroo Banzai
Title: Cracking On the IBM PC Part II


Introduction
------------

OK guys, you have now passed out of Copy Class 101 (DOS files)
and have this great new game with overlays. How do I crack this
one? You scanned the entire .EXE file for the CD 13 and it's
nowhere. Where can it be, you ask yourself.

In Part II I'll cover cracking overlays and the use of
Locksmith in cracking. If you haven't read Part I, then I
suggest you do so. The two files go together.


Looking for Overlays
--------------------
So, you can't find CD 13 in the .EXE file. Well, it can mean
four things:

  1: The .EXE (though it is mostly .COM) file is just a loader
     for the main file.

  2: The .EXE file loads in an overlay.

  3: The CD 13 is encrypted and/or hidden in the .EXE file.

  4: You're looking at the WRONG file.


I won't discuss case 1 (or at least not here) because so many
UNP files are devoted to PROLOCK and SOFTGUARD; if you can't
figure it out with them, you're stupid.

If you have case 3, use the technique in Part I and restart
from the beginning. And if you have case 4, shoot yourself.

You know the program uses overlays but don't see any on disk?
Try looking at the disk with good old Norton's. Any hidden
files are probably the overlays. These are the ones we are
after. If you still can't find them, use PC-WATCH (this program
is a must!!!
For all crackists; it traps ALL interrupts).


Using PC-Watch to Find Overlays
-------------------------------
Start up PC-Watch and EXCLUDE everything in the left column.
Search the right column until you find DOS21 - OpnFile and
select it.

Now run the program to be cracked.
Play the game until the protection is checked.
Examine your PC-Watch output to see what file was loaded right
before it.
This probably is the one holding the check.
If not, go through all the files.


You Have Found the Overlays
---------------------------
Great, now just crack the overlay as if it was a DOS file. You
don't need to worry about the .EXE file; DEBUG can write an
overlay file. Part I explains the basics of cracking. I suggest
that you keep a backup copy of the overlay so if you mess up,
and you will, you can recover quickly. Ah, and you thought
cracking with overlays was going to be hard.


Locksmith and Cracking
----------------------

The copy/disk utility program Locksmith by AlphaLogic is a
great tool in cracking. Its analyzing ability is great for
determining what and where the protection is.

I find it useful, before I even start cracking, to analyze the
protected disk to find and identify its protection. This helps
in two ways. First, it helps you to know what to do in order to
fake out the protection. Second, it helps you to find what the
program is looking for.

I suggest that you get Locksmith if you don't already have it.
Check your local pirate board for the program. I also suggest
getting PC-Watch and Norton Utilities 3.1 (now 4.1). All of
these programs have many uses in the cracking world.

END.


Chapter II  Example Cracks


-------------------------------------------------------------
OK, now let's put some of this information into practice by
examining a few cracks of some common programs. First we'll
look at a crack for Mean-18 Golf by Accolade.
Accolade has been one of those companies that has a fervent
belief in copy protection.
-------------------------------------------------------------


Title: MEAN-18 UnProtect For CGA/EGA Version


This crack works by eliminating the code that tests for known
bad sectors on the original diskette to see if it is the
genuine article or an illegal copy. The code begins with an INT
13 (CD 13 hex), a BIOS disk service call, followed a few bytes
later by another INT 13 instruction. The program then checks
the returned value for the bit configuration that signifies the
bad sectors and, if all is as expected, continues on with
program execution.

The code that needs to be patched is in the GOLF.EXE file and
in the ARCH.EXE file. It is identical in both files and lies
near the end of each file.

In the following steps, you'll locate the start of the test
code and patch it by replacing it with NOP instructions (hex
90). The method described uses the DOS DEBUG utility but
Norton's Utility (NU) works too.

Copy all of the files from the MEAN-18 disk onto a fresh floppy
using the DOS COPY command and place your original diskette out
of harm's way.

Assuming DEBUG is in the A: drive and the floppy containing the
files to be unlocked is in the B: drive, proceed as follows:

First REName the GOLF.EXE file so it has an extension other
than .EXE (DEBUG will not write a file back under a .EXE name):

    REN GOLF.EXE GOLF.DEB

Next load the file GOLF.DEB into DEBUG, which displays the "-"
DEBUG prompt:

    A:> DEBUG B:GOLF.DEB

Search for the beginning of the code to be patched by typing:

    - S CS:100 FFFF CD 13

This searches the file for the two-byte INT 13 instruction. If
all goes well, two addresses should appear on the screen:

    XXXX:019C
    XXXX:01A8

XXXX indicates that the numbers preceding the ":" vary from
system to system, but the numbers following the ":" are the
same on all systems.
The next step is to use the "U" command as indicated to
unassemble a few bytes in order to verify your position in the
file:

    - U CS:019C

This unassembles 32 bytes of code. Verify the following
sequence of instructions:

    INT  13
    JB   01E9
    MOV  AL,[BX+01FF]
    PUSH AX
    MOV  AX,0201
    INT  13
    POP  AX
    JB   01E9
    CMP  AL,F7
    JNZ  01B5

These are the instructions you'll be patching out in the
following step. (MOV AX,0201 followed by INT 13 is BIOS
function 2, read one sector; the CMP AL,F7 / JNZ is the test
of the returned data described above. The 21 NOPs remove both
reads, the error branches and the compare, so execution falls
straight through to 01B1, the path the program takes when the
check passes.)

    - A CS:019C

This command assembles the new instructions you enter at the
keyboard into the addresses shown. Beginning at CS:019C, and
for the next 21 bytes, ending with and including CS:01B0, enter
the no-op instruction "NOP" (90h) followed by Enter. Just hit
Enter at address XXXX:01B1 to end the assemble command.

    XXXX:019C NOP
    XXXX:019D NOP
    .
    .
    .
    XXXX:01AE NOP
    XXXX:01AF NOP
    XXXX:01B0 NOP
    XXXX:01B1

This just wipes out the section of code containing the INT 13
check.

Now do a hex dump and verify that bytes 019C through 01B0 have
been set to 90 hex:

    - D CS:019C

If they have, write the patched file to the disk as follows:

    - W

This writes the patched file back to the disk, where (after
renaming it back to GOLF.EXE) it can be run by typing GOLF just
as before, but now it can be run from any drive, including the
hard drive.

Now just [Q]uit or exit back to DOS. This command can be
executed at any "-" DEBUG prompt if you get lost. No
modification will be made to the file on the disk until you
issue the "W" command.

    - Q

The process is the same for the ARCH.EXE file but, because it
is a different length, the segment address (the XXXX part of
the address) will be different. You should find the first INT
13 instruction at address XXXX:019C and the second one at
XXXX:01A8 as before.

You will again be patching 21 bytes and you will start with
019C and end with 01B0 as before.
After doing the hex dump starting at address 019C, you again
write the file back to the disk with a "W" command, then
"Q"uit.

Norton's Utilities can also be used to make this patch. Begin
by searching the GOLF.EXE or ARCH.EXE files for the two-byte
combination CD 13 (remember to enter these as hex bytes). Once
located, change the 21 bytes, starting with the first "CD"
byte, to 90 (a NOP instruction). As a check that you are in the
right place, the byte sequence in both files is

    CD 13 72 49 8A 87 FF 01 50 B8 01 02 CD 13 58 72 3C 3C F7
    75 04

After modifying the bytes, write the modified file back to the
disk. It can then be run from any drive.

END.


------------------------------------------------------------
That was the first of the tutorial cracks; here's another crack
based on the same ideas but using Norton's Utilities instead.
The following is an unprotect method for Epyx Submarine. Epyx
is another one of those companies bent on protecting the world.
------------------------------------------------------------


By: Assembler Magic
Title: EPYX Submarine Unprotect


You will only need to make one modification to the main
executable program of Submarine, SUB.EXE. I will assume that
your computer has a hard disk and that you have a path to DOS.
It's time to fire up DEBUG as follows:

    DEBUG SUB.EXE

The computer should respond with a "-" prompt. Now look at the
registers, just to make sure everything came up okay. Type the
letter "R" immediately after the prompt. The computer should
respond with a few lines of info as follows:

    AX=0000 BX=0001 CX=6103 DX=0000 SP=0080 BP=0000 SI=0000 DI=0000
    DS=12CE ES=12CE SS=37B2 CS=27FC IP=0010   NV UP EI PL NZ NA PO NC
    27FC:0010 8CC0          MOV     AX,ES
    -

Note the value of CS is "27FC". That is the hexadecimal segment
address for the beginning of the program code in your
computer's memory.
It is highly probable that the value you see for CS will differ
from mine. Whatever it is, write it down. Also, the values you
see for DS, ES and SS will almost certainly differ from mine
and should not cause you concern. The other registers should
show the same values mine do, and the flags should start with
the same values.

Next, we will do a search for Interrupt 13s. These are BIOS
(not DOS) interrupts built into the program which are used to
ensure that the original disk is being used to run the program.
The whole key to this unprotect scheme is to bypass these
interrupts in the program code. The tricky part of this
unprotect is to find them! They are not in the segment of
program code starting at the value of CS equal to "27FC". They
are closer to the beginning of the program in memory. Easy
enough! Reset the value of CS to equal the value of DS as
follows; type immediately after DEBUG's "-" prompt:

    RCS

DEBUG will prompt you for the new value of CS with:

    CS 27FC
    :

You respond by typing the value of DS you saw when you dumped
the registers the first time. For example, I typed "12CE". The
value you type will be different. DEBUG will again respond with
the "-" prompt, which means we are ready to do our search. Type
in the following after the "-" prompt:

    S CS:0 FFFF CD 13

The computer should respond with three lines of information,
which are the addresses of the three Interrupt 13 calls built
into the program. The first four digits are the segment address
and will be equal to the value of CS you have just set. The
second four digits following the colon are the offset
addresses, which are of primary interest to us. On my machine
they came back as follows:

    12CE:4307
    12CE:431F
    12CE:4335

The segment addresses will be identical and the three offset
addresses should all be relatively close together. Now look at
the first offset address.
(As you can see, mine was "4307".) Write it down. Now we do a
bit of unassembly.

Type "U4307", which is the letter "U" followed immediately
(with no blank spaces) by whatever your first offset address
turned out to be, followed by a carriage return. If you are not
familiar with unassembled machine code, it will look like lines
of gibberish as follows:

    12CE:4307 CD13          INT     13
    12CE:4309 4F            DEC     DI
    12CE:430A 744C          JZ      4358
    .
    .
    12CE:431F CD13          INT     13
    12CE:4321 4F            DEC     DI
    .
    .
    12CE:4324 BF0400        MOV     DI,0004
    12CE:4326 B80102        MOV     AX,0201

In my computer, Unassemble will automatically output 16 lines
of code to the screen. Yours may differ. Note, in the
abbreviated list I have shown above, the addresses at the
beginning of the two lines which contain the Interrupt 13s (INT
13) correspond to the first two addresses we found in our
search. Now we continue the unassemble, and here comes another
tricky part. Just type in "U" after the "-" prompt.

You'll get sixteen more lines of code with the third Interrupt
13 on a line which begins with the address (CS):4335 if you
have the same version of Submarine as I do. It's not terribly
important to this exercise, but it will at least show you that
things are proceeding okay. Now type in "U" again after the
prompt. You are now looking for three key lines of code. On my
program they appear as follows:

    12CE:4354 07            POP     ES
    12CE:4356 5D            POP     BP
    12CE:4357 CB            RETF

The true key is the instruction "POP ES". This instruction
begins the normal return sequence after the program has
executed its Interrupt 13 instructions and accompanying checks.
If DEBUG on your machine prints fewer than 16 lines of code at
a shot, you may have to type in "U" more than twice at the "-"
to find these instructions. (If you haven't found any of this
stuff, either get help on the use of DEBUG or go back to using
your diskette version!)
Write down the offset address of the "POP ES" instruction, the
four digits following the colon, which in my example is
"4354". You're well on your way now, so please persevere.

The next step is to modify the program to JUMP around the code
which executes the Interrupt 13s and go immediately to the
instruction which begins the normal return sequence (again,
it's the "POP ES"). Type in the following instruction
carefully:

    A4307

This first bit tells DEBUG that new Assembler code will be
inserted at the address of the first Interrupt 13. If your
first Interrupt 13 is at an address other than "4307", use the
correct address, not mine. The computer will prompt you with
the address:

    12CE:4307

after which you will immediately type:

    JMP 4354

This instruction jumps the program immediately to the normal
return code instructions. Again, at the risk of being
redundant, if your "POP ES" instruction is at a different
address, use that address, not "4354"!

The computer will prompt you with the address of the next
instruction if all went well. MAKE SURE you just hit the
carriage return at this point. DEBUG will then return the
familiar "-" prompt.

Now it's time to examine your handiwork. Let's do the
unassemble again starting at the address of what had been the
first Interrupt 13 instruction, but which is now the jump
instruction. Type in "U4307" or "U" followed by the appropriate
address and a carriage return. The first line beginning with
the address should appear as follows:

    12CE:4307 EB4B          JMP     4354

The key here is the two bytes immediately following the
address. In my example they are "EB4B". Yours may not be. But
they are VERY IMPORTANT because they represent the actual
machine code which is the jump instruction: EB is the short JMP
opcode and 4B is the displacement from the end of the two-byte
instruction (4309) to the target (4354). Because the new
instruction is exactly the two bytes that the INT 13 (CD 13)
occupied, nothing else in the program moves. WRITE THESE TWO
BYTES DOWN AND MAKE SURE THEY ARE CORRECT.
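The two patches in this chapter (21 NOPs over the Mean-18 check, a
two-byte JMP over the Submarine checks) and the JC-to-JMP trick from
Part I are all the same operation at the file level: find a byte
signature, verify it is really the code you think it is, then overwrite a
few bytes without changing the file's length. The Python script below is
an added example written for this edition of the tutorial; it is not code
from any of the reprinted articles and it does not drive DEBUG. It works
on a bytes image of a program file the way DEBUG's S, A and W commands
work on memory. The 21-byte Mean-18 signature is the one quoted in the
Norton instructions above; SAMPLE_GOLF and the Submarine image in the
usage are constructed stand-ins for GOLF.EXE and SUB.EXE, and the
0x4307/0x4354 offsets are borrowed from the Submarine walkthrough and used
here as plain file offsets.

```python
# Added example (not from the tutorial): file-level patching of the kind
# the DEBUG sessions above do in memory. Offsets are indexes into the
# bytes object, not CS:IP addresses.
from __future__ import annotations

INT13 = b"\xCD\x13"   # opcode bytes of INT 13h
NOP = 0x90

# The 21-byte Mean-18 check sequence quoted in the text (INT 13 / JB /
# MOV AL,[BX+01FF] / PUSH AX / MOV AX,0201 / INT 13 / POP AX / JB /
# CMP AL,F7 / JNZ).
MEAN18_CHECK = bytes.fromhex(
    "CD 13 72 49 8A 87 FF 01 50 B8 01 02 CD 13 58 72 3C 3C F7 75 04"
)


def find_int13(image: bytes) -> list[int]:
    """Offsets of every CD 13 in the image: DEBUG's 'S ... CD 13'."""
    hits, pos = [], image.find(INT13)
    while pos != -1:
        hits.append(pos)
        pos = image.find(INT13, pos + 1)
    return hits


def nop_range(image: bytes, start: int, length: int,
              expect: bytes | None = None) -> bytes:
    """Overwrite image[start:start+length] with NOPs (the 'A' then 'NOP'
    step). With `expect` given, refuse to patch unless the bytes really
    are the sequence we think they are: the 'U first to verify' step."""
    if start < 0 or start + length > len(image):
        raise ValueError("patch range outside image")
    if expect is not None and image[start:start + len(expect)] != expect:
        raise ValueError(f"signature mismatch at {start:#x}")
    return image[:start] + bytes([NOP]) * length + image[start + length:]


def short_jmp(src: int, dst: int) -> bytes:
    """Encode JMP SHORT dst placed at offset src (EB disp8). The
    displacement is taken from the end of the two-byte instruction, so
    0x4307 -> 0x4354 gives EB 4B, the bytes Submarine has you write down."""
    disp = dst - (src + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"{dst:#x} not reachable by a short jump from {src:#x}")
    return bytes([0xEB, disp & 0xFF])


def jcc_to_jmp(image: bytes, off: int) -> bytes:
    """Make a short conditional jump (opcodes 70..7F) unconditional by
    replacing only the opcode byte with EB; the displacement byte stays,
    so 'JC 1B00' becomes 'JMP 1B00' exactly as in Part I."""
    op = image[off]
    if not 0x70 <= op <= 0x7F:
        raise ValueError(f"byte at {off:#x} is {op:#04x}, not a short Jcc")
    return image[:off] + b"\xEB" + image[off + 1:]


def patch_mean18(image: bytes) -> tuple[bytes, int]:
    """Locate the Mean-18 check by its whole 21-byte signature, not just
    the first CD 13 (which could be an unrelated disk read), and NOP it.
    Returns (patched image, offset of the first INT 13)."""
    off = image.find(MEAN18_CHECK)
    if off == -1:
        raise ValueError("Mean-18 signature not present")
    return nop_range(image, off, len(MEAN18_CHECK), expect=MEAN18_CHECK), off


def patch_submarine(image: bytes, first_int13: int, pop_es: int) -> bytes:
    """Replace the first INT 13 with JMP SHORT to the POP ES that begins the
    normal return path, skipping all three checks. The JMP is the same
    two bytes long as the CD 13, so nothing else in the file moves."""
    if image[first_int13:first_int13 + 2] != INT13:
        raise ValueError("no INT 13 at the given offset")
    jmp = short_jmp(first_int13, pop_es)
    return image[:first_int13] + jmp + image[first_int13 + 2:]


# Constructed stand-in for GOLF.EXE: 0x100 bytes of zeroed header, filler
# so the check lands at 0x19C/0x1A8 like the text, then a RET.
SAMPLE_GOLF = b"\x00" * 0x100 + b"\x90" * 0x9C + MEAN18_CHECK + b"\xC3"

if __name__ == "__main__":
    print("INT 13h at:", [hex(h) for h in find_int13(SAMPLE_GOLF)])
    patched, off = patch_mean18(SAMPLE_GOLF)
    print("NOPped 21 bytes at", hex(off), "->", patched[off:off + 21].hex())
    print("Submarine JMP bytes:", short_jmp(0x4307, 0x4354).hex())
```

Two points the DEBUG recipes leave implicit are enforced here: patches are
applied only after the full expected byte sequence has been checked (a
lone CD 13 may be a legitimate disk read), and every replacement is
exactly the length of what it replaces, so the file size and all other
offsets are unchanged. A short jump cannot reach further than 127 bytes
forward; if the POP ES were further away you would need a near JMP
(E9 + 16-bit displacement, three bytes) and would have to overwrite the
following instruction as well.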
Now if you want to have some fun before we go on, reset
register CS to its original value by first typing "RCS" at the
"-" prompt. Then type in the original value of CS that I asked
you to write down. Using my example, I typed "27FC". Next, you
will type "G" after the "-" prompt, which means GO! If all went
well, SUB should run at this point. At least it will if you put
all of the Submarine files onto the diskette or into the hard
disk subdirectory where you're working. If it didn't run, you
may have made an error. Check through what you have done.

Don't give up at this point if it does not run. Your version of
DEBUG may simply not have tolerated our shenanigans. When you
are done playing, quit Submarine ("Alt-Q") and type a "Q" after
the DEBUG prompt "-" appears.

Now comes the tough part. I can't walk you through this phase
in complete detail, because you may be using one of several
programs available to modify the contents of SUB.EXE. DEBUG is
not the way to go, because it can't write out .EXE files, only
.COM files.

-------------------------------------------------------------
Note: Another method of doing this is to REName the SUB.EXE
file so it has an extension other than .EXE before you enter
DEBUG. That way, after you've made the change, you can [W]rite
the changes out to the file right in DEBUG. The one drawback is
that you can't run the program in DEBUG once you've changed the
name, and the file is then loaded as a flat image (header
included), so find the CD 13 by [S]earching again rather than
by the offset you saw with the .EXE loaded.
-------------------------------------------------------------

You have to get into your sector modification package (NORTON
works well) and work on the SUB.EXE file on your new diskette
or your hard disk. Remember, I warned you that doing this on
your hard disk is dangerous if you are not fully aware of what
you are doing. So, IF YOU MESS UP, it's YOUR OWN FAULT!

You are looking for the first occurrence of an Interrupt 13
(the "CD 13") using the search facility in your program.
If you don't have the ability to search for the two-byte
hexadecimal code "CD 13" directly, then you will have to search
manually.

-------------------------------------------------------------
Note: Norton 4.x now has a search utility. When you get to the
point of typing in the search text, just press the TAB key, and
you can type in the actual hexadecimal code "CD 13".
-------------------------------------------------------------

Start at the beginning of SUB.EXE and proceed. Again, you want
to find the first of the three (first from the beginning of the
program).

I will give you a hint. I found it in NORTON at location 4407
hexadecimal, which is location 17,415 decimal in the SUB.EXE
program file. DOS standard sectors are 512 decimal bytes.
Replace the two bytes "CD 13" with the "EB 4B" or whatever your
jump instruction turned out to be. Write or save the modified
file.

That's ALL there is to modifying SUB.EXE. You can go ahead and
execute your program. If you have followed my instructions, it
should run fine. Get help if it doesn't. Now, you should be all
set. You can load it onto your hard disk, if you haven't
already. You can run it from a RAM disk using a BAT file if you
really want it to hum. Or, if you have the facilities, you can
copy it from 5-1/4" floppy to 3-1/2" diskette and run it on
machines which accept that medium if you upgrade to a new
computer.

END.


-------------------------------------------------------------
Now let's take a look at a newer crack on the program Space
Station Oblivion by Epyx. At a first [S]earch with DEBUG and
Norton's Utilities no CD 13s could be found, and yet it was
using them... So a different approach had to be taken...
-------------------------------------------------------------


By: PTL
Title: Space Station Oblivion Crack


First of all, you must determine which file the INT 13s are in.
In this case it had to be the file OBLIVION.EXE, since it was
the main program and probably contained the INT 13s. So rename
it to a different extension and load it into DEBUG.

Then do a [S]earch for INT 13s:

    -S 100 FFFF CD 13

Which will promptly turn up nothing. Hmmm...

Next you might decide that, maybe, the code was modifying
itself. So quit from DEBUG and load up PC-Watch, including all
the INT 13 calls. For those of you not familiar with PC-Watch,
it is a memory resident program that can be set to look for any
type of BIOS call. When that call is made, PC-Watch prints to
the screen the contents of all the registers and the current
memory location that the call was made from.

After PC-Watch is initialized, run the OBLIVION.EXE file from
the hard disk, leaving the floppy drive door open, and sure
enough, when the red light comes on in the diskette drive,
PC-Watch will report the addresses of some INT 13 calls. Write
them down.

From there, quit the game, reboot (to dump PC-Watch from
memory), load the OBLIVION.EXE into DEBUG and issue a [G]o
command with a breakpoint. What address should you use for a
breakpoint? You guessed it, the same address PC-Watch gave you.

Well, it locked up, didn't it? Which is quite common in this
line of work, so don't let that discourage you. So next reload
it into DEBUG and this time [U]nassemble the address that you
got from PC-Watch. But instead of finding the INT 13s you'll
find harmless INT 21s.

Hmm... could it be that the program was converting the CD 21s
to CD 13s during the run? Well, to test the idea, assemble an
INT 20 (Program Terminate) right after the first INT 21.
Then run the program, and yes, immediately after the red light
comes on the drive, the program terminates normally.

Then [U]nassemble that same area of memory, and lo and behold,
some of the INT 21s have magically turned into INT 13s. How
clever... (Only the second byte of the opcode changes, 21 to
13, so no static search of the file can ever find CD 13; you
either catch it after the program has rewritten itself, as
here, or trap the interrupt at run time as PC-Watch does.)

So then it is just a matter of locating the address of the
routine that it jumps (JMP) to if the correct disk was found in
drive A:. Once you have that address, just go to the start of
all this nonsense and [A]ssemble a JMP XXXX command, where XXXX
is the address to jump to if the original disk was in drive A:.

Then just [W]rite the file back out to the disk and [Q]uit
DEBUG, and then REName the file back to OBLIVION.EXE, after
which it should work fine.


END.


Chapter III  Removing Doc Check Questions


-------------------------------------------------------------
A new fad has recently started up with software vendors. It
involves the use of "passwords" which are either stored in the
documentation or are actually the documentation itself. Then
when you reach a certain part of the program (usually the
beginning) the program will ask for the password and you have
to look it up in the docs before being allowed to continue. If
the wrong password is entered, it will usually drop you to DOS
or take you to a demo version of the program.

This new form of copy protection is very annoying, but can
usually be cracked without too much effort, and the files and
the disk are usually in the standard DOS format. So now we'll
take a look at cracking the doc check questions.

First of all we'll crack the startup questions in F-15 Strike
Eagle by MicroProse.
-------------------------------------------------------------


By: JP ASP
Title: F-15 Unprotect



Make a copy of the original disk using the DOS DISKCOPY
program:

    >DISKCOPY A: B:

Then insert the copy disk in the A drive and invoke DOS DEBUG.
+ + >DEBUG + + Now we'll [F]ill an area of memory with nothing (00). + + -F CS:100 L FEFF 0 + + Next we will [L]oad into address CS:0100 the data that is on + the A: disk (0) from sector 0 to sector 80. + + -l cs:100 0 0 80 + + Now lets [S]earch the data we loaded for the area where the + copy protection routine is. + + -s cs:100 l feff FA EB FD + + Then for each of the occurences listed, use the address DEBUG + returned in the [E]nter command below. + + 23 + + -e xxxx 90 90 90 + + ------------------------------------------------------------- + Here's the part we are interested in, it's where you change + all the autorization codes to a space. Notice how you can + use the [S]earch command to look for ASCII text. + ------------------------------------------------------------- + + -s cs:100 l feff "CHIP" + + Then for each occurance of "CHIP" use the address DEBUG re- + turned in the [F]ill command below. + + -F XXXX L F 20 + + Write out the modified data + + -W CS:100 1 0 80 + + Quit DEBUG + + -Q + + + You should now be able to DISKCOPY and boot from all copies + also just press the space bar when it ask for ANY authority + code and then press "ENTER". Now there is no need to remember + (or look up) any codes that are so finely tucked away in the + manual! + + END. + + + + + + + + + + + + + + + + + + + + + + + + 24 + ------------------------------------------------------------- + Here is a similar method that was used break the passwords in + the program BATTLEHAWKS 1945 by Lucasfilms. However Norton + Utilities is used to search for the passwords and change + them. + ------------------------------------------------------------- + + By: PTL + Title: BATTLEHAWKS-1945 Doc Check Crack + + + In keeping in line with their previous programs, Lucasfilms + has released yet another program which uses Doc Checks for + its means of copy protection, Battlehawks 1942. 
+ + When you run this program, it first goes through a series of + graphic displays, then it goes through a series of questions, + asking what type of mission you want to fly, such as Train- + ing, Active Duty, or which side of the war you want to be on. + + Then right before the simulation begins, it shows you a pic- + ture of a Japanese Zero and ask you for a password which you + + are then supposed to get by looking up the picture of the + Zero in the User Manual and typing the corresponding password + in. After which it enters the simulation, in the event you + enter the wrong password, it puts you into a training mis- + sion. + + Removing the Doc Check in a program like this is usually + pretty easy. The ideal way to do it is to remove the Doc + Check routine itself, but if you don't have all day to debug + and trace around the code this might not be the best way. + For instance if you only have your lunch hour to work on it + (Like I did), then you need to use the standard Q.D.C.R.S. + (Quick Doc Check Removal System). + + How do you do a QDCRS? Well first of all, play around with + the program, find out what it will and will NOT accept as a + password. Most programs will accept anything, but a few + (Like Battlehawks) will only accept Alpha characters. + + Once you've learned what it likes, make an educated guess as + to what program the Doc Check routine is in. Then load that + program into Norton's Utility (NU). + + At this point, take a look at the passwords, and write down + the most unusual one that you can find (I'll explain later). + Now type that password in as the search string, and let NU + search through the file until it finds the password. Now a + couple of things can happen. + + 1. It only finds one occurrence + 2. It finds more than one occurrence + 3. It doesn't find any occurrence + + In the event of case 2 then YOU have to determine where the + passwords are stored, you can do this by opening your eyes + and looking. 
+ + In the event of case 3, go to the kitchen and start a pot of + coffee, then tell you wife to go to bed without you, because + you have a "Special Project" that you have to finish tonight. + And by the way, Good Luck. You'll need it. + + Hopefully case 1 will occur, now you have to take a look at + the data and ask yourself 2 questions: + + 1. Are all the passwords the same length? + 2. Is there a set number of spaces between each pass- + word? + 3. Does the next password always start a certain number + of characters from the first character of the previ- + ous password? + + If you can answer yes to any of the above questions, you in + luck. All you have to do is change the passwords to spaces + + (If the program allows that, Battlehawks doesn't) or change + them to you favorite character. The letter X works good, it's + easy to type and easy to remember. + + If you can't answer yes to any of the questions then you ei- + ther need to bypass the Doc Check routine itself or you need + to be adventurous and experiment. Battlehawks will not follow + any of the above patterns, and your quickly running out of + time, so you'll have to try something, fast... + + So just wiped out all of the data area with X's, all the + passwords and associated "garbage" between them. Then saved + the changes and drop out of NU and into BH. Then when it ask + for the password, just filed the area with X's. Next thing + you know, you'll be escorting a bombing run on a Japanese + carrier. + + So, this one turned out to be fairly simple. Where you may + run into trouble is on Doc Checks that use a graphic system, + such as Gunship by MicroProse. When it comes to this type of + Doc Check, you almost have to bypass the routine itself. And + again, a good way to do this is with setting break points and + using the trace option in Debug. + + END. 
+ + + + + + + + 25 + + ------------------------------------------------------------- + That was the easy version Doc Check crack, however there a + "Better" way to crack Doc Checks, is to bypass the routine + completely so the user can just press enter and not worry + about spaces. Let's take a lot at this method by looking at + a crack for the program, Yeager's Advanced Flight Trainer, by + Electronic Arts. + ------------------------------------------------------------- + + + By: PTL + Title: Yeager's Advanced Flight Trainer + + + + + + + + + + + + + + + + + 26 + Chapter 5 Cracking Self Booters + + + + ------------------------------------------------------------- + Now we'll take a look at cracking self booters. A few compa- + nies have found this to be the best copy protection scheme + for them, one of which is DataEast, makers of Ikari Warriors, + Victory Road, Lock-On, Karnov, etc... This posses a special + problem to the Amateur Cracker, since they seldom use stan- + dard DOS formats. So let's jump right in! + ------------------------------------------------------------- + + + This is the area where a "Higher than Normal" knowledge of + Assembly Language and DOS Diskette structures, so first of + all, the Basic's. + + + The Disk's Physical Structure + + Data is recorded on a disk in a series of concentric circles, + called Tracks. Each track if further divided into segments, + called Sectors. The standard double-density drives can + record 40 tracks of data, while the new quad-density drives + can record 80 tracks. + + However, the location, size, and number of the sectors within + a track are under software control. This is why the PC's + diskettes are known as soft-sectored. The characteristics of + a diskette's sectors (Their size, and the number per track) + are set when each track is formatted. Disk Formatting can be + done either by the operating system or by the ROM-BIOS format + service. 
A lot of self booters and almost all forms of copy + protection create unusual formats via the ROM-BIOS diskette + services. + + The 5 1/4-inch diskettes supported by the standard PC BIOS + may have sectors that are 128,256,512, or 1,024 bytes in + size. DOS, from versions 1.00 through 4.01 has consistently + used sectors of 512 bytes, and it is quite possible that this + will continue. + + Here is a table displaying 6 of the most common disk formats: + _____________________________________________________________ + + Type Sides Sectors Tracks Size(bytes) + _____________________________________________________________ + + S-8 1 8 40 160K + D-8 2 8 40 320K + S-9 1 9 40 180K + D-9 2 9 40 360K + QD-9 2 9 80 720K + QD-15 2 15 80 1,200K + _____________________________________________________________ + + + + S - Single Density + D - Double Density + QD - Quad Density + + Of all these basic formats, only two are in widespread use: + S-8 and D-9. The newer Quad Density formats are for the 3 + 1/2" and 5 1/4" high density diskettes. + + + The Disk's Logical Structure + + So, as we have already mentioned, the 5 1/4-inch diskette + formats have 40 tracks, numbered from 0 (the outside track) + through 39 (the inside track, closest to the center). On a + double sided diskette, the two sides are numbered 0 and 1 + (the two recording heads of a double-sided disk drive are + also numbered 0 and 1). + + The BIOS locates the sectors on a disk by a three-dimensional + coordinate composed of a track number (also referred to as + the cylinder number), a side number (also called the head + number), and a sector number. DOS, on the other hand, lo- + cates information by sector number, and numbers the sectors + sequentially from the outside to inside. + + We can refer to particular sectors either by their + three-dimensional coordinates or by their sequential order. + All ROM-BIOS operations use the three-dimensional coordinates + to locate a sector. 
All DOS operations and tools such as DE- + BUG use the DOS sequential notation. + + The BASIC formula that converts the three-dimensional coordi- + nates used by the ROM-BIOS to the sequential sector numbers + used by DOS is as follows: + + DOS.SECTOR.NUMBER = (BIOS.SECTOR - 1) + DIOS.SIDE + * SECTORS.PER.SIDE + BIOS.TRACK * SECTORS.PER.SIDE + * SIDES.PER.DISK + + And here are the formulas for converting sequential sector + numbers to three-dimensional coordinates: + + BIOS.SECTOR = 1 + DOS.SECTOR.NUMBER MOD SECTORS.PER.SIDE + BIOS.SIDE = (DOS.SECTOR.NUMBER \ SECTORS.PER.SIDE) + MOD SIDE.PER.DISK + BIOS.TRACK = DOS.SECTOR.NUMBER \ (SECTORS.PER.SIDE + * SIDES.PER.DISK) + + (Note: For double-sided nine-sector diskettes, the PC's + most common disk format, the value of SECTORS.PER.SIDE + is 9 and the value of SIDES.PER.DISK is 2. Also note + that sides and tracks are numbered differently in the + ROM-BIOS numbering system: The sides and tracks are num- + bered from 0, but the sectors are numbered from 1.) + + Diskette Space Allocation + + The formatting process divides the sectors on a disk into + four sections, for four different uses. The sections, in the + order they are stored, are the boot record, the file alloca- + tion table (FAT), the directory, and the data space. The + size of each section varies between formats, but the struc- + ture and the order of the sections don't vary. + + The Boot Record: + + This section is always a single sector located at sector + 1 of track 0, side 0. The boot record contains, among other + things, a short program to start the process of loading the + operating system on it. All diskettes have the boot record + on them even if they don't have the operating system. Asisde + from the start-up program, the exact contents of the boot + record vary from format to format. + + The File Allocation Table: + + The FAT follows the boot record, usually starting at + sector 2 of track 0, side 0. 
The FAT contains the official + record of the disk's format and maps out the location of the + sectors used by the disk files. DOS uses the FAT to keep a + record of the data-space usage. Each entry in the table con- + tains a specific code to indicate what space is being used, + what space is available, and what space is unusable (Due to + defects on the disk). + + The File Directory: + + The file directory is the next item on the disk. It is + used as a table of contents, identifying each file on the + disk with a directory entry that contains several pieces of + information, including the file's name and size. One part of + the entry is a number that points to the first group of sec- + tors used by the file (this number is also the first entry + for this file in the FAT). + + The Data Space: + + Occupies the bulk of the diskette (from the directory + through the last sector), is used to store data, while the + other three sections are used to support the data space. + Sectors in the data space are allocated to files on an + as-needed basis, in units known as clusters. The clusters + are one sector long and on double-sided diskettes, they are a + pair of adjacent sectors. + + + + (From here on I'll continue to describe the basics of DOS + disk structures, and assembly language addressing technics. + + + ------------------------------------------------------------- + Here is a simple routine to just make a backup copy of the + Flight Simulator Version 1.0 by Microsoft. I know the latest + version is 3.x but this version will serve the purpose of + demonstrating how to access the data and program files of a + selfbooter. + ------------------------------------------------------------- + + + By: PTL + Title: Microsoft Flight Simulator 1.00 Unprotect + + + This procedure will NOT convert the Flight Simulator disk to + files that can be loaded on a hard drive. But... it will + read off the data from the original and put it onto another + floppy. 
And this should give you an idea of how to read data + directly from a disk and write it back out to another disk. + + First of all take UNFORMATTED disk and place it in drive B:. + This will be the target disk. + + Now place your DOS disk (which has Debug) into drive A:, or + just load Debug off you hard disk. + + A>DEBUG + + Then we are going to enter (manually) a little program to + load the FS files off the disk. + + -E CS:0000 B9 01 00 BA 01 00 BB 00 + 01 0E 07 06 1F 88 E8 53 + 5F AA 83 C7 03 81 FF 1C + 01 76 F6 B8 08 05 CD 13 + 73 01 90 FE C5 80 FD 0C + 76 E1 90 CD 20 + + -E CS:0100 00 00 01 02 00 00 02 02 00 00 03 02 + 00 00 04 02 00 00 05 02 00 00 06 02 + 00 00 07 02 00 00 08 02 + + Next we'll [R]eset the IP Register by typing. + + -R IP + + And then typing four zeros after the address prefix. + + xxxx:0000 + + Next insert the original Flight Simulator disk into drive A: + and we'll run our little loader. + + -G =CS:0000 CS:22 CS:2A + + Now enter a new address to load from. + + -E CS:02 0E + -E CS:27 19 + + And run the Loader again. + + -G =CS:0000 CS:22 CS:2A + + New address + + -E CS:02 27 + -E CS:27 27 + + Run Loader + + -G =CS:0000 CS:22 CS:2A + + Here we'll do some [L]oading directly from the disk our- + selves. + + -L DS:0000 0 0 40 + + And the in turn, write it back out to the B: (1) drive + + -W DS:0000 1 0 40 + + Etc... + + -L DS:0000 0 40 28 + -W DS:0000 1 70 30 + -L DS:0000 0 A0 30 + -W DS:0000 1 A0 30 + -L DS:0000 0 138 8 + -W DS:0000 1 138 8 + + When we are all through, [Q]uit from debug and you should + have a backup copy of the Flight Simulator. + + -Q + + And that's all there is to it. + + END. diff --git a/textfiles.com/piracy/CRACKING/act.txt b/textfiles.com/piracy/CRACKING/act.txt new file mode 100644 index 00000000..ce24a3a2 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/act.txt 
@@ -0,0 +1,1696 @@ + + + + + + + + + VOL 1 NUM 1 + + + + + The Amatuer Crackist Tutorial + Version 1.3 + By + Specular Vision + + + + + + Special Thanks to: + Mr. Transistor + Ironman + The Grand Elusion + Banzai Buckaroo + + + + + Another fine PTL Production + Call The Myth Inc. BBS + Table of Contents: + ------------------ (Page Numbers will be aprox. until + final version is finished) + i. Table of Contents 2 + + ii. Introduction 3 + + I. How to Crack 4 + Debugging DOS 4 + Cracking on the IBM PC Part 1 7 + Cracking on the IBM PC Part 2 11 + + II. Example Cracks 14 + Mean-18 by Accolade 14 + Submarine by Eypx 18 + Space Station Oblivion by Eypx 22 + + III. Removing Doc Check Questions 23 + F-15 Strike Eagle by MicroProse 23 + Battlehawks 1945 by Lucasfilms 25 + Yeager's AFT by Electronic Arts 26 + + IV. Cracking Self Booters 27 + Disk Basics + Victory Road by Data East 27 + MS-Flight Simulator (Ver 2.x) 30 + + V. Creating Title Screens 33 + + VI. Appendix 35 + A - Interrupt Tables 36 + (This will be an add-on file) + + + + + + + + + + + + + + + + + + + + + + + + 2 + Introduction: + ------------- + + Due to the current lack of Crackers, and also keeping in mind + the time it took me to learn the basics of cracking, I de- + cided to put this tutorial together. I will include many + files which I have found helpful in my many cracking endeav- + ors. It also has comments that I have included to make it + easier to understand. + + + + Comments Key: + ------------- + + Comments in the following material will be made by one of the + following and the lines that enclose the comments show who + made the comment. + + Specular Vision = ------------- + Mr. Transistor = +++++++++++++ + Ironman = ||||||||||||| + + + Special thanks to Mr. Transistor, for coming out of "Retire- + ment" to help compose this document. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + 3 + Chapter I How to Crack + + + ------------------------------------------------------------- + Let's start with a simple introduction to patching a program + using the DOS DEBUG program. The following article will in- + troduce you to the basic ideas and concepts of looking for a + certain area of a program and making a patch to it. + ------------------------------------------------------------- + + + By: Charles Petzold / Specular Vision + Title: Case Study: A Colorful CLS + + This article originally appeared in the Oct. 14,1986 Issue + of PC Magazine (Vol 15. Num 17.). Written by Charles Petzold. + + The hardest part of patching existing programs is determin- + ing where the patch should go. You really have to make an + intelligent guess about the functioning of the program. + + As an example, let's attempt to modify COMMAND.COM so that + is colors the screen on a CLS command. As with any type of + patch try it out on a copy and NOT the original. + + First, think about what we should look for. CLS is differ- + ent from all the other DOS internal Commands, It is the only + internal command that does something to the screen other than + just write to it with simple teletype output. CLS blanks the + screen and homes the cursor. Since it can't do this through + DOS Calls (unless ANSI.SYS is loaded), it is probably calling + the BIOS Directly. The BIOS Interrupt 10h call controls the + video, and so the CLS command probably uses several INT 10h + instructions. The machine code for INT 10h is CD 10. + + (While this same method will work under any version of + PC-DOS, Version 2.0 and later, the addresses I'll be using + are from PC-DOS 3.1. Other versions of PC-DOS(or MS-DOS) will + have different addresses; you should be absolutely certain + that you're using the correct addresses.) + + Load COMMAND.COM into DEBUG: + + DEBUG COMMAND.COM + + and do an R (Registers) command. 
The size of COMMAND.COM is + in register CX. For DOS 3.1's COMMAND.COM, this value is + 5AAA. + + Now do Search command to look for the CD 10 bytes: + + S 100 L 5AAA CD 10 + + You'll get a list of six addresses, all clustered close to- + + 4 + gether. The first one is 261D. You can now pick an address a + little before that (to see what the first call is doing) and + start disassembling: + + U 261B + + The first INT 10 has AH set to 0F which is a Current Video + State call. The code checks if the returned value of AL + (Which is the video mode) is less than 3 or equal to 7. + These are the text modes. If so, it branches to 262C. If + not, it just resets the video mode with another INT 10 at ad- + dress 2629. + + At 262C, the code first sets the border black (the INT 10 + at 2630), then does another Current Video State call (at + 2634) to get the screen width in register AH. It uses infor- + mation from this call to set DX equal to the bottom right row + and column. It then clears the screen by scrolling the en- + tire screen up with another INT 10 (at 2645), and then sets + the cursor to the zeroth row and zeroth column with the final + INT 10 (at 264D). + + When it scrolls the whole screen, the zero value in AL ac- + tually means blank the screen, the value of BH is the at- + tribute to be used on the blanked area. In an unmodified + COMMAND.COM, BH is set to 7 (Which is white on black) by the + following statement at address 2640: + + MOV BX,0700 + + If you prefer a yellow-on-blue attribute (1E), you can + change this line by going into Assemble mode by entering: + + A + + then entering + + MOV BX,1E00 + + and exiting Assemble mode by entering a blank line. + + Now you can save the modified file: + + W + + and quit DEBUG: + + Q + + When you load the new version of COMMAND.COM (and you can + do so without rebooting by just entering: + + COMMAND + + + 5 + on the DOS command level), a CLS will turn the screen blue + and display characters as yellow. 
+ + If it doesn't or if anything you type shows up as white on + black, that probably means you have ANSI.SYS loaded. If you + use ANSI.SYS, you don't have to make this patch but can in- + stead use the prompt command for coloring the screen. + + END. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 6 + ------------------------------------------------------------- + That was just one section of a very large article that helped + me to get started. Next we'll look at two other articles, + both written by Buckaroo Banzi. These two articles CRACK-1 + and CRACK-2 give you an introduction to the different copy + protection schemes used on IBM PC's, and how to find and by- + pass them. + ------------------------------------------------------------- + + + + By: Buckaroo Banzai + Title: Cracking On the IBM PC Part I + + + Introduction + ------------ + For years, I have seen cracking tutorials for the APPLE + computers, but never have I seen one for the PC. I have de- + cided to try to write this series to help that pirate move up + a level to a crackest. + + In this part, I will cover what happens with INT 13 and how + most copy protection schemes will use it. I strongly suggest + a knowledge of Assembler (M/L) and how to use DEBUG. These + will be an important figure in cracking anything. + + + INT-13 - An overview + -------------------- + + Many copy protection schemes use the disk interrupt + (INT-13). INT-13 is often use to either try to read in a il- + legally formatted track/sector or to write/format a + track/sector that has been damaged in some way. + + INT-13 is called like any normal interrupt with the assem- + bler command INT 13 (CD 13). [AH] is used to select which + command to be used, with most of the other registers used for + data. + + INT-13 Cracking College + ----------------------- + Although, INT-13 is used in almost all protection schemes, + the easiest to crack is the DOS file. 
Now the protected pro- + gram might use INT-13 to load some other data from a normal + track/sector on a disk, so it is important to determine which + tracks/sectors are important to the protection scheme. I + have found the best way to do this is to use LOCKSMITH/pc + (what, you don't have LS. Contact your local pirate for it.) + + Use LS to analyze the diskette. Write down any track/sector + that seems abnormal. These track are must likely are part of + the protection routine. Now, we must enter debug. Load in + + 7 + the file execute a search for CD 13. Record any address + show. + + If no address are picked up, this mean 1 or 2 things, the + program is not copy protected (right...) or that the check is + in an other part of the program not yet loaded. The latter + being a real hassle to find, so I'll cover it in part II. + There is another choice. The CD 13 might be hidden in self + changing code. Here is what a sector of hidden code might + look like + + -U CS:0000 + 1B00:0000 31DB XOR BX,BX + 1B00:0002 8EDB MOV DS,BX + 1B00:0004 BB0D00 MOV BX,000D + 1B00:0007 8A07 MOV AL,[BX] + 1B00:0009 3412 XOR AL,12 + 1B00:000B 8807 MOV [BX],AL + 1B00:000D DF13 FIST WORD... + + In this section of code, [AL] is set to DF at location + 1B00:0007. When you XOR DF and 12, you would get a CD(hex) + for the INT opcode which is placed right next to a 13 ie, + giving you CD13 or INT-13. This type of code can't and will + not be found using debug's [S]earch command. + + + + Finding Hidden INT-13s + ---------------------- + + The way I find best to find hidden INT-13s, is to use a + program called PC-WATCH (TRAP13 works well also). This pro- + gram traps the interrupts and will print where they were + called from. Once running this, you can just disassemble + around the address until you find code that look like it is + setting up the disk interrupt. + + An other way to decode the INT-13 is to use debug's [G]o + command. 
Just set a breakpoint at the address give by + PC-WATCH (both programs give the return address). Ie, -G + CS:000F (see code above). When debug stops, you will have + encoded not only the INT-13 but anything else leading up to + it. + + + What to do once you find INT-13 + ------------------------------- + + Once you find the INT-13, the hard part for the most part + is over. All that is left to do is to fool the computer in + to thinking the protection has been found. To find out what + the computer is looking for, examine the code right after the + INT-13. Look for any branches having to do with the + + 8 + CARRYFLAG or any CMP to the AH register. If a JNE or JC + (etc) occurs, then [U]nassembe the address listed with the + jump. If it is a CMP then just read on. + + Here you must decide if the program was looking for a pro- + tected track or just a normal track. If it has a CMP AH,0 + and it has read in a protected track, it can be assumed that + it was looking to see if the program had successfully com- + plete the READ/FORMAT of that track and that the disk had + been copied thus JMPing back to DOS (usually). If this is + the case, Just NOP the bytes for the CMP and the correspond- + ing JMP. + + If the program just checked for the carry flag to be set, + and it isn't, then the program usually assumes that the disk + has been copied. Examine the following code + + INT 13 <-- Read in the Sector + JC 1B00 <-- Protection found + INT 19 <-- Reboot + 1B00 (rest of program) + + The program carries out the INT and find an error (the il- + legally formatted sector) so the carry flag is set. The com- + puter, at the next instruction, see that the carry flag is + set and know that the protection has not been breached. In + this case, to fool the computer, just change the "JC 1B00" to + a "JMP 1B00" thus defeating the protection scheme. 
+ + NOTE: the PROTECTION ROUTINE might be found in more than just + 1 part of the program + + + Handling EXE files + ------------------ + + As we all know, Debug can read .EXE files but cannot write + them. To get around this, load and go about cracking the + program as usual. When the protection scheme has been found + and tested, record (use the debug [D]ump command) to save + & + - 10 bytes of the code around the INT 13. Exit back to dos + and rename the file to a .ZAP (any extension but .EXE will + do) and reloading with debug. Search the program for the 20+ + bytes surrounding the code and record the address found. + Then just load this section and edit it like normal. Save + the file and exit back to dos. Rename it back to the .EXE + file and it should be cracked. + + ***NOTE: Sometimes you have to play around with it for a + while to make it work. + + + + + + 9 + DISK I/O (INT-13) + ----------------- + This interrupt uses the AH resister to select the function + to be used. Here is a chart describing the interrupt. + + AH=0 Reset Disk + AH=1 Read the Status of the Disk + system in to AL + + AL Error + ---------------------------- + 00 - Successful + 01 - Bad command given to INT + *02 - Address mark not found + 03 - write attempted on write protected disk + *04 - request sector not found + 08 - DMA overrun + 09 - attempt to cross DMA boundary + *10 - bad CRC on disk read + 20 - controller has failed + 40 - seek operation failed + 80 - attachment failed + (* denotes most used in copy protection) + AH=2 Read Sectors + + input + DL = Drive number (0-3) + DH = Head number (0or1) + CH = Track number + CL = Sector number + AL = # of sectors to read + ES:BX = load address + output + AH =error number (see above) + [Carry Flag Set] + AL = # of sectors read + + AH=3 Write (params. as above) + AH=4 Verify (params. as above -ES:BX) + AH=5 Format (params. 
as above -CL,AL + ES:BX points to format + Table) + + ------------------------------------------------------------ + For more information on INT-13 refer to appendix A. + ------------------------------------------------------------ + + END. + + + + + + + + 10 + ------------------------------------------------------------- + In part II, Buck cover's Calls to INT-13 and INT-13 that are + located in different overlays of the program. This is a + method that is used often. + ------------------------------------------------------------- + + + Cracking Tutorial II. + + By: Buckaroo Banzai + Title: Cracking On the IBM PC Part II + + + Introduction + ------------ + + OK guys, you now passed out of Copy Class 101 (dos files) + and have this great new game with overlays. How do I crack + this one. You scanned the entire .EXE file for the CD 13 and + it's nowhere. Where can it be you ask yourself. + + In part II, I'll cover cracking Overlays and the use of + locksmith in cracking. If you haven't read part I, then I + suggest you do so. The 2 files go together. + + + Looking for Overlays + -------------------- + So, you cant find CD 13 in the .EXE file, well, it can mean + 4 things. + + 1: The .EXE (though it is mostly .COM) file is just a + loader for the main file. + + 2: The .EXE file loads in an overlay. + + 3: The CD 13 is encrypted &/or hidden in the .EXE file. + + 4: Your looking at the WRONG file. + + + I won't discuss case 1 (or at least no here) because so + many UNP files are devoted to PROLOCK and SOFTGUARD, if you + can't figure it out with them, your stupid. + + If you have case 3, use the technique in part I and restart + from the beginning. And if you have case 4, shoot your self. + + You know the program uses overlays but don't see and on + disk? Try looking at the disk with good old Norton's. Any + hidden files are probably the overlays. These are the ones + we are after. If you still can't find them, use PC-WATCH + (this program is a must!!! 
For all crackists. Traps ALL in- + terrupts). + + 11 + + Using PC-Watch to Find Overlays + ------------------------------- + Start up PC-Watch and EXCLUDE everything in the left Col.. + Search the right Col. until you find DOS21 - OpnFile and + select it. + + Now run the program to be cracked. + Play the game until the protection is checked. + Examine you PCWatch output to see what file was loaded + right before it. + This probably is the one holding the check. + If not, go through all the files. + + + You Have Found the Overlays + --------------------------- + Great, now just crack the overlay as if it was a DOS file. + You don't need to worry about .EXE file, debug can write an + overlay file. Part I explains the basics of cracking. I + suggest that you keep a backup copy of the overlay so if you + mess up, and you will, you can recover quickly. Ah, and you + thought cracking with overlays was going to be hard. + + + + Locksmith and Cracking + ---------------------- + + The copy/disk utility program Locksmith by AlphaLogic is a + great tool in cracking. It's analyzing ability is great for + determining what and where the protection is. + + I find it useful, before I even start cracking, to analyze + the protected disk to find and id it's protection. This + helps in 2 ways. First, it helps you to know what to do in + order to fake out the protection. Second, it helps you to + find what the program is looking for. + + I suggest that you get locksmith if you don't already have + it. Check your local pirate board for the program. I also + suggest getting PC-Watch and Norton Utilities 3.1.(Now 4.1) + All of these program have many uses in the cracking world. + + END. + + + + + + + + + + + 12 + Chapter II Example Cracks + + + + ------------------------------------------------------------- + OK, now let's put some of this information into practice by + examining a few cracks of some common programs. First we'll + look at a Crack for Mean-18 Golf by Accolade. 
Accolade has + been one of those companies that has a fervent belief in Copy + Protection. + ------------------------------------------------------------- + + + + + Title: MEAN-18 UnProtect For CGA/EGA Version + + + This crack works by eliminating the code that tests for known + bad sectors on the original diskette to see if it is the + genuine article or an illegal copy. The code begins with an + INT 13 (CD 13 HEX), a DOS BIOS disk service routine followed + a few bytes later by another INT 13 instruction. The program + then checks the returned value for the bit configuration that + signifies the bad sectors and, if all is as expected, contin- + ues on with program execution. + + The code that needs to be patched is in the GOLF.EXE file and + in the ARCH.EXE file. It is identical in both files and lies + near the end of each file. + + In the following steps, you'll locate the start of the test + code and patch it by replacing it with NOP instructions (HEX + 90). The method described uses the DOS DEBUG utility but + Norton's Utility (NU) works too. + + Copy all of the files from the MEAN-18 disk onto a fresh + floppy using the DOS COPY command and place your original + diskette out of harm's way. + + Assuming DEBUG is in the A: drive and the floppy containing + the files to be unlocked is in the B: drive , proceed as fol- + lows: + + First REName the GOLF.EXE file so it has a different + EXTension other than .EXE. + + REN GOLF.EXE GOLF.DEB + + + Next load the file GOLF.DEB into DEBUG and displays the "-" + DEBUG prompt. + + A:> DEBUG B:GOLF.EXE + + 13 + Search for the beginning of the code to be patched by typing: + + + - S CS:100 FFFF CD 13 + + Searches the file for the two byte INT 13 instruction. If + all goes well, two addresses should appear on the screen. + + XXXX:019C + XXXX:01A8 + + XXXX indicates that the numbers preceeding the ":" vary from + system to system but the numbers following the ":" are the + same on all systems. 
+ + The next step is to use the "U" command as indicated to + un-assemble a few bytes in order to verify your position in + the file) + + - U CS:019C + + (Un-assembles 32 bytes of code. Verify the following se- + quence of instructions: + + INT 13 + JB 01E9 + MOV AL,[BX+01FF] + PUSH AX + MOV AX,0201 + INT 13 + POP AX + JB 01E9 + CMP AL,F7 + JNZ 01B5 + + These are the instructions you'll be patching out in the fol- + lowing step) + + - A CS:019C + + This command assembles the new instructions you enter at the + keyboard into the addresses shown. Beginning at CS:019C, and + for the next 21 bytes, ending with and including CS:01B0, en- + ter the no op command "NOP" (90h) followed by a or + . Just hit at address XXXX:01B1 to end the + assemble command.) + + XXXX:019C NOP + XXXX:019D NOP + . + . + . + XXXX:01AE NOP + XXXX:01AF NOP + + 14 + XXXX:01B0 NOP + XXXX:01B1 + + This just wipes out the section of code containing the INT 13 + check. + + Now do a HEX dump and verify that bytes 019C through 01B0 + have been set to 90 HEX. + + - D CS:019C + + If they have, write the patched file to the disk as follows) + + - W + + This writes the patched file back to the + disk where it can be run by typing GOLF just as before but + now, it can be run from any drive, including the hard + drive) + + Now just [Q]uit or exit back to DOS. This command can be ex- + ecuted at any "-" DEBUG prompt if you get lost. No modifica- + tion will be made to the file on the disk until you issue the + "W" command. + + - Q + + The process is the same for the ARCH.EXE file but because it + is a different length, the segment address, (XXXX part of the + address), will be different. You should find the first INT + 13 instruction at address XXXX:019C and the second one at + XXXX:01A8 as before. + + You will again be patching 21 bytes and you will start with + 019C and end with 01B0 as before. 
After doing the HEX dump + starting at address 019C, you again write the file back to + the disk with a "W" command then "Q" uit. + + Norton's utilities can also be used to make this patch. Be- + gin by searcing the GOLF.EXE or ARCH.EXE files for the two + byte combination CD 13 (remember to enter these as HEX + bytes). Once located, change the 21 bytes, starting with the + first "CD" byte, to 90 (a NOP instruction). As a check that + you are in the right place, the byte sequence in both files + is CD 13 72 49 8A 87 FF 01 50 B8 01 02 CD 13 58 72 3C 3C F7 + 75 04. After modifying the bytes, write the modified file + back to the disk. It can then be run from any drive. + + END. + + + + + + + 15 + ------------------------------------------------------------ + That was the first the tutorial cracks, here's another crack + based on the same ideas but using Norton's Utilities instead. + The following is an unprotect method for Eypx Submarine. + Eypx is another one of those companies bent on protecting the + world. + ------------------------------------------------------------ + + + By: Assembler Magic + Title: EPYX Submarine Unprotect + + + You will only need to make one modification to the main + executable program of Submarine, SUB.EXE. I will assume that + your computer has a hard disk and that you have a path to + DOS. It's time to fire up DEBUG as follows: + + DEBUG SUB.EXE + + The computer should respond with a "-" prompt. Now look at + the registers, just to make sure everything came up okay. + Type the letter "R" immediately after the prompt. The com- + puter should respond with a few lines of info as follows: + + AX=0000 BX=0001 CX=6103 DX=0000 SP=0080 BP=0000 SI=0000 + DI=0000 DS=12CE ES=12CE SS=37B2 CS=27FC IP=0010 NV UP EI PL + NZ NA PO NC + 27FC:0010 8CC0 MOV AX,ES + - + + Note the value of CS is "27FC". That is the hexadecimal + segment address for the beginning of the program code in your + computer's memory. 
It is highly probable that the value you + see for CS will differ from mine. Whatever it is, write it + down. Also, the values you see for DS, ES and SS will almost + certainly differ from mine and should not cause you concern. + The other registers should show the same values mine do, and + the flags should start with the same values. + + Next, we will do a search for Interrupt 13's. These are + BIOS (not DOS) Interrupts built into the program which are + used to ensure that the original disk is being used to run + the program. The whole key to this unprotect scheme is to by- + pass these Interrupts in the program code. The tricky part + of this unprotect is to find them! They are not in the seg- + ment of program code starting at the value of CS equal to + "27FC". They are closer to the beginning of the program in + memory. Easy enough! Reset the value of CS to equal the + value of DS as follows; type immediately after Debug's "-" + prompt: + + RCS + + + 16 + Debug will prompt you for the new value of CS with: + + CS:27FC: + + You respond by typing the value of DS you saw when you + dumped the registers the first time. For example, I typed + "12CE". The value you type will be different. Debug + will again respond with the "-" prompt which means we are + ready to do our search. Type in the following after the "-" + prompt: + + S CS:0 FFFF CD 13 + + The computer should respond with three lines of information + which are the addresses of the three Interrupt 13 calls built + into the program. The first four digits are the segment ad- + dress and will equal to the value of CS you have just set. + The second four digits following the colon are the offset ad- + dresses which are of primary interest to us. On my machine + they came back as follows: + + 12CE:4307 + 12CE:431F + 12CE:4335 + + The segment addresses will be identical and the three off- + set addresses should all be relatively close together. Now + look at the first offset address. 
(As you can see, mine was + "4307".) Write it down. Now we do a bit of Unassembly. + + Type "U4307" which is the letter "U", followed immedi- + ately (with no blank spaces) by whatever your first offset + address turned out to be, followed by a carriage return. If + you are not familiar with unassembled machine code, it will + look like lines of gibberish as follows: + + 12CE:4307 CD13 INT 13 + 12CE:4309 4F DEC DI + 12CE:430A 744C JZ 4358 + . + . + 12CE:431F CD13 INT 13 + 12CE:4321 4F DEC DI + . + . + 12CE:4324 BF0400 MOV DI,0004 + 12CE:4326 B80102 MOV AX,0201 + + In my computer, Unassemble will automatically output 16 + lines of code to the screen. Yours may differ. Note, in the + abbreviated list I have shown above, the addresses at the be- + ginning of the two lines which contain the Interrupt 13's + (INT 13) correspond to the first two addresses we found in + our search. Now we continue the unassemble, and here comes + + 17 + another tricky part. Just type in "U" after the "-" + prompt. + + You'll get sixteen more lines of code with the third Inter- + rupt 13 on a line which begins with the address (CS):4335 if + you have the same version of Submarine as I do. It's not + terribly important to this exercise, but it will at + least show you that things are proceeding okay. Now type in + "U" again after the prompt. You are now looking for + three key lines of code. On my program they appear as fol- + lows: + + 12CE:4335 07 POP ES + 12CE:4356 5D POP BP + 12CE:4357 CB RETF + + The true key is the instruction "POP ES". This instruction + begins the normal return sequence after the program has ex- + ecuted its Interrupt 13 instructions and accompanying checks. + If Debug on your machine prints fewer than 16 lines of code + at a shot, you may have to type in "U" more than twice at the + "-" to find these instructions. (If you haven't found any of + this stuff, either get help on the use of Debug or go back to + using your diskette version!) 
Write down the offset address + of the "POP ES" instruction; the four digits following the + colon, which in my example is "4354". You're well on your + way now, so please persevere. + + The next step is to modify the program to JUMP around the + code which executes the Interrupt 13's and go immediately to + the instruction which begins the normal return sequence + (again, it's the "POP ES". Type in the following instruc- + tions carefully: + + A4307 + + This first bit tells Debug that new Assembler code will be + inserted at the address of the first Interrupt 13. If your + first Interrupt 13 is at an address other that "4307", use + the correct address, not mine. The computer will prompt you + with the address: + + 12CE:4307 + + After which you will immediately type: + + JMP 4354 + + This instruction jumps the program immediately to the normal + return code instructions. Again, at the risk of being redun- + dant, if your "POP ES" instruction is at a different address, + use that address, not "4354"! + + The computer will prompt you with the address of the next in- + + 18 + struction if all went well. MAKE SURE you just hit the + carriage return at this point. Debug will then return the + familiar "-" prompt. + + Now it's time to examine your handiwork. Let's do the + unassemble again starting at the address of what had been the + first Interrupt 13 instruction, but which is now the Jump in- + struction. Type in "U4307" or "U" followed by the appro- + priate address and a carriage return. The first line begin- + ning with the address should appear as follows: + + 12CE:4307 EB4B JMP 4354 + + The key here is the four bytes immediately following the ad- + dress. In my example they are "EB4B". Yours may not be. + But, they are VERY IMPORTANT because they represent the ac- + tual machine code which is the Jump instruction. WRITE THESE + FOUR BYTES DOWN AND MAKE SURE THEY ARE CORRECT. 
+ + Now if you want to have some fun before we go on, reset + register CS to its original value by first typing "RCS" + at the "-" prompt. Then type in the original value of CS + that I asked you to write down. Using my example, I typed + "27FC". Next, you will type "G" after the "-" prompt + which means GO! If all went well, SUB should run at this + point. At least it will if you put all of the Submarine + files onto the diskette or into the hard disk subdirectory + where youre working. If it didn't run, you may have made an + error. Check through what you have done. + + Don't give up at this point if it does not run. Your version + of Debug may simply have not tolerated our shenanigans. When + you are done playing, quit Submarine ("Alt-Q") and type a + "Q" after the Debug prompt "-" appears. + + Now comes the tough part. I can't walk you through this + phase in complete detail, because you may be using one of + several programs available to modify the contents of SUB.EXE. + Debug is not the way to go, because it can't write out .EXE + files, only .COM files. + + ------------------------------------------------------------- + Note: Another method of doing this is to REName the SUB.EXE + file so it has a different extension other than .EXE before + you enter DEBUG. That way after you've made the change you + can then [W]rite then changes out to the file right in DEBUG. + Then one drawback is that you can't run the program in DEBUG + once you've changed the name. + ------------------------------------------------------------- + + You have to get into your sector modification package (NORTON + works good) and work on the SUB.EXE file on your new diskette + or your hard disk. Remember, I warned you that doing this on + your hard disk is dangerous if you are not fully aware of + + 19 + what you are doing. So, IF YOU MESS UP, it's YOUR OWN FAULT! + + You are looking for the first occurrence of an Interrupt 13 + (the "CD 13") using the search facility in your program. 
If + you don't have the ability to search for the two-byte hexa- + decimal code "CD 13" directly, then you will have to manually + search. + + ------------------------------------------------------------- + Note: Norton 4.x now has a search utility. When you get to + the point of typing in the search text, just press the TAB + key, and you can type in the actual hexadecimal code "CD 13". + ------------------------------------------------------------- + + Start at the beginning of SUB.EXE and proceed. Again, you + want to find the first of the three (first from the beginning + of the program). + + I will give you a hint. I found it in NORTON at location + 4407 hexadecimal which is location 17,415 decimal in the + SUB.EXE program file. DOS standard sectors are 512 decimal + bytes. Replace the two bytes "CD 13" with the "EB 4B" or + whatever your Jump instruction turned out to be. Write or + save the modified file. + + That's ALL there is to modifying SUB.EXE. You can go ahead + and execute your program. If you have followed my instruc- + tions, it should run fine. Get help if it doesn't. Now, you + should be all set. You can load onto your hard disk, if you + haven't already. You can run it from a RAM disk using a BAT + file if you really want it to hum. Or, if you have the fa- + cilities, you can copy it from 5-1/4" floppy to 3-1/2" dis- + kette and run it on machines which accept that medium if you + upgrade to a new computer. + + END. + + + + + + + + + + + + + + + + + + + + 20 + ------------------------------------------------------------- + Now let's take a look at a newer crack on the program, Space + Station Oblivion by Eypx. At a first [S]earch with Debug and + Norton's Utility no CD 13's could be found, and yet it was + using them... So a different approach had to be taken... 
+ ------------------------------------------------------------- + + + By: PTL + Title: Space Station Oblivion Crack + + + First of all, you must determine which file the INT 13's are + in, in this case it had to be the file OBLIVION.EXE since it + was the main program and probably contained the INT 13's. So + then rename it to a different EXTension and load it into De- + bug. + + Then do a [S]earch for INT 13's. + + -S 100 FFFF CD 13 + + Which will promptly turned up nothing. Hmmm... + + Next you might decide that, maybe, the code was modifying it- + self. So quit from Debug and load up PC-Watch, include all + the INT 13 Calls. For those of you not familiar with + PC-Watch, it is a memory resident program that can be set to + look for any type of BIOS call. When that call is made + PC-Watch prints to the screen the contents of all the regis- + ters and the current memory location that the call was made + from. + + After PC-Watch is initialized, then run the OBLIVION.EXE file + from the hard disk, leaving the floppy drive door open, and + sure enough, when the red light comes on in the diskette + drive, PC-Watch will report the address's of some INT 13 + calls. Which you should then write down. + + From there, quit the game, reboot, (To dump PC-Watch from + memory) and load the OBLIVION.EXE into Debug and issue a [G]o + command with a breakpoint. What address should you use for a + breakpoint? You guessed it, the same address PC-Watch gives + you. + + Well, it locked up did'nt it? Which is quite common in this + line of work so don't let that discourage you. So next re- + loaded it into debug and this time [U]nassemble the address + that you got from PC-Watch. But instead of finding the INT + 13's you'll find harmless INT 21's. + + Hmm... could it be that the program was converting the CD + 21's to CD 13's during the run? Well, to test the idea as- + semble an INT 20 (Program Terminate) right after the first + + 21 + INT 21. 
Then I run the program, and yes immediately after the + red light comes on the drive, the program will terminate nor- + mally. + + Then [U]nassemble that same area of memory, and low and be- + hold, some of the INT 21's have magically turned into INT + 13's. How clever... + + So, then it is just a matter of locating the address of the + routine that it jumped (JMP) to if the correct disk was found + in drive A:. Once you have that address, just go to the + start of all this nonsense and [A]ssemble a JMP XXXX command. + Where XXXX was the address to jump to if the original disk + was in drive A:. + + Then just [W]rite the file back out to the disk and [Q]uit + debug, and then REName the file back to OBLIVION.EXE + afterwhich it should work fine. + + + END. + + 22 + Chapter III Removing Doc Check Questions + + + ------------------------------------------------------------- + A new fad has recently started up with software vendors, it + involves the use of "Passwords" which are either stored in + the documentation or are actually the documentation itself. + Then when you reach a certain part of the program (Usually + the beginning) the program will ask for the password and you + have to look it up in the Docs before being allowed to con- + tinue. If the wrong password is entered, it will usually + drop you to DOS or take you to a Demo version of the program. + + This new form of copy protection is very annoying, but can + usually be cracked without too much effort, and the files + and the disk are usually in the standard DOS format. So now + we'll take a look at cracking the Doc check questions. + + First of all we'll crack the startup questions in F-15 + Strike Eagle by MicroProse. + ------------------------------------------------------------- + + + By: JP ASP + Title: F-15 Unprotect + + + + Make a copy of the original disk using the DOS DISKCOPY pro- + gram. + + >DISKCOPY A: B: + + Then insert the copy disk in the A drive and invoke DOS DE- + BUG. 
+ + >DEBUG + + Now we'll [F]ill an area of memory with nothing (00). + + -F CS:100 L FEFF 0 + + Next we will [L]oad into address CS:0100 the data that is on + the A: disk (0) from sector 0 to sector 80. + + -l cs:100 0 0 80 + + Now lets [S]earch the data we loaded for the area where the + copy protection routine is. + + -s cs:100 l feff FA EB FD + + Then for each of the occurences listed, use the address DEBUG + returned in the [E]nter command below. + + 23 + + -e xxxx 90 90 90 + + ------------------------------------------------------------- + Here's the part we are interested in, it's where you change + all the autorization codes to a space. Notice how you can + use the [S]earch command to look for ASCII text. + ------------------------------------------------------------- + + -s cs:100 l feff "CHIP" + + Then for each occurance of "CHIP" use the address DEBUG re- + turned in the [F]ill command below. + + -F XXXX L F 20 + + Write out the modified data + + -W CS:100 1 0 80 + + Quit DEBUG + + -Q + + + You should now be able to DISKCOPY and boot from all copies + also just press the space bar when it ask for ANY authority + code and then press "ENTER". Now there is no need to remember + (or look up) any codes that are so finely tucked away in the + manual! + + END. + + + + + + + + + + + + + + + + + + + + + + + + 24 + ------------------------------------------------------------- + Here is a similar method that was used break the passwords in + the program BATTLEHAWKS 1945 by Lucasfilms. However Norton + Utilities is used to search for the passwords and change + them. + ------------------------------------------------------------- + + By: PTL + Title: BATTLEHAWKS-1945 Doc Check Crack + + + In keeping in line with their previous programs, Lucasfilms + has released yet another program which uses Doc Checks for + its means of copy protection, Battlehawks 1942. 
+ + When you run this program, it first goes through a series of + graphic displays, then it goes through a series of questions, + asking what type of mission you want to fly, such as Train- + ing, Active Duty, or which side of the war you want to be on. + + Then right before the simulation begins, it shows you a pic- + ture of a Japanese Zero and ask you for a password which you + + are then supposed to get by looking up the picture of the + Zero in the User Manual and typing the corresponding password + in. After which it enters the simulation, in the event you + enter the wrong password, it puts you into a training mis- + sion. + + Removing the Doc Check in a program like this is usually + pretty easy. The ideal way to do it is to remove the Doc + Check routine itself, but if you don't have all day to debug + and trace around the code this might not be the best way. + For instance if you only have your lunch hour to work on it + (Like I did), then you need to use the standard Q.D.C.R.S. + (Quick Doc Check Removal System). + + How do you do a QDCRS? Well first of all, play around with + the program, find out what it will and will NOT accept as a + password. Most programs will accept anything, but a few + (Like Battlehawks) will only accept Alpha characters. + + Once you've learned what it likes, make an educated guess as + to what program the Doc Check routine is in. Then load that + program into Norton's Utility (NU). + + At this point, take a look at the passwords, and write down + the most unusual one that you can find (I'll explain later). + Now type that password in as the search string, and let NU + search through the file until it finds the password. Now a + couple of things can happen. + + 1. It only finds one occurrence + 2. It finds more than one occurrence + 3. It doesn't find any occurrence + + In the event of case 2 then YOU have to determine where the + passwords are stored, you can do this by opening your eyes + and looking. 
+ + In the event of case 3, go to the kitchen and start a pot of + coffee, then tell you wife to go to bed without you, because + you have a "Special Project" that you have to finish tonight. + And by the way, Good Luck. You'll need it. + + Hopefully case 1 will occur, now you have to take a look at + the data and ask yourself 2 questions: + + 1. Are all the passwords the same length? + 2. Is there a set number of spaces between each pass- + word? + 3. Does the next password always start a certain number + of characters from the first character of the previ- + ous password? + + If you can answer yes to any of the above questions, you in + luck. All you have to do is change the passwords to spaces + + (If the program allows that, Battlehawks doesn't) or change + them to you favorite character. The letter X works good, it's + easy to type and easy to remember. + + If you can't answer yes to any of the questions then you ei- + ther need to bypass the Doc Check routine itself or you need + to be adventurous and experiment. Battlehawks will not follow + any of the above patterns, and your quickly running out of + time, so you'll have to try something, fast... + + So just wiped out all of the data area with X's, all the + passwords and associated "garbage" between them. Then saved + the changes and drop out of NU and into BH. Then when it ask + for the password, just filed the area with X's. Next thing + you know, you'll be escorting a bombing run on a Japanese + carrier. + + So, this one turned out to be fairly simple. Where you may + run into trouble is on Doc Checks that use a graphic system, + such as Gunship by MicroProse. When it comes to this type of + Doc Check, you almost have to bypass the routine itself. And + again, a good way to do this is with setting break points and + using the trace option in Debug. + + END. 
+ + + + + + + + 25 + + ------------------------------------------------------------- + That was the easy version Doc Check crack, however there a + "Better" way to crack Doc Checks, is to bypass the routine + completely so the user can just press enter and not worry + about spaces. Let's take a lot at this method by looking at + a crack for the program, Yeager's Advanced Flight Trainer, by + Electronic Arts. + ------------------------------------------------------------- + + + By: PTL + Title: Yeager's Advanced Flight Trainer + + + + + + + + + + + + + + + + + 26 + Chapter 5 Cracking Self Booters + + + + ------------------------------------------------------------- + Now we'll take a look at cracking self booters. A few compa- + nies have found this to be the best copy protection scheme + for them, one of which is DataEast, makers of Ikari Warriors, + Victory Road, Lock-On, Karnov, etc... This posses a special + problem to the Amateur Cracker, since they seldom use stan- + dard DOS formats. So let's jump right in! + ------------------------------------------------------------- + + + This is the area where a "Higher than Normal" knowledge of + Assembly Language and DOS Diskette structures, so first of + all, the Basic's. + + + The Disk's Physical Structure + + Data is recorded on a disk in a series of concentric circles, + called Tracks. Each track if further divided into segments, + called Sectors. The standard double-density drives can + record 40 tracks of data, while the new quad-density drives + can record 80 tracks. + + However, the location, size, and number of the sectors within + a track are under software control. This is why the PC's + diskettes are known as soft-sectored. The characteristics of + a diskette's sectors (Their size, and the number per track) + are set when each track is formatted. Disk Formatting can be + done either by the operating system or by the ROM-BIOS format + service. 
A lot of self booters and almost all forms of copy + protection create unusual formats via the ROM-BIOS diskette + services. + + The 5 1/4-inch diskettes supported by the standard PC BIOS + may have sectors that are 128,256,512, or 1,024 bytes in + size. DOS, from versions 1.00 through 4.01 has consistently + used sectors of 512 bytes, and it is quite possible that this + will continue. + + Here is a table displaying 6 of the most common disk formats: + _____________________________________________________________ + + Type Sides Sectors Tracks Size(bytes) + _____________________________________________________________ + + S-8 1 8 40 160K + D-8 2 8 40 320K + S-9 1 9 40 180K + D-9 2 9 40 360K + QD-9 2 9 80 720K + QD-15 2 15 80 1,200K + _____________________________________________________________ + + + + S - Single Density + D - Double Density + QD - Quad Density + + Of all these basic formats, only two are in widespread use: + S-8 and D-9. The newer Quad Density formats are for the 3 + 1/2" and 5 1/4" high density diskettes. + + + The Disk's Logical Structure + + So, as we have already mentioned, the 5 1/4-inch diskette + formats have 40 tracks, numbered from 0 (the outside track) + through 39 (the inside track, closest to the center). On a + double sided diskette, the two sides are numbered 0 and 1 + (the two recording heads of a double-sided disk drive are + also numbered 0 and 1). + + The BIOS locates the sectors on a disk by a three-dimensional + coordinate composed of a track number (also referred to as + the cylinder number), a side number (also called the head + number), and a sector number. DOS, on the other hand, lo- + cates information by sector number, and numbers the sectors + sequentially from the outside to inside. + + We can refer to particular sectors either by their + three-dimensional coordinates or by their sequential order. + All ROM-BIOS operations use the three-dimensional coordinates + to locate a sector. 
All DOS operations and tools such as DE- + BUG use the DOS sequential notation. + + The BASIC formula that converts the three-dimensional coordi- + nates used by the ROM-BIOS to the sequential sector numbers + used by DOS is as follows: + + DOS.SECTOR.NUMBER = (BIOS.SECTOR - 1) + DIOS.SIDE + * SECTORS.PER.SIDE + BIOS.TRACK * SECTORS.PER.SIDE + * SIDES.PER.DISK + + And here are the formulas for converting sequential sector + numbers to three-dimensional coordinates: + + BIOS.SECTOR = 1 + DOS.SECTOR.NUMBER MOD SECTORS.PER.SIDE + BIOS.SIDE = (DOS.SECTOR.NUMBER \ SECTORS.PER.SIDE) + MOD SIDE.PER.DISK + BIOS.TRACK = DOS.SECTOR.NUMBER \ (SECTORS.PER.SIDE + * SIDES.PER.DISK) + + (Note: For double-sided nine-sector diskettes, the PC's + most common disk format, the value of SECTORS.PER.SIDE + is 9 and the value of SIDES.PER.DISK is 2. Also note + that sides and tracks are numbered differently in the + ROM-BIOS numbering system: The sides and tracks are num- + bered from 0, but the sectors are numbered from 1.) + + Diskette Space Allocation + + The formatting process divides the sectors on a disk into + four sections, for four different uses. The sections, in the + order they are stored, are the boot record, the file alloca- + tion table (FAT), the directory, and the data space. The + size of each section varies between formats, but the struc- + ture and the order of the sections don't vary. + + The Boot Record: + + This section is always a single sector located at sector + 1 of track 0, side 0. The boot record contains, among other + things, a short program to start the process of loading the + operating system on it. All diskettes have the boot record + on them even if they don't have the operating system. Asisde + from the start-up program, the exact contents of the boot + record vary from format to format. + + The File Allocation Table: + + The FAT follows the boot record, usually starting at + sector 2 of track 0, side 0. 
The FAT contains the official + record of the disk's format and maps out the location of the + sectors used by the disk files. DOS uses the FAT to keep a + record of the data-space usage. Each entry in the table con- + tains a specific code to indicate what space is being used, + what space is available, and what space is unusable (Due to + defects on the disk). + + The File Directory: + + The file directory is the next item on the disk. It is + used as a table of contents, identifying each file on the + disk with a directory entry that contains several pieces of + information, including the file's name and size. One part of + the entry is a number that points to the first group of sec- + tors used by the file (this number is also the first entry + for this file in the FAT). + + The Data Space: + + Occupies the bulk of the diskette (from the directory + through the last sector), is used to store data, while the + other three sections are used to support the data space. + Sectors in the data space are allocated to files on an + as-needed basis, in units known as clusters. The clusters + are one sector long and on double-sided diskettes, they are a + pair of adjacent sectors. + + + + (From here on I'll continue to describe the basics of DOS + disk structures, and assembly language addressing technics. + + + ------------------------------------------------------------- + Here is a simple routine to just make a backup copy of the + Flight Simulator Version 1.0 by Microsoft. I know the latest + version is 3.x but this version will serve the purpose of + demonstrating how to access the data and program files of a + selfbooter. + ------------------------------------------------------------- + + + By: PTL + Title: Microsoft Flight Simulator 1.00 Unprotect + + + This procedure will NOT convert the Flight Simulator disk to + files that can be loaded on a hard drive. But... it will + read off the data from the original and put it onto another + floppy. 
And this should give you an idea of how to read data + directly from a disk and write it back out to another disk. + + First of all take UNFORMATTED disk and place it in drive B:. + This will be the target disk. + + Now place your DOS disk (which has Debug) into drive A:, or + just load Debug off you hard disk. + + A>DEBUG + + Then we are going to enter (manually) a little program to + load the FS files off the disk. + + -E CS:0000 B9 01 00 BA 01 00 BB 00 + 01 0E 07 06 1F 88 E8 53 + 5F AA 83 C7 03 81 FF 1C + 01 76 F6 B8 08 05 CD 13 + 73 01 90 FE C5 80 FD 0C + 76 E1 90 CD 20 + + -E CS:0100 00 00 01 02 00 00 02 02 00 00 03 02 + 00 00 04 02 00 00 05 02 00 00 06 02 + 00 00 07 02 00 00 08 02 + + Next we'll [R]eset the IP Register by typing. + + -R IP + + And then typing four zeros after the address prefix. + + xxxx:0000 + + Next insert the original Flight Simulator disk into drive A: + and we'll run our little loader. + + -G =CS:0000 CS:22 CS:2A + + Now enter a new address to load from. + + -E CS:02 0E + -E CS:27 19 + + And run the Loader again. + + -G =CS:0000 CS:22 CS:2A + + New address + + -E CS:02 27 + -E CS:27 27 + + Run Loader + + -G =CS:0000 CS:22 CS:2A + + Here we'll do some [L]oading directly from the disk our- + selves. + + -L DS:0000 0 0 40 + + And the in turn, write it back out to the B: (1) drive + + -W DS:0000 1 0 40 + + Etc... + + -L DS:0000 0 40 28 + -W DS:0000 1 70 30 + -L DS:0000 0 A0 30 + -W DS:0000 1 A0 30 + -L DS:0000 0 138 8 + -W DS:0000 1 138 8 + + When we are all through, [Q]uit from debug and you should + have a backup copy of the Flight Simulator. + + -Q + + And that's all there is to it. + + END. \ No newline at end of file diff --git a/textfiles.com/piracy/CRACKING/asm_for_.txt b/textfiles.com/piracy/CRACKING/asm_for_.txt new file mode 100644 index 00000000..70485c72 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/asm_for_.txt 
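Review bot: the sector-copy steps near the end of this hunk are inconsistent: `-L DS:0000 0 40 28` reads 28h sectors starting at sector 40h of A:, but the paired `-W DS:0000 1 70 30` writes 30h sectors starting at sector 70h of B:, while every other L/W pair (0/40, A0/30, 138/8) uses the same start sector and count on both sides; either the write should be `-W DS:0000 1 40 28` or the text should explain the offset, otherwise a reader following it literally puts the data from A: sectors 40h-67h at B: sectors 70h-9Fh (plus eight sectors of leftover memory) and never writes B: sectors 40h-6Fh. Two smaller points: the routine entered at CS:0000 issues INT 13h with AH=05h (`B8 08 05 CD 13`) against DL=01 from `BA 01 00`, i.e. it formats tracks on drive B: using the address-field table at CS:0100, so calling it a "loader" and telling the reader to insert the original into A: before running it is misleading (A: is only read by the later -L commands); and in the BASIC conversion formula `DIOS.SIDE` should read `BIOS.SIDE`, with `SIDE.PER.DISK` matching the `SIDES.PER.DISK` used elsewhere. The cluster sentence in the Data Space paragraph also lost its first clause: it should say that on single-sided diskettes a cluster is one sector and on double-sided diskettes a pair of adjacent sectors.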
@@ -0,0 +1,184 @@ +Assembly for Crackers - v1.0 +---------------------------- + +Hey, This is a very basic guide to assembly for all those people who couldn't be bothered learning the in's & out's of their computer just to be able to use mIRC without having to click on some guys face. :) + +I'll basically go through the most necessary stuff that you need to know before you can begin to crack. I know it's not in a very logical order, but what d'ya want for free? ;)) + +Oh yeah, you should view this with wordwrap on, otherwise it'll be a pain in the arse to follow ;) + + +REGISTERS +--------- + +Registers are basically default places in which to store data. The only ones we need to worry about are: (E)AX,(E)BX,(E)CX,(E)DX +( The (E) is only significant when debugging 32-bit code ) + +Also the register pairs: +DS:SI ; Can be used as the source for string operations +ES:DI ; Used as the target for string operations + +To understand registers isn't very important for cracking, generally just to know that they're variables for data storage is enough to get you started :) + + + +FLAGS +----- + +Flags are essentially like registers except that they can only be true or false ( ie 0 or 1 ) These are set by commands such as CMP, and are used to check the outcome of such a call, ie: + +CMP AX, BX ; Compare AX to BX, if equal the zero flag is set to 1 +JZ 00124531 ; If the zero flag is set, jump to 001254531. + +To understand this properly you'll probably have to read on and then come back... :P + + + +The Stack & Push/Pop +-------------------- + +Before any function call, a program must 'push' any parameters that the function expects onto the stack. Think of it as a stack of plates, the first plate on the stack is the last one to be taken off-- the stack is exactly the same. It's important to remember this 'first on/last off' principal when looking at a call, as this means that the parameters will be passed in reverse order... 
+ +In case my babbling has confused you, lets look at this example: + + +The windows api function GetDlgItemText requires the following parameters: + +(1) Handle of dialog box +(2) Identifier of control +(3) Address of buffer for text +(4) Maximum size of string + +Therefore these could be passed like so: + +MOV EDI,[ESP+00000220] ; Get Handle of dialog box in EDI +PUSH 00000100 ; PUSH (4) Max size of string +PUSH 00406130 ; PUSH (3) Address of buffer for text +PUSH 00000405 ; PUSH (2) Identifier of control +PUSH EDI ; PUSH (1) Handle of dialog box +CALL GetWindowText ; CALL the function + +Easy eh? This can be one of the simplest ways of cracking a serial number app, if you know the address of the buffer for the serial number, in this case 00406130, just breakpoint it, and you'll usually end up in or around the procedure that generates the real serial!! :) + +POP is simply used to remove the first item from the stack, there are usually a lot of them before a function returns to the program... + + + +AND +--- + +USAGE : AND dest,src +PURPOSE : Performs a logical AND of the two inputs, replacing the dest with the result +EXAMPLE : AND BX, 03h + +There's not very much that can be said about this call, it does what it says. + + + +CALL +---- + +USAGE : CALL address +PURPOSE : Executes a function at the address 'address' +EXAMPLE : CALL 10284312 + +Calls the function at address 'address', once the function has finished, the code with continue the line after the call. + + + +CMP +--- + +USAGE : CMP dest,src +PURPOSE : Subtracts src from dest and updates the flags. +EXAMPLE : CMP AX,03h + +This is an important instruction as far as we ( crackers ) are concerned :). Somewhere in the program for it to verify something, ie. to compare the real serial to the one we enter, or to check if a program is registered etc. + +This instruction usually preceeds a jump instruction of some kind. 
+ + + +INT +--- + +USAGE : INT interrupt_number +PURPOSE : Calls a default function ( usually coded in the BIOS ) +EXAMPLE : INT 10h + +You won't really see this command much ( if at all ) when debugging windows programs, but they turn up all over the place in DOS. Usually the parameters are passed in the default registers ( AX,BX,CX etc. ) + +There are far too many INT calls to list here, better to get a copy of an interrupt list. Ralph Browns is very good! :) + + + +JMP +--- + +USAGE : JMP address +PURPOSE : Equivalent to a basic GOTO, jumps to a section of code +EXAMPLE : JMP 00402011 + +JMP is an unconditional jump to a section of code. As simple as that! :) + +There are tons of variations on this instruction, the most important ones are: + +JZ - Jump if the zero flag is set. ( Same as JE ) +JNZ - Jump if the zero flag is not set. ( Same as JNE ) + +These usually follow a CMP instruction, ie: + +CMP RealSerial,BadSerial ; Compare the real serial to our serial +JNE GoAwayBadCracker ; If Not Equal then exit. + + + +MOV +--- + +USAGE : MOV dest,src +PURPOSE : Copies byte or word value from the source to the destination +EXAMPLE : MOV AX,DX + +You will see this a *lot* when you're stepping through code, it basically means ( to use BASIC terms ;) ) LET dest = src + +There are quite a few variants including MOVSX, but they all basically do the same thing. It might help to get the intel programming specs from their website. + +If you can't understand this one, you're screwed! ;) + + + +OR +-- + +USAGE : OR dest,src +PURPOSE : Performs a logical OR on the two inputs replacing the dest with the result +EXAMPLE : OR DX, AX + +Does what it says. + + + +RET +--- + +USAGE : RET +PURPOSE : To return from a function +EXAMPLE : RET + +You will usually see this at the end of a function, and it simply instructs the processor to return to the address of the call to the function. 
+ + + +Useful Stuff +------------ + +The specs for programming intel processors : www.intel.com +Ralph Browns interrupt list : search for it +Win32 Programmers Reference : comes with any visual language + + +As far as I know this is about all you'll need to really understand to get started in cracking. Most of the stuff is pretty self-explanitory, but if you get stuck you can email me at: Corn02@hotmail.com or go to #cracking4newbies on efnet, where you'll be able to find someone to help you out. Any comments and stuff are also welcome, or any stuff that you think needs to be added also. + +--Corn2 + diff --git a/textfiles.com/piracy/CRACKING/asmtut.txt b/textfiles.com/piracy/CRACKING/asmtut.txt new file mode 100644 index 00000000..8e94a262 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/asmtut.txt 
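Review bot: the worked call in the stack section names the wrong API: the four parameters listed (dialog handle, control identifier, buffer address, maximum size) are GetDlgItemText's and the four PUSHes match them, but the last line reads `CALL GetWindowText`, which takes three parameters (window handle, buffer, size) and no control identifier; it should read `CALL GetDlgItemText`. Related wording: `POP is simply used to remove the first item from the stack` should say the top (most recently pushed) item, which is what the plate analogy above it already describes, and the JZ example's comment jumps to `001254531` while the instruction says `00124531` (one digit too many). Minor: "first on/last off principal" should be "principle", and the MOV entry should mention dword operands, since the guide targets 32-bit code and its own examples move into EDI.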
@@ -0,0 +1,389 @@ +Welcome to XLogic's Assembly KeyGen tutorial. + +What you will need: +TASM 3.0 or higher (Comes with TD). +A Good Text Editor (EDIT.COM). +A Good Dos Debugger (I will use TD, S-ICE and DG are also Acceptable). +A File access monitor (SCANF is included). +An ASM Command Listing (go buy a book). +A GOOD (intermediate) knowledge of ASM. <-- Don't bug me for help. +X-Tract 1.51 (included). + +1. Introduction. +This was the first key generator I ever wrote. It taught me more about +assembly than any book I've read, considering that I originally +learned assembly from debugging stuff. + +This is a very easy keygen to do, but you use the same process to write +other much more complex keygens. + +The best way of writing a keygen in my experience is: +1. Debug, dissasemble, do whatever is necessary to UNDERSTAND what the hell + the program is doing. +2. Extract the relevant code, reverse it or whatever needs doing to make it + ready for the keygen. +3. Write the keygen. +4. Use a key you made, debug the program, and make sure it works 101%. + +2. Let's Get Started! +Ok, look at the program, how it runs. See if it prompts for a reg number, +if it looks for a key file, any way it gets registration in. + +With X-Tract, there are no prompts for reg numbers, or anything. +Ok, so now you run a file access monitor, to check if it looks for a reg +key. (I have included a good file access monitor with the package, SCANF. +To make it put file access up on the screen, use "scanf con" to run it) +Bingo. It looks for X-TRACT.KEY. + +Now the debugging starts. First create a file called X-TRACT.KEY in the +same directory as X-Tract, and load your debugger. Step through with the +file access montior loaded to see where it opens the key file. + +You trace over the following call, and the file monitor tells you that the +key has been opened. 
+ + cs:366B 2EA27908 mov cs:[0879],al + cs:366F 9C pushf + cs:3670 E8D71A call 514A + +Now you restart debugging and trace one instruction into that function call. +You trace over the first function call, and notice that it displays the +startup banner: +X-TRACT (tm) Executable File Extractor Version 1.51 7-26-95 +Copyright 1994-95 by Pablo Carboni. All Rights Reserved. + +The next block of code uses an Int 21h call. +You notice that this is what opens the file. +Int 21h's usage is as follows: +ah = 3D ; Open file Handle for file access +al = 02 ; file access code +dx = filename offset ; Where the filename is in memory +Int 21h ; Try to open the file +jnb ok ; If the file exists, and has been opened, jump +jmp error ; If the file hasn't been opened, jump. + +So what this block of code does is try and open the file. + cs:5150 B8023D mov ax,3D02 + cs:5153 BAFC21 mov dx,21FC + cs:5156 CD21 int 21 + cs:5158 7303 jnb 515D + cs:515A E9ED00 jmp 524A + +Since you made a file called X-TRACT.KEY before you started debugging +it should jump on the first jump. +You then end up here: + cs:515D 2EA3D805 mov cs:[05D8],ax + cs:5161 B43F mov ah,3F + cs:5163 2E8B1ED805 mov bx,cs:[05D8] + cs:5168 B99B00 mov cx,009B + cs:516B BABD00 mov dx,00BD + cs:516E CD21 int 21 + cs:5170 3D9B00 cmp ax,009B + cs:5173 7303 jnb 5178 + cs:5175 E9D200 jmp 524A + +The first line stores the files handle for future access from AX to +memory location 05D8h. + +Now, we see another Int 21h call coming up. This time it is as follows: +ah = 3Fh ; Read Data from the open filehandle in BX +bx = [05D8h] ; get the file handle we saved just before. +cx = 9Bh ; How many bytes we want to try and read. +dx = 0BDh ; Where we want to put the read bytes. +Int 21h ; Do the deed + +When this returns, AX will be the actual number of bytes read from the file. +So what is this next piece of code doing? 
+ cs:5170 3D9B00 cmp ax,009B + cs:5173 7303 jnb 5178 + cs:5175 E9D200 jmp 524A +Its checking if it could read 9Bh bytes from the file, and if it could, +continue. + +As you should have noticed, if any of the previous tests have failed, they +jump to location 524Ah. Keep this in mind when you are debugging the code. + +Now you hit this big lump of code: + cs:5178 BEBD00 mov si,00BD + cs:517B BF5521 mov di,2155 + cs:517E B99A00 mov cx,009A + cs:5181 0E push cs + cs:5182 1F pop ds + cs:5183 0E push cs + cs:5184 07 pop es + cs:5185 FC cld + cs:5186 F3A6 rep cmpsb + cs:5188 7403 je 518D + cs:518A E9BD00 jmp 524A +rep cmpsb....... hmmm, a byte-by-byte compare statement. +how this is called is: +cx = Number of bytes to compare +DS:DI = First lot of bytes to compare +ES:SI = Second lot of bytes to compare +rep cmpsb ; do the compare +je continue ; jump here it the same +jmp error ; jump here if not the same + +So what should be at the start of the rego key? +Whatever is at ES:DI. The other location has what was in the rego key +that you created. + +Now you get to this: + cs:518D AC lodsb + cs:518E 3CE0 cmp al,E0 + cs:5190 741B je 51AD +And a few more with different compares. It is checking if one of these +is equal to the byte it loaded from DS:DI (its there from after the 1st +compare). + +Could it be checking for the type of registration? Lets continue and see. + cs:51AD 2EA28008 mov cs:[0880],al + cs:51B1 B43F mov ah,3F + cs:51B3 2E8B1ED805 mov bx,cs:[05D8] + cs:51B8 B92A00 mov cx,002A + cs:51BB BABD00 mov dx,00BD + cs:51BE CD21 int 21 + cs:51C0 3D2A00 cmp ax,002A + cs:51C3 7403 je 51C8 + cs:51C5 E98200 jmp 524A + +It saves the byte it just checked to cs:880h. +Then it does what it did before with Int 21h, it reads 2Ah bytes from the +file to ds:00BDh. If it could read 2Ah bytes, it continues on, otherwise +it quits. + +Now would be a good time to get out of the debugger and make the key file. 
+9Bh + 2Ah bytes (add the two cx vaules from the file read Int 21h's) is +equal to 197 bytes, so now would be a good time to get out, make a file of +size 197 bytes, With the first lot of data it compared (that string of +bytes), then either a E0h, E1h, E2h or E3h, which it looked for. I will +use a E0h. + +You've got your registration key half done. After making it, you +should be able to pass all of the tests it performs to the point where we +left off. If you had problems, have a look at the key that I provided +called XLOGIC.REG to get some hints. + +Now you hit this: + cs:51C8 BEBD00 mov si,00BD + cs:51CB 8BFE mov di,si + cs:51CD B92A00 mov cx,002A + cs:51D0 2E8A1E8008 mov bl,cs:[0880] + cs:51D5 AC lodsb + cs:51D6 32C3 xor al,bl + cs:51D8 AA stosb + cs:51D9 80EB22 sub bl,22 + cs:51DC E2F7 loop 51D5 + +Now before i tell you, try and work out what this does. + +Here is what it is doing: +1. si = 0BDh ;the location to start from +2. di = si ;set the second location to start from +3. cx = 2Ah ;how many times to loop +4. bl = cs:880h ;get that byte that it checked for earlier +5. lodsb ;load a byte from ES:SI into al, increment si by 1 +6. xor al,bl ;xor al by bl +7. stosb ;store al to DS:DI, increment di by 1 +8. sub bl,22 ;decrement bl by 22h +9. loop 5 ;loop cx times. + +Now, step through this, watching what this does. +What does it do? +It decripts the data after the 0E0h, in the keyfile, using the above process. + +If you can't understand this, just keep watching it and debugging it, +because if you can't understand this, you won't be able to write a keygen. + +Now it has tried to decrypt your name, and what we're about to look at. 
+ +Check this code out: + cs:51DE BEBD00 mov si,00BD + cs:51E1 8BFE mov di,si + cs:51E3 B92800 mov cx,0028 + cs:51E6 2E8A1E8008 mov bl,cs:[0880] + cs:51EB 33D2 xor dx,dx + cs:51ED 33C0 xor ax,ax + cs:51EF AC lodsb + cs:51F0 03D0 add dx,ax + cs:51F2 E2FB loop 51EF + cs:51F4 2E3B14 cmp dx,cs:[si] + cs:51F7 7551 jne 524A + +Whats it doing? +You should understand the first 7 lines, actually, you should understand +the whole thing if you have a good grasp of Assembly. + +It adds all the bytes together of what "Should" be you name, into dx. +Then it compares dx to the number stored at cs:si. This is what is called +a CRC check. This is only a simple one, and all it does is check if any +of the bytes in the string have changed. + +If it is the same, it is ok, and continues, otherwise it quits. + +Now it sets cs:2220 to 01h, to tell the program it is registered. + cs:51FC 2EC606202201 mov cs:byte ptr [2220] +Then it checks the 0E0h byte. This is where we find out what it does. + cs:5202 2E803E8008E0 cmp cs:byte ptr [0880] + cs:5208 7424 je 522E +So we let it jump: + cs:522E BA9B22 mov dx,229B + cs:5231 E81D00 call 5251 + cs:5234 C3 ret +And it prints on the screen "REGISTERED VERSION". +So what do the other "0E?h" values do? +Go back and try the others to find out for yourself. + +IMPORTANT. +If you don't understand all of the above, go over and over it until you do. + + +2. Writing The KeyGen. + +Now I am going to get lazy. I will tell you what the steps are, +give you my commented source file, and leave you go from there. + +Here is what it is doing: +1. Open the Rego File. +2. Read the Header. +3. Check it. +4. Read the Rego Name and CRC. +5. Decrypt them. +6. Calculate the CRC. +7. Check the CRC. +8. Display the Rego type. +9. Continue on with the program. + +Here is what you have to do: +1. Read the Rego Name. +2. Calculate the CRC. +3. Encript the Rego name and CRC. +3. Store the Rego type. +4. Write the whole block (including the header) to the Rego file. 
+ +Now for the assembly file: +------------------------------------------------------------------------------- +.386p +seg_a segment byte public use16 + assume cs:seg_a, ds:seg_a + + org 100h + +xtract_keygen Proc Far +start: + mov dx,offset title_text ;load the startup banner + call print_text ;print it on the screen + mov dx,offset max_ent_length ;load the text entry offset + mov ah,0Ah ;function=get text string + int 21h ;get the text + cmp byte ptr entry_length,01h ;check if mor than 1 + ;character was entered + jae short reg_type_sel ;jump if 1 or more + mov dx,offset no_entry ;not enough was entered + jmp short exit ;jump to exit + +reg_type_sel: + mov dx,offset reg_type_text ;load rego type selection + call print_text ;display it + xor ax,ax ;clear ax + int 16h ;get a char from the keybd + int 29h ;display it + cmp al,31h ;check if its 1 + jl reg_type_sel ;jmp if lower than + cmp al,34h ;check if its 4 + ja reg_type_sel ;jmp if above +continue: + add al,0AFh ;add 0AFh to input, to get + ;"E" value. 
+ mov reg_type,al ;store it in the rego type + mov dl,0Ah ;1 These lines store + mov dh,al ;2 the rego type + mov bx,offset max_ent_length ;3 + mov [bx],dx ;4 + call make_key ;make the key + mov dx,offset done_text ;load done text +exit: + call print_text ;display the output result + retn ;exit to dos/windoze +xtract_keygen endp + +print_text proc near ;put text up on the + mov ah,9 ;screen + int 21h + retn +print_text endp + +make_key proc near + mov si,offset name_input ;this should look + mov dx,si ;familiar :) + mov cx,28h ; + mov bl,reg_type ; + xor dx,dx ; + xor ax,ax ; +crc_loop: ; + lodsb ; + add dx,ax ; + loop crc_loop ; + mov bx,offset checksum_dat ; + mov [bx],dx ;store the crc + + mov si,offset name_input ;this should also look + mov di,si ;familiar :) + mov cx,2Ah ; + mov bl,reg_type ; +encription_loop: ; + lodsb ; + xor al,bl ; + stosb ; + sub bl,22h ; + loop encription_loop ; + + mov ah,3Ch ;open the file to write + mov dx,offset key_name ; + int 21h ; + xchg bx,ax ;put filehand in bx + mov ah,40h ;write the key to disk + mov dx,offset key_data ; + mov cx,0C5h ; + int 21h ; + mov ah,3Eh ;close the file handle + int 21h ; + retn +make_key endp + +title_text db 'X-Tract 1.51 Key File Generator by XLogic', 0Dh, 0Ah +name_prompt db 'Enter your name: $' +reg_type_text db 0Dh,0Ah,'Please Choose Registration Type:',0Dh,0Ah + db '1. Registered Version',0Dh,0Ah + db '2. Beta-Test Version',0Dh,0Ah + db '3. Distro-Site Version',0Dh,0Ah + db '4. 
Special Version',0Dh,0Ah + db 'Enter the number corresponding to the type: $' +no_entry db 0Dh,0Ah,'You must enter a name.$' +done_text db 0Dh,0Ah,'Key file X-TRACT.KEY created.$' +key_name db 'X-TRACT.KEY',0 +reg_type db 0 +key_data dd 073696854h,020736920h,072756F79h,067657220h,072747369h,06F697461h,0656B206Eh,06F662079h + dd 02D582072h,043415254h,050202E54h,07361656Ch,064202C65h,06F6E206Fh,069642074h,069727473h + dd 065747562h,021746920h,063280A0Dh,039312029h,062203439h,06F572079h,02C79646Fh,065754220h + dd 020736F6Eh,065726941h,041202C73h,04E454752h,0414E4954h,06150202Eh,0206F6C62h,06576694Ch + dd 06F532073h,06877656Dh,020657265h,054206E49h,054206568h,02E656D69h + db 0Dh +max_ent_length db 26h +entry_length db 0 +name_input db 40 dup ('$') +checksum_dat db 2 dup (0) +seg_a ends + end start +------------------------------------------------------------------------------- + +Ok, there it is in all its glory. I hope you've learned something from this, +and if you did, let me know. If you didn't, good for you. Tell me how to +improve this tutorial. + +I can be contacted in #PC97 or #cracking on EFNET. + +Cya Round. + +XLogic. + diff --git a/textfiles.com/piracy/CRACKING/begcrck.txt b/textfiles.com/piracy/CRACKING/begcrck.txt new file mode 100644 index 00000000..e8bde12b --- /dev/null +++ b/textfiles.com/piracy/CRACKING/begcrck.txt 
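Review bot: the segment/index pairs in the string-instruction explanations are swapped, and the walkthrough only works because `push cs / pop ds / push cs / pop es` makes DS=ES=CS in the target: `rep cmpsb` compares DS:SI (00BD, the key data just read) against ES:DI (2155, the expected header), not `DS:DI` and `ES:SI` as written, and `lodsb` loads from DS:SI while `stosb` stores to ES:DI, the reverse of the comments in the decryption breakdown (`load a byte from ES:SI`, `store al to DS:DI`). The keygen source relies on the same default (make_key never sets ES), which is only safe because a .COM starts with CS=DS=ES; that assumption should be stated. In make_key, `mov dx,si` is a dead store immediately overwritten by `xor dx,dx`. Terminology: the loop at cs:51DE is a plain byte sum, not a CRC, and calling it "a CRC check" will mislead readers who later meet real CRCs. Numbering: there are two sections headed "2." and two steps numbered "3." in the keygen step list.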
@@ -0,0 +1,1616 @@ + A Beginners Guide to Cracking + + + + Chapter 1 Overview + + Chapter 2 Some tips on how to use the debugger + + Chapter 3 Some basic cracking techniques + + Chapter 4 Walk through of an easy crack + + Chapter 5 How to use the disk editor + + Chapter 6 Other cracking tools + + Chapter 7 Source code to a simple byte patcher + + Chapter 8 Conclusion + + + Programs included with this guide + + + UNP411.ZIP An important Cracking tool + + SS33S.ZIP Another importnat Tool + + BUDGET.ZIP Program to crack for the walk through + + + + +CHAPTER 1 OVERVIEW +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +You might be wondering what type of programming skills you need to become a +cracker. Knowing a higher level language such as Basic, Pascal, or C++ will +help you somewhat in that you will have an understanding of what's involved in +the process of writing a program and how certain aspects of a program +function. If you don't have any programming skills at all, you have a long +road ahead of you. But even if you can program in a high level language, in +order to crack you have to know assembly... + +It really doesn't matter what language a program was written in in order to +crack it, because all programs do the same thing. And that is issue commands +to the microprocessor. And all programs when broken down to their simplest +form are nothing more than a collection of 80XXX instructions and program +specific data. This is the level of assembly language. In assembly you have +total control of the system. This is also the level that the debugger operates +at. + +You don't have to become a master at assembly to crack a program, but it +helps. You do need to learn some rudimentary principles, and you absolutely +have to become familiar with the registers of the cpu and how the 8088 +instruction set uses them. There is no way around this. + +How proficient you are at assembly will determine how good of a cracker you +become. 
You can get by on learning a few basic instructions, how to use a +debugger, and one or two simple techniques. This will allow you to remove a +few shareware nag screens, and maybe you'll luck out and remove the copy +protection from a game or two, but that's it. + +As soon as a programmer throws some anti-debugging code into a program or +starts revectoring interrupts, you'll be whining for someone to post a crack +for this or that... And you can forget about ever learning to crack windows +programs. + +It's much much easier to learn to crack in DOS than windows. DOS is the +easiest environment to debug in. This guide will focus on DOS programs as +cracking windows apps is a little bit overwhelming unless you are already an +experienced cracker. And if you are, your wasting your time by reading this. +This manual is geared towards the raw beginner who has no clue as to where to +start and needs a little hand holding in order to get going. + +There are several good beginners manuals out there, but most of them assume a +person has at least some experience in cracking or knows how to use the +different tools of the cracker, and the raw beginner usually becomes +frustrated with them very quickly because they don't understand the concepts +contained in them. + +I wrote this guide as sort of a primer for the beginner to read before reading +the more comprehensive guides. I tried to keep it as simple as possible and +left a great deal of information out so as not to overwhelm anyone with too +much information at once. Hopefully after reading this guide it will be easier +for the beginner to understand the concepts of the more arcane guides out +there. So if you are reading this and it seems a little bit remedial, +remember, at one time you didn't know what a debugger was used for either. + +Now in case your not familiar with the debugger and disk editor and what their +different roles in cracking are, I'll give a brief explanation of each. 
As +these are the crackers most used tools. + +The debugger is what you will use to actually crack the program. When you load +a program you wish to crack into the debugger, it will load the program and +stop at the first instruction to be executed within the code segment. Or, you +can also optionally break into an already running program and it will halt the +program at the instruction you broke into it at and await further input from +you. At this point, you are in control of the program. + +You can then dynamically interact with the program and run it one line of code +at a time, and see exactly what the program is doing in real time as each line +of code is executed. You will also be able to re-assemble instructions (in +memory only), edit the contents of memory locations, manipulate the cpu's +registers, and see the effects your modifications have on the program as it's +running. This is also where all your system crashes will occur... There is a +lot of trial and error involved in cracking. + +As stated above, the debugger will only modify the program while it's up and +running in memory. In order to make permanent changes, you need to load the +program file to be patched into the disk editor and permanently write the +changes you've made to disk. A detailed explanation of how to do this will be +made in chapter 5. + +So, with this in mind, you need a few essential tools... The first one is a +good debugger. The original draft of this guide gave explicit instructions on +how to use my favorite debugger. After considerable deliberation, I decided to +re-write it and make the instructions more generic so you could apply them to +most any debugger. You will also need a disk editor, it doesn't matter which +one you use as long as it will load the program file, search for and edit the +bytes you want to change. + +I uuencoded a few cracking tools that you will find indespensible and placed +them at the end of this guide. 
I won't go into the use of the cracking tools +right now. But believe me, you absolutely need one of them, and the other one +will save you a lot of effort. I also uuencoded the program that we will crack +in the walk through and included it in this guide as well. + +As you get better, you'll have to write programs that will implement your +patches if you decide to distribute them. The patches themselves don't have to +be written in assembly. + +The source code I included in this manual for the byte patcher is the first +patcher program I ever wrote, and is extremely simple. It's written in +assembly because that's the only language I know how to program in. but if you +are already proficient in a higher level language, it should be trivial for +you to duplicate it's methods in your preferred language. + + + + +CHAPTER 2 SOME TIPS ON HOW TO USE THE DEBUGGER +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +Ok, before I begin, I'd just like to stress how important it is that you know +at least some assembly before trying to continue. If you don't, you will get +lost pretty quick from here on out. Comprehension of the base 16 (hexadecimal) +number system is also required. + +I'm not about to give a remedial course on assembly or hex math, that would +take too long and I'd probably leave too many questions un-answered. Besides, +there is enough information on them available from a myriad of other sources. + +So, from now on in this guide, I'm assuming you have a fair working knowledge +of assembly and hexadecimal. If I say something you don't understand or you +cannot grasp some concept, look it up somewhere... + +I've tried to make this section as generic as possible. I used general +descriptions when explaining HOTKEYS and COMMANDS as different debuggers will +use different keys and command syntax to implement these functions. 
+ +You should be able to translate these instructions to the actual key strokes +and commands that your debugger uses... If you don't know how to use a +debugger, PAY ATTENTION!!! If you already know how to use a debugger you can +skip this section as it is only a general overview of different windows and +functions designed for the absolute beginner who has no clue as to what he is +looking at. + +The reason I included this section is because most manuals for debuggers tell +you how to use the various features of the debugger, but they don't give any +insight on how to apply those features, as they assume the person reading them +already knows how to debug a program. + +First, I'll give an overview on the different windows that most debuggers use. + + +REGISTER WINDOW: + +The register window contains the general purpose and flags registers of the +cpu. You will notice that the general purpose registers contain hexadecimal +values. These values are just what happened to be in there when you brought up +the debugger. you will also notice that some of the flags are highlighted +while some are not. Usually, the highlighted flags are the ones that are SET. +While the ones that are not highlighted are CLEARED. The layout of this window +will vary from debugger to debugger, but they all basically are the same. + +From this window you will be able to manipulate the contents of the cpu's +registers. some debuggers accomplish this by clicking on the register to +modify with the mouse and then entering a new value. Other more powerful +debuggers use a command line interface, you'll have to discover how your +debugger goes about this yourself. + +You can change the values of the registers while debugging a program in order +to change the behavior of the running program. Say you come across a JNZ +instruction (jump if not zero), that instruction makes the decision on whether +or not to make the jump based on the state of the (Z)ero flag. 
You can modify +the condition of the (Z)ero flag in order to alter the flow of the programs +code. + +By the same token, you can modify the general purpose registers in the same +manner. Say the AX register contains 0000, and the program bases it's actions +on that value, modifying the AX register to contain a new value will also have +the effect of modifing the flow of the code. After you become comfortable with +using a debugger you'll begin to appreciate just how powerful this window is, +and you'll aslo discover soon enough just how totally it can screw your +system. + + +DATA WINDOW: + +The data window will display data as it exists in memory. From this window you +can usually display, search, edit, fill, and clear entire ranges of memory. +The two most common commands for this window are display and edit. The search +command is also useful in cracking. But for the level of debugging I'll be +teaching you in this guide, we won't make much use of this window. You have a +lot to learn before this window becomes an asset to you. + + +CODE WINDOW: + +The code window is the window in which you will interact with the running +program. This is the most complex window, and it is where the bulk of +debugging occurs. I'll just go over some keystrokes and a few commands here, +as the majority of learning how to use this window will come when I show you +how to crack a program. + +The layout of the window is pretty simple, the group of 8 numbers with the +colon in the middle of them to the far left of the window is the +address:offset of that line of code. Each line of code in this window is an +instruction that the program will issue to the microprocessor, and the +parameters for that instruction. The registers that contain the address for +the current instruction waiting to be executed are the CS:IP registers (code +segment and instruction pointer). 
+ +You will also notice a group of hex numbers to the right of the addresses, +this group of numbers is the hexadecimal equivalent of the mnemonic +instructions (pronounced new-mon-ik). The next group of words and numbers to +the right of the hex numbers are the mnemonic instructions themselves. + +HOTKEYS AND COMMANDS: + +Now we'll move onto the HOTKEYS. I won't go into all of them, only the most +useful ones, same for the commands. + +The RESTORE USER SCREEN KEY: This key will toggle the display between the +debugger and the program you are debugging without actually returning control +to the program itself. it's useful to check what the program is doing from +time to time, especially after stepping over a CALL. + +The HERE KEY: This key is the non-sticky breakpoint key. To use it, Place the +cursor on a line of code and hit it. The program will then run until it +reaches that line. When (and if) the program reaches that line, program +execution will halt, control will be returned to the debugger and the +breakpoint will be removed. + +The TRACE KEY: This key will execute one line of code at a time and will trace +into all calls loops and interrupts. + +The BREAKPOINT KEY: This is the sticky breakpoint key. This will enable a +permanent (sticky) breakpoint on the line of code that the cursor is on. When +a sticky breakpoint is enabled, program execution will halt and control will +be returned to the debugger every time that line of code is encountered within +the running program until you manually remove it. + +The SINGLE STEP KEY: The most used key on the keyboard. This key will execute +one line of code at a time but will not trace into calls loops or interrupts. +When you step over a call interrupt or loop with this key, all the code +contained within the sub-routine is executed before control is returned to the +debugger. If the program never returns from the sub-routine, you will lose +control and the program will execute as normal. 
+ +The RUN KEY: This key will return control to the program being debugged and +allow it to execute as normal. Control will not be returned to the debugger +unless a breakpoint that you've set is encountered. + +Now for a few commands. The GO TO command functions like the HERE key in that +it will insert a non-sticky breakpoint at the specified address. + +When you enter this command the debugger will return control to the program +until the line of code you specified in the GO TO command is reached. When +(and if) the CS:IP registers equal the address you typed in, the program will +halt, control will be returned to the debugger and the breakpoint will be +removed. + +You might be wondering why you would want to type all this in when you can +just hit the HERE KEY instead. The answer is this; the HERE KEY is great if +you want to set a local breakpoint. By a local breakpoint I mean that the +breakpoint you want to set is somewhat close to your current location in the +program. + +But what if you want to set a breakpoint on a line of code that isn't in the +current code segment? You wouldn't want to use the HERE KEY cause the address +is no where near the point you are at in the program. This, among other uses +is where the GO TO command comes in. + +The ASSEMBLE command is the command you will use to re-write the programs +instructions. This command will allow you to assemble new instructions +beginning at the address you type in, or at the current CS:IP. The +instructions you enter will replace (in memory only) the existing program code +at the address you specified. This is another method you will use to alter the +running program to behave as you wish and not as the programmer intended it +to. + +EXAMPLE: Lets say that there is a line of code that reads JNZ 04FC, and we +want to change it to read JMP 04FC. You would issue the ASSEMBLE command and +specify the address of the code you wish to change, then type in JMP 04FC. 
+Now the line of code in the code window who's address you specified in the +ASSEMBLE command will be overwritten with the code you typed in. Some +debuggers automatically default to the address contained in the CS:IP for this +command. + +There are a whole host of other commands available in this window depending on +what debugger you are using, including commands to set breakpoints on +interrupts, memory locations, commands that list and clear breakpoints, +commands to un-assemble instructions etc etc... + +Well, that's pretty much it on debuggers without going into explicit +instructions for specific debuggers. The only other thing I can tell you is +that the more you use it, the easier it'll get. Don't expect to become +familiar with it right away. As with anything, practice makes perfect. It's +taken me 5 years and thousands of hours of debugging to reach the level I'm at +now. And I still learn something new, or re-learn something I forgot on just +about every program I crack. + + + +CHAPTER 3: SOME BASIC CRACKING TECHNIQUES +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +The first thing I want to do before going into some simple techniques is to +explain the purpose of one of the uuencoded cracking tools at the end of this +guide. And also to go over some general procedures you should perform before +actually loading a program you wish to crack into the debugger. + +Nowadays a lot of programmers will compress the executable files of their +programs to save space and to make it difficult for people who don't know any +better to hack those files. There are a lot of losers out there who will get +ahold of a program and lacking any skill or talent of their own, will load the +program into a disk editor and hex edit their name into it. Or they will make +other similarly feeble modifications. + +This is the reason I encrypt all of the cracks that I distribute. 
The routines +I write are not that hard to defeat, but I figure anyone with the skill to +crack them is far above having to hack their name into them... + +Ok, back to the file, the name of the program is UNP and it is an executable +file expander. It's purpose is to remove the compression envelope from +executable programs. And it supports most of the compression routines +currently in use... + +A lot of the compression routines will cause a debugger to lock up if you try +to step through the compressed file, especially PKLITE v1.15. And seeing as +how the file is compressed, if you load it into a disk editor it will just +look like a bunch of garbage and you'll not be able to find the bytes you want +to edit anyway. + +UNP is very easy to use, just type UNP [filename] and if there is any type of +compression envelope that UNP understands on the file, UNP will remove it. You +can then load the file into a debugger and hack away... + +But before you load a program into the debugger you should run the program a +few times and get a feel for it. You want to see how the protection is +implemented. Whether it's nag or delay screens and at what point in the +program they fist appear, or where in the program does the first mention of +being unregistered or an evaluation copy appear? + +This is important. Because before the program displays the first mention of +being unregistered, it has to do the protection check. and this is where you +will usually want to concentrate. Also look for registered functions being +disabled, and sometimes date expirations. The program could also be looking +for a registration key. + +In the case of commercial software what type of copy protection is used? Is it +a doc check, or does the program want you to input a serial number before it +will install itself? Once you see how and where the offending routines are +implemented you can begin to develop an overall strategy on the best approach +to circumvent them. 
It's also a good idea to read the docs, you can pick up a +lot of useful info from doc files. + +There are basically three categories that shareware programs fall into... They +are begware, crippleware, and deadware. + +The begware category is comprised of programs that have all the registered +features enabled but every time you run them they will display screens that +bug you to register. This is usually the easiest form of protection to remove +and it's the type I'll go over in the walk through. + +The crippleware category is comprised of programs that in the unregistered +version have certain functions disabled, and maybe nag screens as well. This +type of protection can be more complex, but often times is just as easy to +defeat as a simple nag screen. + +The deadware category is comprised of programs that are totally stripped of +the code for the registered features so there is really nothing to crack. A +good example of this is DOOM by ID software. You can get the shareware version +just about anywhere, however no matter how much you hack at it you cannot make +it into the commercial version cause it only contains the code for the first +episode. + +The sample code fragments in this section are not taken from actual programs. +I just made them up off the top of my head while I was writting this guide, +and there are bound to be some errors in them. Please dont write me and tell +me this, I already know it. + +Most forms of copy protection have one weak spot, and this is the spot you +will concentrate on. They have to perform the protection check and then make a +decision based on the results of that check. And that decision is usually a +conditional jump. If the check was good the program will go in one direction, +if it was bad it will go somewhere else. + +So, you've run the program through a few times and you know at what point the +routines you want to modify first appear, you've also run UNP on it and have +removed any compression envelopes. 
Now you load the program into the debugger +and wonder what to do next... + +What you want to do is to step through the code until something significant +happens like a nag screen gets displayed, or a doc check comes up or the +program tells you that the function you just tried to use is only available in +the registered version. When you reach that point you can then start to +evaluate what portion of code to begin studying. + +Let's say you have a program that displays a nag screen and you want to remove +it. You step through the program until the nag screen pops up, you now think +you know the location of the instructions that are causing it to be displayed. +So you reload the program and trace back to a point a few instructions before +the call to the nag screen, and this is what you see: + +09D8:0140 CMP BYTE PTR [A76C],00 +09D8:0145 JNZ 014B +09D8:0148 CALL 0C50 +09D8:014B MOV AH,18 + +Now, let's assume that the memory location referenced by the first line of +code does indeed contain 00 and that it is the default value placed in there +by the programmer to indicate that the program is unregistered. + +The first line of code is checking the value contained in the memory location +to see if it is 00 or not. If the location does contain 00, the compare +instruction will cause the Zero flag to be set. If the location contains any +other value than 00, the Zero flag will be cleared. + +The second line of code makes the decision on how to proceed based on the +results of the compare instruction. The JNZ instruction will make the jump to +the fourth line of code if the zero flag is cleared. This will bypass the call +to the nag screen on the third line. If the zero flag is set, no jump will +occur and the call will be made. + +The third line of code contains the call to the nag screen. If it is executed +the nag screen will be displayed. The fourth line of code is just the next +instruction in the program. 
+ +Once you have found and analyzed this piece of code within the program, you +can now decide on how to bypass the call on the third line. There is no single +way to do this. I can think of a half dozen different ways to patch the +program so it will not make the call. But there is a best way... + +First, you could just replace the JNZ 014B with JMP 014B. This is an +unconditional jump and it will bypass the call on the third line no matter +what the memory location that the first line of code is referencing contains. + +You could also change it to read JZ 014B so that the jump will be made if the +location contains 00, and not the other way around. You could even change the +CMP BYTE PTR [A76C],00 instruction to JMP 014B. + +Or you could just NOP out the call on the third line altogether seeing as how +it's a local call. By a local call I mean that the code contained within the +call resides in the same code segment as the call instruction itself. + +This is an intersegment call. You will see other calls that reference lines of +code outside of the current code segment. These are intrasegment calls, and +have to be handled differently. They will look something like CALL 0934:0AC5, +or CALL FAR 0002. I'll go over how to handle intrasegment calls later on. + +NOP is short for no op-code, and it is a valid instruction that the +microprocessor understands. It is only one byte in length, and the call +instruction is three bytes in length. So if you wanted to nop out the call +instruction you would have to enter the NOP instruction three times in order +to replace it. And if you replaced the CMP BYTE PTR [A76C],00 with JMP 014B, +you would have to pad it out with a few nop's as well. + +The compare instruction is 5 bytes and the jump instruction is only 2 bytes, +so you would have to add 3 nops in order to equal the length of the original +compare instruction. 
Otherwise you would throw off the address of every +instruction after it in the program and end up with a bunch of unintelligible +garbage. Not to mention a major system crash... + +When the NOP instruction is encountered no operations will take place and the +CS:IP will then be incremented to the next instruction to be executed. A lot +of compilers leave nop's in the code all the time and it's a great instruction +you can use to wipe out entire lines of code with. + +The above methods of bypassing the call are called 'dirty' cracks in that they +have only modified the end result of the protection check and have done +nothing to alter the actual protection check itself. + +All the techniques I showed you above are only implemented after the check is +made. They will bypass the nag screen, but what if the program also has +registered features that are disabled or displays another nag screen upon +exit? The above methods only remove the original nag screen and don't address +the reason the screen is being displayed in the first place. + +A much cleaner way to crack the above piece of code would modify the cause and +not the effect. And could be written like this: + + original code new code + +09D8:0140 CMP BYTE PTR [A76C],00 09D8:0140 MOV BYTE PTR [A76C],01 +09D8:0145 JNZ 014B 09D8:0145 JMP 014B +09D8:0148 CALL 0C50 09D8:0148 CALL 0C50 +09D8:014B MOV AH,18 09D8:014B MOV AH,18 + +Remember that the protection check is basing it's actions on the value +contained in the memory location that the first line of code is checking. The +original code displayed the nag screen if the value of that location was 00, +meaning it was unregistered. So that means a value of 01 indicates a +registered copy. It could be the other way around as well, it just depends on +how the programmer worded the source code. But we know in this case that +00=false so 01=true. These are Boolean expressions and most compilers use the +AX register to return these values. 
+ +By changing the first line from CMP BYT PTR [A76C],00 to MOV BYTE PTR +[A76C],01 the program no longer performs the protection check. Instead, it +places the correct value in the memory location to indicate a registered copy. +Now if the program checks that memory location again later on it will think +that it is registered and activate all of it's disabled features, or not +display a second nag screen upon it's exit if it has one. + +I changed the second line of code to an unconditional jump because the compare +instruction on the first line no longer exists, and the conditional jump on +the second line may still access the call to the nag screen on the third line +if the Z flag was already set before the old compare instruction was +encountered. + +Don't think that all programs are this easy, they're not. I just +over-simplified this example for instructional purposes. And I really wouldn't +patch the code like that, although the last method should work fine for all +registered features to be enabled. Remember I told you there was a best way to +crack this? + +What I would actually do is to trace further back into the program and find +the line of code that sets up the memory location referenced by line one of +the code for the protection check in the first place and modify it there. This +is an example of a 'clean' crack. + +I just did it in the above manner to try and show you the difference between +clean and dirty cracks without totally confusing you. And to give you a +general idea on how to creatively modify existing code. + +If you are using soft ice as your debugger, an easy way to find the +instruction that sets up the memory location for the protection check is to +set a breakpoint on the location when it gets 00 written to it. The syntax +would be BPM XXXX:XXXX W EQ 00, where XXXX:XXXX is the address of the memory +location referenced by the compare instruction on line 1. 
+ +Now when the program wrote 00 to that memory location, soft ice will pop up +and the CS:IP will be sitting at the next instruction after the one that wrote +00 to the memory location. You will now be able to evaluate the code around +the instruction that writes to the memory location and decide on how to +proceed. + +This also could just be a general purpose location that the program uses for +generic references (especially if it's in the stack segment), and it could +write 00 to it several times throughout the course of the program for a +variety of different functions. You should let the program run normally after +soft ice broke in to see if it will trigger the breakpoint again. If it +doesn't you know that the location is only used for the protection check. But +if the breakpoint gets triggered several more times, you will have to figure +out which set of instructions are being used to set up for the protection +check before proceeding. + +The above examples were based on shareware programs. Now I'll go over a few +techniques to remove copy protection from commercial games that have doc +checks in them as the methods are slightly different... + +shareware programs are usually coded so that they check a variable in memory +before deciding if they are registered or not and how to proceed. Commercial +games with doc checks take a different approach as they check nothing before +calling the copy protection. It always gets called every time you play the +game no matter what. As a result, the doc check routine is usually easier to +find, and there are basically two types of doc checks... The passive check, +and the active check. + +The passive doc check is easier to defeat than the active. In the passive doc +check, the program will issue a call to the copy protection routine. And if it +is unsuccessful will either abort the program, or loop back to the beginning +of the routine and give you a few more tries before aborting. 
The entire +protection routine will be included in a single call, so merely nopping out +or bypassing the call will be sufficient to remove the copy protection. + +A few good examples of this are Spear of Destiny by ID, and the Incredible +Machine by Sierra. Yes I know that they are old, but if you happen to have a +copy of either one laying around they are excellent examples of passive doc +checks to practice on. + +Look at the following piece of code: + +0277:01B5 MOV [AF56],AX +0277:01B8 PUSH BX +0277:01B9 PUSH CX +0277:01BA CALL 0234 +0277:01BD POP CX +0277:01BE POP BX +0277:01BF JMP 0354 + +The first three lines of code are just setting up for the call, the call on +the fourth line is the protection check itself. It will display the input +window asking for a word from the manual, will perform the protection check, +and will display an error message if you input the wrong word. It can also +optionally give you a few more tries if you type in the wrong word. + +If you fail the protection check, the program will abort without ever having +returned from the call. The fifth, sixth, and seventh lines are the next +instructions to be executed if the protection check was successful and the +program returns from the call. + +This type of protection is trivial to defeat, all you have to do is the +following: + + original code new code + +0277:01B5 MOV [AF56],AX 0277:01B5 MOV [AF56],AX +0277:01B8 PUSH BX 0277:01B8 PUSH BX +0277:01B9 PUSH CX 0277:01B9 PUSH CX +0277:01BA CALL 0234 0277:01BA NOP +0277:01BD POP CX 0277:01BB NOP +0277:01BE POP BX 0277:01BC NOP +0277:01BF JMP 0354 0277:01BD POP CX + 0277:01BE POP BX + 0277:01BF JMP 0354 + +Simply nopping out the call to the protection routine will be sufficient to +crack this type of doc check. No window asking for input will appear, and the +program will continue on as if you had entered the correct word from the +manual. 
Remember that I told you that the NOP instruction is only one byte in +length, so you have to enter as many nop's as it takes to equal the length of +the code you are modifying. + +The active doc check is more complex. The program will issue the check and +unlike the passive protection, will set a variable in memory somewhere and +reference it later on in the program. + +You can crack this type of protection somewhat using the methods for the +passive check and it might run fine for a while. But if you didn't crack it +right, later on when the next episode gets loaded or you reach a crucial point +in the game, the program will reference a memory location and bring up the +copy protection again, or abort. This type of protection is more akin to how +most shareware programs operate and MUST be done with a CLEAN crack. + +Look at the following piece of code: + +0234:0B54 MOV CX,0003 ;Sets up to give you three tries +0234:0B57 DEC CX ;deducts one for every time through the loop +0234:0B58 JCXZ 031A ;when CX=0000, program will abort +0234:0B60 PUSH CX ;just setting up for the call +0234:0B61 PUSH DS ; " " +0234:0B62 PUSH ES ; " " +0234:0B63 CALL 035F:112D ;call to input window and validation routine +0234:0B68 OR AL,AL ;seeing if check was successful +0234:0B6A JNZ 0B6E ;yes, continue on with the program +0234:0B6C JMP 0B57 ;no, set up for another try +0234:0B6E CALL 8133 ;next line in the program if check was good + +The above code is the outer loop of the protection routine. Look at the call +on the seventh line and the compare instruction on the eighth line. When the +call to the input routine or in the case of shareware, the check routine is +paired with a compare instruction in this manner, You can bet that the program +set a memory variable somewhere inside the call. Especially suspicious is the +unconditional jump on line 10 that jumps backwards in the code. 
+ +This won't always be the case as no two programs are alike, and simply +changing line 9 of the code from JNZ 0B6E to JMP 0B6E to force the program to +run even if you fail the doc check may allow the program to run just fine. +Let's say that this is how you patched the program and it runs. Great, your +work is done... But what if before the first level loads, or at some other +point within the program the input window pops up again asking for a word from +the manual? + +You realize that you should have patched it right in the first place as you +now have to go back in there and fix it. This is why so many groups have to +release crack fixes, they patch the program in a hurried manner and don't even +run it all the way through to see if it's going to work. + +Ok, back to the problem at hand... The above method of patching the program +didn't work, so you now have to load the program back into the debugger and +trace into the call on line seven to see whats going on in there. And you +can't NOP this kind of call out either, this is an intrasegment call. + +Certain things in programs get assigned dynamic memory locations, and +intrasegment calls are one of those things. When the program gets executed, +the code segment, data segment, extra segment, and stack segment get assigned +their respective addresses based on the memory map of your computer. + +And when a program does a FAR call (a call to a segment of memory outside the +current code segment), The program goes to the address that was assigned to +that segment at run time. The CS, DS, ES, and SS will be different on every +computer for the same program. + +And seeing as how these addresses don't get assigned until run time, the +actual bytes for the addresses of far calls don't exist in the program file as +it resides on your disk. That's why you can't just NOP a CALL FAR instruction +out. 
+ +However, the bytes for calls that are within the same segment of code as the +calling instructions themselves will be contained within the file as it +resides on disk. And that is because even though the program doesn't get the +addresses for the actual segments until run time, the offsets within those +segments will always be the same. + +Back to the example, let's say you've traced into the call on line seven and +this is what you see: + + +035F:112D MOV [324F],BX ; +035F:1131 CMP BYTE PTR [BX+06],03 ; just some error checking +035F:1135 JNZ 0339 ; + +035F:1137 CALL F157 ; call to the input window that + ; asks you to type a word in from + ;the manual + +035F:113A MOV DI,[0332] ; this routine is comparing the +035F:113D MOV ES,DX ; word you typed in to a word +035F:1140 MOV DS,BX ; in memory that the program is +035F:1144 MOV SI,[0144] ; referencing. As long as the +035F:1148 MOV CX,[0097] ; bytes match the loop will +035F:114C REPE CMPSB ; continue. + +035F:114F JCXZ 1154 ; This is the routine that sets +035F:1151 JMP 1161 ; the memory variable. 01 will be +035F:1154 MOV AX,0001 ; placed in it if you typed in +035F:1159 MOV [0978],AX ; the correct word. 00 will be +035F:115E JMP 116B ; placed in it if you typed in +035F:1161 MOV AX,0000 ; the wrong word. +035F:1166 MOV [0978],AX ; + +035F:116B POP ES ; setup to return from call +035F:116C POP DS ; " " +035F:116D POP CX ; " " +035F:116E RETF ; return from call + + +Again, this code is over simplified as I figured all of the code would be +overwhelming and really is not needed to get my point across. And as I've +stated before, every program will be different anyway, so the actual code +wouldn't help you. Instead, I want to give you a general overview on what to +look out for. + +So, what do you think is the best way to patch the above piece of code? Take a +few minutes to study the code and formulate some ideas before reading on. Then +compare your methods to mine. 
And remember, as with any code there is no +single way. But as always, there is a best way... I'll go over few of them one +at a time, starting with the dirtiest and finishing up with the cleanest. + +The dirtiest crack for this piece of code also happens to be the method you +will use to nop out intrasegment calls. It really isn't nopping out, but +seeing as how you can't nop it out, just let the program make the call and +change the first line of the code within the call to RETF. This will return +from the call without ever having executed any of the code contained within +it. + +In the case of registers needing to be restored as in the above code, change +the first line of code to jump to the part of the routine that restores the +registers for the return. However, in the above example if you use this method +and just return from the call without executing any of the code, you will also +have to patch the outer loop as well. + +Remember that this call only displays the input window and sets the memory +variable. The outer loop of the routine makes the decision on how to proceed +based on the results of the call. + +To do this, you would change line one of the call from MOV [324F],BX to JMP +116B. This will restore the registers and return from the call without ever +having executed any of the code within the call. But seeing as none of the +code got executed, you'll have to patch line 9 of the outer loop from JNZ 0B6E +to JMP 0B6E as you now need an unconditional jump to force the program to +continue. This doesn't address the problem of the memory variable though, and +the program won't be completely cracked. That's why if you did it like this +you would end up releasing a fix. + +A cleaner crack would be to change line 11 of the call from JCXZ 1154 to JMP +1154. Now when the window pops up and asks for a word, it will set the correct +memory variable and the program will run no matter what word you type in. 
This +method is still not desirable because the end user will get the input window +and have to type something every time they play the game. + +The cleanest way to crack this, and the way I would do it is to change line 4 +of the call from CALL F157 to JMP 1154. This method will totally bypass the +input window, place the correct variable in memory and return from the call +without the end user ever having seen even a hint of copy protection. + +With this method, the outer loop does not need to be patched cause the program +now thinks that it displayed the input window and the correct word was typed +in. Now when the program checks that memory variable later on, it will think +that you successfully passed the original check and skip the second protection +check. + +There is also an added benefit to the last method... Some games will bring up +the protection check between each and every level of the game even though you +type the correct word in every time. But if you've completely killed the +routine as in the last example, you'll never be bothered by it again no matter +how many times the program tries to bring it up. + +Please be aware of the fact that these are not the only methods that +programmers will use in copy protection schemes. These are just the basics and +there are several variations on these routines. The only way to be able to +know what any given routine is doing at any time is to master assembly +language. + +Before we move onto the walk though, there is one other technique I want to go +over with you. And that is how to get out of a loop. You will get stuck in +loops constantly during the course of debugging a program and knowing how to +get out of them will save you a lot of time and frustration. You will find +that programs contain loops within loops within loops etc... Some loops can +execute hundreds of times before the program will advance, especially ones +that draw screens. 
+ +When you realize that you are stuck in a loop, execute the loop several times +and keep an eye on the highest address the loop reaches before jumping +backwards within the code. Once you have found the end of the loop, write down +the address of the jump that re-executes the loop, and then look for +conditional jumps inside the loop that will put you past the address of that +backwards jump. You will want to set a breakpoint on the address this +instruction jumps to and then let the program run normally. The HERE KEY is +excellent for this type of situation. + +If you guessed right, control will be returned to the debugger when the +program reaches that instruction. If you guessed wrong, you will lose control +of the program and will have reload it and try again. This is where writing +down the address comes in handy, just reload the program and then issue the GO +TO command and supply it the address of the backwards jump that you wrote +down. + +The program will run until it reaches that address and control will then be +returned to the debugger. This will save you from having to trace all the way +through the code again in order to reach the point where you lost control of +the program in the first place. You could just use sticky breakpoints instead, +but what you will end up with is a half dozen or so breakpoints in as many +different locations in the code, and it's very easy to loose track as to which +breakpoint is which. + +That's why I use non-sticky breakpoints and write down the address I'm +currently at before executing suspicious looking calls and jumps. My desk is +usually scattered with scraps of paper filled with notes and addresses. I only +use sticky breakpoints for specific situations. It's much easier to just +reload the program and use the GO TO command to get back to the point in the +program where I lost control. 
+ + + +CHAPTER 4 WALK THROUGH OF AN EASY CRACK +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +First of all, I want to go over some of the criteria I used in choosing the +program I used for the walk through. An important factor was the programs +size. I want to keep this manual as small as possible, and I chose the program +that is included in this guide because among other things it is the smallest +one I could find that best illustrated the example of a simple nag screen. + +Whether or not the program was one that you would actually find useful was not +a consideration, as you should eventually be able to crack just about any +program you wish if your serious about cracking. If you come across a program +that has you stumped, leave it alone for a while and then try again after +you've cracked something else. You may find that whatever you were having +problems with is now easier to understand. + +Before we start I want to go over one other thing. When you load a program +into a debugger, the debugger will load the program and halt at the very first +instruction to be executed within the program. You can also at this point let +the program run normally and then break back into it at a later point. + +When you use the second method it will halt the program at the current +instruction and return control to the debugger, but you may not end up in the +program itself. You could have broken into the program while it was in the +middle of executing either a DOS or BIOS interrupt, and the code you are in +belongs to either DOS or BIOS and not the program you are debugging. + +You can tell by looking at the addresses of the instructions in the code +window where you are, low segment addresses indicate you are in DOS, and +addresses that start with FXXX indicate a BIOS routine. 
+ +If you break into the program while it is in one of these interrupt routines +you will have to trace your way back into the programs code, this will usually +be indicated by an IRET (interrupt return) instruction. When you do get back +to the program code, you will then have to trace your way back to the top of +the call that issued the interrupt you broke into. Then you may also have to +trace back to the top of that call, and to the top of that call, etc etc, +until you reach the top level of the program. After you've done this a few +times you'll begin to recognize when you've gotten back to the main flow of +the program... + +On the other hand, when you load a program into the debugger and begin +stepping through the code from the very first instruction to be executed +within the program, you have the best picture on the overall flow of the +program as you are sitting on top of everything. + +But some programs don't access the copy protection until they are further +along in the code. In this case, it's best to let the program run normally and +then break into it at a later point. Otherwise, you will have a ton of code to +trace through before the protection routine is accessed, and this can become +quite tedious. Which method you choose will be determined after you've run the +program through a few times and decide how and where you want to break into +it. + +One last thing, DOS will always load a program into the same memory range +provided that no other programs are run in the interim. It's important that +you always boot with the same config files and don't run any other memory +resident programs between cracking sessions. + +If you load a program into the debugger and start tracing, then quit. 
And +before The next time you load that same program into the debugger, you boot +with a different config or load a memory resident program that you didn't have +loaded the first time you started cracking that program, the segment addresses +will change and the addresses you wrote down will be useless. This is because +the memory map of your computer will change. + +When I boot with my debugging config (when I use my DOS debugger, Windows +manages memory differently and these steps are not needed), the only things I +load are a mouse driver, 4DOS, my debugger and ansi.sys (needed for cracking +bbs doors). This way I'm assured that the program I want to crack gets loaded +into the same memory region every time I run it, providing I don't run any +other memory resident programs before loading the program to be cracked into +the debugger. + +Take soft ice as an example, if you load a program into it using LDR.EXE and +begin debugging, then later on you decide to just execute the program and +break into it without first loading it with LDR.EXE, the segment addresses +will change. That's because LDR.EXE is a program and using it will throw the +segment addresses off by one word as opposed to just breaking into an already +running program without first loading it with LDR.EXE. + +The program we will crack is budget minder, it is an extremely simple crack +(it took me about 2 minutes to crack it) and is ideal for the lesson on how to +remove nag screens from otherwise fully functional programs. It also deals +with intrasegment calls, so it serves a dual purpose. That's another reason I +chose it for the lesson. + +From now on, when I say step, step through, or step over, I want you to use +the SINGLE STEP key. When I say trace, I want you to use the TRACE key once +and only once!!!! The TRACE key is a highly specialized key and is not +intended to be used multiple times like the SINGLE STEP key. If you don't +follow these instructions, your gonna get lost... 
+ +OK, once you've run budget minder a few times you will notice that it displays +a nag screen before the main program is executed. You will also notice that +this nag screen is the only type of protection that the program has. It +doesn't contain any features that are disabled, nor does it display an +additional nag screen upon exit. + +It's okay to apply a dirty crack to this program as all you want to do is kill +the nag screen, so you have a little more leeway on how to patch it. And if +you want to try different methods of patching it than the ones I give, it +should still work fine. + +That was the most important factor in my decision to use this program for the +lesson. I wanted to walk you through a program so you would become comfortable +with it's flow, and I also wanted the program to be easy enough so that once +you became familiar with it, there was enough room for you to experiment and +try out your own methods. + +In this case, it's best to load the program into the debugger and start +stepping through it right away. The protection is implemented very close to +the beginning of the program, and this method of loading the program will put +you right on top of everything. + +Allowing the program to run and breaking into it later on will not serve any +useful purpose. You'll just end up having to trace your way back to the top. +Besides, the nag screen comes up so fast you'll probably miss it if you try +the second method anyway. + +Before you load it into the debugger, run UNP on BUDGET.EXE... AHA! The file +was compressed with EXEPACK. It's now ready to debug as you've removed the +compression envelope. Just for the hell of it, run UNP on it again. I've come +across a few programs that have had multiple compression routines on them. If +it shows up negative, your set to go. + +Now load BUDGET.EXE into the debugger, the program will be sitting at the +first instruction to be executed awaiting your next command... 
Use the SINGLE +STEP key to start stepping through the code and keep an eye on the +instructions as you are stepping through them. + +Shortly you will come to a couple of calls, before you step over the first +one, write down it's address. Now step over the first call with the SINGLE +STEP key. Nothing happened, so you have to continue stepping through the code. +But if something did happen when you stepped over this call like the nag +screen being displayed or if you lost control of the program, you could just +reload the program and issue the GO TO command to get back to that point using +the address you wrote down. + +Step over the second call, nothing again. Ok, keep stepping through the code +and keep an eye on the instructions. You will encounter a third call about 6 +instructions or so after the second call, step over it with the SINGLE STEP +key... Bingo, you have found the call to the nag screen. Hit a key to exit the +nag screen and you will now be sitting in the main program screen. + +But you no longer have control of the program. Remember I said you would loose +control if you step over a call loop or interrupt and the program never +returns from it? Hopefully you wrote down the address of that last call before +you executed it. Now you can just quit out of the program and reload it. Then, +once it's reloaded, issue the GO TO command to get back to the call without +having to trace your way back there. So go ahead and do this before reading +on... + +Ok, we are all back at the third call. It's address will be CS:0161, remember +that the segment adresses will always be different for every computer, but the +offsets will be the same. So from now on I'll write the addresses in that +manner... + +We know that the last time we executed this call, the program never returned +from it. So now we are going to have to trace into it for a closer look. Trace +into the call with the TRACE key, don't use the SINGLE STEP key this time or +you'll loose control again. 
+ +You will now be inside the code for that call, start stepping through it again +with the SINGLE STEP key, you will see some calls. Better write down your +address before you step over them. + +Step over the first two calls, nothing... Use the RESTORE USER SCREEN key to +toggle the display between the debugger and the program. Still a blank screen, +so nothing important has happened yet. Now toggle the RESTORE USER SCREEN key +to get the debugger screen back and continue stepping through the code. + +You will see another call and some more code, just step through them until you +reach the RETF instruction and stop there. Toggle the display with the RESTORE +USER SCREEN key, the screen is still blank... + +But we executed all of the code within the call and are ready to return +without anything happening. The nag screen didn't get displayed nor did we +loose control and end up in the main program, How come? + +Step over the RETF instruction with the SINGLE STEP key and you'll see why... +The address that we return to is not the next instruction after the original +call. Part of the code within the call we traced into revectored the return +address for the original call and sent us to an entirely different location +within the program. + +This is why we lost control when we first stepped over the call, the debugger +was expecting the program to return to the next instruction after the original +call, but it never did... + +So the instruction that we returned to was not the original line of code that +was expected, instead we are at another far call. If you haven't gotten lost +you should be at CS:0030 CALL CS:28BC. + +Write down the address of the CS:IP and then step over this call with the +SINGLE STEP key, there is that annoying nag screen again. Hit a key to exit +the nag screen and control will be returned to the debugger. This time the +program returned from the call and you are in control again. 
So you now know +that this call is the one that displays the nag screen and it is the one you +want to kill. + +Hit the RUN key and let the program run, now quit out of it from the main +program screen and reload it into the debugger. Use the GO TO command and +supply it the address for the call to the nag screen. + +Ok, now lets see if the program will run or not if we don't execute the call +to the nag screen. The call is at CS:0030 and the next instruction after the +call is at address CS:0035... A quick way to jump past this call without +executing it is to just increment the instruction pointer register to the next +instruction. + +In this case we want to manipulate the IP register, and we want to set it to +point to the instruction at CS:0035 instead of the instruction it is currently +pointing to at CS:0030. You are going to have to figure out the command on how +to do this with the debugger you are using yourself. + +If you are using turbo debugger, place the mouse cursor on the line of code at +CS:0035 and right click the mouse. A window will pop up, then left click on +new IP, or increment IP. If you are using soft ice, type rip=0035 and hit +enter. Any other debugger, I have no clue... + +Now that we've moved the IP past the call to the nag screen let's see if the +program is going to run. Hit the RUN key, this time the nag screen doesn't +come up, instead you are brought right into the main program screen. + +It looks like getting rid of that call is going to do the trick. Now that we +know the program will run without making that call, it's time to decide on how +to patch the program so the call is never made again. + +Think back to the original call we traced into for a minute, that call was the +one that revectored the return address and brought us to the call to the nag +screen. Therefore, it's reasonable to assume that that call is the protection +check, and it might be a good idea to have another look at it. 
+ +Before we do that there is one other thing I want to show you, and that's how +to allow the program to make the call to the nag screen and return from the +call without executing any of the code contained within it. + +This isn't the method we will use to patch this program, but it's an important +concept to grasp as you'll end up doing it sooner or later on some other +program anyway. Remember that this is a far call and you can't just nop it +out. + +Quit the program, reload it, and get to the address of the call to the nag +screen. Last time through we just incremented the IP to bypass it. Now we will +trace into it to see what it is doing. + +Hit the TRACE key and trace into the call. Now start stepping through it with +the SINGLE STEP key, don't bother writing any addresses down for now. There +are several dozen calls in this routine along with shitloads of other code. + +Toggle the display with the RESTORE USER SCREEN key after you step over a few +of the calls and you will see that the program is in the process of drawing +the nag screen. + +Keep stepping through it and you'll see more and more of the screen being +drawn as the code progresses. This is getting boring, so stop stepping through +the code and start scrolling the code window down with the down arrow key and +watch the code. If you are using soft ice, the F6 key toggles the cursor +between the code and command windows, and the cursor must be in the code +window in order to scroll it. + +What you are looking for is the RETF instruction as this is the end of the +call. Keep scrolling, I told you this call had a ton of code in it. When you +do find the RETF instruction write down it's address, it is CS:2B0E in case +your having trouble finding it. Ok, you've got the address of the RETF far +instruction written down so now just let the program run, quit out of it, +reload it, and get back to the call for the nag screen. 
+ +You should now be sitting at the call to the nag screen, trace into it and +stop. The first instruction of the call is MOV CX,0016 and this is where the +CS:IP should be pointing to. What we want to do now is to jump to the RETF +instruction and bypass all of the code within the call itself. So let's +re-assemble the MOV CX,0016 instruction and replace it with a new one. + +First, make sure you are at this instruction, if you've traced passed it your +gonna have to reload the program and get back to it... OK, we are all sitting +at the MOV CX,0016 instruction and it's address is contained in the CS:IP +registers. + +Now ASSEMBLE JMP 2B0E (the offset address of the RETF instruction) and specify +the address of the CS:IP. The MOV CX,0016 instruction will be replaced with +JMP 2B0E. And seeing as how both of these instructions are the same length we +didn't have to pad it out with any nop's. + +Now hit the RUN key, you are brought into the main program and the nag screen +didn't get displayed! We allowed the program to make the call, but we didn't +allow any of the code within the call to be executed. And as far as the +program is concerned, it made the call and the nag screen was displayed. + +Now let's go back and take another look at the call that we suspect is the one +that contains the protection check itself. Reload the program and go to the +original call that revectored the return address, now trace into it. I've +traced into the calls that are contained in here and they are setting up the +addresses for the RETF instruction at the end of this call among other things. +You don't need to trace into them as you might not understand what's going on, +but if you feel up to it, go right ahead. + +What I want to concentrate on are the last four lines of code in the call as +they are the ones that finally set up the address to return to. 
Step through +the code until you are at CS:00A8 and take a look: + +CS:00A8 8B04 MOV AX,[SI] DS:SI=0000 +CS:00AA 053000 ADD AX,0030 +CS:00AD 50 PUSH AX +CS:00AE CB RETF + +The first instruction is loading the AX register with the contents of the +memory location that the SI register is pointing to. And you can see by +looking at the memory location that the DS:SI pair is pointing to that it +contains 0000. (this is where the display command and data window come in +handy). + +The second instruction is adding 0030 to the contents of the AX register. + +The third instruction is placing the contents of the AX register onto the top +of the stack. + +The fourth instruction is returning from the call, and where do you think that +the RETF instruction gets the address for the return? Yep, you guessed it, it +gets it off the top of the stack. Funny that the instruction right before it +just placed something there isn't it? + +Also funny is that it happens to be the address of the nag screen. Look at +what is being added to the AX register on the second line of code. Boy that +sure looks like the offset address to the nag screen to me. + +Remember that the next instruction after the nag screen is CS:0035, now look +at the first line of code. The contents of the memory location it's +referencing contains 0000, and I'll bet that if your copy was registered it +would contain 0005 instead. + +Why? because if the first instruction placed 0005 in the AX register, when the +second line of code added 0030 to it, you would end up with 0035 which happens +to be the address of the next line of code after the nag screen. + +Then the third instruction would place 0035 on the stack and that is where the +RETF instruction would go to. If this were the case, the nag screen would +never get displayed... + +Well, what do you think we should do? 
We could trace further back in the +program and try to find the instructions that place 0000 in that memory +location and modify them to place 0005 in there instead, but this process is +somewhat involved and I don't want to throw too much at you at once. + +Instead, I have an easier solution. Seeing as how the memory location will +always contain 0000, why don't we just change the ADD AX,0030 instruction to +ADD AX,0035? This should get the correct address placed on the stack for the +RETF instruction to bypass the nag screen... + +Let's try it and see how it works. SINGLE STEP through the code until the +CS:IP is at the instruction ADD AX,0030. Now, ASSEMBLE the instruction to read +ADD AX,0035 and hit the RUN key. We are placed in the main program screen +without any stinkin' nag screen getting displayed! + +Congratulations! you have just cracked your first program :) Try other methods +of patching the program besides the ones I went over. The next chapter will +deal with how to make the changes you've made permanent. + + + +CHAPTER 5 HOW TO USE THE DISK EDITOR +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +Ok, we cracked budget minder in the debugger and know it's going to work. Now +we need to make those changes permanent. The first thing we have to do before +we load the file into the disk editor is to create a search string. + +So we are going to have to reload budget.exe into the debugger and trace back +to the location where we want to make the patch in order to get the hex bytes +of the instructions we want to search the disk file for. + +Load budget.exe back into the debugger and trace back to the last four +instructions of the original call that revectored the return address. You +should be looking at this: + +CS:00A8 8B04 MOV AX,[SI] +CS:00AA 053000 ADD AX,0030 +CS:00AD 50 PUSH AX +CS:00AE CB RETF + +The group of numbers to the right of the addresses are the hexadecimal +representations of the mnemonic instructions. 
These are the bytes that we will +use for our search string. So write them down beginning from top left to +bottom right so you end up with this: 8B0405300050CB + +This is the byte pattern that we will search for when we load the file into +the disk editor. We have a search string, but we also need to make a patch +string as well. In order to do this, we will have to assemble the new +instructions in memory, and then write down the changes we've made to the +code. + +So ASSEMBLE ADD AX,35 and specify the address for the old ADD AX,0030 +instruction. The new code should look like this: + +CS:00A8 8B04 MOV AX,[SI] +CS:00AA 053500 ADD AX,0035 +CS:00AD 50 PUSH AX +CS:00AE CB RETF + +Notice that we only re-assembled the second line of code and that is the only +difference between the new code and the original code. So what I want you to +do is to write down the changes under the old code it replaced so it looks +like this: + + 8B0405300050CB <-- search string + ^ + 5 <-- patch string + +Now we are all set to load the file into the disk editor. We have a string to +search for and another one to replace it with. Load budget.exe into your disk +editor, select the search function, and input the search string. + +NOTE: some disk editors default to an ASCII search so you may have to toggle +this to hex search instead. If your in the wrong mode, the disk editor will +not find the byte pattern your looking for. + +Once the disk editor finds the byte pattern of the search string, just replace +the bytes of the old code with the bytes to the new code and save it to disk. +The program is now permanently cracked. + +Sometimes however, the code you want to patch is generic enough that the +search string will pop up in several different locations throughout the file. +It's always a good idea to keep searching for the byte pattern after you've +found the first match. If the disk editor doesn't find any more matches your +all set. 
+ +If the string you are searching for is contained in more than one location and +you patch the wrong one the crack will not work, or you will end up with a +system crash when you run the program. In this case, you'll have to reload the +program back into the debugger and create a more unique search string by +including more instructions around the patch site in the search string. + +One last thing, you cannot include instructions that reference dynamic memory +locations in the search string. These bytes are not contained in the disk +file. So keep this in mind when you are creating your search strings... + +And the protection might not be included in the main executable either. If you +cannot find the search string in the main exe file, load the other program +files into the disk editor and search them as well, especially overlay files. +Fortunately for you, I've included a tool to help you do this. + + + + +CHAPTER 6 OTHER CRACKING TOOLS +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + +In addtion to UNP, there are several other tools that you can utilize to make +your job easier. These tools were not designed with the cracker in mind, but +they can be adapted to serve our purposes rather than the ones which they were +written for. + +UNP and other programs like it were written to remove the compression +envelopes from exectables so you would be able to scan those files with a +virus scanner among other things. If someone were to attach a virus to an exe +file and then compress it, the file for all intents and purposes would be +encrypted. Now when you downloaded that file and ran your virus scanner on it, +it might not find the virus. + +But crackers found a different use for these types of programs. We use them to +remove the compression envelope so that we can find the byte strings we want +to search the files for. I'm sure most of the programmers who wrote these +programs never intended them for this purpose. 
There are some out there though +that were written by crackers with this exact purpose in mind. + +Don't just rely on UNP as your only program to do this. No one program will be +able to remove evrything you come across. It's a good idea to start collecting +these types of programs so you have more than one alternative if you come +across a compressed file, and your favorite expander doesn't understand the +routines. Be aware though that some programs are actually encrypted and not +compressed. In this case the expander programs will prove useless. + +Your only recourse in this instance is to reverse engineer the encryption +routine while the program is decrypting to memory, and modify your search +string to search for the encrypted version of the bytes. Or you could write a +tsr patcher that impliments your patch after the program is decrypted to +memory. + +There is another category of programs you can adapt to your use and they work +in conjunction with the file expanders. These types of programs will scan +entire directories of files and pop up a window that displays which files are +compressed and what they are compressed with. They won't remove the +compression routines from the files themselves, but will only inform you which +files are compressed and which are not. UNP also includes a command line +switch to do this... + +Now instead of blindly running UNP on several different program files to see +if they are compressed or not, you can see at a glance if you even need to run +it at all. And if you do, you'll know exactly which files to run it on. This +is another time saving type of program and there are several out there, you +just have to look for them. + +Another type of program that you will find useful will scan entire +disks/directories/subdirectories of files for specific hex or ascii byte +patterns contained within those files, and this is the purpose of the second +uuencoded cracking tool contained in this guide. 
+ +One method I use to determine if a shareware program is registerable or not +before actually loading it into the debugger is to use this tool. + +I usually will have it scan all the programs files and input the string REG. +This will show all files that contain the string unREGistered and REGistered. +If it returns a string that contains REGistered in a file other than the doc +files, I know the program can be made into the registered version. This is +just a quick check I do on programs that have certain features diabled to +determine if the program does contain the code for the registered version. + +An added feature of this program is that after you've cracked a program and +have a byte string to search for, you can run this program in hex mode and +input your search string. Now it will search all of the programs files and +return the name of the file that contains your search string, then you can +just load that file into the disk editor and make the patch. + +It will also let you know if your search string is contained in more than one +location within the file. Remember, if this is the case you'll have to reload +the program back into the debugger and create a larger search string by +including more instructions around the patch site. + +The programs name is SS303 and it's very easy to use, just read the docs for +it... + +These are the 'accessory' tools I use in cracking, there are several more out +there, I just don't have any use for them. And if you are dilligent, these are +all you'll really need as well. + + +CHAPTER 7 SOURCE CODE TO A SIMPLE BYTE PATCHER +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +As I've stated in the overview chapter, if you want to distribute your patches +you are going to have to write a patcher program. Simply releasing the patched +version of the program file is not desirable. For one thing it's illegal, +another consideration is size. 
Some files you patch will be 300K or more, and +this is quite a large crack to release. The patcher program included in this +guide is much much smaller, it will assemble to about 600 bytes or so, +depending on the size of your logo. + +And what if you want the end user to be able to register the program in their +own name? A patched .exe or .ovr file will not allow this. + +When you release a patch that you yourself wrote, you are not breaking any +laws. The program was written by you and is your intellectual property to do +with as you see fit, including making it available for public use. The person +breaking the law is the end user who will use it to illegally modify someone +elses intellectual property contrary to the licencing terms they agreed to +when they installed the program. Remember, it's not illegal to write and +distribute a crack, but it is illegal to apply a crack. + +That's why all of the programs I've included in this guide are shareware +programs in the original archives as released by the authors and have not been +tampered with in any way. I'm not about to release a modified version of +someone elses copyrighted property. The only thing I am doing is supplying you +with the original archive and the information on how to modify it if you wish, +this is not illegal. If you decide to take the program and modify it that's +your problem, not mine... + +This patcher routine is very simple, I wrote it about 5 years ago and it was +my very first patcher program. It is a brute force patcher in that it will not +do any error checking and blindly patch the program you specify with the byte +pattern you supply. This method has it's advantages and disavantages. + +The disadvantage to this method is that seeing how the program does not +perform any error checking it will patch the file specified with the +replacement string even if it's not the correct version of the program. If the +filename is the same, the patch will be applied. 
+ +Let's say you crack a program called Ultimate Menu and the version number is +1.0, and the file you patch is called menu.exe. Now let's say a little while +later version 1.5 of the program comes out and someone who has your patch for +version 1.0 decides to run it on version 1.5 of the program. + +This byte patcher will not check the new menu.exe for any changes before +making the patch, it will just patch the program in the location you specified +with the string you supplied even if the code you want to change is no longer +there. This could very well be the case if the programmer has significantly +re-written the code between versions, and what will end up happening is the +file will be corrupted and probably crash the system when it is run. + +But this is also the advantage of my byte patcher. If the code to be replaced +is still in the same location in the new version, you'll not have to release a +new crack for each version of the program. Bear in mind that when I wrote this +program I was just starting out and didn't consider these possibilities. The +reason I included it in this guide was to give you an idea on how to write +your own patcher or to modify this one to suit your own purposes. + +The patcher program that I use now is extremely complex and would just confuse +the hell out of you. Basically what I do is to make a backup of the original +file I am going to patch and then patch the original file. Then I run my +patcher program on the two files, it compares the differences between the +original file and the patched one and saves them to a data file. I then +assemble a patch using the data file. + +What I end up with is a patch that will check the file you are running it on +to see if it is indeed the correct version before applying the patch. If it's +not, the patch won't be made. This method also allows me to make multiple +patches at different locations throughout the program. 
The byte patcher +included in this guide will only allow one string to be patched in one +location. But if you do a clean crack, that's all you'll usually need anyway. + +Ok. here is the source code to the patcher program, I've commented as much as +I could throughout the code to make it more understandable. I also wrote it to +be generic enough so that you can re-use it over and over simply by plugging +in certain values and re-assembling it. + +NOTE: the patch offsets are not the segment:offset adresses of the code as it +resides in memory, but the offset from the beginning of the disk file. + +.model small +.code +ORG 100H +start: JMP begin + +;****************************************************************************** +; these are all the variables you set to crack a file, +; simply change the values and then assemble the program +;****************************************************************************** + +msb EQU 0000H ;the first part of the patch offset +lsb EQU 055AH ;the second part of the patch offset +cnt EQU 3H ;number of bytes in your patch +patch_data DB 'EB2E90',0 ;the byte string to be written +file_name DB 'go.pdm',0 ;the name of the file to be patched + +logo DB 'Cracked by Uncle Joe',0AH,0DH + DB ' -=W.A.S.P. 
92=- ',0AH,0DH + +error1 DB 'FILE NOT FOUND',0AH,0DH + DB 'Make sure you have GO_CRACK.COM in the same',0AH,0DH + DB 'directory as GO.PDM',0AH,0DH + DB '$' + +error2 DB 'A fatal error has occured',0AH,0DH + DB 'the crack was not applied',0AH,0DH + DB '$' + +error3 DB 'GO.PDM has the read only attribute set',0AH,0DH + DB 'reset it before attempting to make the patch',0AH,0DH + DB '$' + +handle DW 0 + +;****************************************************************************** +; this procedure opens the file to be cracked +;****************************************************************************** + +open_it PROC near + MOV DX,offset file_name ;setup to open file to be + MOV AX,3D02H ;cracked + INT 21H + JNC done ;if successful, continue + + CMP AX,05H + JZ read_only + MOV AH,09H ;else display error message + MOV DX,offset error1 ;and exit + INT 21H + JMP exit +read_only: MOV AH,09H + MOV DX,offset error3 + INT 21H + JMP exit + +done: MOV handle,AX ;store the file handle for + RET ;use later and return +open_it ENDP + +;****************************************************************************** +; this procedure sets the file pointer to the patch location +;****************************************************************************** + +move_it PROC near + MOV AH,42H ;setup to move the file + MOV AL,00H ;pointer to the patch site + MOV BX,handle ;load the file handle + MOV CX,msb ;the first part of offset + MOV DX,lsb ;and the second part + INT 21H ;move the pointer + JNC ok ;if successful, continue + + MOV AH,09H + MOV DX,offset error2 + INT 21H ;else print error message and + JMP exit ;exit +ok: RET +move_it ENDP + +;****************************************************************************** +; this procedure writes the crack to the file and closes it +;****************************************************************************** + +patch_it PROC near + MOV AH,40H ;setup to write the crack + MOV BX,handle ;load file handle + MOV CX,cnt ;load number 
of bytes to write + MOV DX,offset patch_data ;point DX to patch data + INT 21H ;make the patch + + JNC close_it ;if successful, contintue + MOV AH,3EH + INT 21H + MOV AH,09H ;if not then something + MOV DX,offset error2 ;is wrong, disk may be write + INT 21H ;protected. If so, print error + JMP exit ;message and exit + +close_it: MOV AH,3EH ;crack was successful + INT 21H ;close file and return + RET +patch_it ENDP + +;****************************************************************************** +; the main program +;****************************************************************************** + +begin PROC near + CALL open_it ;open file to be patched + CALL move_it ;move pointer to patch site + CALL patch_it ;make the patch and close file + MOV AH,09H + MOV DX,offset logo ;display logo + INT 21H + +exit: MOV AX,4C00H ;and exit + INT 21H +begin ENDP + + END START + + + + +CHAPTER 8 CONCLUSION +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +Hopefully this guide has been useful in helping you understand the cracking +process. It is by no means an all inclusive guide, the main goal I had in mind +when I wrote it was to give beginners a push without confusing the hell out of +them. + +It is not feasable to try and include all of the tricks of the trade that a +beginner might find useful into one single guide, nor would I want to do this. +For one thing, this guide would be ten times the size it is now, and even then +it would not be an encyclopedia of what to do for every situation. If your +serious enough about cracking, you will discover enough tricks and develop +your own methods as you progress. And you have to be creative! What works in +one situation may not work again in a similar one. + +Instead, I tried to give you a general idea on how a programs code might +operate and what to look for. A successful cracker is not someone who +memorizes a specific set of actions to perform on a specific piece of code. 
A +successful cracker is someone who understands the flow of the code, and how to +adapt his methods to successfuly re-write the programs code to behave as he +wishes and not as the programmer intended it to. There are no set rules for +this, the very nature of the PC won't allow it. + +If you have any questions about cracking or are stumped by something, drop me +a note at fishpaw@helix.xiii.com, I'll be glad to give any advice I can. Or if +you simply just wish to discuss cracking techniques or anything of that +nature. + +NOTE: Do NOT mail me and ask me to crack programs for you! I'm not interested +in cracking for the masses. If you need something cracked, learn how to crack +it yourself. If you are unwilling to learn how, then register it. + + diff --git a/textfiles.com/piracy/CRACKING/budget.txt b/textfiles.com/piracy/CRACKING/budget.txt new file mode 100644 index 00000000..eebc202e --- /dev/null +++ b/textfiles.com/piracy/CRACKING/budget.txt 
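Review bot: the byte patcher in this file writes blind: `move_it` seeks to the fixed offset `msb:lsb` (INT 21h, AH=42h) and `patch_it` immediately issues the write (AH=40h) without first reading the bytes at that offset and comparing them with what the patch expects, so, as the surrounding prose concedes, any file that merely shares the name `go.pdm` is overwritten and left corrupted. The same prose describes the author's later design, a compare of the original against a patched copy with the write applied only when the target matches, which is the check that belongs here; a header line stating that this specimen has no such check would help anyone reading the archive as detection material, since a tiny COM file that opens a named executable read/write (AX=3D02h), seeks to a constant offset and writes `cnt` bytes is exactly the behaviour file-integrity monitoring is built to flag. Minor: `open_it`, `move_it` and `patch_it` all `JMP exit` from inside a CALLed procedure, leaving the return address on the stack; harmless only because `exit` terminates the process via AH=4Ch.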
@@ -0,0 +1,254 @@ + + + _______ + ____|__ | (R) + --| | |------------------- + | ____|__ | ASSOCIATION OF + | | |_| SHAREWARE + |__| 0 | PROFESSIONALS + -----| | |--------------------- + |___|___| MEMBER + + + HOW TO USE BUDGET MINDER (Budget.Doc) + + BUDGET MINDER was prepared after my experience in trying to find a home + budget program that was easy to use and yet had more than a a minimal + capacity for categories of expenditures. Spread sheets are cumbersome + to set up and enter data and even general purpose data bases take a lot + of work to set up the fields and forms. I wanted a stand alone program + that would take less time to use than if I were to use pencil, paper, and + a calculator. + + BUDGET MINDER allows you to establish a budget and keep track of your + actual expenses on a month-to-month basis. It keeps a running total of + your expenses for the year and provides you with the variance from your + budget for both the month and the year. Each month is kept in a separate + file and can be viewed on the screen or printed out. + + Up to 45 categories of expenses can be enterd into BUDGET MINDER. + However, you don't have to use all of them. I have found that it is a + good idea to add a couple of "Extra" categories at the end of the list + to accommodate unforseen expenses. + + Set up your expense categories and the yearly budget for each category + using the MAKE BUDGET OPTION. The program will compute the average + monthly budget. BUDGET MINDER is normally based on a calendar year. If + you want to start your budget at some month later than January, then enter + the number of the starting month when prompted. You should file your new + budget on disk with some name such as "START94". + + Don't worry if you misspell a category or enter a wrong amount for a + yearly budget because you can make corrections later after you enter + expenses for the first month. 
+ + If you quit the program after setting-up the budget you will have to + reload your "START" file to enter data for the first month. + + To enter the actuals for the first month. When asked "Did you load + budget for the previous month?", answer "Y" if your "START" budget is + in memory and follow the prompts. BUDGET MINDER will compute the totals + for the month and the year and the variance of expenditures from the budget. + Each succeeding month you only need to follow the prompts to enter your + actual expenses. + File the monthly data on disk with some name such as "JAN94". + + To make corrections to the current month, select the CORRECT DATA + and "C" (Current Month) option. Do not use this option for staring a new + month's actuals. Use it only for corrections. Several prompts on the + screen will remind you of this. Also, if you goof-up you still have the + last month's data filed on a disk. + + + + + + + Note, you don't enter expenses on a daily basis. You only enter a total + for each category for the month. Once a month I go through my check book + determine the category of each expense and write down the amount of each + check on a form I created to use with BUDGET MINDER. I do the same with a + log of cash expenditures that I keep. I then enter the totals from the + form into BUDGET MINDER. + + Use the PRINT FORM option to print out a blank form. Use one sheet for + checks and another for cash expenditures. + + As the year progresses, you load the file for the previous month and + enter data for the new month. You then save the current month's data with a + name that reflects the name of the month, Such as "JUL1994." + + The secret of BUDGET MINDER'S operation is that when you want to enter + actuals for the current month, you are first asked to read in the file for + the previous month. The program checks to see that you have called-up the + correct month. 
The yearly totals for the previous month are stored + temporarily and once the actuals for the new month have been entered they + are added to the totals for the past month to provide the current yearly + total. + + SAMPLE FILE + I have included a file named JAN2000.BDG so you can experiment with + the program. + + WHY SHOULD YOU MAKE A BUDGET? + + One reason, often given, is to gain control over your finances. But, to + be truly effective. a budget derives from a plan, not otherwise. Define + specifically what you want to accomplish. Buy a home...take great + vacations...have money for the kid's education...save for retirement... + + To do these things you need to cut costs and increase savings. Most + people have no idea at all how much money they have coming in or going out. + I have heard people complain that a budget is too "restrictive." A budget + is not meant to restrict your life style but to increase your financial + independence. In some cases those who complain the most are afraid to let + their spouse know how their money is really spent. + + Even if you have not completely decided on some financial goals, you + need to make a serious attempt to track your expenses. One way is to use a + simple note book to record necessary and discretionary spending for at + least a couple of months. + + A better way is to list your estimated monthly income and every possible + expense over the year by reviewing last year's bills, checks, and receipts. + Make a list of mortgage or rent payments, utility bills, property taxes, + income taxes, food, and medical bills and the cost of maintenance of your + home. Don't forget to tally up car expenses, the cost of meals out, movie + tickets, and other miscellaneous expenses that you may have covered with + cash. + + When you have finished this first phase, you more than likely will have + some unexplained areas in your spending pattern such as a large number of + miscellaneous cash expenditures. 
If your spending habits are way out of + control, you will see that your expenses are much more than you income. + But, you already knew that didn't you? + + On the other hand, you may find that you can't account for all your + expenditures and they are less than your disposable income. Still you don't + seem to have money to do some of the things that you want to accomplish. + Most likely it is the cash and credit card purchase that you can't account + for. + + + Once you have a grasp of your present spending pattern, you can take the + first step in implementing your financial plan by preparing your budget. + + Good Luck! + + REGISTRATION AND SUPPORT + If you decide to keep using BUDGET MINDER you must pay a registration + fee of $15 to Bob Day 543 W. Walnut Ave., Monrovia CA 91016. + Califorinia residents please add sales tax. + The registration fee will entitle you to software support for a period of + three months after the date of registration. Support beyond that date will + be at the option of the author. You may also call 818-358-5963. Leave + a message if no one answers. + + This program is produced by a member of the Association of Shareware + Professionals (ASP). ASP wants to make sure that the shareware principle + works for you. If you are unable to resolve a shareware-related problem with + an ASP member by contacting the member directly, ASP may be able to help. + The ASP Ombundsman can help you to resolve a dispute or problem with an ASP + member, but does not provide technical support for members' products. Please + write to the ASP Ombundsman at 545 Grover Road, Muskegon, MI 49442 or send a + Compuserve message via Compuserve Mail to ASP Ombundsman 70007,3536. + + Also, please read the following about Shareware. + + DEFINITION OF SHAREWARE + + Shareware distribution gives the users a chance to try software before + buying it. If you try a Shareware program and continue using it, you are + expected to register. 
Individual programs differ on details -- some + request registration while others require it, Some specify a maximum + trial period. With registration, you get anything from the simple right + to continue using the software to an updated program with a printed + manual. + + Copyright laws apply to both Shareware and commercial software and the + copyright holder retains all rights, with a few specific exceptions as + stated below. Shareware authors are accomplished programmers, just like + commercial authors, and the programs are of comparable quality. (In both + cases there are good programs and bad ones!) The main difference is in + the method of distribution. The author specifically grants the right to + copy and distribute the software, either to all and sundry or to a + specific group. For example, some authors require written permission + before a commercial disk vendor may copy their shareware. + + Shareware is a distribution method, not a type of software. You should + find software that suits your needs and pocketbook, whether it's + commercial or Shareware. The Shareware system makes fitting your needs + easier, because you can try before you buy. And because the overhead is + low, prices are also low. Shareware has the ultimate money-back guarantee + -- if you don't use it, you don't pay for it. + + DISCLAIMER -AGREEMENT + + Users of BUDGET MINDER must accept this disclaimer of waranty: + BUDGET MINDER is supplied as is. The author disclaims all waranties, + expressed or implied, including without limitation, the warranties of + merchantability and of fitness for any purpose. The author assumes no + liability for damages, direct or indirect, or consequential, which may + result from use of BUDGET MINDER. + + + + + + + + BUDGET MINDER is a "shareware program" and is provided at no charge to the + user for evaluation. Feel free to share it with your friends, but please + do not give it away altered or as a part of another system. 
The essence of + "user-supported" software is to provide personal computer users with + quality software without high prices, and yet to provide incentive for + programmers to continue to develope new products. If you find this + program useful and find that you are using BUDGET MINDER and continue to use + BUDGET MINDER after a reasonable trial period, you must pay a registration + fee of $15 to Bob Day, 543 W. Walnut Ave., Monrovia, CA 91016. + The $15 fee will license one copy for use on any one computer at any one + time. You must treat this software just like a book. An example is that + this software may be used by any number of people and may be moved from + one computer location to another, so long as there is no possibility of + it being used at one location while it is being used at another. Just as + a book cannot be read by two different persons at the same time. + + Commercial users of BUDGET MINDER must register and pay for their copies of + BUDGET MINDER within 30 days of first use or their license is withdrawn. + + Anyone distributing BUDGET MINDER for any kind of remuneration must first + contact Bob Day at 543 W. Walnut Ave., Monrovia, CA 91016 for authorization. + This authorization will automatically be granted to distributors + recognized by the (ASP) as adhering to its guidelines for shareware + distributors, and such distributors may begin offering AUCTION immediately. + (However, Bob Day must still be advised so that the distributor can be + kept up-to-date with the latest version of BUDGET MINDER.) + + You are encouraged to pass a copy of BUDGET MINDER along to your friends for + evaluation. Please encourage them to register their copy if they find that + they can use it. All registered users will receive the latest version of + BUDGET MINDER. + + End of BUDGET.DOC text + + *************************************************************************** + + Cut off and mail with your registraton fee of $15 plus $1 S & H to: + + Bob Day + 543 W. 
Walnut Ave. + Monrovia, CA 91016 + + Registration for BUDGET MINDER program DATE:______________________ + + + NAME + ADDRESS + CITY + + DISK SIZE + + + California residents please add sales tax + + diff --git a/textfiles.com/piracy/CRACKING/bytecatcher.txt b/textfiles.com/piracy/CRACKING/bytecatcher.txt new file mode 100644 index 00000000..841a9caa --- /dev/null +++ b/textfiles.com/piracy/CRACKING/bytecatcher.txt 
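Review bot: this file is not cracking material and looks misfiled: it is the stock BUDGET.DOC shareware documentation for BUDGET MINDER (ASP member text, registration form, $15 fee) added under `textfiles.com/piracy/CRACKING/`, with nothing in it about protection, serials or patching. Inside the text itself, the distribution paragraph says ASP-recognised distributors "may begin offering AUCTION immediately", a leftover from another product's boilerplate where every other sentence names BUDGET MINDER. If the file is kept unchanged for archival fidelity, the commit message or an index note should record both points rather than leaving a reader who expects cracking content to discover the mismatch.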
@@ -0,0 +1,86 @@ +Name:Byte Catcher 1.01 d +Where:http://www.save-it.com +Type of protection:serial number +Description:This is a neat little program that allows you to resume a + download off of an ftp, even after disconnection, by just + hitting the "Go" button. Some disadvantages are that it + doesn't have a retry feature incase the server is full and + you can't change the port number. + +Tools you will need to crack this program: Soft-ice 3.0 or better + A piece of paper to write the + correct serial # down + +How to crack this program: + +Step 1.)Load Byte Catcher 1.01 and select "About" from the "Help" menu. +Step 2.)Click on register and fill out the information it asks for. I + used this: + 66696669 + Manson69 + mExElitE/c4n '97 + DO NOT HIT ENTER YET!!! +Step 4.)Press ctrl-D to enter Soft-ice and set a break point on hmemcpy by + typing "bpx hmemcpy" (without quotation marks.) +Step 5.)Leave Soft-ice by hitting ctrl-D or F5. Then hit "Ok." +Step 6.)You will be back in Soft-ice now. Hit ctrl-D or F5 two more times + to allow Byte Catcher to read all the information you entered in the + boxes. +Step 7.)Now hit F12 until you get out of the 16-bit protected code and into + the 32-bit code. + XXXX:XXXX <----4 digits followed by a colon and 4 more digits + indicates that you are in 16-bit protected mode + XXXX:XXXXXXXX <----4 digits followed by a colon and 8 more digits + indicates that you are in 32-bit code. +Step 8.)Now lets scan for the serial number that we entered. We do this by + typing "s 0 l ffffffff 'your code here'" (without the quotation + marks but WITH the ' ' marks.) My serial number was 66696669 so I + entered: + s 0 l ffffffff '66696669' + It will then find you your code at a given address. My serial + number was found at the address 013F:00A22FAC. 
Lets now set a + break point on this memory location by typing: + bpm 013F:00A22FAC <----Your memory address will probably be different +Step 9.)Hit ctrl-D or F5 to leave Soft-ice and low and behold you are right + back in Soft-ice! You will end up in code similar to this: + 0137:00418936 8A02 MOV AL,[EDX] <--This moves what is in + memory at EDX to AL + 0137:00418938 3A06 CMP AL,[ESI] DS:0047B14C=37 <--This + compares + what is + in + memory + at AL + and ESI + 0137:0041893A 751E JNZ 0041895A <--Acts as a result of the + compare. + This is the code that we need to be concerned with. The brackets + around EDX and ESI indicate that you are dealing with thier what is + in their memory location not their values. If you do a + d edx + and view the what is in memory on EDX you will see the code you + entered. If you do a + d esi + you will see the correct code. Note down the correct code,type + "bc *" (without quotation marks) to clear all break points. Then + enter the correct serial number in place of the one you entered and + hit "Ok" and it will register! +Final Notes: If you try don't enter the correct serial number, but change the + registration name and company and follow these steps over you + will see that the registration code doesn't change. This + program has one universal registration code. Which mean that + you can enter the same serial number with any name and/or + company and it will register! Due to this fact a key maker/ + generator or crack/patch is not needed. + Hope that this tutorial worked for you! +Acknowledgments: I would like to say thanks to all the members and regular + visitors of the mExElitE/c4n '97 group and channel. + + This tutorial was written by: + Manson69 of + mExElitE/c4n '97 + I can be found on IRC (Efnet) + everyday in: + #cracking4newbies + the mExElitE/c4n '97 official + channel. \ No newline at end of file 
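Review bot: the step numbering jumps from "Step 2.)" to "Step 4.)"; either a step was dropped or the labels are off by one, and the text reads as if nothing is missing, so renumber or mark the gap. On the substance, the Final Notes state that the product accepts one universal registration code regardless of name and company, and the listed code shows why: the check is a byte-by-byte `CMP AL,[ESI]` of the user's entry against a fixed string already sitting in the process's memory (`d esi` displays it in the clear). Read from the vendor's side, that is the design lesson in this file: a licence check that compares input against a constant stored in the binary is recovered with a single breakpoint on the copy routine, whereas a code bound to the registrant's name and verified with a signature rather than a stored expected value removes the one-code-fits-all property the Final Notes describe.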
diff --git a/textfiles.com/piracy/CRACKING/c1.txt b/textfiles.com/piracy/CRACKING/c1.txt new file mode 100644 index 00000000..82cc2e67 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/c1.txt 
@@ -0,0 +1,412 @@ +HOW TO CRACK, by +ORC, A TUTORIAL +LESSON C (1) - How to crack, Cracking as an art +[BARCODES] [INSTANT ACCESS] + +[BARCODES] + First of all, let me stress the importance of cracking in +our everyday life. Cracking it's not just about software, it's +about information, about all patterns of life. To crack is to +refuse to be controlled and used by others, to crack is to be +free. But you must also be yourself free from petty conventions +in order to crack properly. + You must learn to discerne cracking possibilities all around +yourself, and believe me, the development of this ghastly society +brings every day new codes, protections and concealing +mechanismes. + All around us grows a world of codes and secret and not so +secret patterns. Codes that are at times so familiar and common +that we do not even notice them any more... and yet they are +there to fool us, and yet they offer marvellous cracking +possibilities. + + Let's take as an striking example BARCODES... those little +lines that you see on any book you buy, on any bottle you get, +on any item around you... do you know how they work? If you do +not you may be excused, but you cannot be excused if you never +had the impulse to understand them... crackers are curious by +nature... heirs of an almost extinct race of researchers that has +nothing in common with the television slaves and the publicity +and trend zombies around us. Cracker should always be capable of +going beyond the obvious, seek knowledge where others do not see +and do not venture. + +[BARCODE HISTORY] + Let's begin with a little history. Universal Product Code +(UPC) was adopted for commercial use by the grocery industry in +the USA. Among the advantages were a rapid, accurate and reliable +way of entering stock information into a computer and the +possibility to sack a lot of workers and to do more profit. 
The +early success led to the development of the European Article +Numbering System (EAN), a symbology similar to UPC, that is +widely used in Europe and in the rest of the World. I'll teach +you to crack this one, since I do not -fortunately- live in the +States. Keep in mind, anyway, that there are different barcode +symbologies, each with its own particular pattern of bars. The +UPC/EAN code used on retail products is an all-numeric code; so +is the Interleaved 2 of 5 Code. Code 39 includes upper case +letters, digits, and a few symbols. Code 128 includes every +printable and unprintable ASCII character code. The most new one +is a 2-D code. These are special rectangular codes, called +stacked barcodes or matrix codes. They can store considerably +more information than a standard barcode. They require special +readers which cost more than a standard scanner. The practical +limit for a standard barcode depends on a number of factors, but +20 to 25 characters is an approximate maximum. For applications +that need more data, matrix codes are used. For example, the next +time you receive a package from United Parcel Service look for +a small square label with a pattern of dots and a small bullseye +in the centre. This is a MaxiCode label, and it is used by UPS +for automatic destination sortition. + The manufacturer's ID number on the barcode uniquely +identifies products. These numbers are managed by the Uniform +Code Council in Dayton, Ohio for the States and Canada and by the +EAN authority (Internationale Article Numbering Association) in +Bruxelles, for Europe and the rest of the World. The +manufacturer's ID number accounts for some digits of the code, +which leaves other digits to be assigned in any way the producer +wants. He provides retail outlets with a list of his products and +their assigned codes so that they can be entered in the cash +register system. 
Many codes are NOT on the products and are added +by the supermarkets on the fly, using an internal code schema +that may be non standard. Now it's enough... let's crack. + BARCODES are the only thing an automated casher needs to see +on a product to calculate its price and automatically catalogate +the sold merchandise... imagine (just imagine it :=) coz it would +be extremely illegal to act in this way) somebody would fasten +an adhesive home-made codebar label direct on the top of the +supermarket/mall/retail store label, say on a bottle of Pomerol +(that's a very good but unfortunately very expensive french +wine). + The new label would mean for the casher something like +"cheap wine from Bordeaux, France, cost so and so, everything +it's OK, do not worry"... do you think that anybody would come +to the idea that there is something wrong with the label, with +the bottle or with you? I have been codebaring for years and had +only once a problem, coz my printer was running out of ink and +the scanner in the supermarket could not read it... so what? Act +uninterested, always wear jackets of the utmost quality, shetland +pullovers and beautiful expensive shoes... (all articles that you +may codebar too, by the way), in this society appearance and look +count much more than substance and knowledge... LET'S USE THIS +TO OUR ADVANTAGE! Nobody will ever come to the idea that you may +actually really know the working of the scheme... coz codebar is +pretty complicated and not exactly exceptionally public. On the +Web there are a lot information about it, but most of them are +useless, unless you know how to search most of the time you'll +find only sentences like this one: + "The calculated check digit is the twelfth and final + digit in the U.P.C.code. It is calculated based on a + specific algorithm, and is necessary to ensure that + the number is read or key-entered correctly." 
+ +But good +ORC will now explain you everything you need to crack: + +[THE 13 BAR "CODES"] +Each barcode label has 13 values, from #0 to #12 (that's the EAN +code, the UPC american one has only 12, from #0 to #11). + #0 and #1 indicate the origin of the product. + #2 to #11 give the article code + #12 (the last and 13th one) is a checksum value, that + verifies the validity of all the other numbers. +How is it calculated? #12 is calculated in 4 steps + VALUE A: You sum odd position numbers (#0+#2+#4+#6+#8+#10) + VALUE B: You sum even position numbers and multiply by 3 + ((#1+#3+#5+#7+#9+#11)*3) + VALUE C: You sum value A and value B + VALUE D: You mod value C (you divide by 10 and only keep + the remaining units, a very widespread checking scheme as + you'll see in the software part of this lesson) + If the result is not zero, you subtract it from 10. +Now look at a barcode label, get some books or other barcoded +items and *watch* it... +Bar codes are supposed to have "quiet zones" on either side of +the symbol. Quiet zones are blank areas, free of any printing or +marks,typically 10 times the width of the narrowest bar or space +in the bar code. Failure to allow adequate space on either side +of the symbol for quiet zones can make it impossible to read the +bar code. + +On the barcode there are two "borders", left and right, and a +"middle" longer line. These three lines are longer than the +others and are used to "regulate" the scanner to whatever +dimension has been used for the barcode. +#0 dwells left of the first (left) border and has a special +meaning, the other 12 numbers are written "inside" the code and +are divided in two "groups" by the middle bar. +Each value is coded through SEVEN bars: black=1 and White=0. +These form two couples of "optic" bars of different widths. +We come now to the "magic" part: In order to bluff the +simpletons, barcode uses three different SETS of characters to +represent the values 0-9. 
This should make it impossible for you +to understand what's going on, as usual, in this society, slaves +should not need to worry with the real functioning of things. + Here are the graphic codes of the three graphic sets: + + CODE A CODE B (XOR C) CODE C (NOT A) +0: 0001101 (13) 0100111 (39) 1110010 (114) +1: 0011001 (25) 0110011 (51) 1100110 (102) +2: 0010011 (19) 0011011 (27) 1101100 (108) +3: 0111101 (61) 0100001 (33) 1000010 (066) +4: 0100011 (35) 0011101 (29) 1011100 (092) +5: 0110001 (49) 0111001 (57) 1001110 (078) +6: 0101111 (47) 0000101 (05) 1010000 (080) +7: 0111011 (59) 0010001 (17) 1000100 (068) +8: 0110111 (55) 0001001 (09) 1001000 (072) + +9: 0001011 (11) 0010111 (23) 1110100 (116) + +Borders: 101 +Centre: 01010 + +- The C graphic set is a "NOT A" graphic set. +- The B graphic set is a "XOR C" graphic set. +- each value has two couples of bars with different widths + + Now watch some labels yourself... see the difference between the +numbers left and the numbers right? The first "half" of the +barcode is coded using sets A and B, the second "half" using set +C. As if that were not enough, A and B are used inside the first +"half" in a combination that varies and depends from value #0, +following 10 different patterns: + #1 #2 #3 #4 #5 #6 + 0 A A A A A A + 1 A A B A B B + 2 A A B B A B + 3 A A B B B A + 4 A B A A B B + 5 A B B A A B + 6 A B B B A A + 7 A B A B A B + 8 A B A B B A + 9 A B B A B A + +"Ah! Stupid buyer will never understand why the same values gives +different bars! Nothing is as reliable as barcodes!" 
:=) + +Let's take as example the codebar for Martini Dry: +BARCODE: 8 0 00570 00425 7 +Let's see: we have a 8 0 0 = booze +Then a 000570 as ABABBA and a 004257 as C +"Even" sum: 8+0+5+0+0+2 = 15 (even sum) +Then a 0+0+7+0+4+5= 16 and 16 *3 = 48 (odd sum) +Then a 15+48=63 +63 === 3 +10 - 3 = 7 = checksum +Pattern = 8 = ABABBA CCCCCC + +OK, one more example: Osborne Windows programming series Volume +2 General purpose API functions (always here on my table)... +BARCODE: 9 7 80078 81991 9 +Let's see: we have a 9 7 8 = book +Then a 780078 as ABBABA and a 819919 as C +"Even" sum: 9+8+5+8+8+4 = 42 (even sum) +Then a 7+1+5+2+4+4= 23 and 23 * 3 = 69 (odd sum) +Then a 42+69=111 +111 === 1 +10 - 1 = 9 = checksum +Pattern = 9 = ABBABA + +Well... what's the point of all this? +The point, my pupils, is that who DOES NOT KNOW is taken along +on a boat ride, who KNOWS and LEARNS can use his knowledge in +order to try to beat blue and black the loathsome consumistic +oligarchy where we are compelled to live. Try it out for +yourself... if you crack correctly and wisely your supermarket, +mall and library bills will be cut to almost zero. + Write a small program to print whichever codebar you fancy +(or whichever your mall uses) in whichever size on whichever sort +of label you (or better your targets) fancy... it's quickly done +with Visualbasic or Delphy... but you'll not find much on the Web +Alternatively you could also write, as I did long ago, a short +c program in dos, using a modified upper char set... and there +you are, have labels... see the world. + A small word of caution... crack only ONE item at time and +try it out first with the SAME label for the same product... i.e. +the correct code for that item, but on your own label. If it goes +through your program works good, if not, nobody will ever be able +to harm you. 
Anyway it never happens anything, never: the bar +code reading equipments have great tolerance, coz the scanners +must be able to recognize barcodes that have been printed on many +different medias. You should choose labels similar to the ones +effectively used only in order not to arise human suspects, coz +for all the scanner itself cares, your label could be pink with +green stripes and with orange hand-written, numbers. Mind you, +we are still just academically imagining hypothetical situations, +coz it would be extremely illegal to act in such an inconsiderate +manner. + CRACKING POWER! It's true for barcodes, for Telecom bills, +for Compuserve accounts, for Amexco cards, for banking cheques +(do you know what MICR is? Magnetic Ink Character Recognition... +the stylized little printing on the lower left of new cheques... +there is a whole cracking school working on it), for registration +numbers... you name it, they develope it, we crack it... + Begin with barcodes: it's easy, nice and pretty useful! Live +in opulence, with the dignity and affluence that should always +distinguish real crackers. Besides... you should see the +assortment of 'Pomerols' in my "Cave-a-vin" :=) + +[INSTANT ACCESS] + The (c) Instant access routines are a commercial protection +scheme used to "unlock" complete commercial applications that +have been encrypted on CD- +ROMs which are distributed (mostly) through reviews. + This is an ideal cracking target: it's commercial software, +complete, uncrippled and of (relatively) prominent quality, that +you can get in tons for the price of a coke. Obviously this kind +of protection represents an ideal subject for our lessons. This +fairly intricate protection scheme has not yet been cracked by +anybody that I am aware of, anyway not publicly, therefore it's +an ideal candidate for a "strainer" to my university. I'll teach +you here how to crack it in three lessons, C.1, C.2 and C.3. I warn +you... 
it's a difficult cracking session, and this protection +represents quite an intellectual challenge. But if you are +seriously interested in our trade you will enjoy these lessons +more than anything else. + This cracking is intended as an "assignment" for my +HCU +"cracking university": you'll find inside lessons C.1 and C.2 a +relatively deep "introduction" to Instant access cracking. This +will teach you a lot anyway, and spare you hours of useless +roaming around, bringing you straight to the cracking point. But +I'll release the third part of this session, with the complete +solution (lesson C.3) on the Web only in october 1996, not a day +before. All the students that would like to apply to the Higher +Cracking University, opening on the web 01/01/1997, should work +in July, August and September (three months is more than enough +time) on this assignment. They should crack completely the +instant access scheme and send me their solutions, with a good +documentation of their cracking sessions, before 30/09/1996 +(WATCH IT! You can crack this scheme in -at least- three +different paths, be careful and choose the *best* one. WATCH IT! +Some of the informations) in lesson C.1 and C.2 are slightly incorrect: +check it!). +There are four possibilities: +1) The candidate has not found the crack or his solution is + not enough documented or not enough viable... the candidate + is therefore not (yet) crack-able, he will not be admitted + to the +HCU 1997 curses, better luck in 1998; +2) The cracking solution proposed by the candidate is not as + good as mine (you'll judge for yourself in october) but it + works nevertheless... 
he'll be admitted at the 1997 + courses; +3) The cracking solution of the candidate is more or less + equal to mine, he'll be admitted, personally monitored, and + he'll get all the material he needs to crack on higher + paths; +4) The cracking solution of the candidate is better than mine, + he'll be admitted, get all the material he wishes and asked + to teach us as well as study with us: "homines, dum docent, + discunt". + +[Cracking Instant access] + The user that wants to "unlock" a software application +protected with (c) Instant Access must enter first of all a +REGISTRATION number string, which through a series of +mathematical manipulations gives birth to a special "product" +code. On the basis of this "product code" the user is asked to +phone the commercial protectors (and pay) in order to get a +special "unlock code" that will allow him to decrypt the relevant +software. + This kind of "passnumber" protection routines are widely +used for software unlocking, BBS access, server access, backdoor +opening and many other protection schemes. We have already seen +password cracks in different lessons of this tutorial (in +particular Lessons 3.1 and 3.2 for DOS and Lessons 8.1, 8.2 and +9.1 for WIN) albeit on a more simplistic scale: there it did +mostly not matter very much *HOW* you passed the protection: once +passed, you could have access to the application. This is not the +case with (c) Instant Access. Face it: it's a little boring, but +important that you learn how to defeat intricate protection +routines (you'll meet them often in the next years) and I believe +that the following example will give you a "feeling" for the +right cracking approach. + In this case we must not only "crack" this protection scheme +but also study it thoroughly in order to achieve our blessed +aims. This is a very good exercise: reverse disassembling will +teach you a lot of little tricks that you'll be able to use in +your other future cracking sessions. 
+ Instant access (c) is a exceptionally widespread protection +scheme, and it should be relatively easy for you to gather some +encrypted software that has been protected with this method... +*DO IT QUICKLY!!* After the Web publishing of this lessons (I am +sending C.1 to 8 pages and 4 usenet groups on 25/06/1996) this +protection is obviously as dead as a Dodo. The "Accessors" guys +will have to conceive something smarter if they want to keep +selling "protections" to the lamer producers of "big" software. + BTW, if you are reading this and are working for some +commercial "protection" company, consider the possibility to +double cross your masters! Deliver me anonymously all the future +projects you are working on! That will amuse me, speed up the +advent of a true altruistic society and earn you the respect of +the better part of humanity. + As I said, many "huge" application are still protected with +this "Instant access" system. I have personally bought at least +7 or 8 "second hand" CD-ROMs packed full with Microsoft, Lotus, +Norton, Symantec, you name it, applications all "protected" +through this crap. The cost of this bunch of CD-ROMs was the +equivalent of a bottle of Dry Martini, maybe less. The same +software is sold, unlocked, to zombies and lusers for ludicrous +amounts of money. + Never buy CD-ROMs magazines when they appear! Be cool! Buy +them two or three months after the publishing date! Buy +"remainders" or "second hand" CD-ROM magazines "at kilo price"... +Come to think of it, never buy *anything* when it appears or when +some (paid) advertiser tells you to... remember that "trends", +"vogues", "fashions" and "modes" are only different names for the +whips that drill and chain the dull-witted slaves of this +loathsome society: "clever crackers consider cool, crack cheap, +cheat customary culture" (a rhetorical figure: an "Alliteration". +To defend yourself learn rhetoric... it's a more powerful and +more useful weapon than Kung-fu). 
+ The "triple" password protection routine in (c) Instant +Access is very interesting from a cracker point of view. It's a +relatively complex scheme: I'll teach you to crack it in two +phases: First of all you must find the "allowed" registration +code, the one that "ignites" the "product code". We must crack +and understand this re_code first if we want to crack the rest. + Just for the records, I am cracking here (c) Action Instant +access version 1.0 (CD-ROM found on a old copy of "Personal +Computer World" of August 1994, packed full with encrypted Lotus, +Symantec, Claris and Wordperfect applications. Just to be sure +I crosschecked my results with another CD-ROM which also has +applications protected with (c) Instant Access: Paragon +Publishing's PC OFFICE: the protection scheme remains the same). + +I am focusing for this lesson on the cracking of the specific +protection for the encrypted Symantec's Norton Utilities v.8.0. + Please refer to the previous lessons for the basic +techniques used in order to find the protection routine inside +our babe... for "low" cracking purposes you -basically- type a +number (in this case, where the input gets 10 numbers, we'll use +"1212-1212-12"), do your search inside the memory (s 30:0 +lffffffff "your_string") and then set memory breakpoints on all +the relevant memory locations till winice pops (I know, I know, +buddies... there are more effective ways... but hold your mouth: +for now we'll keep them among us: let's make things a little +harder for the protectionists who read this... Besides: the old +approach works here flawlessly). 
After getting the Registration +window on screen the Winice standard procedure is: + :task ; how + :heap IABROWSE ; where & what + :hwnd IABROWSE ; get the Winhandle + :bpx [winhandle] WM_GETTEXT ; pinpoint code + :bpx GetProcAddress ; in case of funny routines + :dex 0 ds:dx ; let's see their name + :gdt ; sniff the selectors + :s 30:0 lffffffff "Your_input_string" ; search in 4 giga data + :bpr [all memory ranges for your string that are above 80000000] +and so on. (continued in lesson C.2) + +Well, that's it for this lesson, reader. Not all lessons of my +tutorial are on the Web. + You 'll obtain the missing lessons IF AND ONLY IF you mail +me back (via anon.penet.fi) with some tricks of the trade I may +not know that YOU discovered. Mostly I'll actually know them +already, but if they are really new you'll be given full credit, +and even if they are not, should I judge that you rediscovered them +with your work, or that you actually did good work on them, +I'll send you the remaining lessons nevertheless. Your +suggestions and critics on the whole crap I wrote are also +welcomed. ++ORC an526164@anon.penet.fi + + diff --git a/textfiles.com/piracy/CRACKING/c101-90.000 b/textfiles.com/piracy/CRACKING/c101-90.000 new file mode 100644 index 00000000..ad196768 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/c101-90.000 
@@ -0,0 +1,79 @@ + CRACKING 101 - 1990 edition + + Ŀ + INTRODUCTION + + + by Buckaroo Banzai + + + A long time a go, in a galaxy far far away, a great + adventure took ... What, oh sorry, wrong textfile. + + + Hello my children. Let me introduce myself, I am the + great cracking guru BUCKAROO BANZAI (the original) and I'm + back after a couple of years of hiding (from the Feds? from + the IRS? No, from this girl MaryLou. Let me tell you, she + could ... oh well let's get back to the textfile). + + Let me tell you a little history about cracking on the + IBMpc. It all started about 11 years ago with an apple IIe. + See, I owned one and always wanted to learn how to crack (I + was already a good pirate). Unfortunately, I just never + could get the hang of it. + + Well anyway, then I got my PC, and right away started to + learn to program. Soon, I had pick up oh 4 languages one of + which was assemble language. So I started down the long road + to becoming a crackist. + + But the road was hard since unlike the apple, there were + NO textfiles on cracking the PC. Several unprotects, but + nothing that really told you what to do. But thanks to some + of the better known crackists of the day (Thanks SPI for the + help) I got through. + + It was at that point I decided to give something back. + And thus, after a long (and I mean long) night of sex, drugs + and rock and roll I started on my first cracking textfile. + (Ok, so there really wasn't any drugs) + + Since then, I have written about 10 different textfiles, + 4 utilities and cracked several dozen programs. So, why the + long pause, well I never really stopped cracking. I just + basicly stuck to myself. I never released any of my cracks + cause I was never first but several of my cracking programs + (most known is SECTOR-C) reached the pirate world. + + So, why am I back. 3 reasons. 
First is because now DOC + CHECKS have taken over the scene and nobody has really + written about them (plus I'm tired of seeing my old textfiles + butchered in "CRACKING" mags). Second is because I have some + free time, and third, because it was there. + + It feels kinda funny. I have written this intro file + several times, and the whole series has been rewritten. What + started off as 4 simple textfiles has grown. I have givin up + trying to write a book. What I'm doing is as a new game + reaches me, I will crack it, and then tell how it was done, + highlight the odd quirks about the crack. + + I have also compiled a preaty good reference on INT 13h. + I have included it with this series. And in the near future, + I hope to release several utilities that I use to help me + crack. + + As of this writing, I have 2 actual lessons done, and 2 + ready to be written. For the first 2 lessons I touch on both + types on copy protection (On disk copy protection with + I.B.M.'s DRAWING ASSISTANT and dos checks with EOA's ESCAPE + FROM HELL). I still have to compose 2 more files, 1 more on + each type (usings STAR CONTROL and CHAMBER OF THE SCI-MUNTANT + PREISTEST). From there, who the hells knows. + + So anyway, sit back, watch, listen, learn and if that + doesn't work, kick a small kid in the head... + + -Buckaroo Banzai + -the cracking guru diff --git a/textfiles.com/piracy/CRACKING/c101-90.002 b/textfiles.com/piracy/CRACKING/c101-90.002 new file mode 100644 index 00000000..5b65f4ec --- /dev/null +++ b/textfiles.com/piracy/CRACKING/c101-90.002 
@@ -0,0 +1,642 @@ + + CRACKING 101 - 1990 edition + + Lesson 2 + + Ŀ + DOC CHECK PRIMER + + + by Buckaroo Banzai + + + Ok, in this textfile, I will start talking about + removing doc check protection schemes. I find, the doc check + scheme to be slightly more difficult to work on than normal + INT 13 schemes. + + What is a doc check. Usually, a doc check when a + program ask the user to enter a phrase or code supplied with + the manual. Now, one might think that "Shit, we can just + type all the codes in to a textfile and upload it with the + DOCS", but that way of thinking breaks down on programs such + as Future Classics where there are 6 pages with about 200 + codes per page. So it is just better to remove the check + completely. + + In this primer, I will get in to the theory of removing + a doc check, then start with a simple example (Electronic + Art's ESCAPE FROM HELL). Then in the next file, I will take + you deeper in to the world of doc checks and work with more + difficult examples. But for now, lets get started. + + A doc check, in basic theory works much like normal + INT 13 copy protection. Somewhere in the beginning of the + program before it really starts, the check is made. If the + result is ok (ie the user enters the correct word or phrase) + then the program continues. If not, then the program simply + exits to dos. + + Simple right, well not really. Usually, the input + routine is part of the standard input routine of the program + so you just can't go about modify the call to INT 16h (the + keyboard interrupt) like you could with INT 13h. So, where + do we start. If you think back to cracking the old INT 13 + protection schemes, you would use a program like PCWATCH or + TRAP13 to get a rough idea of where the call resides. With + doc checks, this is really not the best way to do it. + + I suggest that you try to break in to the program well + before the protection is checked. 
Remember, we must remove + the check without messing with the actual input routine so we + want to come in highest level. + + So, how do we break in. By using a good debugger. I + suggest Periscope. I find it is the best and easiest to use. + Once we are in, all the is left is to trace through the + program until we find the topmost call to the doc check. Now + we're moving. + + So let's say we have broken in to the program and found + the topmost call to the doc check. What next. We must try + to figure out what the program does. There are 2 + possibilities. First, the program could simply check the + inputed string against a value in memory, and if they don't + match simply exit to dos and if they do, just continue with + the program; or if the input matches it can set a flag in + memory that is checked by some routine later. + + So, on to the example. NOTE! All address might be + different. This is how it looked when I cracked it. ALSO + NOTE, you should be cracking without any memory resident + programs. Make sure MEMORY is clear, and that you load the + system the same way each time. Remember, if you load + everything the same, everything will be in the same memory + location. + + So, what is our first step. Well, I suggest picking out + the right tools to do the job. In this case, You will only + need PERISCOPE (and the addin program that comes with it + called PSKEY) and a good file editor (when I say good I mean + it can edit and search in hex). So let's get started. + + First, we load PERISCOPE (PS from now on). This is + gonna be the debugger we use. Next, we need a quick way in + to the debugger. Since ESCAPE FROM HELL (EFH from now on) is + not all the picky about how it keeps a crackest out, PSKEY + will do just fine but not without using a little trick. + + Normally, when using PSKEY (for those of you who do not + know what PSKEY does, it allows up to break in to PS usings a + TSR hotkey) and you hit the hotkey, PSKEY does an INT 2h + (NMI). 
This then brings up PS and you are set. But, EFH + revectors INT 2h (NMI) to simply an IRET so this method does + not work. How do we get around this, well, INT 2h is the + default used with PSKEY but not the only way to work it. You + can also use INT 3h (Breakpoint interrupt) or INT 15h + (Extended services interrrupt) to activate PS. In this case + we will use INT 3h; so when we invoke PSKEY we add the + command line parameter "3" (ie: "PSKEY 3CAL" invokes PSKEY + using INT 3h setting the hotkey to CTRL-ALT-LEFT_SHIFT). + + So, now that we have a way in to EFH, where do we want + to break out. Well boys (and Girls, and BTW: if there are + any Fems reading this, give me a ring, I'd like to hear from + ya) I don't have any formula to give, but remember, I suggest + that we try to break in to the outermost loop. So, + experiance (and a good fucking guess) tells me to break out + in the title screen before the music begins. + + It just so happens that this time I was right (And noone + had to get nail to anything -D.A.) Right after the title + picture comes up, press your hotkey (oooh). The PS debugging + screen should come up and you should see the follow section + of code.. + + 2309:019C CF IRET + 2309:019D 3D0085 CMP AX,8500 + etc. + + This is the exit code from PSKEY. By usings the J(ump) + command, and executing the IRET, you will be put back right + to the spot where you pressed the hotkey (boy I'm getting + excited). I would love to give you a code fragment here, but + each time you press the hotkey you will end up at a different + point. + + So what do we do next. Well, we will just have to keep + executing code until we find some reference point. Remember + how I said we wanted to break out before we reached to music + at the title screen. Well, you can bet that we are in the + outermost loop since the music comes before the doc check and + we haven't reached the call to the music routine yet. So we + start executing code. + + Then all of the sudden BOOM! 
you execute a CALL + instruction and music bursts through the speaker. AHa, a + reference point. We know we are on the right track. + + Press during the music so that we can skip the + stupid intro for now. After pressing you should regain + control at the instruction after the call to the music + routine. + + From here on out, we want to procede rather slowly. + Each time you reach a CALL instruction you want to write down + the address where it is located. Sooner or later you will + execute a CALL instruction and EFH will jump in to it's doc + check routine. But damn, you have the address of the that + call WRITTEN DOWN right. So simply reboot and reload + everything. + + Break out in to PS at the title picture. Now, + unassemble the address you wrote down. You should see + something like this + + 21DD:3EA4 9AA5368132 CALL 3281:36A5 (current line) + 21DD:3EA4 9A522F8132 CALL 3281:2F52 + 21DD:3EA4 C706BB070000 MOV WORD PTR [07BB],0000 + 21DD:3EA4 8BE5 MOV SP,BP + 21DD:3EA4 5D POP BP + 21DD:3EA4 CB RETF + + The first call, is the call to the doc check, therefore + it can for now be assumed that the second call is to the + actual game (remember, most programmers follow good + programming practice and will exit the routine that does the + doc check to finish the game). Please NOTE, from here on + out, if I say go back to STEP 1, reboot the machine, reload + and get to this point. Ok. + + Our first though in seeing code like this is shit maybe + they just check the keyword and exit to dos if it's bad; if + it it's good, then they just exit that subroutine and start + the game. So having lots of time on our hands, we try just + executing the second CALL and bypass the first (you can do + that by setting the IP (instruction pointer) register to the + offset of the second call [In our case 3EA9]). When you do + this, the screen clears, and you see the character (Richard) + on the screen. 
But just as you think it worked, it switches + back to text mode and prints the message "Hell is HOT". Shit + I hate it when that happens. + + So now we know that somewhere in the doc check routine, + EFH sets a flag in memory. We must figure out where this + flag is and figure out a way to fake it. So go back to step + 1, this time, let's trace (using the T command) in to the doc + check routine. + + I have included the entire outerloop of the doc check + routine here. The small subroutines are not of any + importants and infact when I first crack EFH, I never traced + in to any of them. It wasn't until I was out getting this + information that I took a look to see what they did. + + Here is the dos check code. I have place some basic + instructions that should help you as you go along. Although + you address might be different than mine, I will use mine for + reference. Also, I have noted some special subroutines along + the way. + + ( - Unassembled DOC CHECK for ESCAPE FROM HELL [outer loop] ) + + First, we start off with some initialization routines. + You don't need to be all to concerned with them. 
+ + 3281:36A5 55 PUSH BP + 3281:36A6 8BEC MOV BP,SP + 3281:36A8 83EC2A SUB SP,+2A + 3281:36AB C746DE0000 MOV WORD PTR [BP-22],0000 + 3281:36B0 B80600 MOV AX,0006 + 3281:36B3 50 PUSH AX + 3281:36B4 9AE3169900 CALL 0099:16E3 + 3281:36B9 59 POP CX + 3281:36BA 48 DEC AX + 3281:36BB 8946DA MOV [BP-26],AX + 3281:36BE B80F00 MOV AX,000F + 3281:36C1 50 PUSH AX + 3281:36C2 9AE3169900 CALL 0099:16E3 + 3281:36C7 59 POP CX + 3281:36C8 48 DEC AX + 3281:36C9 8946DC MOV [BP-24],AX + 3281:36CC C706CB070E00 MOV WORD PTR [07CB],000E + 3281:36D2 C746D60000 MOV WORD PTR [BP-2A],0000 + 3281:36D7 E9C002 JMP 399A + 3281:36DA C746D80000 MOV WORD PTR [BP-28],0000 + 3281:36DF E92501 JMP 3807 + 3281:36E2 9A9B479900 CALL 0099:479B + 3281:36E7 B83866 MOV AX,6638 + 3281:36EA 50 PUSH AX + 3281:36EB A03407 MOV AL,[0734] + 3281:36EE B400 MOV AH,00 + 3281:36F0 50 PUSH AX + 3281:36F1 B80C00 MOV AX,000C + 3281:36F4 50 PUSH AX + 3281:36F5 B8CF00 MOV AX,00CF + 3281:36F8 50 PUSH AX + 3281:36F9 8B46DC MOV AX,[BP-24] + 3281:36FC BA5800 MOV DX,0058 + 3281:36FF F7E2 MUL DX + 3281:3701 8BD8 MOV BX,AX + 3281:3703 8A87F640 MOV AL,[BX+40F6] + 3281:3707 B400 MOV AH,00 + 3281:3709 8BD8 MOV BX,AX + 3281:370B 81C39400 ADD BX,0094 + 3281:370F D1E3 SHL BX,1 + 3281:3711 D1E3 SHL BX,1 + 3281:3713 FFB7F25D PUSH [BX+5DF2] + 3281:3717 FFB7F05D PUSH [BX+5DF0] + 3281:371B 9AE7019900 CALL 0099:01E7 + 3281:3720 83C40C ADD SP,+0C + 3281:3723 8B46DA MOV AX,[BP-26] + 3281:3726 3D0500 CMP AX,0005 + 3281:3729 7603 JBE 372E + 3281:372B E9B200 JMP 37E0 + 3281:372E 8BD8 MOV BX,AX + 3281:3730 D1E3 SHL BX,1 + 3281:3732 2E CS: + 3281:3733 FFA73737 JMP [BX+3737] + 3281:3737 43 INC BX + 3281:3738 37 AAA + 3281:3739 5E POP SI + 3281:373A 37 AAA + 3281:373B 7837 JS 3774 + 3281:373D 92 XCHG DX,AX + 3281:373E 37 AAA + 3281:373F AC LODSB + 3281:3740 37 AAA + 3281:3741 C637B8 MOV BYTE PTR [BX],B8 + 3281:3744 2000 AND [BX+SI],AL + 3281:3746 50 PUSH AX + 3281:3747 B82E01 MOV AX,012E + 3281:374A 50 PUSH AX + 3281:374B B88100 MOV AX,0081 + 
3281:374E 50 PUSH AX + 3281:374F B87348 MOV AX,4873 + 3281:3752 50 PUSH AX + 3281:3753 9AD6029900 CALL 0099:02D6 + 3281:3758 83C408 ADD SP,+08 + 3281:375B E98200 JMP 37E0 + 3281:375E B82000 MOV AX,0020 + 3281:3761 50 PUSH AX + 3281:3762 B82E01 MOV AX,012E + 3281:3765 50 PUSH AX + 3281:3766 B88100 MOV AX,0081 + 3281:3769 50 PUSH AX + 3281:376A B88648 MOV AX,4886 + 3281:376D 50 PUSH AX + 3281:376E 9AD6029900 CALL 0099:02D6 + 3281:3773 83C408 ADD SP,+08 + 3281:3776 EB68 JMP 37E0 + 3281:3778 B82000 MOV AX,0020 + 3281:377B 50 PUSH AX + 3281:377C B82E01 MOV AX,012E + 3281:377F 50 PUSH AX + 3281:3780 B88100 MOV AX,0081 + 3281:3783 50 PUSH AX + 3281:3784 B8AD48 MOV AX,48AD + 3281:3787 50 PUSH AX + 3281:3788 9AD6029900 CALL 0099:02D6 + 3281:378D 83C408 ADD SP,+08 + 3281:3790 EB4E JMP 37E0 + 3281:3792 B82000 MOV AX,0020 + 3281:3795 50 PUSH AX + 3281:3796 B82E01 MOV AX,012E + 3281:3799 50 PUSH AX + 3281:379A B88100 MOV AX,0081 + 3281:379D 50 PUSH AX + 3281:379E B8C748 MOV AX,48C7 + 3281:37A1 50 PUSH AX + 3281:37A2 9AD6029900 CALL 0099:02D6 + 3281:37A7 83C408 ADD SP,+08 + 3281:37AA EB34 JMP 37E0 + 3281:37AC B82000 MOV AX,0020 + 3281:37AF 50 PUSH AX + 3281:37B0 B82E01 MOV AX,012E + 3281:37B3 50 PUSH AX + 3281:37B4 B88100 MOV AX,0081 + 3281:37B7 50 PUSH AX + 3281:37B8 B8E848 MOV AX,48E8 + 3281:37BB 50 PUSH AX + 3281:37BC 9AD6029900 CALL 0099:02D6 + 3281:37C1 83C408 ADD SP,+08 + 3281:37C4 EB1A JMP 37E0 + 3281:37C6 B82000 MOV AX,0020 + 3281:37C9 50 PUSH AX + 3281:37CA B82E01 MOV AX,012E + 3281:37CD 50 PUSH AX + 3281:37CE B88100 MOV AX,0081 + 3281:37D1 50 PUSH AX + 3281:37D2 B80F49 MOV AX,490F + 3281:37D5 50 PUSH AX + 3281:37D6 9AD6029900 CALL 0099:02D6 + 3281:37DB 83C408 ADD SP,+08 + 3281:37DE EB00 JMP 37E0 + 3281:37E0 B82D00 MOV AX,002D + 3281:37E3 50 PUSH AX + 3281:37E4 B88200 MOV AX,0082 + 3281:37E7 50 PUSH AX + 3281:37E8 9A96029900 CALL 0099:0296 + 3281:37ED 59 POP CX + 3281:37EE 59 POP CX + 3281:37EF B82849 MOV AX,4928 + 3281:37F2 50 PUSH AX + 3281:37F3 9A3F039900 CALL 
0099:033F + 3281:37F8 59 POP CX + 3281:37F9 837ED800 CMP WORD PTR [BP-28],+00 + 3281:37FD 7505 JNZ 3804 + + Here is the first point of interest. The call on the + following line will display the "what is xxxx" message. Ŀ + + 3281:37FF 9A1B019900 CALL 0099:011B < + + 3281:3804 FF46D8 INC WORD PTR [BP-28] + 3281:3807 837ED802 CMP WORD PTR [BP-28],+02 + 3281:380B 7D03 JGE 3810 + 3281:380D E9D2FE JMP 36E2 + 3281:3810 8B46DA MOV AX,[BP-26] + 3281:3813 3D0500 CMP AX,0005 + 3281:3816 7603 JBE 381B + 3281:3818 E97401 JMP 398F + 3281:381B 8BD8 MOV BX,AX + 3281:381D D1E3 SHL BX,1 + 3281:381F 2E CS: + 3281:3820 FFA72438 JMP [BX+3824] + 3281:3824 3038 XOR [BX+SI],BH + 3281:3826 6E DB 6E + 3281:3827 38AC38EA CMP [SI+EA38],CH + 3281:382B 3827 CMP [BX],AH + 3281:382D 396439 CMP [SI+39],SP + 3281:3830 B81000 MOV AX,0010 + 3281:3833 50 PUSH AX + 3281:3834 16 PUSH SS + 3281:3835 8D46E2 LEA AX,[BP-1E] + 3281:3838 50 PUSH AX + 3281:3839 9AFB149900 CALL 0099:14FB + 3281:383E 83C406 ADD SP,+06 + 3281:3841 8D46E2 LEA AX,[BP-1E] + 3281:3844 50 PUSH AX + 3281:3845 9A0F00B81B CALL 1BB8:000F + 3281:384A 59 POP CX + 3281:384B 8B46DC MOV AX,[BP-24] + 3281:384E BA5800 MOV DX,0058 + 3281:3851 F7E2 MUL DX + 3281:3853 05F740 ADD AX,40F7 + 3281:3856 50 PUSH AX + 3281:3857 8D46E2 LEA AX,[BP-1E] + 3281:385A 50 PUSH AX + 3281:385B 9A0E00661A CALL 1A66:000E + 3281:3860 59 POP CX + 3281:3861 59 POP CX + 3281:3862 0BC0 OR AX,AX + 3281:3864 7505 JNZ 386B + 3281:3866 C746DEFFFF MOV WORD PTR [BP-22],FFFF + 3281:386B E92101 JMP 398F + 3281:386E B81000 MOV AX,0010 + 3281:3871 50 PUSH AX + 3281:3872 16 PUSH SS + 3281:3873 8D46E2 LEA AX,[BP-1E] + 3281:3876 50 PUSH AX + 3281:3877 9AFB149900 CALL 0099:14FB + 3281:387C 83C406 ADD SP,+06 + 3281:387F 8D46E2 LEA AX,[BP-1E] + 3281:3882 50 PUSH AX + 3281:3883 9A0F00B81B CALL 1BB8:000F + 3281:3888 59 POP CX + 3281:3889 8B46DC MOV AX,[BP-24] + 3281:388C BA5800 MOV DX,0058 + 3281:388F F7E2 MUL DX + 3281:3891 050841 ADD AX,4108 + 3281:3894 50 PUSH AX + 3281:3895 8D46E2 LEA 
AX,[BP-1E] + 3281:3898 50 PUSH AX + 3281:3899 9A0E00661A CALL 1A66:000E + 3281:389E 59 POP CX + 3281:389F 59 POP CX + 3281:38A0 0BC0 OR AX,AX + 3281:38A2 7505 JNZ 38A9 + 3281:38A4 C746DEFFFF MOV WORD PTR [BP-22],FFFF + 3281:38A9 E9E300 JMP 398F + 3281:38AC B81000 MOV AX,0010 + 3281:38AF 50 PUSH AX + 3281:38B0 16 PUSH SS + 3281:38B1 8D46E2 LEA AX,[BP-1E] + 3281:38B4 50 PUSH AX + 3281:38B5 9AFB149900 CALL 0099:14FB + 3281:38BA 83C406 ADD SP,+06 + 3281:38BD 8D46E2 LEA AX,[BP-1E] + 3281:38C0 50 PUSH AX + 3281:38C1 9A0F00B81B CALL 1BB8:000F + 3281:38C6 59 POP CX + 3281:38C7 8B46DC MOV AX,[BP-24] + 3281:38CA BA5800 MOV DX,0058 + 3281:38CD F7E2 MUL DX + 3281:38CF 051941 ADD AX,4119 + 3281:38D2 50 PUSH AX + 3281:38D3 8D46E2 LEA AX,[BP-1E] + 3281:38D6 50 PUSH AX + 3281:38D7 9A0E00661A CALL 1A66:000E + 3281:38DC 59 POP CX + 3281:38DD 59 POP CX + 3281:38DE 0BC0 OR AX,AX + 3281:38E0 7505 JNZ 38E7 + 3281:38E2 C746DEFFFF MOV WORD PTR [BP-22],FFFF + 3281:38E7 E9A500 JMP 398F + 3281:38EA B81000 MOV AX,0010 + 3281:38ED 50 PUSH AX + 3281:38EE 16 PUSH SS + 3281:38EF 8D46E2 LEA AX,[BP-1E] + 3281:38F2 50 PUSH AX + 3281:38F3 9AFB149900 CALL 0099:14FB + 3281:38F8 83C406 ADD SP,+06 + 3281:38FB 8D46E2 LEA AX,[BP-1E] + 3281:38FE 50 PUSH AX + 3281:38FF 9A0F00B81B CALL 1BB8:000F + 3281:3904 59 POP CX + 3281:3905 8B46DC MOV AX,[BP-24] + 3281:3908 BA5800 MOV DX,0058 + 3281:390B F7E2 MUL DX + 3281:390D 052A41 ADD AX,412A + 3281:3910 50 PUSH AX + 3281:3911 8D46E2 LEA AX,[BP-1E] + 3281:3914 50 PUSH AX + 3281:3915 9A0E00661A CALL 1A66:000E + 3281:391A 59 POP CX + 3281:391B 59 POP CX + 3281:391C 0BC0 OR AX,AX + 3281:391E 7505 JNZ 3925 + 3281:3920 C746DEFFFF MOV WORD PTR [BP-22],FFFF + 3281:3925 EB68 JMP 398F + 3281:3927 B81000 MOV AX,0010 + 3281:392A 50 PUSH AX + 3281:392B 16 PUSH SS + 3281:392C 8D46E2 LEA AX,[BP-1E] + 3281:392F 50 PUSH AX + + Next point of interest. When you execute this line, the + game will pause and wait for you to enter the code word from + the manual. 
Ŀ + + + 3281:3930 9AFB149900 CALL 0099:14FB < + + 3281:3935 83C406 ADD SP,+06 + 3281:3938 8D46E2 LEA AX,[BP-1E] + 3281:393B 50 PUSH AX + 3281:393C 9A0F00B81B CALL 1BB8:000F + 3281:3941 59 POP CX + 3281:3942 8B46DC MOV AX,[BP-24] + 3281:3945 BA5800 MOV DX,0058 + 3281:3948 F7E2 MUL DX + 3281:394A 053B41 ADD AX,413B + 3281:394D 50 PUSH AX + 3281:394E 8D46E2 LEA AX,[BP-1E] + 3281:3951 50 PUSH AX + 3281:3952 9A0E00661A CALL 1A66:000E + 3281:3957 59 POP CX + 3281:3958 59 POP CX + 3281:3959 0BC0 OR AX,AX + 3281:395B 7505 JNZ 3962 + 3281:395D C746DEFFFF MOV WORD PTR [BP-22],FFFF + 3281:3962 EB2B JMP 398F + 3281:3964 33D2 XOR DX,DX + 3281:3966 B8B80B MOV AX,0BB8 + 3281:3969 52 PUSH DX + 3281:396A 50 PUSH AX + + Next point of interest. This call is the final + evaluation of the entered word (or phrase). On return, it + checks a checksum value. This whole next section of code + (up to 3281:39Ad) simply test the validity of the keyword you + entered. I have marked the all jumps that happened when I + entered my keyword with an " * ". + + 3281:396B 9A71139900 CALL 0099:1371 + 3281:3970 59 POP CX + 3281:3971 59 POP CX + 3281:3972 8946E0 MOV [BP-20],AX + 3281:3975 8B46DC MOV AX,[BP-24] + 3281:3978 BA5800 MOV DX,0058 + 3281:397B F7E2 MUL DX + 3281:397D 8BD8 MOV BX,AX + 3281:397F 8B874C41 MOV AX,[BX+414C] + 3281:3983 3B46E0 CMP AX,[BP-20] + 3281:3986 7505 *JNZ 398D + 3281:3988 C746DEFFFF MOV WORD PTR [BP-22],FFFF + 3281:398D EB00 JMP 398F + 3281:398F 837EDE00 CMP WORD PTR [BP-22],+00 + 3281:3993 7402 *JZ 3997 + 3281:3995 EB0C JMP 39A3 + 3281:3997 FF46D6 INC WORD PTR [BP-2A] + 3281:399A 837ED602 CMP WORD PTR [BP-2A],+02 + 3281:399E 7D03 *JGE 39A3 + 3281:39A0 E937FD JMP 36DA + 3281:39A3 837EDE00 CMP WORD PTR [BP-22],+00 + 3281:39A7 7504 *JNZ 39AD + 3281:39A9 0E PUSH CS + 3281:39AA E8E8FC CALL 3695 + + This is the last point of interest. The next + instruction is where we set the key (by moving FFFFh to the + memory location DS:0744h). 
This is what we need to fake to + allow the system to run. Ŀ + + 3281:39AD C7064407FFFF MOV WORD PTR [0744],FFFF < + 3281:39B3 B8FFFF MOV AX,FFFF + 3281:39B6 50 PUSH AX + 3281:39B7 9AC0479900 CALL 0099:47C0 + 3281:39BC 59 POP CX + 3281:39BD 8BE5 MOV SP,BP + 3281:39BF 5D POP BP + 3281:39C0 CB RETF + + Ok, we have now finished the doc check, and control has + returned (when the RETF instruction was executed) to + 21DD:3EA9. We are now ready to continue with the game. + + + Notice the instruction at 3281:39AD. This is where EFH + sets that external flag. But how did I determine this. + Well, by luck. If you look through the entire routine, you + will not find any other instructions placing a value in the + data segment (DS). And since I decided a long time ago that + EFH was written in a higher level language, we can assume + that it is writting to some variable. + + So, hoping that we have found the flag, we go back to + step 1. This time, we manualy edit the word at DS:0744 and + place the value FFFFh there. We then skip over the call the + the doc check and execute the game. Then before our eyes, + shit happenes. The game comes up, and everything is fine. + By George you've got it. + + So how do we fix the program to always return a good doc + check. Well, we could go about it 2 ways. The first, is you + could simple modify the instruction at 3281:3935 to perform a + long jump to 3281:39AD. This would force set the value no + matter what was typed. But who the fuck wants to have to + type anything. I sure don't so lets think of another way. + + If we look at the entire doc check routine, we will see + that it does nothing but handle the doc check (remember when + we first bypassed the check. The screen came up and + everything looked fine until it dropped you out. So we can + assume that the actual screen is not setup in doc check. So + I suggest placing a small patch right in the begining of the + doc check. + + But what should this patch do? 
(BTW: it's late and I + don't know If I'm using ?s right. So if not TOO FUCKING + BAD). Well, all it should do is place the value FFFFh at + DS:0744h. Here is the assembly language routine to do it. + + 50 PUSH AX + B8FFFF MOV AX,FFFF + 3E DS: + A34407 MOV WORD PTR [0744],AX + 58 POP AX + CB RETF + + This small routine will place the value FFFFh at DS:744 + and then exit back to the main loop. Simple huh (note, you + don't really need the save AX or load AX with FFFFh for that + matter but I did it for clarity). + + So now that we have the patch, and now where to put it, + how do we get it there. Well, thats where the file editor + comes in, but first you will need 2 things. The hex + equivlent of out patch (in this case the 10 bytes : + 50,B8,FF,FF,3E,A3,44,07,58,CB) and some string to search for. + I suggest usings the first 14 bytes of the routines we are + going to write over (the code at address 3281:36A5). Those + bytes are 55, 8B, EC, 83, EC ,2A ,C7, 46, DE ,00 ,00, B8, 06, + and 00. When selecting the search string, select only + instructions that ARN'T call, jump, loop or any instruction + that has a memory address in them. This value will NOT be + the same when you do the search. + + Now, using for file editor (I used PCTOOLS, but NORTON's + will do) search for our string (55,8B, etc). When it is + found (somewhere near sector 200) write down the sector #. + Now, go and edit that sector. Find our search string (55,8B, + etc) and replace it with the patch string (50,B8,FF, etc). + Now save the sector. + + Your down. Try playing the game. It should load up, + and then go right from the title page (or the intro) to the + game without stopping at the doc check. If your doesn't, + then you fucked up. Restart from the beginning (NO, this + file didn't fuck up, and I DON'T MAKE MISTAKES). + + Well, you did it. You have now removed your first doc + check. Don't ya feel real good. With time, you will be able + to remove any type of doc check. 
+ + + -BUCKAROO BANZAI + + + At this time I would just like to say + + `ALL CRACKING GROUPS SUCK!' diff --git a/textfiles.com/piracy/CRACKING/c101-90.003 b/textfiles.com/piracy/CRACKING/c101-90.003 new file mode 100644 index 00000000..2ebdf93c --- /dev/null +++ b/textfiles.com/piracy/CRACKING/c101-90.003 
@@ -0,0 +1,399 @@ + + CRACKING 101 - 1990 edition + + Lesson 3 + + Ŀ + CHAMBER OF THE SCI-MUTANT PREISTEST + + + + Oh shit, I have finally found a newer program that has + on disk copy protection. Good, you'all need a refresher + course on so here it is (YO JB study hard, you might learn + something). + + CHAMBER of the SCI-MUTANT PREISTEST (CSMP) is a really + fucked up game but was simple to unprotect. So, lets dive + right in. We will be using DEBUG here (although I used + periscope but then shit I'm special) to do the crack. Lets + dive in. When we first load CSMP (the file ERE.COM) and + unassemble it here is what we get. + + u 100 10B + + 119A:0100 8CCA MOV DX,CS + 119A:0102 81C2C101 ADD DX,01C1 + 119A:0106 52 PUSH DX + 119A:0107 BA0F00 MOV DX,000F + 119A:010A 52 PUSH DX + 119A:010B CB RETF + + I included the register listing for a reason. NOTICE + that this piece of code just seem to stop (the RETF) + statement. Well, what is really does is place the address + (segment and offset) of the real starting point on to the + stack and the execute a far return to that location. Now + this might fool a real beginner (or at least make him worry a + bit but us...no way). + + If you take the current CS value and add 1C1 to it (in + segment addition) you will get the segment address 135B (that + is if you are using my example of 119A. If not then you will + not get 135B but trust me, it's the right value). + + So since we want to be at the real program, execute the + code until 10B (ie use the command "G 10B") then trace + through the next instruction. + + If you now unassemble the code, here is what it should + look like. 
+ + -u 000f 36 + + 135B:000F 9C PUSHF + 135B:0010 50 PUSH AX + 135B:0011 1E PUSH DS + 135B:0012 06 PUSH ES + 135B:0013 0E PUSH CS + 135B:0014 1F POP DS + 135B:0015 0E PUSH CS + 135B:0016 07 POP ES + 135B:0017 FC CLD + 135B:0018 89260B00 MOV [000B],SP + 135B:001C C70600000102 MOV WORD PTR [0000],0201 + 135B:0022 B013 MOV AL,13 + 135B:0024 A23500 MOV [0035],AL + 135B:0027 A2FF01 MOV [01FF],AL + 135B:002A A22F02 MOV [022F],AL + 135B:002D A23901 MOV [0139],AL + 135B:0030 B280 MOV DL,80 + 135B:0032 B408 MOV AH,08 + 135B:0034 CD21 INT 21 + 135B:0036 7232 JB 006A + + + Since we are looking for a disk based copy protection, + it might be a good time to look for INT 13. So search the + current segment for INT 13 with the command + + S 135B:0 FFFF CD 13 + + But shit, nothing. You mean this program doesn't use + int 13. Be real. Reread the first lesson. You know the one + that talks about self modifing code. This is what we have + here. Let's take a closer look at the last bit of code but + this time, with my comments added. + + -u 000f 36 + + ; The first part of the code simple sets up for the return to + ; dos as well as sets ES and DS + + 135B:000F 9C PUSHF + 135B:0010 50 PUSH AX + 135B:0011 1E PUSH DS + 135B:0012 06 PUSH ES + 135B:0013 0E PUSH CS + 135B:0014 1F POP DS ; Set DS to CS + 135B:0015 0E PUSH CS + 135B:0016 07 POP ES ; Set ES to DS + 135B:0017 FC CLD + + 135B:0018 89260B00 MOV [000B],SP + + ; The next instruction sets up a variable that is used in the + ; routine that reads in the sectors from the disk. More on + ; later. + + 135B:001C C70600000102 MOV WORD PTR [0000],0201 + + ; Now, here is the self modifing code. Notice at AL is 13 + ; (INT 13h ... Get it). Look at the first memory location + ; (35h) and remember that DS = CS. With this in mind, when + ; then instuction at 135B:0024 is executed byte at 135B:0035 + ; will be changed to 13h. That will in fact change the + ; INT 21h at 135B:0034 to an INT 13h. And so on, and so on. 
+ + 135B:0022 B013 MOV AL,13 ; New value + 135B:0024 A23500 MOV [0035],AL ; Change to INT 13h + 135B:0027 A2FF01 MOV [01FF],AL ; Change to INT 13h + 135B:002A A22F02 MOV [022F],AL ; Change to INT 13h + 135B:002D A23901 MOV [0139],AL ; Change to INT 13h + + ; If you lookup DOS function 08 you will find it's CONSOLE + ; INPUT. Now does that seem out of place to you. + + 135B:0030 B280 MOV DL,80 + 135B:0032 B408 MOV AH,08 + 135B:0034 CD21 INT 21 ; Changed to INT 13h + 135B:0036 7232 JB 006A + + + Whoa, that was tricky. If you execute up to 135B:30 + here is what it should look like.. + + + 135B:0030 B280 MOV DL,80 + 135B:0032 B408 MOV AH,08 + 135B:0034 CD13 INT 13 + 135B:0036 7232 JB 006A + + AHA, now we are getting somewhere. If we lookup what + disk function 08 means, you won't be suprised. Function 08h + is GET DRIVE TYPE. It will tell what type of disk drive we + have. Remember, if you are loading off of a hard disk then + it wants to use a different routine. Since we want it to + think we are loading off of disk, then we want to take this + jump. So for now, force the jmp by setting IP to 6A. + + At 135B:006A you find another jmp instruction + + 135B:006A EB6B JMP 00D7 + + + This jumps to the routine that does the actual disk + check. Here is the outer loop of that code (With my comments + of course). + + ; This first part of this routine simply test to see how many + ; disk drives you have. 
+ + + 135B:00D7 CD11 INT 11 + 135B:00D9 25C000 AND AX,00C0 + 135B:00DC B106 MOV CL,06 + 135B:00DE D3E8 SHR AX,CL + 135B:00E0 FEC0 INC AL + 135B:00E2 FEC0 INC AL + 135B:00E4 A20200 MOV [0002],AL + + ; Next, so setup for the actual disk check + + + 135B:00E7 C606090000 MOV BYTE PTR [0009],00 + 135B:00EC B9F127 MOV CX,27F1 + 135B:00EF 8BE9 MOV BP,CX + 135B:00F1 B107 MOV CL,07 + 135B:00F3 F8 CLC + + ; This calls the protection routine part 1 + + 135B:00F4 E82F00 CALL 0126 + + 135B:00F7 B9DE27 MOV CX,27DE + 135B:00FA 8BE9 MOV BP,CX + 135B:00FC B108 MOV CL,08 + 135B:00FE F9 STC + + ; This calls the protection routine part 2 + + 135B:00FF E82400 CALL 0126 + + 135B:0102 8D1E5802 LEA BX,[0258] + 135B:0106 8D361C01 LEA SI,[011C] + 135B:010A 8BCD MOV CX,BP + 135B:010C AC LODSB + 135B:010D 8AC8 MOV CL,AL + + ; This calls the protection routine part 3 + + 135B:010F E8E300 CALL 01F5 + + ; Makes the final check + + 135B:0112 7271 JB 0185 + 135B:0114 AC LODSB + 135B:0115 0AC0 OR AL,AL + 135B:0117 75F4 JNZ 010D ; If not correct, try again + 135B:0119 EB77 JMP 0192 ; Correct, continue program + 135B:011B 90 NOP + + + There are calls to 2 different subroutines. The routine + at 126 and the routine at 1F5. If you examine the routine at + 126 you find that it makes several calls to the routine at + 1F5. Then you you examine the routine at 1F5 you see the + actual call to INT 13. Here is the code for both routine + with comments + + + ; First, it sets up the sector, head and drive information. 
+ ; DS:000A holds the sector to read + + 135B:0126 880E0A00 MOV [000A],CL + 135B:012A 8A160900 MOV DL,[0009] + 135B:012E B600 MOV DH,00 + + ; Sets the DTA + + 135B:0130 8D365802 LEA SI,[0258] + 135B:0134 7213 JB 0149 + + ; Resets the disk + + 135B:0136 33C0 XOR AX,AX + 135B:0138 CD13 INT 13 + + ; Calls the the check + + 135B:013A B90114 MOV CX,1401 ; TRACK 14 sector 1 + 135B:013D 8BDE MOV BX,SI + 135B:013F E8B300 CALL 01F5 + + + ; The next track/sector to read in is stored in BP + + 135B:0142 8BCD MOV CX,BP + 135B:0144 E8AE00 CALL 01F5 + 135B:0147 7234 JB 017D ; If an error occured, + ; trap it. + + + 135B:0149 88160900 MOV [0009],DL ; Reset drive + 135B:014D 8A0E0A00 MOV CL,[000A] ; reset sector + 135B:0151 E8A100 CALL 01F5 ; check protection + 135B:0154 722F JB 0185 ; Check for an error + + 135B:0156 8D5C20 LEA BX,[SI+20] + + 135B:0159 8BCD MOV CX,BP ; Get next T/S + 135B:015B B010 MOV AL,10 ; Ignore this + 135B:015D E89500 CALL 01F5 ; Check protection + 135B:0160 7223 JB 0185 ; check for error + + ; The next sector of code checks to see if what was read in + ; is the actual protected tracks + + ; First check + + 135B:0162 8DBCAC00 LEA DI,[SI+00AC] + 135B:0166 B91000 MOV CX,0010 + 135B:0169 F3 REPZ + 135B:016A A7 CMPSW + + ; NOTE: If it was a bad track, it will jmp to 185. A good + ; read should just continue + + 135B:016B 7518 JNZ 0185 + + ; Second check + + 135B:016D 8D365802 LEA SI,[0258] + 135B:0171 8D3E3702 LEA DI,[0237] + 135B:0175 B90400 MOV CX,0004 + 135B:0178 F3 REPZ + 135B:0179 A7 CMPSW + + ; see NOTE above + + 135B:017A 7509 JNZ 0185 + + ; This exit back to the main routine. + + 135B:017C C3 RET + + ; Here is the start of the error trap routines. Basicly what + ; they do is check an error count. If it's not 0 then it + ; retries everything. If it is 0 then it exit back to dos. 
+ + 135B:017D FEC2 INC DL + 135B:017F 3A160200 CMP DL,[0002] + 135B:0183 72B1 JB 0136 + 135B:0185 E85400 CALL 01DC + 135B:0188 8B260B00 MOV SP,[000B] + 135B:018C 2BC9 SUB CX,CX + 135B:018E 58 POP AX + 135B:018F 50 PUSH AX + 135B:0190 EB1F JMP 01B1 + + + ** Here is the actual code the does the check ** + + ; ES:BX points to the buffer + + 135B:01F5 1E PUSH DS + 135B:01F6 07 POP ES + + ; SI is set to the # of retries + + 135B:01F7 56 PUSH SI + 135B:01F8 BE0600 MOV SI,0006 + + ; Remember how I said we would use what was in DS:0000 later. + ; well, here is where you use it. It loads in the FUNCTION + ; and # of sectors from what is stored in DS:0000. This is + ; just a trick to make the int 13 call more vague. + + 135B:01FB A10000 MOV AX,[0000] + 135B:01FE CD13 INT 13 + + ; If there is no errors, then exit this part of the loop + + 135B:0200 7309 JNB 020B + 135B:0202 F6C480 TEST AH,80 + + ; Check to see if it was a drive TIMEOUT. If so, then set + ; an error flag and exit + + 135B:0205 7503 JNZ 020A + + ; It must have been a load error. Retry 6 times + + 135B:0207 4E DEC SI + 135B:0208 75F1 JNZ 01FB + + ; Set the error flag + + 135B:020A F9 STC + + ; restore SI and return + + 135B:020B 5E POP SI + 135B:020C C3 RET + + + If you follow through all of that. You will see that + the only real way out is the jmp to "135B:0192" at 135B:0119. + So, how do we test it. Simple. Exit back to dos and let's + add a temporary patch. + + Reload ERE.COM under debug. Execute the program setting + a breakpoint at 135B:0022 (if you remember, that is right at + the begining of the self modifing code). When execution + stops, change you IP register to 192. Now execute the code. + + Well shit, we are at the main menu. We just bypassed + the entire protection routine. So, now where to add the + patch. We will be adding the patch at 135B:0022. But what + should the patch be. In this case, simply jumping to + 135B:0192 will do. So, reload ERE.COM under debug. Execute + the code until 135B:0022. 
Now unassemble it. Here is the + code fragment we need. + + 135B:0022 B013 MOV AL,13 + 135B:0024 A23500 MOV [0035],AL + 135B:0027 A2FF01 MOV [01FF],AL + 135B:002A A22F02 MOV [022F],AL + 135B:002D A23901 MOV [0139],AL + + Here is the code we want to use as the patch + + 135B:0022 E96D01 JMP 192 + + So, to add the patch, we search the file ERE.COM using + PC-TOOLS. For our search string we use + + B0 13 A2 35 00 A2 FF 01 A2 2F 02 A2 39 01 + + PC-TOOLS should find the search string at reletive + sector #13. Edit the sector and change "B0 13 A2" to + "E9 6D 01" (our patch) and save the sector. + + BOOM! your done and CSMP is cracked. Fun huh. You just + kicked 5 seconds off of the load time. Preaty fucken good. + Well, I hope this textfile helped. + + + -Buckaroo Banzai + -Cracking Guru diff --git a/textfiles.com/piracy/CRACKING/c101-90.004 b/textfiles.com/piracy/CRACKING/c101-90.004 new file mode 100644 index 00000000..d21cca65 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/c101-90.004 
@@ -0,0 +1,1172 @@ + + CRACKING 101 - 1990 Edition + + Lesson 4 + revision 1 + + Ŀ + REMOVING THE DOC CHECK FOR STAR CONTROL + + + < + + Added for revision 1 - + + First, let me tell you about a major fuckup I made. + When I first wrote this file, I left out a major part of the + patch. For all of the user who got that version, I'm sorry + but even I make mistakes at 3:00 in the morning. Anyway, + just replace the original with this updated version + + - Buckaroo Banzai + + > + + Hey, Buckaroo Banzai .. Cracking Guru back once again to + help you lesser crackist learn. This time, we will be going + over Star Control. This is the last lesson in the original + 4. From here on out, I will simply release lessons as I + write them. + + I want to say a few things about some of the groups out + there right now. Speed isn't everything. I really wish that + for example when you remove a doc check, most of us want it + REMOVED. We don't want to have to enter your group name or + even typing 1 letter is to much. We shouldn't even see the + menu for the doc check. Now, I don't direct this to all of + you, but there seems to have been a move from quality to + quickness. Let's go back to the days of SPI (and INC when + they were first getting started) and crack right. If there + is a doc check, remove it, not just fake it. + + Nuff said, on with the tutorial. + + Star Control (SC for here out) is a preaty good game. + The protection on it wasn't too hard, but if you didn't read + enough in to it, you would just kill the title music also. + + So, how do we go about cracking SC. Well for this one I + opted to break out when SC asks for the code from the code + wheel. Originaly I did this just for the hell of it, but it + turned out to be a luck guess and made life a lot easier. + + As usual we will be using periscope to crack SC. I used + PSKEY (using int 3 as the trap interrupt not int 2) to pop in + at the input routine. So lets get started. 
Load up PS and + PSKEY, then execute Star Control. When you get to the doc + check, break out. + + Now you should be at the usual IRET insturction that's + part of PSKEY. Now comes the tricky part. Since we are + using a key trap to break out during the input sequence, we + could be anywhere inside the entire input routine. So in + cases like this I suggest finding a reference point. + + So how do you pick the reference point. Well, since + this doc check must be entered via the keyboard you can bet + somewhere it will call INT 16h (bios keyboard) (although + there are times when this is not true, it rare). I think we + should go off and find that call to that interrupt. + + So we trace (using the 'T' command) through some code + and finally come apon the follow subroutine .... + + ( NOTE: all comments were added by me ) + + + ; This is the actual routine that is used to get a key + + 2A00:09D4 55 PUSH BP + 2A00:09D5 8BEC MOV BP,SP + 2A00:09D7 8A6606 MOV AH,[BP+06] + 2A00:09DA 8AD4 MOV DL,AH + 2A00:09DC 80E20F AND DL,0F + 2A00:09DF CD16 INT 16 ; Call to bios. We will + 2A00:09E1 7509 JNZ 09EC ; use this as our + 2A00:09E3 80FA01 CMP DL,01 ; reference point + 2A00:09E6 7504 JNZ 09EC + 2A00:09E8 33C0 XOR AX,AX + 2A00:09EA EB0A JMP 09F6 + 2A00:09EC 80FA02 CMP DL,02 + 2A00:09EF 7405 JZ 09F6 + 2A00:09F1 0BC0 OR AX,AX + 2A00:09F3 7501 JNZ 09F6 + 2A00:09F5 48 DEC AX + 2A00:09F6 5D POP BP + 2A00:09F7 CB RETF + + So we write down the address of our REFERENCE point and + get ready to procede. Now, It's really kinda boring to keep + trying to trace through the entire input routine while trying + to enter the code string, so what we want to do next, is to + figure out the input routine. A quick look at this last + section of code shows that it only reads in a character but + really does not handle it. + + So, we exit via the RETF at 9F7 enter the next level of + the subroutine. 
Again, if you manual trace through this + routine (as well as the next level up) you see that it simple + exits out rather quickly. This is definitly not the top loop + of the imput routine. + + So, we trace through the next level up, and again exit + quickly to a higher level. But this time, as we trace + through, we find that the it loops back on itself. AHA, the + outer input loop. Here is the code to the entire input loop. + I have marked the place where you should enter from the lower + level. + + ( String input loop -- Outer level ) + + 7C00:0835 FF365220 PUSH [2052] + 7C00:0839 FF365020 PUSH [2050] + 7C00:083D 9A2802FD41 CALL 41FD:0228 ; Entery here + 7C00:0842 888670FE MOV [BP+FE70],AL + 7C00:0946 0AC0 OR AL,AL + 7C00:0848 7503 JNZ 084D + 7C00:084A E99200 JMP 08DF + 7C00:084D 2AE4 SUB AH,AH + 7C00:084F 2D0800 SUB AX,0008 + 7C00:0852 745A JZ 08AE + 7C00:0854 48 DEC AX + 7C00:0855 48 DEC AX + 7C00:0856 7503 JNZ 085B + 7C00:0858 E90901 JMP 0964 + 7C00:085B 2D0300 SUB AX,0003 + 7C00:085E 7503 JNZ 0863 + 7C00:0860 E90101 JMP 0964 + 7C00:0863 8A9E70FE MOV BL,[BP+FE70] + 7C00:0867 2AFF SUB BH,BH + 7C00:0869 F687790B57 TEST BYTE PTR [BX+0B79],57 + 7C00:086E 746F JZ 08DF + 7C00:0870 F687790B03 TEST BYTE PTR [BX+0B79],03 + 7C00:0875 740C JZ 0883 + 7C00:0877 F687790B02 TEST BYTE PTR [BX+0B79],02 + 7C00:087C 7405 JZ 0883 + 7C00:087E 80AE70FE20 SUB BYTE PTR [BP+FE70],20 + 7C00:0883 8A8670FE MOV AL,[BP+FE70] + 7C00:0887 C49E7EFE LES BX,[BP+FE7E] + 7C00:088B 8BB682FE MOV SI,[BP+FE82] + 7C00:088F 26 ES: + 7C00:0890 8800 MOV [BX+SI],AL + 7C00:0892 FF8682FE INC WORD PTR [BP+FE82] + 7C00:0896 FFB688FE PUSH [BP+FE88] + 7C00:089A 8D8678FE LEA AX,[BP+FE78] + 7C00:089E 50 PUSH AX + 7C00:089F 9A56049324 CALL 2493:0456 + 7C00:08A4 83C404 ADD SP,+04 + 7C00:08A7 0BC0 OR AX,AX + 7C00:08A9 7534 JNZ 08DF + 7C00:08AB EB27 JMP 08D4 + 7C00:08AD 90 NOP + 7C00:08AE 83BE82FE00 CMP WORD PTR [BP+FE82],+00 + 7C00:08B3 7404 JZ 08B9 + 7C00:08B5 FF8E82FE DEC WORD PTR [BP+FE82] + 7C00:08B9 B008 MOV 
AL,08 + 7C00:08BB 50 PUSH AX + 7C00:08BC 9A1003443D CALL 3D44:0310 + 7C00:08C1 8D8684FE LEA AX,[BP+FE84] + 7C00:08C5 16 PUSH SS + 7C00:08C6 50 PUSH AX + 7C00:08C7 9A6A00843D CALL 3D84:006A + 7C00:08CC B047 MOV AL,47 + 7C00:08CE 50 PUSH AX + 7C00:08CF 9A1003443D CALL 3D44:0310 + 7C00:08D4 8D8678FE LEA AX,[BP+FE78] + 7C00:08D8 16 PUSH SS + 7C00:08D9 50 PUSH AX + 7C00:08DA 9A8202C93C CALL 3CC9:0282 + 7C00:08DF 83BE8CFE00 CMP WORD PTR [BP+FE8C],+00 + 7C00:08E4 7503 JNZ 08E9 + 7C00:08E6 E94CFF JMP 0835 ; <Ŀ + + as you can see, at this point it loops back on itself. + This is what tells use that it's the outer loop. Knowing + that, we can just set a code breakpoint at 8E9 (the next + instruction after the loop) and execute the code. + + At this point, the SC will pause waiting for you to + enter the code key. Use the code wheel and enter the correct + key (after all, it's kinda hard to crack a game without + having the proper codes right...) + + So, we have now exited the input loop with everything + intact (ie: the proper code was entered). Next step is to + figure out what happens when the proper code is entered. + Well, since you have entered the proper code, just follow + this routine out. Remember back to lesson 2. What we want + to do is find the call the to routine that does the doc check + and remove it somehow (a PROPER crack). So since everything + is in the right place, if we just keep jumping over the code + we should find our way out. + + So after jumping over many instructions, we come the the + follow piece of code + + 7C00:0B74 8BE5 MOV SP,BP + 7C00:0B76 5D POP BP + 7C00:0B77 CB RETF + + By now, you should know that what you are looking at is + the exit routine for a higher level language's (C or pascal) + code. So we have found the end of the doc check. After + tracing through the RETF you find yourself looking down a cmp + and a conditional jump. Here is the code (NOTE! 
I have + included the actual call to the doc check just for reference) + + 45E2:0235 9A46010F4A CALL 7C00:146 ; Call to Doc Check + 45E2:023A 83C404 ADD SP,+04 + 45E2:023D 0BC0 OR AX,AX + 45E2:023F 7465 JZ 02A6 + + Notice the value of the AX register. Since right after + the doc check, it is acted upon, then it has some importance. + So, now that we know where the doc check takes place, how do + we remove it. + + Well, We could patch it with the code + + 45E2:0235 B40100 MOV AX,0001 + 45E2:0238 90 NOP + 45E2:0239 90 NOP + + This patch will work (I know, it's how I first patched + the program). But there is one small problem. If you run + the program after adding this patch, you will find that the + title music doesn't play. So, this is now a good place to + put the patch. + + So where then. Well, make note of the address of the + call to the doc check. Now, restart the process but this + time right after SC switches in to graphics mode, break out. + + Now, set a breakpoint at the address from above (in my + case 45E2:0235). Let SC run in to the intro. You will find + that although the title screen comes up, the music doesn't + kick in before the breakpoint is reached. + + No, they couldn't...they wouldn't.. well they did. The + music routines for the intro are stored in the routine for + the doc check. Here is the entire doc check. 
I have + commented on some of the code + + + ; these first few calls seem to load something from disk + + + 7C00:0146 55 PUSH BP + 7C00:0147 8BEC MOV BP,SP + 7C00:0149 81EC9001 SUB SP,0190 + 7C00:014D 57 PUSH DI + 7C00:014E 56 PUSH SI + 7C00:014F 8B4608 MOV AX,[BP+08] + 7C00:0152 0B4606 OR AX,[BP+06] + 7C00:0155 740E JZ 0165 + 7C00:0157 FF7608 PUSH [BP+08] + 7C00:015A FF7606 PUSH [BP+06] + 7C00:015D 9A65341E2D CALL 2D1E:3465 + 7C00:0162 83C404 ADD SP,+04 + 7C00:0165 FF365220 PUSH [2052] + 7C00:0169 FF365020 PUSH [2050] + 7C00:016D 9A2802FD41 CALL 41FD:0228 + 7C00:0172 0AC0 OR AL,AL + 7C00:0174 75EF JNZ 0165 + 7C00:0176 B80200 MOV AX,0002 + 7C00:0179 898664FF MOV [BP+FF64],AX + 7C00:017D 898672FF MOV [BP+FF72],AX + 7C00:0181 2BC0 SUB AX,AX + 7C00:0183 898662FF MOV [BP+FF62],AX + 7C00:0187 89866AFF MOV [BP+FF6A],AX + 7C00:018B 898674FF MOV [BP+FF74],AX + 7C00:018F B80100 MOV AX,0001 + 7C00:0192 898666FF MOV [BP+FF66],AX + 7C00:0196 89866CFF MOV [BP+FF6C],AX + 7C00:019A 898670FF MOV [BP+FF70],AX + 7C00:019E 898676FF MOV [BP+FF76],AX + 7C00:01A2 B80300 MOV AX,0003 + 7C00:01A5 898668FF MOV [BP+FF68],AX + 7C00:01A9 89866EFF MOV [BP+FF6E],AX + 7C00:01AD 898678FF MOV [BP+FF78],AX + + ; Although I have NO IDEA what the hell is being setup + ; here I suspect that it is the must + + 7C00:01B1 C746860400 MOV WORD PTR [BP-7A],0004 + 7C00:01B6 C746880100 MOV WORD PTR [BP-78],0001 + 7C00:01BB C7468A0200 MOV WORD PTR [BP-76],0002 + 7C00:01C0 C7468C0000 MOV WORD PTR [BP-74],0000 + 7C00:01C5 C7468E0000 MOV WORD PTR [BP-72],0000 + 7C00:01CA C746900500 MOV WORD PTR [BP-70],0005 + 7C00:01CF C746920600 MOV WORD PTR [BP-6E],0006 + 7C00:01D4 C746940700 MOV WORD PTR [BP-6C],0007 + 7C00:01D9 C746960C00 MOV WORD PTR [BP-6A],000C + 7C00:01DE 894698 MOV [BP-68],AX + 7C00:01E1 C7469A0500 MOV WORD PTR [BP-66],0005 + 7C00:01E6 C7469C0D00 MOV WORD PTR [BP-64],000D + 7C00:01EB C7469E0000 MOV WORD PTR [BP-62],0000 + 7C00:01F0 C746A00100 MOV WORD PTR [BP-60],0001 + 7C00:01F5 C746A20200 MOV WORD PTR 
[BP-5E],0002 + 7C00:01FA C746A40800 MOV WORD PTR [BP-5C],0008 + 7C00:01FF B80400 MOV AX,0004 + 7C00:0202 8946A6 MOV [BP-5A],AX + 7C00:0205 8946A8 MOV [BP-58],AX + 7C00:0208 C746AA0600 MOV WORD PTR [BP-56],0006 + 7C00:020D C746AC0800 MOV WORD PTR [BP-54],0008 + 7C00:0212 C746AE0700 MOV WORD PTR [BP-52],0007 + 7C00:0217 C746B00900 MOV WORD PTR [BP-50],0009 + 7C00:021C C746B20A00 MOV WORD PTR [BP-4E],000A + 7C00:0221 8946B4 MOV [BP-4C],AX + 7C00:0224 C746B60C00 MOV WORD PTR [BP-4A],000C + 7C00:0229 C746B80300 MOV WORD PTR [BP-48],0003 + 7C00:022E C746BA0B00 MOV WORD PTR [BP-46],000B + 7C00:0233 C746BC0D00 MOV WORD PTR [BP-44],000D + 7C00:0238 C746BE0B00 MOV WORD PTR [BP-42],000B + 7C00:023D C746C00500 MOV WORD PTR [BP-40],0005 + 7C00:0242 C746C20100 MOV WORD PTR [BP-3E],0001 + 7C00:0247 C746C40700 MOV WORD PTR [BP-3C],0007 + 7C00:024C C746C60000 MOV WORD PTR [BP-3A],0000 + 7C00:0251 C746C80600 MOV WORD PTR [BP-38],0006 + 7C00:0256 C746CA0200 MOV WORD PTR [BP-36],0002 + 7C00:025B C746CC0300 MOV WORD PTR [BP-34],0003 + 7C00:0260 C746CE0800 MOV WORD PTR [BP-32],0008 + 7C00:0265 C746D00900 MOV WORD PTR [BP-30],0009 + 7C00:026A C746D20A00 MOV WORD PTR [BP-2E],000A + 7C00:026F C746D40B00 MOV WORD PTR [BP-2C],000B + 7C00:0274 C746D60C00 MOV WORD PTR [BP-2A],000C + 7C00:0279 C746D80A00 MOV WORD PTR [BP-28],000A + 7C00:027E C746DA0500 MOV WORD PTR [BP-26],0005 + 7C00:0283 C746DC0D00 MOV WORD PTR [BP-24],000D + 7C00:0288 C746DE0800 MOV WORD PTR [BP-22],0008 + 7C00:028D C746E00900 MOV WORD PTR [BP-20],0009 + 7C00:0292 C746E20300 MOV WORD PTR [BP-1E],0003 + 7C00:0297 C746E40B00 MOV WORD PTR [BP-1C],000B + 7C00:029C C78692FE0000 MOV WORD PTR [BP+FE92],0000 + 7C00:02A2 C78694FE2B00 MOV WORD PTR [BP+FE94],002B + 7C00:02A8 C78696FE0200 MOV WORD PTR [BP+FE96],0002 + 7C00:02AE C78698FE0300 MOV WORD PTR [BP+FE98],0003 + 7C00:02B4 89869AFE MOV [BP+FE9A],AX + 7C00:02B8 C7869CFE0500 MOV WORD PTR [BP+FE9C],0005 + 7C00:02BE C7869EFE0600 MOV WORD PTR [BP+FE9E],0006 + 7C00:02C4 C786A0FE0E00 
MOV WORD PTR [BP+FEA0],000E + 7C00:02CA C786A2FE2B00 MOV WORD PTR [BP+FEA2],002B + 7C00:02D0 C786A4FE0900 MOV WORD PTR [BP+FEA4],0009 + 7C00:02D6 C786A6FE0A00 MOV WORD PTR [BP+FEA6],000A + 7C00:02DC C786A8FE0B00 MOV WORD PTR [BP+FEA8],000B + 7C00:02E2 C786AAFE0C00 MOV WORD PTR [BP+FEAA],000C + 7C00:02E8 C786ACFE2B00 MOV WORD PTR [BP+FEAC],002B + 7C00:02EE C786AEFE0F00 MOV WORD PTR [BP+FEAE],000F + 7C00:02F4 C786B0FE0D00 MOV WORD PTR [BP+FEB0],000D + 7C00:02FA C786B2FE1000 MOV WORD PTR [BP+FEB2],0010 + 7C00:0300 C786B4FE1100 MOV WORD PTR [BP+FEB4],0011 + 7C00:0306 C786B6FE1200 MOV WORD PTR [BP+FEB6],0012 + 7C00:030C C786B8FE1300 MOV WORD PTR [BP+FEB8],0013 + 7C00:0312 C786BAFE1400 MOV WORD PTR [BP+FEBA],0014 + 7C00:0318 C786BCFE1500 MOV WORD PTR [BP+FEBC],0015 + 7C00:031E C786BEFE1600 MOV WORD PTR [BP+FEBE],0016 + 7C00:0324 C786C0FE1700 MOV WORD PTR [BP+FEC0],0017 + 7C00:032A C786C2FE0800 MOV WORD PTR [BP+FEC2],0008 + 7C00:0330 C786C4FE1800 MOV WORD PTR [BP+FEC4],0018 + 7C00:0336 C786C6FE2B00 MOV WORD PTR [BP+FEC6],002B + 7C00:033C C786C8FE1900 MOV WORD PTR [BP+FEC8],0019 + 7C00:0342 C786CAFE2B00 MOV WORD PTR [BP+FECA],002B + 7C00:0348 C786CCFE1A00 MOV WORD PTR [BP+FECC],001A + 7C00:034E C786CEFE1B00 MOV WORD PTR [BP+FECE],001B + 7C00:0354 C786D0FE1C00 MOV WORD PTR [BP+FED0],001C + 7C00:035A C786D2FE1D00 MOV WORD PTR [BP+FED2],001D + 7C00:0360 C786D4FE1E00 MOV WORD PTR [BP+FED4],001E + 7C00:0366 C786D6FE1F00 MOV WORD PTR [BP+FED6],001F + 7C00:036C C786D8FE2000 MOV WORD PTR [BP+FED8],0020 + 7C00:0372 C786DAFE2100 MOV WORD PTR [BP+FEDA],0021 + 7C00:0378 C786DCFE0700 MOV WORD PTR [BP+FEDC],0007 + 7C00:037E C786DEFE2200 MOV WORD PTR [BP+FEDE],0022 + 7C00:0384 C786E0FE2300 MOV WORD PTR [BP+FEE0],0023 + 7C00:038A C786E2FE2400 MOV WORD PTR [BP+FEE2],0024 + 7C00:0390 C786E4FE2500 MOV WORD PTR [BP+FEE4],0025 + 7C00:0396 C786E6FE2600 MOV WORD PTR [BP+FEE6],0026 + 7C00:039C C786E8FE2B00 MOV WORD PTR [BP+FEE8],002B + 7C00:03A2 C786EAFE2700 MOV WORD PTR [BP+FEEA],0027 + 
7C00:03A8 C786ECFE2800 MOV WORD PTR [BP+FEEC],0028 + 7C00:03AE C786EEFE2900 MOV WORD PTR [BP+FEEE],0029 + 7C00:03B4 C786F0FE2A00 MOV WORD PTR [BP+FEF0],002A + 7C00:03BA 8D46F4 LEA AX,[BP-0C] + 7C00:03BD 50 PUSH AX + 7C00:03BE 8D867AFF LEA AX,[BP+FF7A] + 7C00:03C2 50 PUSH AX + 7C00:03C3 8D862CFF LEA AX,[BP+FF2C] + 7C00:03C7 50 PUSH AX + 7C00:03C8 8D8628FF LEA AX,[BP+FF28] + 7C00:03CC 50 PUSH AX + 7C00:03CD E832FC CALL 0002 ; Music Plays + 7C00:03D0 0BC0 OR AX,AX + 7C00:03D2 7503 JNZ 03D7 + 7C00:03D4 E99B07 JMP 0B72 + 7C00:03D7 FF36AA1E PUSH [1EAA] + 7C00:03DB 9A0200443D CALL 3D44:0002 + 7C00:03E0 FF36AE1E PUSH [1EAE] + 7C00:03E4 FF36AC1E PUSH [1EAC] + 7C00:03E8 9A0C008D3D CALL 3D8D:000C + 7C00:03ED B80201 MOV AX,0102 + 7C00:03F0 50 PUSH AX + 7C00:03F1 9ADE02443D CALL 3D44:02DE + 7C00:03F6 B80400 MOV AX,0004 + 7C00:03F9 BA4000 MOV DX,0040 + 7C00:03FC 52 PUSH DX + 7C00:03FD 50 PUSH AX + 7C00:03FE 8D868CFE LEA AX,[BP+FE8C] + 7C00:0402 50 PUSH AX + 7C00:0403 9A7000963B CALL 3B96:0070 ; Music plays + 7C00:0408 89868EFE MOV [BP+FE8E],AX + 7C00:040C 899690FE MOV [BP+FE90],DX + 7C00:0410 0BD0 OR DX,AX + 7C00:0412 7471 JZ 0485 + 7C00:0414 2BC0 SUB AX,AX + 7C00:0416 898686FE MOV [BP+FE86],AX + 7C00:041A 898684FE MOV [BP+FE84],AX + 7C00:041E FFB690FE PUSH [BP+FE90] + 7C00:0422 FFB68EFE PUSH [BP+FE8E] + 7C00:0426 9A0A00F93C CALL 3CF9:000A + 7C00:042B 898688FE MOV [BP+FE88],AX + 7C00:042F 89968AFE MOV [BP+FE8A],DX + 7C00:0433 833EB41E00 CMP WORD PTR [1EB4],+00 + 7C00:0438 7514 JNZ 044E + 7C00:043A 8B4608 MOV AX,[BP+08] + 7C00:043D 0B4606 OR AX,[BP+06] + 7C00:0440 740C JZ 044E + 7C00:0442 B80100 MOV AX,0001 + 7C00:0445 50 PUSH AX + 7C00:0446 9AF4019324 CALL 2493:01F4 + 7C00:044B 83C402 ADD SP,+02 + 7C00:044E 2AC0 SUB AL,AL + 7C00:0450 50 PUSH AX + 7C00:0451 9A4803443D CALL 3D44:0348 + 7C00:0456 9A57331E2D CALL 2D1E:3357 + 7C00:045B 9A9911A73B CALL 3BA7:1199 + 7C00:0460 8D8684FE LEA AX,[BP+FE84] + 7C00:0464 16 PUSH SS + 7C00:0465 50 PUSH AX + 7C00:0466 9A04007E3D CALL 3D7E:0004 ; 
Music plays + 7C00:046B FFB68AFE PUSH [BP+FE8A] + 7C00:046F FFB688FE PUSH [BP+FE88] + 7C00:0473 9AF001F93C CALL 3CF9:01F0 + 7C00:0478 FFB690FE PUSH [BP+FE90] + 7C00:047C FFB68EFE PUSH [BP+FE8E] + 7C00:0480 9A78068D3D CALL 3D8D:0678 ; Music plays + 7C00:0485 8B4608 MOV AX,[BP+08] + 7C00:0488 0B4606 OR AX,[BP+06] + 7C00:048B 7429 JZ 04B6 + 7C00:048D 833EB41E00 CMP WORD PTR [1EB4],+00 + 7C00:0492 740C JZ 04A0 + 7C00:0494 B80100 MOV AX,0001 + 7C00:0497 50 PUSH AX + 7C00:0498 9AF4019324 CALL 2493:01F4 ; Music Plays + 7C00:049D 83C402 ADD SP,+02 + 7C00:04A0 9A8C341E2D CALL 2D1E:348C + 7C00:04A5 FF7608 PUSH [BP+08] + 7C00:04A8 FF7606 PUSH [BP+06] + 7C00:04AB 9A2A006342 CALL 4263:002A + 7C00:04B0 50 PUSH AX + 7C00:04B1 9A54006342 CALL 4263:0054 + + ; this is the start of the actual doc check. OH! As you can + ; tell, I wasn't too intrested in the music routines, but + ; thought it might be fun to track them down + + 7C00:04B6 9AD0098D3D CALL 3D8D:09D0 ; Show Doc check + ; screen + 7C00:04BB B80301 MOV AX,0103 + 7C00:04BE 50 PUSH AX + 7C00:04BF 9ADE02443D CALL 3D44:02DE + 7C00:04C4 C746F60B00 MOV WORD PTR [BP-0A],000B + 7C00:04C9 C746F87900 MOV WORD PTR [BP-08],0079 + 7C00:04CE C746FA2801 MOV WORD PTR [BP-06],0128 + 7C00:04D3 C746FC4500 MOV WORD PTR [BP-04],0045 + 7C00:04D8 B008 MOV AL,08 + 7C00:04DA 50 PUSH AX + 7C00:04DB 9A1003443D CALL 3D44:0310 + 7C00:04E0 8D867AFF LEA AX,[BP+FF7A] + 7C00:04E4 16 PUSH SS + 7C00:04E5 50 PUSH AX + 7C00:04E6 9A36007E3D CALL 3D7E:0036 ; Show alien's face + + 7C00:04EB C746E6A000 MOV WORD PTR [BP-1A],00A0 + 7C00:04F0 C746EA0100 MOV WORD PTR [BP-16],0001 + 7C00:04F5 C746840300 MOV WORD PTR [BP-7C],0003 + 7C00:04FA 2AC0 SUB AL,AL + 7C00:04FC 50 PUSH AX + 7C00:04FD 9A1003443D CALL 3D44:0310 + 7C00:0502 8B46F8 MOV AX,[BP-08] + 7C00:0505 050700 ADD AX,0007 + 7C00:0508 8946E8 MOV [BP-18],AX + 7C00:050B FFB62EFF PUSH [BP+FF2E] + 7C00:050F FFB62CFF PUSH [BP+FF2C] + 7C00:0513 FFB62EFF PUSH [BP+FF2E] + 7C00:0517 FFB62CFF PUSH [BP+FF2C] + 7C00:051B 
9AE400FC44 CALL 44FC:00E4 + 7C00:0520 8BF0 MOV SI,AX + 7C00:0522 9A1201E245 CALL 45E2:0112 + 7C00:0527 B90500 MOV CX,0005 + 7C00:052A 8BD0 MOV DX,AX + 7C00:052C 8BC6 MOV AX,SI + 7C00:052E 8BDA MOV BX,DX + 7C00:0530 2BD2 SUB DX,DX + 7C00:0532 F7F1 DIV CX + 7C00:0534 8BD0 MOV DX,AX + 7C00:0536 4A DEC DX + 7C00:0537 8BC3 MOV AX,BX + 7C00:0539 8BDA MOV BX,DX + 7C00:053B 2BD2 SUB DX,DX + 7C00:053D F7F3 DIV BX + 7C00:053F 42 INC DX + 7C00:0540 8BC2 MOV AX,DX + 7C00:0542 D1E2 SHL DX,1 + 7C00:0544 D1E2 SHL DX,1 + 7C00:0546 03D0 ADD DX,AX + 7C00:0548 52 PUSH DX + 7C00:0549 9A2801FC44 CALL 44FC:0128 + 7C00:054E 89868EFE MOV [BP+FE8E],AX + 7C00:0552 899690FE MOV [BP+FE90],DX + 7C00:0556 C78672FE0000 MOV WORD PTR [BP+FE72],0000 + + ; This is the start of the loop the prints out the stupid + ; message + + 7C00:055C 52 PUSH DX + 7C00:055D 50 PUSH AX + 7C00:055E 9A4602FC44 CALL 44FC:0246 + 7C00:0563 8946EC MOV [BP-14],AX + 7C00:0566 8956EE MOV [BP-12],DX + 7C00:0569 FFB690FE PUSH [BP+FE90] + 7C00:056D FFB68EFE PUSH [BP+FE8E] + 7C00:0571 9AF201FC44 CALL 44FC:01F2 + 7C00:0576 8946F0 MOV [BP-10],AX + 7C00:0579 8D46E6 LEA AX,[BP-1A] + 7C00:057C 16 PUSH SS + 7C00:057D 50 PUSH AX + 7C00:057E 9A8202C93C CALL 3CC9:0282 + 7C00:0583 8346E80A ADD WORD PTR [BP-18],+0A + 7C00:0587 FFB690FE PUSH [BP+FE90] + 7C00:058B FFB68EFE PUSH [BP+FE8E] + 7C00:058F B80100 MOV AX,0001 + 7C00:0592 50 PUSH AX + 7C00:0593 9A7E01FC44 CALL 44FC:017E + 7C00:0598 89868EFE MOV [BP+FE8E],AX + 7C00:059C 899690FE MOV [BP+FE90],DX + 7C00:05A0 FF8672FE INC WORD PTR [BP+FE72] + 7C00:05A4 83BE72FE05 CMP WORD PTR [BP+FE72],+05 + 7C00:05A9 7CB1 JL 055C + + ; Reads in the code to check (I think. 
Oh hell it really + ; doesn't matter) + + 7C00:05AB 9A1201E245 CALL 45E2:0112 + 7C00:05B0 B90C00 MOV CX,000C + 7C00:05B3 99 CWD + 7C00:05B4 F7F9 IDIV CX + 7C00:05B6 895682 MOV [BP-7E],DX + 7C00:05B9 9A1201E245 CALL 45E2:0112 + 7C00:05BE B90C00 MOV CX,000C + 7C00:05C1 99 CWD + 7C00:05C2 F7F9 IDIV CX + 7C00:05C4 8956F2 MOV [BP-0E],DX + 7C00:05C7 9A1201E245 CALL 45E2:0112 + 7C00:05CC B90C00 MOV CX,000C + 7C00:05CF 99 CWD + 7C00:05D0 F7F9 IDIV CX + 7C00:05D2 8956FE MOV [BP-02],DX + 7C00:05D5 9A1201E245 CALL 45E2:0112 + 7C00:05DA B90C00 MOV CX,000C + 7C00:05DD 99 CWD + 7C00:05DE F7F9 IDIV CX + 7C00:05E0 8996F4FE MOV [BP+FEF4],DX + 7C00:05E4 FFB62AFF PUSH [BP+FF2A] + 7C00:05E8 FFB628FF PUSH [BP+FF28] + 7C00:05EC FF7682 PUSH [BP-7E] + 7C00:05EF 9A2801FC44 CALL 44FC:0128 + 7C00:05F4 89868EFE MOV [BP+FE8E],AX + 7C00:05F8 899690FE MOV [BP+FE90],DX + 7C00:05FC 52 PUSH DX + 7C00:05FD 50 PUSH AX + 7C00:05FE 8D86F6FE LEA AX,[BP+FEF6] + 7C00:0602 16 PUSH SS + 7C00:0603 50 PUSH AX + 7C00:0604 9A9A02FC44 CALL 44FC:029A + 7C00:0609 FFB62AFF PUSH [BP+FF2A] + 7C00:060D FFB628FF PUSH [BP+FF28] + 7C00:0611 8B46FE MOV AX,[BP-02] + 7C00:0614 050C00 ADD AX,000C + 7C00:0617 50 PUSH AX + 7C00:0618 9A2801FC44 CALL 44FC:0128 + 7C00:061D 89868EFE MOV [BP+FE8E],AX + 7C00:0621 899690FE MOV [BP+FE90],DX + 7C00:0625 52 PUSH DX + 7C00:0626 50 PUSH AX + 7C00:0627 8DBEF6FE LEA DI,[BP+FEF6] + 7C00:062B 16 PUSH SS + 7C00:062C 07 POP ES + 7C00:062D B9FFFF MOV CX,FFFF + 7C00:0630 33C0 XOR AX,AX + 7C00:0632 F2 REPNZ + 7C00:0633 AE SCASB + 7C00:0634 F7D1 NOT CX + 7C00:0636 49 DEC CX + 7C00:0637 8BF1 MOV SI,CX + 7C00:0639 8D82F6FE LEA AX,[BP+SI+FEF6] + 7C00:063D 16 PUSH SS + 7C00:063E 50 PUSH AX + 7C00:063F 9A9A02FC44 CALL 44FC:029A + 7C00:0644 FFB62AFF PUSH [BP+FF2A] + 7C00:0648 FFB628FF PUSH [BP+FF28] + 7C00:064C 8B46F2 MOV AX,[BP-0E] + 7C00:064F 051800 ADD AX,0018 + 7C00:0652 50 PUSH AX + 7C00:0653 9A2801FC44 CALL 44FC:0128 + 7C00:0658 89868EFE MOV [BP+FE8E],AX + 7C00:065C 899690FE MOV [BP+FE90],DX + 
7C00:0660 52 PUSH DX + 7C00:0661 50 PUSH AX + 7C00:0662 8DBEF6FE LEA DI,[BP+FEF6] + 7C00:0666 16 PUSH SS + 7C00:0667 07 POP ES + 7C00:0668 B9FFFF MOV CX,FFFF + 7C00:066B 33C0 XOR AX,AX + 7C00:066D F2 REPNZ + 7C00:066E AE SCASB + 7C00:066F F7D1 NOT CX + 7C00:0671 49 DEC CX + 7C00:0672 8BF1 MOV SI,CX + 7C00:0674 8D82F6FE LEA AX,[BP+SI+FEF6] + 7C00:0678 16 PUSH SS + 7C00:0679 50 PUSH AX + 7C00:067A 9A9A02FC44 CALL 44FC:029A + 7C00:067F FFB62AFF PUSH [BP+FF2A] + 7C00:0683 FFB628FF PUSH [BP+FF28] + 7C00:0687 8B86F4FE MOV AX,[BP+FEF4] + 7C00:068B 052400 ADD AX,0024 + 7C00:068E 50 PUSH AX + 7C00:068F 9A2801FC44 CALL 44FC:0128 + 7C00:0694 89868EFE MOV [BP+FE8E],AX + 7C00:0698 899690FE MOV [BP+FE90],DX + 7C00:069C 52 PUSH DX + 7C00:069D 50 PUSH AX + 7C00:069E 8DBEF6FE LEA DI,[BP+FEF6] + 7C00:06A2 16 PUSH SS + 7C00:06A3 07 POP ES + 7C00:06A4 B9FFFF MOV CX,FFFF + 7C00:06A7 33C0 XOR AX,AX + 7C00:06A9 F2 REPNZ + 7C00:06AA AE SCASB + 7C00:06AB F7D1 NOT CX + 7C00:06AD 49 DEC CX + 7C00:06AE 8BF1 MOV SI,CX + 7C00:06B0 8D82F6FE LEA AX,[BP+SI+FEF6] + 7C00:06B4 16 PUSH SS + 7C00:06B5 50 PUSH AX + 7C00:06B6 9A9A02FC44 CALL 44FC:029A + 7C00:06BB C746E8B200 MOV WORD PTR [BP-18],00B2 + 7C00:06C0 8D86F6FE LEA AX,[BP+FEF6] + 7C00:06C4 8946EC MOV [BP-14],AX + 7C00:06C7 8C56EE MOV [BP-12],SS + 7C00:06CA 8DBEF6FE LEA DI,[BP+FEF6] + 7C00:06CE 16 PUSH SS + 7C00:06CF 07 POP ES + 7C00:06D0 B9FFFF MOV CX,FFFF + 7C00:06D3 33C0 XOR AX,AX + 7C00:06D5 F2 REPNZ + 7C00:06D6 AE SCASB + 7C00:06D7 F7D1 NOT CX + 7C00:06D9 49 DEC CX + 7C00:06DA 894EF0 MOV [BP-10],CX + 7C00:06DD B084 MOV AL,84 + 7C00:06DF 50 PUSH AX + 7C00:06E0 9A1003443D CALL 3D44:0310 + 7C00:06E5 8D46E6 LEA AX,[BP-1A] + 7C00:06E8 16 PUSH SS + 7C00:06E9 50 PUSH AX + 7C00:06EA 9A8202C93C CALL 3CC9:0282 ; Displays the code + ; to check + + 7C00:06EF 8346E80A ADD WORD PTR [BP-18],+0A + 7C00:06F3 FFB62AFF PUSH [BP+FF2A] + 7C00:06F7 FFB628FF PUSH [BP+FF28] + 7C00:06FB B85B00 MOV AX,005B + 7C00:06FE 50 PUSH AX + 7C00:06FF 9A2801FC44 CALL 44FC:0128 
+ 7C00:0704 89868EFE MOV [BP+FE8E],AX + 7C00:0708 899690FE MOV [BP+FE90],DX + 7C00:070C 52 PUSH DX + 7C00:070D 50 PUSH AX + 7C00:070E 9A4602FC44 CALL 44FC:0246 + 7C00:0713 8946EC MOV [BP-14],AX + 7C00:0716 8956EE MOV [BP-12],DX + 7C00:0719 FFB690FE PUSH [BP+FE90] + 7C00:071D FFB68EFE PUSH [BP+FE8E] + 7C00:0721 9AF201FC44 CALL 44FC:01F2 + 7C00:0726 8946F0 MOV [BP-10],AX + 7C00:0729 2AC0 SUB AL,AL + 7C00:072B 50 PUSH AX + 7C00:072C 9A1003443D CALL 3D44:0310 + 7C00:0731 8D46E6 LEA AX,[BP-1A] + 7C00:0734 16 PUSH SS + 7C00:0735 50 PUSH AX + 7C00:0736 9A8202C93C CALL 3CC9:0282 ; Displays "PROPER + ; response" msg + + 7C00:073B 8B86F4FE MOV AX,[BP+FEF4] + 7C00:073F 2B46F2 SUB AX,[BP-0E] + 7C00:0742 898672FE MOV [BP+FE72],AX + 7C00:0746 0346FE ADD AX,[BP-02] + 7C00:0749 898676FE MOV [BP+FE76],AX + 7C00:074D 0BC0 OR AX,AX + 7C00:074F 7D09 JGE 075A + 7C00:0751 050C00 ADD AX,000C + 7C00:0754 898676FE MOV [BP+FE76],AX + 7C00:0758 EB0A JMP 0764 + 7C00:075A 3D0C00 CMP AX,000C + 7C00:075D 7C05 JL 0764 + 7C00:075F 83AE76FE0C SUB WORD PTR [BP+FE76],+0C + 7C00:0764 8B4682 MOV AX,[BP-7E] + 7C00:0767 038672FE ADD AX,[BP+FE72] + 7C00:076B 898674FE MOV [BP+FE74],AX + 7C00:076F 0BC0 OR AX,AX + 7C00:0771 7D09 JGE 077C + 7C00:0773 050C00 ADD AX,000C + 7C00:0776 898674FE MOV [BP+FE74],AX + 7C00:077A EB0A JMP 0786 + 7C00:077C 3D0C00 CMP AX,000C + 7C00:077F 7C05 JL 0786 + 7C00:0781 83AE74FE0C SUB WORD PTR [BP+FE74],+0C + 7C00:0786 8BB6F4FE MOV SI,[BP+FEF4] + 7C00:078A D1E6 SHL SI,1 + 7C00:078C 8BB262FF MOV SI,[BP+SI+FF62] + 7C00:0790 89B672FE MOV [BP+FE72],SI + 7C00:0794 8B8676FE MOV AX,[BP+FE76] + 7C00:0798 D1E0 SHL AX,1 + 7C00:079A D1E0 SHL AX,1 + 7C00:079C 03F0 ADD SI,AX + 7C00:079E D1E6 SHL SI,1 + 7C00:07A0 8B8292FE MOV AX,[BP+SI+FE92] + 7C00:07A4 8986F4FE MOV [BP+FEF4],AX + 7C00:07A8 3D2B00 CMP AX,002B + 7C00:07AB 7515 JNZ 07C2 + 7C00:07AD 8BB674FE MOV SI,[BP+FE74] + 7C00:07B1 D1E6 SHL SI,1 + 7C00:07B3 D1E6 SHL SI,1 + 7C00:07B5 03B672FE ADD SI,[BP+FE72] + 7C00:07B9 D1E6 SHL SI,1 + 
7C00:07BB 8B4286 MOV AX,[BP+SI-7A] + 7C00:07BE 8986F4FE MOV [BP+FEF4],AX + 7C00:07C2 C78684FE7800 MOV WORD PTR [BP+FE84],0078 + 7C00:07C8 B85100 MOV AX,0051 + 7C00:07CB 898686FE MOV [BP+FE86],AX + 7C00:07CF 898688FE MOV [BP+FE88],AX + 7C00:07D3 C7868AFE0900 MOV WORD PTR [BP+FE8A],0009 + 7C00:07D9 C78678FE7900 MOV WORD PTR [BP+FE78],0079 + 7C00:07DF C7867AFE5900 MOV WORD PTR [BP+FE7A],0059 + 7C00:07E5 C7867CFE0000 MOV WORD PTR [BP+FE7C],0000 + 7C00:07EB 8D86F6FE LEA AX,[BP+FEF6] + 7C00:07EF 89867EFE MOV [BP+FE7E],AX + 7C00:07F3 8C9680FE MOV [BP+FE80],SS + 7C00:07F7 C78682FE0000 MOV WORD PTR [BP+FE82],0000 + 7C00:07FD FFB62AFF PUSH [BP+FF2A] + 7C00:0801 FFB628FF PUSH [BP+FF28] + 7C00:0805 8B86F4FE MOV AX,[BP+FEF4] + 7C00:0809 053000 ADD AX,0030 + 7C00:080C 50 PUSH AX + 7C00:080D 9A2801FC44 CALL 44FC:0128 + 7C00:0812 89868EFE MOV [BP+FE8E],AX + 7C00:0816 899690FE MOV [BP+FE90],DX + 7C00:081A 52 PUSH DX + 7C00:081B 50 PUSH AX + 7C00:081C 8D8630FF LEA AX,[BP+FF30] + 7C00:0820 16 PUSH SS + 7C00:0821 50 PUSH AX + 7C00:0822 9A9A02FC44 CALL 44FC:029A + 7C00:0827 B047 MOV AL,47 + 7C00:0829 50 PUSH AX + 7C00:082A 9A1003443D CALL 3D44:0310 + 7C00:082F C7868CFE0000 MOV WORD PTR [BP+FE8C],0000 + + ; All the code you just saw. I have no clue what it does + ; (hey at least I'm honest) but it wasn't important. 
+ + ; Here is the imput outer loop + + 7C00:0835 FF365220 PUSH [2052] + 7C00:0839 FF365020 PUSH [2050] + 7C00:083D 9A2802FD41 CALL 41FD:0228 + 7C00:0842 888670FE MOV [BP+FE70],AL + 7C00:0846 0AC0 OR AL,AL + 7C00:0848 7503 JNZ 084D + 7C00:084A E99200 JMP 08DF + 7C00:084D 2AE4 SUB AH,AH + 7C00:084F 2D0800 SUB AX,0008 + 7C00:0852 745A JZ 08AE + 7C00:0854 48 DEC AX + 7C00:0855 48 DEC AX + 7C00:0856 7503 JNZ 085B + 7C00:0858 E90901 JMP 0964 + 7C00:085B 2D0300 SUB AX,0003 + 7C00:085E 7503 JNZ 0863 + 7C00:0860 E90101 JMP 0964 + 7C00:0863 8A9E70FE MOV BL,[BP+FE70] + 7C00:0867 2AFF SUB BH,BH + 7C00:0869 F687790B57 TEST BYTE PTR [BX+0B79],57 + 7C00:086E 746F JZ 08DF + 7C00:0870 F687790B03 TEST BYTE PTR [BX+0B79],03 + 7C00:0875 740C JZ 0883 + 7C00:0877 F687790B02 TEST BYTE PTR [BX+0B79],02 + 7C00:087C 7405 JZ 0883 + 7C00:087E 80AE70FE20 SUB BYTE PTR [BP+FE70],20 + 7C00:0883 8A8670FE MOV AL,[BP+FE70] + 7C00:0887 C49E7EFE LES BX,[BP+FE7E] + 7C00:088B 8BB682FE MOV SI,[BP+FE82] + 7C00:088F 26 ES: + 7C00:0890 8800 MOV [BX+SI],AL + 7C00:0892 FF8682FE INC WORD PTR [BP+FE82] + 7C00:0896 FFB688FE PUSH [BP+FE88] + 7C00:089A 8D8678FE LEA AX,[BP+FE78] + 7C00:089E 50 PUSH AX + 7C00:089F 9A56049324 CALL 2493:0456 + 7C00:08A4 83C404 ADD SP,+04 + 7C00:08A7 0BC0 OR AX,AX + 7C00:08A9 7534 JNZ 08DF + 7C00:08AB EB27 JMP 08D4 + 7C00:08AD 90 NOP + 7C00:08AE 83BE82FE00 CMP WORD PTR [BP+FE82],+00 + 7C00:08B3 7404 JZ 08B9 + 7C00:08B5 FF8E82FE DEC WORD PTR [BP+FE82] + 7C00:08B9 B008 MOV AL,08 + 7C00:08BB 50 PUSH AX + 7C00:08BC 9A1003443D CALL 3D44:0310 + 7C00:08C1 8D8684FE LEA AX,[BP+FE84] + 7C00:08C5 16 PUSH SS + 7C00:08C6 50 PUSH AX + 7C00:08C7 9A6A00843D CALL 3D84:006A + 7C00:08CC B047 MOV AL,47 + 7C00:08CE 50 PUSH AX + 7C00:08CF 9A1003443D CALL 3D44:0310 + 7C00:08D4 8D8678FE LEA AX,[BP+FE78] + 7C00:08D8 16 PUSH SS + 7C00:08D9 50 PUSH AX + 7C00:08DA 9A8202C93C CALL 3CC9:0282 + 7C00:08DF 83BE8CFE00 CMP WORD PTR [BP+FE8C],+00 + 7C00:08E4 7503 JNZ 08E9 + 7C00:08E6 E94CFF JMP 0835 + + ; Next comes the 
code that checks your entry. If you follow + ; it through you will see it handles not only clearing the + ; screen and printing the "GOOD GOING" message but it also + ; handles bad entries, etc. + + 7C00:08E9 8BB682FE MOV SI,[BP+FE82] + 7C00:08ED C682F6FE00 MOV BYTE PTR [BP+SI+FEF6],00 + 7C00:08F2 8DBE30FF LEA DI,[BP+FF30] + 7C00:08F6 8DB6F6FE LEA SI,[BP+FEF6] + 7C00:08FA 16 PUSH SS + 7C00:08FB 07 POP ES + 7C00:08FC B9FFFF MOV CX,FFFF + 7C00:08FF 33C0 XOR AX,AX + 7C00:0901 F2 REPNZ + 7C00:0902 AE SCASB + 7C00:0903 F7D1 NOT CX + 7C00:0905 2BF9 SUB DI,CX + 7C00:0907 F3 REPZ + 7C00:0908 A6 CMPSB + 7C00:0909 7405 JZ 0910 + 7C00:090B 1BC0 SBB AX,AX + 7C00:090D 1DFFFF SBB AX,FFFF + 7C00:0910 3D0100 CMP AX,0001 + 7C00:0913 1BC0 SBB AX,AX + 7C00:0915 F7D8 NEG AX + 7C00:0917 8986F2FE MOV [BP+FEF2],AX + 7C00:091B 0BC0 OR AX,AX + 7C00:091D 7509 JNZ 0928 + 7C00:091F 837E8401 CMP WORD PTR [BP-7C],+01 + 7C00:0923 7703 JA 0928 + 7C00:0925 E91C02 JMP 0B44 + 7C00:0928 0BC0 OR AX,AX + 7C00:092A 7506 JNZ 0932 + 7C00:092C 837E8403 CMP WORD PTR [BP-7C],+03 + 7C00:0930 740A JZ 093C + 7C00:0932 0BC0 OR AX,AX + 7C00:0934 745E JZ 0994 + 7C00:0936 837E8403 CMP WORD PTR [BP-7C],+03 + 7C00:093A 7358 JNB 0994 + 7C00:093C B047 MOV AL,47 + 7C00:093E 50 PUSH AX + 7C00:093F 9A1003443D CALL 3D44:0310 + 7C00:0944 8D867AFF LEA AX,[BP+FF7A] + 7C00:0948 16 PUSH SS + 7C00:0949 50 PUSH AX + 7C00:094A 9A36007E3D CALL 3D7E:0036 + 7C00:094F 83BEF2FE00 CMP WORD PTR [BP+FEF2],+00 + 7C00:0954 7518 JNZ 096E + 7C00:0956 FF7680 PUSH [BP-80] + 7C00:0959 FFB67EFF PUSH [BP+FF7E] + 7C00:095D 9A1C04F93C CALL 3CF9:041C + 7C00:0962 EB16 JMP 097A + 7C00:0964 C7868CFE0100 MOV WORD PTR [BP+FE8C],0001 + 7C00:096A E972FF JMP 08DF + 7C00:096D 90 NOP + 7C00:096E FF7680 PUSH [BP-80] + 7C00:0971 FFB67EFF PUSH [BP+FF7E] + 7C00:0975 9A7204F93C CALL 3CF9:0472 + 7C00:097A 89867EFF MOV [BP+FF7E],AX + 7C00:097E 895680 MOV [BP-80],DX + 7C00:0981 B008 MOV AL,08 + 7C00:0983 50 PUSH AX + 7C00:0984 9A1003443D CALL 3D44:0310 + 7C00:0989 
8D867AFF LEA AX,[BP+FF7A] + 7C00:098D 16 PUSH SS + 7C00:098E 50 PUSH AX + 7C00:098F 9A36007E3D CALL 3D7E:0036 + 7C00:0994 B047 MOV AL,47 + 7C00:0996 50 PUSH AX + 7C00:0997 9A1003443D CALL 3D44:0310 + 7C00:099C 8D46F6 LEA AX,[BP-0A] + 7C00:099F 16 PUSH SS + 7C00:09A0 50 PUSH AX + 7C00:09A1 9A6A00843D CALL 3D84:006A + 7C00:09A6 B008 MOV AL,08 + 7C00:09A8 50 PUSH AX + 7C00:09A9 9A1003443D CALL 3D44:0310 + 7C00:09AE 8D8684FE LEA AX,[BP+FE84] + 7C00:09B2 16 PUSH SS + 7C00:09B3 50 PUSH AX + 7C00:09B4 9A6A00843D CALL 3D84:006A + 7C00:09B9 83BEF2FE00 CMP WORD PTR [BP+FEF2],+00 + 7C00:09BE 7503 JNZ 09C3 + 7C00:09C0 E98500 JMP 0A48 + 7C00:09C3 2AC0 SUB AL,AL + 7C00:09C5 50 PUSH AX + 7C00:09C6 9A1003443D CALL 3D44:0310 + 7C00:09CB 8B46F8 MOV AX,[BP-08] + 7C00:09CE 050700 ADD AX,0007 + 7C00:09D1 8946E8 MOV [BP-18],AX + 7C00:09D4 FFB62EFF PUSH [BP+FF2E] + 7C00:09D8 FFB62CFF PUSH [BP+FF2C] + 7C00:09DC 2BC0 SUB AX,AX + 7C00:09DE 50 PUSH AX + 7C00:09DF 9A2801FC44 CALL 44FC:0128 + 7C00:09E4 89868EFE MOV [BP+FE8E],AX + 7C00:09E8 899690FE MOV [BP+FE90],DX + 7C00:09EC C78672FE0000 MOV WORD PTR [BP+FE72],0000 + 7C00:09F2 EB04 JMP 09F8 + 7C00:09F4 FF8672FE INC WORD PTR [BP+FE72] + 7C00:09F8 83BE72FE05 CMP WORD PTR [BP+FE72],+05 + 7C00:09FD 7C03 JL 0A02 + 7C00:09FF E94201 JMP 0B44 + 7C00:0A02 52 PUSH DX + 7C00:0A03 50 PUSH AX + 7C00:0A04 9A4602FC44 CALL 44FC:0246 + 7C00:0A09 8946EC MOV [BP-14],AX + 7C00:0A0C 8956EE MOV [BP-12],DX + 7C00:0A0F FFB690FE PUSH [BP+FE90] + 7C00:0A13 FFB68EFE PUSH [BP+FE8E] + 7C00:0A17 9AF201FC44 CALL 44FC:01F2 + 7C00:0A1C 8946F0 MOV [BP-10],AX + 7C00:0A1F 8D46E6 LEA AX,[BP-1A] + 7C00:0A22 16 PUSH SS + 7C00:0A23 50 PUSH AX + 7C00:0A24 9A8202C93C CALL 3CC9:0282 + 7C00:0A29 8346E80A ADD WORD PTR [BP-18],+0A + 7C00:0A2D FFB690FE PUSH [BP+FE90] + 7C00:0A31 FFB68EFE PUSH [BP+FE8E] + 7C00:0A35 B80100 MOV AX,0001 + 7C00:0A38 50 PUSH AX + 7C00:0A39 9A7E01FC44 CALL 44FC:017E + 7C00:0A3E 89868EFE MOV [BP+FE8E],AX + 7C00:0A42 899690FE MOV [BP+FE90],DX + 7C00:0A46 EBAC JMP 
09F4 + 7C00:0A48 B084 MOV AL,84 + 7C00:0A4A 50 PUSH AX + 7C00:0A4B 9A1003443D CALL 3D44:0310 + 7C00:0A50 C746E88C00 MOV WORD PTR [BP-18],008C + 7C00:0A55 FFB62AFF PUSH [BP+FF2A] + 7C00:0A59 FFB628FF PUSH [BP+FF28] + 7C00:0A5D B85C00 MOV AX,005C + 7C00:0A60 50 PUSH AX + 7C00:0A61 9A2801FC44 CALL 44FC:0128 + 7C00:0A66 89868EFE MOV [BP+FE8E],AX + 7C00:0A6A 899690FE MOV [BP+FE90],DX + 7C00:0A6E 52 PUSH DX + 7C00:0A6F 50 PUSH AX + 7C00:0A70 9A4602FC44 CALL 44FC:0246 + 7C00:0A75 8946EC MOV [BP-14],AX + 7C00:0A78 8956EE MOV [BP-12],DX + 7C00:0A7B FFB690FE PUSH [BP+FE90] + 7C00:0A7F FFB68EFE PUSH [BP+FE8E] + 7C00:0A83 9AF201FC44 CALL 44FC:01F2 + 7C00:0A88 8946F0 MOV [BP-10],AX + 7C00:0A8B 8D46E6 LEA AX,[BP-1A] + 7C00:0A8E 16 PUSH SS + 7C00:0A8F 50 PUSH AX + 7C00:0A90 9A8202C93C CALL 3CC9:0282 + 7C00:0A95 2AC0 SUB AL,AL + 7C00:0A97 50 PUSH AX + 7C00:0A98 9A1003443D CALL 3D44:0310 + 7C00:0A9D 8346E80B ADD WORD PTR [BP-18],+0B + 7C00:0AA1 FFB690FE PUSH [BP+FE90] + 7C00:0AA5 FFB68EFE PUSH [BP+FE8E] + 7C00:0AA9 B80100 MOV AX,0001 + 7C00:0AAC 50 PUSH AX + 7C00:0AAD 9A7E01FC44 CALL 44FC:017E + 7C00:0AB2 89868EFE MOV [BP+FE8E],AX + 7C00:0AB6 899690FE MOV [BP+FE90],DX + 7C00:0ABA 52 PUSH DX + 7C00:0ABB 50 PUSH AX + 7C00:0ABC 9A4602FC44 CALL 44FC:0246 + 7C00:0AC1 8946EC MOV [BP-14],AX + 7C00:0AC4 8956EE MOV [BP-12],DX + 7C00:0AC7 FFB690FE PUSH [BP+FE90] + 7C00:0ACB FFB68EFE PUSH [BP+FE8E] + 7C00:0ACF 9AF201FC44 CALL 44FC:01F2 + 7C00:0AD4 8946F0 MOV [BP-10],AX + 7C00:0AD7 8D46E6 LEA AX,[BP-1A] + 7C00:0ADA 16 PUSH SS + 7C00:0ADB 50 PUSH AX + + + ; Lot's of code Huh? 
+ + + 7C00:0ADC 9A8202C93C CALL 3CC9:0282 + 7C00:0AE1 C746E8BC00 MOV WORD PTR [BP-18],00BC + 7C00:0AE6 FFB690FE PUSH [BP+FE90] + 7C00:0AEA FFB68EFE PUSH [BP+FE8E] + 7C00:0AEE B80100 MOV AX,0001 + 7C00:0AF1 50 PUSH AX + 7C00:0AF2 9A7E01FC44 CALL 44FC:017E + 7C00:0AF7 89868EFE MOV [BP+FE8E],AX + 7C00:0AFB 899690FE MOV [BP+FE90],DX + 7C00:0AFF 52 PUSH DX + 7C00:0B00 50 PUSH AX + 7C00:0B01 9A4602FC44 CALL 44FC:0246 + 7C00:0B06 8946EC MOV [BP-14],AX + 7C00:0B09 8956EE MOV [BP-12],DX + 7C00:0B0C FFB690FE PUSH [BP+FE90] + 7C00:0B10 FFB68EFE PUSH [BP+FE8E] + 7C00:0B14 9AF201FC44 CALL 44FC:01F2 + 7C00:0B19 8946F0 MOV [BP-10],AX + 7C00:0B1C 8D46E6 LEA AX,[BP-1A] + 7C00:0B1F 16 PUSH SS + 7C00:0B20 50 PUSH AX + 7C00:0B21 9A8202C93C CALL 3CC9:0282 + 7C00:0B26 B80100 MOV AX,0001 + 7C00:0B29 50 PUSH AX + 7C00:0B2A 9AF4019324 CALL 2493:01F4 + 7C00:0B2F 83C402 ADD SP,+02 + 7C00:0B32 B047 MOV AL,47 + 7C00:0B34 50 PUSH AX + 7C00:0B35 9A1003443D CALL 3D44:0310 + 7C00:0B3A 8D46F6 LEA AX,[BP-0A] + 7C00:0B3D 16 PUSH SS + 7C00:0B3E 50 PUSH AX + 7C00:0B3F 9A6A00843D CALL 3D84:006A + 7C00:0B44 83BEF2FE00 CMP WORD PTR [BP+FEF2],+00 + 7C00:0B49 7508 JNZ 0B53 + 7C00:0B4B FF4E84 DEC WORD PTR [BP-7C] + 7C00:0B4E 7403 JZ 0B53 + 7C00:0B50 E9A7F9 JMP 04FA + 7C00:0B53 FF76F4 PUSH [BP-0C] + 7C00:0B56 8D867AFF LEA AX,[BP+FF7A] + 7C00:0B5A 50 PUSH AX + 7C00:0B5B FFB62EFF PUSH [BP+FF2E] + 7C00:0B5F FFB62CFF PUSH [BP+FF2C] + 7C00:0B63 FFB62AFF PUSH [BP+FF2A] + 7C00:0B67 FFB628FF PUSH [BP+FF28] + 7C00:0B6B E88EF5 CALL 00FC + 7C00:0B6E 8B86F2FE MOV AX,[BP+FEF2] + 7C00:0B72 5E POP SI + 7C00:0B73 5F POP DI + + ; Here is the exit code I was talking about + + 7C00:0B74 8BE5 MOV SP,BP + 7C00:0B76 5D POP BP + 7C00:0B77 CB RETF + 7C00:0B78 B85A06 MOV AX,065A + 7C00:0B7B CB RETF + 7C00:0B7C B89006 MOV AX,0690 + 7C00:0B7F CB RETF + + + Ok, after looking through all of that, can you tell me + where to put the patch. Simple. 
How about right at the + begining of the doc check right after the music routines (ie + address 7C00:04B6). Hey yeah ... good idea. But how do we + want to patch it. Well, since this is a higher level + language, we just can't use RETF. We must reset the stack. + Since I hate large patches, a simply decided on the + follow patch + + 7C00:04B6 E9BB06 JMP B74 + + Ok, by jumping to 0B74, we still get the music but the + actual doc check is not executed. But there is still a + problem. Remember how I said that AX was tested after the + doc check. Well, we still have to fake the check. The + easiest way, is to simply NOP the condition jmp. Here is the + section of code again + + + 45E2:0235 9A46010F4A CALL 7C00:146 ; Call to Doc Check + 45E2:023A 83C404 ADD SP,+04 + 45E2:023D 0BC0 OR AX,AX + 45E2:023F 7465 JZ 02A6 + + If you remember, when you enter the right code, AX will + be set to 0001 when we exit to 45E2:023A. If we OR 0001 and + 0001 we get 0001. Here is the binary ... + + + 0000 0000 0000 0001 ( remember OR means + if either is bit + or 0000 0000 0000 0001 is 1 ) + + 0000 0000 0000 0001 + + Clearly we don't want to branch at the JZ at 45E2:023F. + So, to finish the patch we simply NOP that jmp. + + Oh boy.. that was hard. So let's test it out. But + first, a little forsight. We will need a unique string of + bytes to search for when making the patch. I say we use the + code from 7C00:04C4 to 7C00:04CE and from 45E2:0235 to + 45E2:023F. Yea, write down the hex equivelent and then + restart. Again break in right after the switch to graphics. + Now add the patch (ie A 7C00:04B6 , etc.). Now + execute the program. + + SHIT! It worked, we are fucking amazing. Ok, now + adding the patch permenatly. Using PCTOOLS (or whatever) + search the file STARCON.EXE for the bytes mention above + (ie: C746F60B00C746F87900C746FA2801) But wait, now + matches...Hmmm strange. It was there just a minute ago...but + wait there... 
another file STARCON.OVL (as we all know .OVL + mean OVERLAY). Let's try searching this one. + + There we go, that's better (it should should up on the + 13 sector read in). Now to add the patch. Simply find the + search bytes and the go backwards until the first occurance + of the hex byte 9A. Add the patch here. Save it. + + Next, add the patch to 45E2:023F. Search for the bytes + 83C4040BC07465. The should appear on sector 3 (give or take + a few sectors). Now simply change the 2 bytes 74 65 to 90 90 + and save the sector. Now, you are good to go. + + Well shit, this has been some hell of a textfile. 1113 + lines in all. But what detail. Ok I hope you learned + something from all of this. And this end the first part of + CRACKING 101 - the 1990 edition. From here out all lessons ( + lesson 5 and up) will be released on their own. + + I would like the thank Phantom Phlegm for pushing me to + finish this shit. + + Till lesson 5 this is Buckaroo Banzai, signing off. + + + OH... I can be reached for personal help via E-MAIL on LORD + WOLFEN's CASTLE or TOS... diff --git a/textfiles.com/piracy/CRACKING/c2.txt b/textfiles.com/piracy/CRACKING/c2.txt new file mode 100644 index 00000000..c082271e --- /dev/null +++ b/textfiles.com/piracy/CRACKING/c2.txt 
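Review bot: in the patch section near the end of this hunk the suggested instruction is written `JMP B74` while the surrounding text and the epilogue label both read 0B74; the bytes `E9BB06` at 7C00:04B6 encode a near jump to 04B9 + 06BB = 0B74, so the listing is self-consistent and only the prose has dropped the leading zero. The search strings given later (C746F60B00C746F87900C746FA2801 and 83C4040BC07465) do match the listing at 7C00:04C4-04CE and 45E2:023A-023F. Since this is a verbatim archive import, the typo belongs in a reviewer note, not in an edit to the file.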
@@ -0,0 +1,495 @@ +HOW TO CRACK, by +ORC, A TUTORIAL +LESSON C (2) - How to crack, Cracking as an art +[INSTANT ACCESS] + + cracking Instant Access (2) - strainer for the +HCU + +[SEE LESSON C.1 for the first part of this cracking session] + Here follow the relevant protection routines for the first +(The "Registration") number_code of Instant Access, with my +comments: you have to investigate a little the following code. + Later, when you'll crack on your own, try to recognize the +many routines that fiddle with input BEFORE the relevant (real +protection) one. In this case, for instance, a routine checks the +correctness of the numbers of your input: + +This_loop_checks_that_numbers_are_numbers: +1B0F:2B00 C45E06 LES BX,[BP+06] ; set/reset pointer +1B0F:2B03 03DF ADD BX,DI +1B0F:2B05 268A07 MOV AL,ES:[BX] ; get number +1B0F:2B08 8846FD MOV [BP-03],AL ; store +1B0F:2B0B 807EFD30 CMP BYTE PTR [BP-03],30 +1B0F:2B0F 7C06 JL 2B17 ; less than zero? +1B0F:2B11 807EFD39 CMP BYTE PTR [BP-03],39 +1B0F:2B15 7E05 JLE 2B1C ; between 0 & 9? +1B0F:2B17 B80100 MOV AX,0001 ; no, set flag=1 +1B0F:2B1A EB02 JMP 2B1E ; keep flag +1B0F:2B1C 33C0 XOR AX,AX ; flag=0 +1B0F:2B1E 0BC0 OR AX,AX ; is it zero? +1B0F:2B20 7507 JNZ 2B29 ; flag NO jumps away +1B0F:2B22 8A46FD MOV AL,[BP-03] ; Ok, get number +1B0F:2B25 8842CC MOV [BP+SI-34],AL ; Ok, store number +1B0F:2B28 46 INC SI ; inc storespace +1B0F:2B29 47 INC DI ; inc counter +1B0F:2B2A C45E06 LES BX,[BP+06] ; reset pointer +1B0F:2B2D 03DF ADD BX,DI ; point next number +1B0F:2B2F 26803F00 CMP BYTE PTR ES:[BX],00 ; input end? +1B0F:2B33 75CB JNZ 2B00 ; no:loop next num + + You now obviously understand that the "real" string is +stored inside memory location [BP+SI-34]... set a memory +breakpoint on this area to get the next block of code that +fiddles with the transformed input. 
Notice how this routine +"normalizes" the input, strips the "-" off and puts the 10 +numbers together: +user input: 1 2 1 2 1 2 1 2 1 2 End + 1E7F:92E2 31 32 31 32 31 32 31 32 31 32 00 45 AF 1F 70 9B + Stack ptr: 0 1 2 3 4 5 6 7 8 9 A B C D E F + Let's now look at the "real" protection routine: the one + +that checks these numbers and throw you out if they are not +"sound". Please pay attention to the following block of code: + +check_if_sum_other_9_numbers_=_remainder_of_the_third_number: +:4B79 8CD0 MOV AX,SS ; we'll work inside the stack... +:4B7B 90 NOP +:4B7C 45 INC BP +:4B7D 55 PUSH BP ; save real BP +:4B7E 8BEC MOV BP,SP ; BP = stackpointer +:4B80 1E PUSH DS ; save real Datasegment +:4B81 8ED8 MOV DS,AX ; Datasegment = stacksegment +:4B83 83EC04 SUB SP,+04 +:4B86 C45E06 LES BX,[BP+06] ; BX points input_start +:4B89 268A07 MOV AL,ES:[BX] ; load first number +:4B8C 98 CBW ; care only for low +:4B8D C45E06 LES BX,[BP+06] ; reset pointer +:4B90 50 PUSH AX ; save 1st number +:4B91 268A4701 MOV AL,ES:[BX+01] ; load 2nd number +:4B95 98 CBW ; only low +:4B96 8BD0 MOV DX,AX ; 2nd number in DX +:4B98 58 POP AX ; get 1st number +:4B99 03C2 ADD AX,DX ; sum with second +:4B9B C45E06 LES BX,[BP+06] ; reset pointer +:4B9E 50 PUSH AX ; save sum +:4B9F 268A4707 MOV AL,ES:[BX+07] ; load 8th number +:4BA3 98 CBW ; only low +:4BA4 8BD0 MOV DX,AX ; 8th number in DX +:4BA6 58 POP AX ; old sum is back +:4BA7 03C2 ADD AX,DX ; sum 1+2+8 +:4BA9 C45E06 LES BX,[BP+06] ; reset pointer +:4BAC 50 PUSH AX ; save sum +:4BAD 268A4703 MOV AL,ES:[BX+03] ; load 4rd number +:4BB1 98 CBW ; only low +:4BB2 8BD0 MOV DX,AX ; #4 in DX +:4BB4 58 POP AX ; sum is back +:4BB5 03C2 ADD AX,DX ; sum 1+2+8+4 +:4BB7 C45E06 LES BX,[BP+06] ; reset pointer +:4BBA 50 PUSH AX ; save sum +:4BBB 268A4704 MOV AL,ES:[BX+04] ; load 5th number +:4BBF 98 CBW ; only low +:4BC0 8BD0 MOV DX,AX ; #5 in DX +:4BC2 58 POP AX ; sum is back +:4BC3 03C2 ADD AX,DX ; 1+2+8+4+5 +:4BC5 C45E06 LES BX,[BP+06] ; reset pointer +:4BC8 50 
PUSH AX ; save sum +:4BC9 268A4705 MOV AL,ES:[BX+05] ; load 6th number +:4BCD 98 CBW ; only low + +:4BCE 8BD0 MOV DX,AX ; #6 in DX +:4BD0 58 POP AX ; sum is back +:4BD1 03C2 ADD AX,DX ; 1+2+8+4+5+6 +:4BD3 C45E06 LES BX,[BP+06] ; reset pointer +:4BD6 50 PUSH AX ; save sum +:4BD7 268A4706 MOV AL,ES:[BX+06] ; load 7th number +:4BDB 98 CBW ; only low +:4BDC 8BD0 MOV DX,AX ; #7 in DX +:4BDE 58 POP AX ; sum is back +:4BDF 03C2 ADD AX,DX ; 1+2+8+4+5+6+7 +:4BE1 C45E06 LES BX,[BP+06] ; reset pointer +:4BE4 50 PUSH AX ; save sum +:4BE5 268A4708 MOV AL,ES:[BX+08] ; load 9th number +:4BE9 98 CBW ; only low +:4BEA 8BD0 MOV DX,AX ; #9 in DX +:4BEC 58 POP AX ; sum is back +:4BED 03C2 ADD AX,DX ; 1+2+8+4+5+6+7+9 +:4BEF C45E06 LES BX,[BP+06] ; reset pointer +:4BF2 50 PUSH AX ; save sum +:4BF3 268A4709 MOV AL,ES:[BX+09] ; load 10th # +:4BF7 98 CBW ; only low +:4BF8 8BD0 MOV DX,AX ; #10 in DX +:4BFA 58 POP AX ; sum is back +:4BFB 03C2 ADD AX,DX ; 1+2+8+4+5+6+7+9+10 +:4BFD 0550FE ADD AX,FE50 ; clean sum to 0-51 +:4C00 BB0A00 MOV BX,000A ; BX holds 10 +:4C03 99 CWD ; only AL +:4C04 F7FB IDIV BX ; remainder in DX +:4C06 C45E06 LES BX,[BP+06] ; reset pointer +:4C09 268A4702 MOV AL,ES:[BX+02] ; load now # 3 +:4C0D 98 CBW ; only low +:4C0E 05D0FF ADD AX,FFD0 ; clean # 3 to 0-9 +:4C11 3BD0 CMP DX,AX ; remainder = pampered #3? + +:4C13 7407 JZ 4C1C ; yes, go on good guy +:4C15 33D2 XOR DX,DX ; no! beggar off! Zero DX +:4C17 33C0 XOR AX,AX ; and FLAG_AX = FALSE +:4C19 E91701 JMP 4D33 ; go to EXIT +let's_go_on_if_first_check_passed: +:4C1C C45E06 LES BX,[BP+06] ; reset pointer +:4C1F 268A4701 MOV AL,ES:[BX+01] ; now load #2 anew +:4C23 98 CBW ; only low +:4C24 05D7FF ADD AX,FFD7 ; pamper adding +3 +:4C27 A38D5E MOV [5E8D],AX ; save SEC_+3 +:4C2A 3D0900 CMP AX,0009 ; was it < 9? 
(no A-F) +:4C2D 7E05 JLE 4C34 ; ok, no 0xletter +:4C2F 832E8D5E0A SUB WORD PTR [5E8D],+0A ; 0-5 if A-F +:4C34 C45E06 LES BX,[BP+06] ; reset pointer +:4C37 268A07 MOV AL,ES:[BX] ; load 1st input number +:4C3A 98 CBW ; only low +:4C3B 05C9FF ADD AX,FFC9 ; pamper adding +7 +:4C3E A38F5E MOV [5E8F],AX ; save it in FIR_+7 +:4C41 0BC0 OR AX,AX ; if #1 > 7 +:4C43 7D05 JGE 4C4A ; no need to add 0xA +:4C45 83068F5E0A ADD WORD PTR [5E8F],+0A ; FIR_+7 + 0xA +now_we_have_the_sliders_let's_prepare_for_loop: + +:4C4A C45E0E LES BX,[BP+0E] ; Set pointer to E +:4C4D 26C747020000 MOV WORD PTR ES:[BX+02],0000 ; 0 flag +:4C53 26C7070000 MOV WORD PTR ES:[BX],0000 ; 0 flag +:4C58 C706975E0900 MOV WORD PTR [5E97],0009 ; counter=9 +:4C5E E99500 JMP 4CF6 ; Jmp check_counter +loop_8_times: +:4C61 C45E06 LES BX,[BP+06] ; reset pointer +:4C64 031E975E ADD BX,[5E97] ; add running counter +:4C68 268A07 MOV AL,ES:[BX] ; load # counter+1 +:4C6B 98 CBW ; only low +:4C6C 50 PUSH AX ; save 10th number +:4C6D A18D5E MOV AX,[5E8D] ; ld SEC_+3 down_slider +:4C70 BA0A00 MOV DX,000A ; BX holds 0xA +:4C73 F7EA IMUL DX ; SEC_+3 * 0xA +:4C75 03068F5E ADD AX,[5E8F] ; plus FIR_+7 up_slider +:4C79 BAA71E MOV DX,1EA7 ; fixed segment +:4C7C 8BD8 MOV BX,AX ; BX = Lkup_val=(SEC_+3*10+FIR_+7) +:4C7E 8EC2 MOV ES,DX ; ES = 1EA7 +:4C80 268A870000 MOV AL,ES:[BX+0000] ; ld 1EA7:[Lkup_val] +:4C85 98 CBW ; only low: KEY_PAR +:4C86 8BD0 MOV DX,AX ; save KEY_PAR in DX +:4C88 58 POP AX ; repops 10th number +:4C89 03C2 ADD AX,DX ; RE_SULT=KEY_PAR+#10 +:4C8B 05D0FF ADD AX,FFD0 ; polish RE_SULT +:4C8E 99 CWD ; only low: RE_SULT +:4C8F 8956FC MOV [BP-04],DX ; save here KEY_PAR [9548] +:4C92 8946FA MOV [BP-06],AX ; save here RE_SULT [9546] +:4C95 0BD2 OR DX,DX ; KEY_PAR < 0? 
+:4C97 7C0F JL 4CA8 ; yes: KEY_PAR < 0 +:4C99 7F05 JG 4CA0 ; no: KEY_PAR > 0 +:4C9B 3D0900 CMP AX,0009 ; KEY_PAR = 0 +:4C9E 7608 JBE 4CA8 ; no pampering if RE_SULT < 9 +:4CA0 836EFA0A SUB WORD PTR [BP-06],+0A ; else pamper +:4CA4 835EFC00 SBB WORD PTR [BP-04],+00 ; and SBB [9548] +:4CA8 C45E0E LES BX,[BP+0E] ; reset pointer to E +:4CAB 268B4F02 MOV CX,ES:[BX+02] ; charge CX [958C] +:4CAF 268B1F MOV BX,ES:[BX] ; charge BX slider [958A] +:4CB2 33D2 XOR DX,DX ; clear DX to zero +:4CB4 B80A00 MOV AX,000A ; 10 in AX +:4CB7 9A930D2720 CALL 2027:0D93 ; call following RO_routine + + This is the only routine called from our protection, inside the +loop (therefore 8 times), disassembly from WCB. Examining this +code please remember that we entered here with following +configuration: DX=0, AX=0xA, CX=[958C] and BX=[958A]... + 1.0D93 56 push si ; save si + 1.0D94 96 xchg ax, si ; ax=si, si=0xA + 1.0D95 92 xchg ax, dx ; dx=0xA ax=dx + 1.0D96 85C0 test ax, ax ; TEST this zero + 1.0D98 7402 je 0D9C ; zero only 1st time + 1.0D9A F7E3 mul bx ; BX slider! 0/9/5E/3B2... + 1.0D9C >E305 jcxz 0DA3 ; cx=0? don't multiply! + 1.0D9E 91 xchg ax, cx ; cx !=0? cx = ax & ax = cx + 1.0D9F F7E6 mul si ; ax*0xA in ax + 1.0DA1 03C1 add ax, cx ; ax= ax*0xA+cx = M_ULT + 1.0DA3 >96 xchg ax, si ; ax=0xA; si evtl. 
holds M_ULT + 1.0DA4 F7E3 mul bx ; ax= bx*0xA + 1.0DA6 03D6 add dx, si ; dx= dx_add + 1.0DA8 5E pop si ; restore si + 1.0DA9 CB retf ; back to caller with two + parameters: DX and AX +Back_to_main_protection_loop_from_RO_routine: +:4CBC C45E0E LES BX,[BP+0E] ; reset pointer +:4CBF 26895702 MOV ES:[BX+02],DX ; save R_DX par [958C] +:4CC3 268907 MOV ES:[BX],AX ; save R_AX par [958A] +:4CC6 0346FA ADD AX,[BP-06] ; add to AX RE_SULT [9546] +:4CC9 1356FC ADC DX,[BP-04] ; add to DX KEY_PAR [9548] +:4CCC C45E0E LES BX,[BP+0E] ; reset pointer +:4CCF 26895702 MOV ES:[BX+02],DX ; save R_DX+KEY_PAR [958C] + +:4CD3 268907 MOV ES:[BX],AX ; save R_AX+RE_SULT [958A] +:4CD6 FF0E8D5E DEC WORD PTR [5E8D] ; down_slide SEC_+3 +:4CDA 7D05 JGE 4CE1 ; no need to add +:4CDC 83068D5E0A ADD WORD PTR [5E8D],+0A ; pamper adding 10 +:4CE1 FF068F5E INC WORD PTR [5E8F] ; up_slide FIR_+7 +:4CE5 A18F5E MOV AX,[5E8F] ; save upslided FIR_+7 in AX +:4CE8 3D0900 CMP AX,0009 ; is it over 9? +:4CEB 7E05 JLE 4CF2 ; no, go on +:4CED 832E8F5E0A SUB WORD PTR [5E8F],+0A ; yes, pamper -10 +:4CF2 FF0E975E DEC WORD PTR [5E97] ; decrease loop counter +check_loop_counter: +:4CF6 833E975E03 CMP WORD PTR [5E97],+03 ; counter = 3? 
+:4CFB 7C03 JL 4D00 ; finish if counter under 3 +:4CFD E961FF JMP 4C61 ; not yet, loop_next_count +loop_is_ended: +:4D00 C45E06 LES BX,[BP+06] ; reset pointer to input +:4D03 268A4701 MOV AL,ES:[BX+01] ; load 2nd number (2) +:4D07 98 CBW ; only low +:4D08 05D0FF ADD AX,FFD0 ; clean it +:4D0B BA0A00 MOV DX,000A ; DX = 10 +:4D0E F7EA IMUL DX ; AX = SEC_*10 = 14 +:4D10 C45E06 LES BX,[BP+06] ; reset pointer +:4D13 50 PUSH AX ; save SEC_*10 +:4D14 268A07 MOV AL,ES:[BX] ; load 1st number (1) +:4D17 98 CBW ; only low +:4D18 8BD0 MOV DX,AX ; save in DX +:4D1A 58 POP AX ; get SEC_*10 +:4D1B 03C2 ADD AX,DX ; sum SEC_*10+1st number +:4D1D 05D0FF ADD AX,FFD0 ; clean it +:4D20 99 CWD ; only low +:4D21 C45E0A LES BX,[BP+0A] ; get pointer to [9582] +:4D24 26895702 MOV ES:[BX+02],DX ; save 1st (1) in [9584] +:4D28 268907 MOV ES:[BX],AX ; save FINAL_SUM (15) [9582] +:4D2B 33D2 XOR DX,DX ; DX = 0 +:4D2D B80100 MOV AX,0001 ; FLAG TRUE ! +:4D30 E9E6FE JMP 4C19 ; OK, you_are_a_nice_guy +EXIT: +:4D33 59 POP CX ; pop everything and +:4D34 59 POP CX ; return with flag +:4D35 1F POP DS ; AX=TRUE if RegNum OK +:4D36 5D POP BP ; with 1st # in [9584] +:4D37 4D DEC BP ; with FINAL_SUM in [9582] +:4D38 CB RETF + + Let's translate the preceding code: first of all the pointers: +At line :4B86 we have the first of a long list of stack ptrs: + LES BX,[BP+06] + This stack pointer points to the beginning of the input string, +which, once polished from the "-", has now a length of 10 bytes, +concluded by a 00 fence. At the beginning, before the main loop, +9 out of our 10 numbers are added, all but the third one. + Notice that protection has jumped # 3 (and added # 8 out of the +line). The rest is straightforward. Now, at line :4BFD we have +our first "cleaning" instruction. You see: the numbers are +hexadecimal represented by the codes 0x30 to 0x39. If you add +FE50 to the minimum sum you can get adding 9 numbers (0x30*9 = +0x160) You get 0. 
The maximum you could have adding 9 numbers, +on the contrary is (0x39*9=0x201), which, added to FE50 gives +0x51. So we'll have a "magic" number between 0x0 and 0x51 instead +of a number between 0x160 and 0x201. Protection pampers this +result, and retains only the last ciffer: 0-9. Then protection +divides this number through 0xA, and what happens? DX get's the +REMAINDER of it. + If we sum the hexcodes of our (1212-1212-12) we get 0x1BE (we +sum only 9 out of then numbers: the third "1" -i.e. "31"- does +not comes into our count); 0x1BE, cleaned and pampered gives E. +Therefore (0xE/0xA = 1) We get 1 with a remainder of 4. + You may observe that of all possible answers, only sums +finishing with A, B, C, D, E or F give 1 (and rem=0,1,2,3,4 or +5). Sums finishing 0 1 2 3 4 5 6 7 8 or 9 give 0 as result and +themselves as reminder. The chance of getting a 0,1,2,3 or 4 are +therefore bigger as the chance of getting a 5, 6, 7, 8 or 9. We +are just observing... we do not know yet if this should play a +role or not. + Now this remainder is compared at :4C11 with the third number +polished from 0x30-0x39 to 0-9. This is the only protection check +for the registration number input: If your third number does not +match with the remainder of the sum of all the 9 others numbers +of your input you are immediately thrown out with FLAG AX=FALSE +(i.e. zero). + To crack the protection you now have to MODIFY your input string +accordingly. Our new input string will from now on be "1242-1212- +12": we have changed our third number (originally a "2") to a "4" +to get through this first strainer in the correct way. Only now +protection starts its mathematical part (We do not know yet why +it does it... in order to seed the random product number? To +provide a check for the registration number you'll input at the +end? We'll see). +- Protection saves the second number of your input (cleaned + with FFD7) in SEC_+3 [5E8D], pampering it if it is bigger + than 9 (i.e. 
if it is 0xA-0xF). Here you'll have therefore + following correspondence: 0=7 1=8 2=9 3=0 4=1 5=2 6=3 7=4 + 8=5 9=6. The second number of your input has got added +3. + This is value SEC_+3. In (lengthy) C it would look like + this: + If (RegString(2)is lower than 7) RegString(2) = RegString(2)+3 + Else Regstring(2) = ((RegString(2)-10)+3) +- Protection saves your first number in FIR_+7 [5E8F] with a + different cleaning parameter (FFC9). The next pampering + adds 0xA if it was not 7/8/9 therefore you have here + following correspondence 7=0 8=1 9=2 0=3 1=4 2=5 3=6 4=7 + 5=8 6=9). This is value FIR_+7. In (lengthy) C it would + look like this: + If (RegString(1) is lower than 3) RegString(1) = RegString(1)+7 + Else Regstring(1) = ((RegString(1)-10)+7) + So protection has "transformed" and stored in [5E8D] and [5E8F] +the two numbers 1 and 2. In our RegString: 1242-1212-12 the first +two numbers "12" are now stored as "94". These will be used as +"slider" parameters inside the main loop, as you will see. + Only now does protection begin its main loop, starting from the +LAST number, because the counter has been set to 9 (i.e. the +tenth number of RegString). The loop, as you'll see, handles only +the numbers from 10 to 3: it's an 8-times loop that ends without +handling the first and second number. What happens in this +loop?... Well, quite a lot: Protection begins the loop loading +the number (counter+1) from the RegString. Protection then loads +the SEC_+3 down_slider parameter (which began its life as second +number "transformed"), multiplies it with 0xA and then adds the +up_slider parameter FIR_+7 (at the beginning it was the first +number transformed). + This sum is used as "lookup pointer" to find a parameter +inside a table of parameters in memory, which are all numbers +between 0 and 9. Let's call this value Lkup_val. +Protection looks for data in 1EA7:[Lkup_val]. 
In our case (we +entered 1242-1212-12, therefore the first SEC_+3 value is 9 and +the first FIR_+7 value is 4): [Lkup_val] = 9*0xA+4; 0x5A+4 = +0x5E. At line :4C80 therefore AL would load the byte at 1EA7:005E +(let's call it KEY_PAR), which now would be ADDED to the # +counter+1 of this loop. In our case KEY_PAR at 1EA7:005E it's a +"7" and is added to the pampered 0x32=2, giving 9. + Let's establish first of all which KEY_PAR can possibly get +fetched: the maximum is 0x63 and the minimum is 0x0. The possible +KEY_PARs do therefore dwell in memory between 1EA7: and +1EA7:0063. Let's have a look at the relative table in memory, +where these KEY_PARs are stored ("our" first 0x5Eth byte is +underlined): +1EA7:0000 01 03 03 01 09 02 03 00-09 00 04 03 08 07 04 04 +1EA7:0010 05 02 09 00 02 04 01 05-06 06 03 02 00 08 05 06 +1EA7:0020 08 09 05 00 04 06 07 07-02 00 08 00 06 02 04 07 +1EA7:0030 04 04 09 05 09 06 00 06-08 07 00 03 05 09 00 08 +1EA7:0040 03 07 07 06 08 09 01 05-07 04 06 01 04 02 07 01 +1EA7:0050 03 01 08 01 05 03 03 01-02 08 02 01 06 05 07 02 +1EA7:0060 05 09 09 08 02 09 03 00-00 04 05 01 01 03 08 06 +1EA7:0070 01 01 09 00 02 05 05 05-01 07 01 05 08 07 01 09 +1EA7:0080 08 07 07 04 04 08 03 00-06 01 09 08 08 04 09 09 +1EA7:0090 00 07 05 02 03 01 03 08-06 05 07 06 03 07 06 07 +1EA7:00A0 04 02 02 05 02 04 06 02-06 09 09 01 05 02 03 04 +1EA7:00B0 04 00 03 05 00 03 08 07-06 04 08 08 02 00 03 06 +1EA7:00C0 09 00 00 06 09 04 07 02-00 01 01 01 01 00 01 FF +1EA7:00D0 00 FF FF FF FF 00 FF 01-00 00 00 00 00 00 00 00 + + An interesting table, where all the correspondences are +between 0 and 9... are we getting some "secret" number here? But, +hey, look there... funny, isn't it? Instead of only 0-0x63 bytes +we have roughly the DOUBLE here: 0-0xC8 bytes (the 01 sequence +starting at CA "feels" like a fence). We'll see later how +important this is. At the moment you should only "perceive" that +something must be going on with a table that's two time what she +should be. 
+ As I said the result of KEY_PAR + input number is polished +(with a FFDO) and pampered (subtracting, if necessary, 0xA). +Therefore the result will be the (counter+1) input number + +KEY_PAR (let's call it RE_SULT], in our case, (at the beginning +of the loop) a 9. Now (DX=0 because of the CWD instruction) DX +will be saved in [9548] and RE_SULT in [9546]. + Now Protection prepares for the RO_routine: resets its pointer +and charges CX and BX from [958C] and from [958A] respectively, +charges AX with 0xA and sets DX to zero. + The routine performs various operations on AX and DX and saves +the results in the above mentioned locations [958A] and [958C]. + Now KEY_PAR and RE_SULT are added respectively to the DX and AX +value we got back from the RO_routine call, and saved once more +in the last two locations: AX+RE_SULT in [958A] and DX+KEY_PAR +in [958C] + Now the value in SEC_+3 is diminished by 1 (if it was 9 it's now +8, if it was zero it will be pampered to 9). It's a "slider" +parameter (in this case a down_slider), typically used in +relatively complicated protections to give a "random" impression +to the casual observer. The value in FIR_+7, on the contrary, is +augmented by one, from 4 to 5... up_sliding also. + Protection now handles the next number of your input for the +loop. 
In our case this loop uses following protection +configuration with our "sliding" parameters: + Input # pamp_2nd pamp_1st Lookup value KEY_PAR # RE_SULT +# 10 = 2, SEC_+3= 9, FIR_+7= 4, Lkup_val = 0x5E, KEY=7 +2 = 9 +# 9 = 1, SEC_+3= 8, FIR_+7= 5, Lkup_val = 0x55, KEY=3 +1 = 4 +# 8 = 2, SEC_+3= 7, FIR_+7= 6, Lkup_val = 0x4C, KEY=4 +2 = 6 +# 7 = 1, SEC_+3= 6, FIR_+7= 7, Lkup_val = 0x43, KEY=7 +1 = 7 +# 6 = 2, SEC_+3= 5, FIR_+7= 8, Lkup_val = 0x3A, KEY=0 +2 = 2 +# 5 = 1, SEC_+3= 4, FIR_+7= 9, Lkup_val = 0x31, KEY=4 +1 = 5 +# 4 = 2, SEC_+3= 3, FIR_+7= 0, Lkup_val = 0x1E, KEY=5 +2 = 7 +# 3 = 4, SEC_+3= 2, FIR_+7= 1, Lkup_val = 0x15, KEY=2 +4 = 5 +Notice how our "regular" input 21212124 has given an "irregular" +94672575. + You may legitimately ask yourself what should all this mean: +what are these RE_SULTs used for? Well they are used to slide +another parameter: this one inside the called routine... this is +what happens to AX and DX inside the routine, and the lines after +the called routine: +:4CBF 26895702 MOV ES:[BX+02],DX ; save R_DX par [958C] +:4CC3 268907 MOV ES:[BX],AX ; save R_AX par [958A] +:4CC6 0346FA ADD AX,[BP-06] ; add to AX RE_SULT [9546] +:4CC9 1356FC ADC DX,[BP-04] ; add to DX KEY_PAR [9548] +:4CCC C45E0E LES BX,[BP+0E] ; reset pointer to E +:4CCF 26895702 MOV ES:[BX+02],DX ; save R_DX+KEY_PAR [958C] +:4CD3 268907 MOV ES:[BX],AX ; save R_AX+RE_SULT [958A] + + :4CC6 :4CC9 :4CCF Odd_DX :4CD3 slider_sum + RE_SULT [958A] [958C] [958C] [958A] + + 0 0 0 0 0 + 9 5A 0 0 9 + 4 3AC 0 0 5E + 6 24F4 0 0 3B2 + 7 71CE 1 1 24FB + 2 7220 4 E 71D0 + 5 7572 4 90 7225 + 7579 + +Now the loops ends, having handled the input numbers from tenth +to third. Protection loads the second number and multiplies it +by 10 (let's call this result SEC_*10), in our case 2*0xA=14. +Protection loads the first number and adds it to the +multiplication, in our case 1+0x14=0x15 (FINAL_SUM]. +Now everything will be added to FFDO to "clean" it. 
+Pointer will now be set to the end of the input number. +DX, zeroed by CDW, will be saved as parameter in [9584] and the +cleaned and pampered sum will be saved in [9582]. +FLAG is set to true and this routine is finished! No parameter +are passed and the only interesting thing is what actually +happens in the locations [9582], [9584], [958A] and [958C], i.e.: +FINAL_SUM, 0, slider_sum, odd_dx. + In the next lesson we'll crack everything, but I'll give you +already some hints here, in case you would like to go ahead on +your own: we'll see how the scheme used for the third (the +registration) number show analogies and differences with the +scheme we have studied (and cracked) here for the first number. +Our 3434-3434-3434-3434-34 input string for the registration +number will be transformed in the magic string +141593384841547431, but this will not work because the "magic" +12th number: "1" will not correspond to the remainder calculated +inside this check through the previous locations of the other +checks. + Here the things are more complicated because every little +change in your input string transforms COMPLETELY the "magic" +string... therefore in order to pass the strainer you'll have to +change 3434-3434-3434-3434-34 in (for instance) 7434-3434-3434- +3434-96. The "magic" string 219702960974498056 that this +registration input gives will go through the protection strainer. +Only then we'll be able to step over and finally crack the whole +protection... it's a pretty complicated one as I said. Now crack +it pupils... you have three months time. From this crack depends +your admission to the Uni, there will be no other admission text +till summer 1997 (it's a hell of work to prepare this crap)... +work well. + +Well, that's it for this lesson, reader. Not all lessons of my +tutorial are on the Web. + You 'll obtain the missing lessons IF AND ONLY IF you mail +me back (via anon.penet.fi) some tricks of the trade I may not +know but YOU've discovered. 
I'll probably know most of them +already, but if they are really new you'll be given full credit, +and even if they are not, should I judge that you "rediscovered" +them with your work, or that you actually did good work on them, +I'll send you the remaining lessons nevertheless. Your +suggestions and critics on the whole crap I wrote are also +welcomed. + + ++ORC an526164@anon.penet.fi + diff --git a/textfiles.com/piracy/CRACKING/c3.txt b/textfiles.com/piracy/CRACKING/c3.txt new file mode 100644 index 00000000..66d0a7cd --- /dev/null +++ b/textfiles.com/piracy/CRACKING/c3.txt 
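Review bot: the comment on ":4C70 BA0A00 MOV DX,000A" reads "BX holds 0xA", but the instruction loads DX, and the next line ":4C73 F7EA IMUL DX" multiplies by DX, so the comment should say DX. Two smaller slips in the same file's prose: "DX, zeroed by CDW" refers to the ":4D20 99 CWD" instruction, so the mnemonic should read CWD, and the cleaning constant is written "FFDO" (letter O) in several places where the listing itself shows "ADD AX,FFD0". If the file is being imported as a verbatim archive copy these stay as they are; otherwise they are worth a line in the commit message so readers do not trust the comment over the opcode.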
@@ -0,0 +1,1512 @@ +-------------------------------------------------------- +LESSON C (3) - How to crack Windows, cracking as anArt: +Web trends, Instant Access (end) and the proximity trick +-------------------------------------------------------- +I. [WEB TRENDS] +It's really amazing: I began this tutorial in february 1996... +the year is not yet finished but many things have already +changed, and how! First of all the Web proves to be even more +significant that I would ever have thought: it's -de facto- an +ANTI-ESTABLISHMENT and ANTI-CONSUME "permanent" tool... more than +that: it's an EVOLVING and SHARP tool! +I do not know if you will agree with me, but it seems to me that +it is now NOT ANY MORE NECESSARY to buy any of the following +things (and this is a quite incomplete list: + +1) Newspapers Are almost all on the Web for free +2) Magazines Are almost all on the Web for free +3) Software All on the Web for free +4) Books on the Web (even the *images* inside the + books you would have bought are somewhere) +5) Post_stamps e-mail is free and ubiquitous +6) Hard_disks free megabytes everywhere on the Web (for + pages and/or software, quite a lot of + offering (at the moment, middle november + 1996 you can get -for free- about 80 + megabytes for each email address you have). + Should you do not deem this space enough, + you may multiply them -ad libitum- using one + of the many free "alias e-mail addresses" + generators or, as a brilliant scholar of + mine (re)discovered, you may easily "caper" + (the passwords of) pages established by the + lusers. + + I assure you that I used to spend quite a lot of money +buying all the preceding items. The case of the CD-ROM magazines +(and of software in general) seems to me to be the most relevant. +In my earlier lessons I advised you to buy CD-ROM software at +"kilo" prices in second hand shops (obviously never when the +magazines themselves do appear)... 
even this trick is now +useless: there is NO software that you cannot find on the Web +(I'll bet that the CD-ROM mags are not making any easy money any +more now). This truth may be difficult to slurp until you learn +HOW to search effectively on the Web, a very difficult art -per +se-, that all real crackers should master. A little tip: if you +are in a hurry do your searches using your own search engines +instead of using only the ubiquitous AltaVista, FTP and +Webcrawler (which you SHOULD use, of course, but not alone). + And loo! Good old Internet, made by governments and +universities with public money and no private partecipation +whatsoever reveals itself to be the most striking revolution of +the last years in spite of the continuous blah blah about free +markets and private initiative... quite funny, isn't it? + New promising patterns are emerging: it is clear (to me) +that the future of cracking lays in JavaScript applets: Netscape +has opened quite a Pandora Box... now everybody is scrambling to +close it... TOO LATE! Find the relevant documentation, tutorials, +software, tools, examples... even teachers! Everything is there +for free on the Web! Study it, and when you are ready study it +again... take it easy: we have a long cracking future before +us... + Here is a nice example (by LaDue) of an interesting applet: +this one forges an e-mail from the browsers of your page sending +it to the address contained in the string "toMe". The browser of +your page initiates the mail by connecting (involuntarily) to +port 25 (int mailPort=25). + Now, let's just academically imagine... you would put your +own address (faked email address but working depot when you need +to fetch the messages, as usual) in the string "toMe"... well, +scanning incoming mail you could get the full e-mail address, +including the user name, of many people who have seen your page. 
+ See LaDue example at: + http://www.math.gatech.edu/~mladue/PenPal.java + + JavaScript and Java are two completely different things: The +coincidence in the name is only a stupid marketing move from +Netscape. JavaScript is so easy it's a shame, and this makes it +the ideal weapon for masscracking (Java on the countrary is a +"real" programming language). The implications of easy Javascript +use, of internet growth and of the "on the fly" JavaScript +workings for the drafting of much more interesting applets are +obvious, I'll let them to the intuition (and fantasy) of my +cleverest readers. + +II.[INSTANT ACCESS] End + I'll admit it: I am a little deceived: the +HCU strainer +(Instant access protection scheme) has been solved only by very +few (pretty competent) crackers. The amount of people that has +NOT cracked instant access (and that as relentlessy asked for +more "clues") stood in no sound relation to the very few that +solved it. I intended to give my complete solution in this lesson +C3 to allow everybody to have (good) software for free... but too +few worked hard on it to let you all lazy ones deserve a "ready- +made" solution... I will therefore publish here one of the +"incomplete" (albeit very good) solutions. + The solution cracks the scheme but requires a little work +of your part to accomplish it... what I mean is this: studying +the following you'll be able to crack every Instant access +protected code in a couple of hours, not immediatly... this is +good, will make the lazy lurkers work (at least a little :=) + Here it is (C++ code of the solution and admission letter), +I only took off the name of the candidate: + +Cracking Instant Access_____________ +by xxxxxxxx +Application for 1996 Higher Cracking University + + This is my solution to the strainer for admittance into your +HCU. 
While I was successful in bypassing the protection (and +hence now have a nice collection of software for free) I am the +first to admit that my solution is not the best. However, I am +very proud of the work I have done on this project and it is by +far the most difficult crack I've ever done. In the past I've +traced programs, and when they did something I did not like, I +looked at the jumps immediately before that and reversed them. + Because of idiot programming this worked about 60% of the +time, however in many programs I was just stuck. With the hints +you provided in your tutors I was able to actually disassemble +the program and understand why it did things. Believe me this is +a big jump. Anyway, here is my solution. + I have dozens of handwritten notes and pages of code that +I copied out of soft-ice, and any that are important I will type +into this report, however most turned out to be unimportant. I +have also created a "Magic" number generator and a reverse +generator. I am very proud that I was able to create these, +because the "Magic" number seemed so mysterious at first, and now +I have complete mastery of it, a great feeling of power. + I began the project by following the introductory steps in +lessons C1 and C2. I got lost somewhere in C2, but I kept going. +I got to the end with a vague understanding of what was happening +and decided that I needed to understand this fully before I could +do anything useful towards cracking it. + I left my computer alone and read through the code again, +making notes and explanations for my own use. About the third +time through everything clicked, it was like a light bulb going +off in my head. You mentioned that not everything in Lesson C1 +was correct. + Here is a list of what I found to be incorrect. +1. The offsets in the code were not the same. (this is a good +idea to keep people from cheating when pinpointing the correct +code) +2. The pointers to where things are saved in memory were not the +same. 
+3. You wrote that the 1st digit plus 7 was saved and then you +wrote that the 2nd plus 3 was saved. It is the other way around! +1st plus 3 and 2nd plus 7. (just checking if we are paying +attention huh?) + I think that's all of the one's I found although there were +many specific instances of each one. So here's what I did. + I did a search on the 18 digit code I typed in. I found it +at 30:8xxxxx and did a bpr on it. I let it run, and looked each +time something accessed that area. Eventually I found code that +checked if the digits were between 30 and 39 and copied them to +DS:8CD8. So there lies the code with the "-" 's stripped off of +it. I did a bpr on this area. It copied itself to DS:8CB8, and +I bpr'ed that as well. I discovered that what was going on was, +it copied itself, then that copy was transformed into the "Magic" +number. + So I did a little stack fishing, and found a CALL at offset +5C04 which copies the code from 8CB8 and converts it into the +"Magic" number. At this point I traced into the call and got +really fucking lost, so I stepped back had a sip of Vodka and +thought. I don't care HOW the "magic" gets there, only that it +is there. I figured once I figured out what "magic" I needed I +could trace over the call that put it there, and then put in +whatever "magic" I wanted. So I traced on to see what happened +to the "magic" number that had been produced. I had a bpr on the +"magic" and it stopped on the first line of code below. + The code is copied from my handwritten notes, so not +everything is accurate (I only wrote down what I thought was +important) +2b67:2598 mov al, es:[bx] ; 12th digit of magic + mov [bp-03], al ; ?????? 
+ mov al, [bp-03] ; maybe an inefficient compiler +result + add al, d0 ; clean it + mov [bp-04], al ; save it in [8ca6] + les bx, bp+06 + add bx, si ; point to 12th again + mov byte ptr es:bx, 30 ; make it a '0' + push then more crap and then +:253d mov al, es:bx ; 1st digit + mov ah, 00 add ax,ffd0 ; clean it + cwd + add [bp-06], ax ; [8c90] is zero to start +this loop repeats 18 times, summing up the "magic" number, with +the 12th set to 0 + +:256e mov [bp-07], al ; save remainder of sum/a in [8c8f] + cmp [al, bp-05] ; is 12th (in al) save as remainder +of sum/a ? Aha!, this is what you were talking about at the end +of C2, where the remainder doesn't match the 12th number. +I knew I was on the right track. I could feel it. +I traced down farther after the remainder check (I used +8888-8888-8888-8888-88 as my code from then on because it passed +this check and was easy to remember) and I found code which +compared the value at ds:8D00 with the value at ds:8D0C and if +it did not match jumped to beggar off. + Then it checks if ds:8D06 is equal to ds:8D0E and if not +equal jumps to beggar off. So I knew that 8D00 must equal 8D0C +and that 8D06 must equal 8D0E. + All I needed to do was figure out where these came from. I +bpr'ed on 8D0C and found code which wrote the number to it. + I did not copy the ASM down, but this is what I wrote: +move 15th of "Magic" into AX fix it to 0-9 by +- A +put it in SI +mov 16th into AX +mul si by A +add ax to si +mov 17th to AX +mul si by A +add ax to it +put 18th in AX +mul si by A +add AX to it ; This is ds:8D0C !!!! +So now I knew where this came from, the last 4 digits of the +"magic" I bpr'ed on 8D0E and found out quickly that the first +digit of the "magic" was put into ds:8D0E. +Things were looking good. However, I was unable to figure out how +ds:8D06 and ds:8D00 were created. I know they are related to the +product code because they only change when it does. 
But they are +put there by a MOVSW command and I cannot figure out how to +predict where they are copied from, because it is only done once +and it is never from the same place, so all my attempts to bpr +on the spot they are copied from failed because it copies from +a new spot each time. + I felt dejected. I could not figure it out, even after days +of pointless tracing. + I stepped back and thought, and drank a can of Coke at 2 +a.m... + +(note from +ORC: Coke is dangerous for your health and your cracking +purposes... drink only Martini-Wodka and use by all means only russian +Wodka) + + ...I still had not figured out how the "magic" worked. I +decided to do that and come back to the problem of the numbers +generated from the Product Code. + I knew the call at cs:5C04 completely generated the "magic" +so I started there. I traced through it several times and found +that it made a CALL 3517 three times, then looped 6 times. So it +called 3517 a total of 18 times. I also noticed that the CALL +changed the number, but nothing else did, it just set up the +calls. + So I traced into CALL 3517 and came up with this: +mov ax,ss +nop inc bp +push bp +mov bp,sp +push ds +mov ds,ax +xor ax a bunch more unimportant stuff +:356b mov al,es:[bx} ; al = 18th digit + cbw push ax + mov ax, A + sub ax,[5dad] ; subtract 6 from a to get 4 + imul [5db1] pop dx ; 18th digit + add dx,ax add dx, -30 ;clean it + mov [5db5], dx ;save it then fix [5db5] to be +between 0 and 9 + mov al, es:[bx] ; load 18th again + cbw push ax + mov ax,a + sub ax,[5dad] + imul [5db3] + pop dx ; 18th digit + add dx, ax + add dx, -30 ;clean it +:35bb mov [5db7], dx ;save it. 
+:35d9 mov bx,[5dad] + mov es, bp+1a + add bx,[bp+18] + mov al,es:[bx-1] ; al = 6th digit + mov [5dc3], al ; save it + mov bx,[5dad] + mov es,[bp+1e] + add bx,[bp+1c] + mov al,es:[bx-1] ; 12th digit + mov [5dc4], al ; save it more junk then +3605: mov bx,[5dbf] ; this is the beginning of a loop + mov es,[bp+1a] + add bx,[bp+18] + mov al,es:[bx-1] ; 5th digit + push ax ; save it + mov ax,[5db5] ; [5db5] created above using 18th digit + mov dx,A + imul dx ;[5db] *A + les bx,[bp+0c] + add bx,ax + add bx,[5db7] ; created using 18th + pop ax ;5th digit + sub al,es:[bx};subtract a value from the lookup table + les bx add bx,[5dbf] + mov es:[bx],al ; Put new value in 6th spot fix it +so that it's between 0 and 9 by +- A +:3656 mov bx,[5dbf] + mov es,[bp+1e] + add bx,[bp+1c] + mov al,es:[bx-1] ; 11th digit + push ax mov ax,[5db5] + mov dx,a + imul dx + les bx + add bx,ax + add bx,[5db7] + pop ax ;11th digit + sub al,es:[bx] ; subtract a value from lookup +table + les bx, [bp+1c] + add bx,[5db7] + mov es:[bx],al ;put it in 12th spot fix it to be +between 0 and 9 The loop above repeats doing the same thing, +changing 2 numbers, but not always the same two. The next time +through it changes 5th and 11th, after that the 4th and 10th, 3rd +and 9th then the 2nd and 8th using this same pattern. After the +loop it changes the 1st and 7th using the values of the original +6th and 12th which were saved in [5dc3] and [5dc4] using the same +pattern. I quickly wrote a program in C which would produce this +number, and it worked fine. + I traced into the second call of 3517 and found that the +parameters passed to it changed which values where used to create +[5db5] and [5db7], whether they increment or decrement, whether +you add 0 or 64 to your index for the lookup and the digits which +are changed. All three calls to 3517 have a different +arrangement, but the their arrangement is the same each time they +are called. 
For instance, the three calls are looped over 6 +times, on each instance that the 1st call is executed it will +change the 6th,12th,5th, 11th, etc. So I modified my C program +to mimic the behaviour of each call and looped it six times, +expecting this to be the "magic" number. To my surprise it was +not right. + So I followed the code until after the 3 CALL 3517's had +been made, this was the number my generator had given me, so it +must do something more afterwards. + I found the following code, still within the cs:5c04 call +:44C1 mov al,es:[bx+si-2] ; 17th digit + add al,d0 ;clean it + mov [5dc1], al ;save it + les bx + mov al,es:[bx+si-2] ; 18th digit + add al,d0 ;clean it + mov [5dc2],al ;save it + mov [5dbf],0 + jmp 455f :44df + les bx + add bx,[5dbf] + mov al,[5dc1] ;17th cleaned + sub es:[bx],al ;1st digit has 17th cleaned +subtracted from it fix it between 0 and 9 + mov al,[5dc2] ;18th cleaned 4520 + sub es:[bx],al ;7th - 18th cleaned is put in 7th +spot fix it between 0 and 9 +:455b inc word ptr [5dbf] + mov ax,[5dbf] + cmp ax,[5dad] ; run six times + jge 456b + jmp 44df 456b: blah blah continue on. +This loop executes six times each time incrementing the digit to +be changed by one so that the first change changes the 1st digit, +and the next time through the loop the 2nd then the 3rd.....till +the sixth. The second change alters the 7th through the 12th +digits. I added code to do this at the end of my Generator, and +I now had a "Magic" number generator. However this did not do me +much good in itself. The breakthrough was reversing this program +(it wasn't hard, but getting all the bugs out was really tough) +so that it takes a "magic" number as input and tells you what +registration number will produce it. I have included the source +code for both programs to prove that they are my own work. The +coding is not the best, they are my own crude tools, and they do +the job I need them for. But now I am home free. 
Even without +knowing how the product code is manipulated to come up with +ds:8D00 and ds:8d06 I can crack it. Here's what I did. + The product code given me was 3850-0118-6260-1057-23 I +traced to where ds:8D00 and ds:8D06 are placed they were: +ds:8D00 = E03 ds:8D06 = 3 I knew the last 4 digits when added, +and multiplied as explained above must be E03 so this is what I +wrote down, using my calculator + DFC + 7 =E03 +This is the final answer, but I need to work backwards from here + 166 * A = DFC + 15E + 8 = 166 + 23 * A = 15E + 1E +5 = 23 + 3 * A = 1E +Just working things backwards from the way the program did it I +figured out the last 4 digits of the magic code need to be 3587 +in order for it to produce E03 as a result. I also know that the +first digit must be equal to ds:8d06 which is 3 so I now have: + 3___-____-____-__35-87 +as a "magic" number and I fill it in with 1's + 3111-1111-111X-1135-87 +I left the 12th number as an X because I remember that the +remainder of the sum of all the digits except the 12th must be +equal to the 12th. + 3+1+1+1+1+1+1+1+1+1+1+1+1+3+5+8+7 = 26 26/A + 26 26/A = 3 with a remainder of 8, +so the 12th digit is an 8! + My "magic" number should be 3111-1111-1118-1135-87 +So I run my UNINSTAN program, which tells me that in order to get +that "magic" I need to enter the following registration code: +4798-8540-6989-6899-53 I enter this in, the "Retrieve" button is +enabled and I install Norton Utilities without a hassle! I used +the same method to install Wine Select (I've been interested in +wine since reading about your Pomerol), Labels Unlimited (which +I use for what else? Barcodes!), Harvard Graphics, and Lotus Ami +Pro, which I'm using to write this report on! + Well, that's it. That is how I cracked Instant Access. As +I mentioned above it is not the best way, but I gave everything +I had and it's the best I could do. + I have succeeded because I have beaten the protection, and +because I taught myself a lot along the way. 
I'm sure you already +have a "magic" number generator of your own, but I included mine +so you could see it. If I just knew how the product code produces +those 2 numbers I could create a product code to registration +number converter, which I assume is what the operators at Instant +Access have when you call them to buy stuff. + One last note about this assignment. I know that you have +realized that Instant Access was hard to find. I want to tell you +how I got it, a bit a social engineering in itself. After +searching every library and book/magazine store in the city I got +on the Internet and asked. Nobody had it. + So I found the Instant Access homepage. ... + +(this will not be published, coz I, +ORC, do not want to expose my crackers, +but the way this guy got hold of the protection scheme is in itself worth +is access to the +HCU) + +...So as you can see, I have gone to great lengths for admittance +into your University, and I hope I have earned it. I am proud to +wear my + + +...address follows +And here are the two C++ programs: + +INSTANT.CPP----------------------------------- +// Template for byte patch files +#include +#include +#include +#include +#include + + +void main() +{ + char fix(char x); + + char *t; //*stopstring + int save1, save2,fdbf,fdbs, i; + static int table[208] = {1,3,3,1,9,2,3,0, 9,0,4,3,8,7,4,4, + 5,2,9,0,2,4,1,5, 6,6,3,2,0,8,5,6, + 8,9,5,0,4,6,7,7, 2,0,8,0,6,2,4,7, + 4,4,9,5,9,6,0,6, 8,7,0,3,5,9,0,8, + 3,7,7,6,8,9,1,5, 7,4,6,1,4,2,7,1, + 3,1,8,1,5,3,3,1, 2,8,2,1,6,5,7,2, + 5,9,9,8,2,9,3,0, 0,4,5,1,1,3,8,6, + 1,1,9,0,2,5,5,5, 1,7,1,5,8,7,1,9, + 8,7,7,4,4,8,3,0, 6,1,9,8,8,4,9,9, + 0,7,5,2,3,1,3,8, 6,5,7,6,3,7,6,7, + 4,2,2,5,2,4,6,2, 6,9,9,1,5,2,3,4, + 4,0,3,5,0,3,8,7, 6,4,8,8,2,0,3,6, + 9,0,0,6,9,4,7,2, 0,1,1,1,1,0,1} ; + + + //_clearscreen(_GCLEARSCREEN); + printf("Enter the 18 digit Reg code: "); + gets(t); + +for (i=1; i<=6 ; i++) + { + save1 = t[5]; // save the sixth digit + save2 = t[11]; // save the twelfth digit + + fdbf = 
0xFFC+t[17]-0x1000-0x30 ; // create [5db5] + if (fdbf < 0x0) + fdbf += 0xA; // fix it if necessary + else if (fdbf >= 0xA) + fdbf -= 0xA; + fdbs = fdbf; // and [5db7] + + t[5] = t[4] - table[fdbf*0xA+fdbs] ; // sixth number + t[5] = fix(t[5]); + + t[11] = t[10] - table[fdbf*0xA+fdbs+0x64]; // 12th +number + t[11] = fix(t[11]); + + + fdbf -= 1; // decrement + if (fdbf == -1) + fdbf = 9; + fdbs -= 1; + if (fdbs == -1) + fdbs = 9; + + t[4] = t[3] - table[fdbf*0xA+fdbs] ; // 5th number + t[4] = fix(t[4]); + + t[10] = t[9] - table[fdbf*0xA+fdbs+0x64]; // 11th +number + t[10] = fix(t[10]); + + fdbf -= 1; // decrement + if (fdbf == -1) + fdbf = 9; + fdbs -= 1; + if (fdbs == -1) + fdbs = 9; + + t[3] = t[2] - table[fdbf*0xA+fdbs] ; // 4th number + t[3] = fix(t[3]); + + t[9] = t[8] - table[fdbf*0xA+fdbs+0x64]; // 10th number + t[9] = fix(t[9]); + + fdbf -= 1; // decrement + if (fdbf == -1) + fdbf = 9; + fdbs -= 1; + if (fdbs == -1) + fdbs = 9; + + t[2] = t[1] - table[fdbf*0xA+fdbs] ; // 3rd number + t[2] = fix(t[2]); + + t[8] = t[7] - table[fdbf*0xA+fdbs+0x64]; // 9th number + t[8] = fix(t[8]); + + fdbf -= 1; // decrement + if (fdbf == -1) + fdbf = 9; + fdbs -= 1; + if (fdbs == -1) + fdbs = 9; + + t[1] = t[0] - table[fdbf*0xA+fdbs] ; // 2nd number + t[1] = fix(t[1]); + + t[7] = t[6] - table[fdbf*0xA+fdbs+0x64]; // 8th number + t[7] = fix(t[7]); + + fdbf -= 1; // decrement + if (fdbf == -1) + fdbf = 9; + fdbs -= 1; + if (fdbs == -1) + fdbs = 9; + + t[0] = save1 - table[fdbf*0xA+fdbs]; // first digit + t[0] = fix(t[0]); + t[6] = save2 - table[fdbf*0xA+fdbs+0x64]; // 7th digit + t[6] = fix(t[6]); + + //puts(t); + // end of first call +//////////////////////////////////////////////// + + save1 = t[5]; // save the sixth digit + save2 = t[17]; // save the 18th digit + + fdbf = t[10]+0x4-0x30 ; // create [5db5] + if (fdbf < 0x0) + fdbf += 0xA; // fix it if necessary + else if (fdbf >= 0xA) + fdbf -= 0xA; + + fdbs = t[9]+0x4-0x30; // and [5db7] + if (fdbs < 0x0) + fdbs += 0xA; // 
fix it if necessary + else if (fdbs >= 0xA) + fdbs -= 0xA; + + + t[5] = t[4] - table[fdbf*0xA+fdbs] ; // sixth number + t[5] = fix(t[5]); + + t[17] = t[16] - table[fdbf*0xA+fdbs+0x64]; // 18th +number + t[17] = fix(t[17]); + + fdbf += 1; // increment + if (fdbf == 10) + fdbf = 0; + fdbs += 1; + if (fdbs == 10) + fdbs = 0; + + t[4] = t[3] - table[fdbf*0xA+fdbs] ; // 5th number + t[4] = fix(t[4]); + + t[16] = t[15] - table[fdbf*0xA+fdbs+0x64]; // 17th +number + t[16] = fix(t[16]); + + fdbf += 1; // increment + if (fdbf == 10) + fdbf = 0; + fdbs += 1; + if (fdbs == 10) + fdbs = 0; + + t[3] = t[2] - table[fdbf*0xA+fdbs] ; // 4th number + t[3] = fix(t[3]); + + t[15] = t[14] - table[fdbf*0xA+fdbs+0x64]; // 16th +number + t[15] = fix(t[15]); + + fdbf += 1; // increment + if (fdbf == 10) + fdbf = 0; + fdbs += 1; + if (fdbs == 10) + fdbs = 0; + + t[2] = t[1] - table[fdbf*0xA+fdbs] ; // 3rd number + t[2] = fix(t[2]); + + t[14] = t[13] - table[fdbf*0xA+fdbs+0x64]; // 15th +number + t[14] = fix(t[14]); + + fdbf += 1; // increment + if (fdbf == 10) + fdbf = 0; + fdbs += 1; + if (fdbs == 10) + fdbs = 0; + + t[1] = t[0] - table[fdbf*0xA+fdbs] ; // 2nd number + t[1] = fix(t[1]); + + t[13] = t[12] - table[fdbf*0xA+fdbs+0x64]; // 14th +number + t[13] = fix(t[13]); + + fdbf += 1; // increment + if (fdbf == 10) + fdbf = 0; + fdbs += 1; + if (fdbs == 10) + fdbs = 0; + + t[0] = save1 - table[fdbf*0xA+fdbs]; // first digit + t[0] = fix(t[0]); + t[12] = save2 - table[fdbf*0xA+fdbs+0x64]; // 13th +digit + t[12] = fix(t[12]); + + //puts(t); + // end of second call +//////////////////////////////////////////////// + + + save1 = t[11]; // save the 12th digit + save2 = t[17]; // save the 18th digit + + fdbf = t[1]+0x4-0x30 ; // create [5db5] + if (fdbf < 0x0) + fdbf += 0xA; // fix it if necessary + else if (fdbf >= 0xA) + fdbf -= 0xA; + + fdbs = t[2]+0x4-0x30; // and [5db7] + if (fdbs < 0x0) + fdbs += 0xA; // fix it if necessary + else if (fdbs >= 0xA) + fdbs -= 0xA; + + + t[17] = t[16] - 
table[fdbf*0xA+fdbs] ; // 18th number + t[17] = fix(t[17]); + + t[11] = t[10] - table[fdbf*0xA+fdbs+0x64]; // 12th +number + t[11] = fix(t[11]); + + + fdbf += 1; // increment + if (fdbf == 10) + fdbf = 0; + fdbs += 1; + if (fdbs == 10) + fdbs = 0; + + t[16] = t[15] - table[fdbf*0xA+fdbs] ; // 17th number + t[16] = fix(t[16]); + + t[10] = t[9] - table[fdbf*0xA+fdbs+0x64]; // 11th +number + t[10] = fix(t[10]); + + fdbf += 1; // increment + if (fdbf == 10) + fdbf = 0; + fdbs += 1; + if (fdbs == 10) + fdbs = 0; + + t[15] = t[14] - table[fdbf*0xA+fdbs] ; // 16th number + t[15] = fix(t[15]); + + t[9] = t[8] - table[fdbf*0xA+fdbs+0x64]; // 10th number + t[9] = fix(t[9]); + + fdbf += 1; // increment + if (fdbf == 10) + fdbf = 0; + fdbs += 1; + if (fdbs == 10) + fdbs = 0; + + t[14] = t[13] - table[fdbf*0xA+fdbs] ; // 15th number + t[14] = fix(t[14]); + + t[8] = t[7] - table[fdbf*0xA+fdbs+0x64]; // 9th number + t[8] = fix(t[8]); + + fdbf += 1; // increment + if (fdbf == 10) + fdbf = 0; + fdbs += 1; + if (fdbs == 10) + fdbs = 0; + + t[13] = t[12] - table[fdbf*0xA+fdbs] ; // 14th number + t[13] = fix(t[13]); + + t[7] = t[6] - table[fdbf*0xA+fdbs+0x64]; // 8th number + t[7] = fix(t[7]); + + fdbf += 1; // increment + if (fdbf == 10) + fdbf = 0; + fdbs += 1; + if (fdbs == 10) + fdbs = 0; + + t[12] = save2 - table[fdbf*0xA+fdbs]; // 13th digit + t[12] = fix(t[12]); + + t[6] = save1 - table[fdbf*0xA+fdbs+0x64]; // 7th digit + t[6] = fix(t[6]); + + + // end of third call +//////////////////////////////////////////////// + + + } // end of for loop + + // Now we finish it up + save1 = t[16] + 0xD0 - 0x100; // [5dc1] + save2 = t[17] + 0xD0 - 0x100; // [5dc2] + + for (i=0; i<6; i++) + { + t[i] = t[i] - save1; + t[i] = fix(t[i]); + + t[i+6] = t[i+6] - save2; + t[i+6] = fix(t[i+6]); + } + + printf("'Magic' code is: "); + for (i=0; i<18 ;i++) // output the string (only first 18) + putc(t[i], stdout); + printf("\n\n Created by xxxxx for +Orc's HCU 1996"); + +} // end of main() + + +char 
fix(char x) +{ + if (x < '0') + x = x+0xA; + + else if (x > 0x39) + x -= 0xA; + + return x; +} + +--------------------------------------------------- +UNINSTANT.CPP + +#include +#include +#include +#include +#include + + +void main() +{ + char fix(char x); + + char *t; + int save1, save2,fdbf,fdbs, i,q, fdbssave,fdbfsave; + static int table[208] = {1,3,3,1,9,2,3,0, 9,0,4,3,8,7,4,4, + 5,2,9,0,2,4,1,5, 6,6,3,2,0,8,5,6, + 8,9,5,0,4,6,7,7, 2,0,8,0,6,2,4,7, + 4,4,9,5,9,6,0,6, 8,7,0,3,5,9,0,8, + 3,7,7,6,8,9,1,5, 7,4,6,1,4,2,7,1, + 3,1,8,1,5,3,3,1, 2,8,2,1,6,5,7,2, + 5,9,9,8,2,9,3,0, 0,4,5,1,1,3,8,6, + 1,1,9,0,2,5,5,5, 1,7,1,5,8,7,1,9, + 8,7,7,4,4,8,3,0, 6,1,9,8,8,4,9,9, + 0,7,5,2,3,1,3,8, 6,5,7,6,3,7,6,7, + 4,2,2,5,2,4,6,2, 6,9,9,1,5,2,3,4, + 4,0,3,5,0,3,8,7, 6,4,8,8,2,0,3,6, + 9,0,0,6,9,4,7,2, 0,1,1,1,1,0,1} ; + +printf("Enter the 18 digit 'Magic' code: "); +gets(t); + +save1 = t[16] + 0xD0 - 0x100; // [5dc1] +save2 = t[17] + 0xD0 - 0x100; // [5dc2] + +for (i=5; i>=0 ; i--) // fix it before main loop + { + t[i] = t[i] +save1; + t[i] = fix(t[i]); + + t[i+6] = t[i+6] + save2; + t[i+6] = fix(t[i+6]); + } + +for (i=1; i<=6 ; i++) +{ +// begin third call + fdbf = 0x4+t[1]-0x30 ; // create [5db5] + if (fdbf < 0x0) + fdbf += 0xA; // fix it if necessary + else if (fdbf >= 0xA) + fdbf -= 0xA; + fdbs = 0x4+t[2]-0x30 ; // create [5db7] + if (fdbs < 0x0) + fdbs += 0xA; // fix it if necessary + else if (fdbs >= 0xA) + fdbs -= 0xA; + + + save1 = t[6]; //save 7th + save2 = t[12]; // and 13th + + for (q=1; q<=5; q++) // put [ ]'s where they were at end +of loop + { + fdbf += 1; // increment + if (fdbf == 10) + fdbf = 0; + fdbs += 1; + if (fdbs == 10) + fdbs = 0; + } + fdbssave = fdbs; + fdbfsave = fdbf; + + fdbf -= 1; // decrement + if (fdbf == -1) + fdbf = 9; + fdbs -= 1; + if (fdbs == -1) + fdbs = 9; + + t[6] = t[7] + table[fdbf*0xA+fdbs+0x64]; // 7th digit + t[6] = fix(t[6]); + + t[12] = t[13] + table[fdbf*0xA+fdbs]; // 13th digit + t[12] = fix(t[12]); + + fdbf -= 1; // decrement + 
if (fdbf == -1) + fdbf = 9; + fdbs -= 1; + if (fdbs == -1) + fdbs = 9; + + t[7] = t[8] + table[fdbf*0xA+fdbs+0x64]; // 8th digit + t[7] = fix(t[7]); + + t[13] = t[14] + table[fdbf*0xA+fdbs]; // 14th digit + t[13] = fix(t[13]); + + fdbf -= 1; // decrement + if (fdbf == -1) + fdbf = 9; + fdbs -= 1; + if (fdbs == -1) + fdbs = 9; + + t[8] = t[9] + table[fdbf*0xA+fdbs+0x64]; // 9th digit + t[8] = fix(t[8]); + + t[14] = t[15] + table[fdbf*0xA+fdbs]; // 15th digit + t[14] = fix(t[14]); + + fdbf -= 1; // decrement + if (fdbf == -1) + fdbf = 9; + fdbs -= 1; + if (fdbs == -1) + fdbs = 9; + + + t[9] = t[10] + table[fdbf*0xA+fdbs+0x64]; // 10th digit + t[9] = fix(t[9]); + + t[15] = t[16] + table[fdbf*0xA+fdbs]; // 16th digit + t[15] = fix(t[15]); + + fdbf -= 1; // decrement + if (fdbf == -1) + fdbf = 9; + fdbs -= 1; + if (fdbs == -1) + fdbs = 9; + + t[10] = t[11] + table[fdbf*0xA+fdbs+0x64]; // 11th +digit + t[10] = fix(t[10]); + + t[16] = t[17] + table[fdbf*0xA+fdbs]; // 17th digit + t[16] = fix(t[16]); + + t[11] = save1 + table[fdbfsave*0xA+fdbssave+0x64]; // +12th digit + t[11] = fix(t[11]); + + t[17] = save2 + table[fdbfsave*0xA+fdbssave]; // 18th digit + t[17] = fix(t[17]); + +// end of third call + + +// begin second call + fdbf = 0x4+t[10]-0x30 ; // create [5db5] + if (fdbf < 0x0) + fdbf += 0xA; // fix it if necessary + else if (fdbf >= 0xA) + fdbf -= 0xA; + fdbs = 0x4+t[9]-0x30 ; // create [5db7] + if (fdbs < 0x0) + fdbs += 0xA; // fix it if necessary + else if (fdbs >= 0xA) + fdbs -= 0xA; + + + save1 = t[0]; //save first + save2 = t[12]; // and 13th + + for (q=1; q<=5; q++) // put [ ]'s where they were at end +of loop + { + fdbf += 1; // increment + if (fdbf == 10) + fdbf = 0; + fdbs += 1; + if (fdbs == 10) + fdbs = 0; + } + fdbssave = fdbs; + fdbfsave = fdbf; + + fdbf -= 1; // decrement + if (fdbf == -1) + fdbf = 9; + fdbs -= 1; + if (fdbs == -1) + fdbs = 9; + + t[0] = t[1] + table[fdbf*0xA+fdbs]; // 1st digit + t[0] = fix(t[0]); + + t[12] = t[13] + 
table[fdbf*0xA+fdbs+0x64]; // 13th digit + t[12] = fix(t[12]); + + fdbf -= 1; // decrement + if (fdbf == -1) + fdbf = 9; + fdbs -= 1; + if (fdbs == -1) + fdbs = 9; + + t[1] = t[2] + table[fdbf*0xA+fdbs]; // 2nd digit + t[1] = fix(t[1]); + + t[13] = t[14] + table[fdbf*0xA+fdbs+0x64]; // 14th digit + t[13] = fix(t[13]); + + fdbf -= 1; // decrement + if (fdbf == -1) + fdbf = 9; + fdbs -= 1; + if (fdbs == -1) + fdbs = 9; + + t[2] = t[3] + table[fdbf*0xA+fdbs]; // 3rd digit + t[2] = fix(t[2]); + + t[14] = t[15] + table[fdbf*0xA+fdbs+0x64]; // 15th digit + t[14] = fix(t[14]); + + fdbf -= 1; // decrement + if (fdbf == -1) + fdbf = 9; + fdbs -= 1; + if (fdbs == -1) + fdbs = 9; + + + t[3] = t[4] + table[fdbf*0xA+fdbs]; // 4th digit + t[3] = fix(t[3]); + + t[15] = t[16] + table[fdbf*0xA+fdbs+0x64]; // 16th digit + t[15] = fix(t[15]); + + fdbf -= 1; // decrement + if (fdbf == -1) + fdbf = 9; + fdbs -= 1; + if (fdbs == -1) + fdbs = 9; + + t[4] = t[5] + table[fdbf*0xA+fdbs]; // 5th digit + t[4] = fix(t[4]); + + t[16] = t[17] + table[fdbf*0xA+fdbs+0x64]; // 17th digit + t[16] = fix(t[16]); + + t[5] = save1 + table[fdbfsave*0xA+fdbssave]; // 6th +digit + t[5] = fix(t[5]); + + t[17] = save2 + table[fdbfsave*0xA+fdbssave+0x64]; // 18th +digit + t[17] = fix(t[17]); +// end of second call +// begin first call + fdbf = 0xFFC+t[17]-0x1000-0x30 ; // create [5db5] + if (fdbf < 0x0) + fdbf += 0xA; // fix it if necessary + else if (fdbf >= 0xA) + fdbf -= 0xA; + fdbs = fdbf; // and [5db7] + + save1 = t[0]; //save first + save2 = t[6]; // and 7th + + for (q=1; q<=5; q++) // put [ ]'s where they were at end +of loop + { + fdbf -= 1; // decrement + if (fdbf == -1) + fdbf = 9; + fdbs -= 1; + if (fdbs == -1) + fdbs = 9; + } + fdbssave = fdbs; + fdbfsave = fdbf; + + fdbf += 1; // increment + if (fdbf == 10) + fdbf = 0; + fdbs += 1; + if (fdbs == 10) + fdbs = 0; + + t[0] = t[1] + table[fdbf*0xA+fdbs]; // 1st digit + t[0] = fix(t[0]); + + t[6] = t[7] + table[fdbf*0xA+fdbs+0x64]; // 7th digit + t[6] 
= fix(t[6]); + + fdbf += 1; // increment + if (fdbf == 10) + fdbf = 0; + fdbs += 1; + if (fdbs == 10) + fdbs = 0; + + t[1] = t[2] + table[fdbf*0xA+fdbs]; // 2nd digit + t[1] = fix(t[1]); + + t[7] = t[8] + table[fdbf*0xA+fdbs+0x64]; // 8th digit + t[7] = fix(t[7]); + + fdbf += 1; // increment + if (fdbf == 10) + fdbf = 0; + fdbs += 1; + if (fdbs == 10) + fdbs = 0; + + t[2] = t[3] + table[fdbf*0xA+fdbs]; // 3rd digit + t[2] = fix(t[2]); + + t[8] = t[9] + table[fdbf*0xA+fdbs+0x64]; // 9th digit + t[8] = fix(t[8]); + + fdbf += 1; // increment + if (fdbf == 10) + fdbf = 0; + fdbs += 1; + if (fdbs == 10) + fdbs = 0; + + + t[3] = t[4] + table[fdbf*0xA+fdbs]; // 4th digit + t[3] = fix(t[3]); + + t[9] = t[10] + table[fdbf*0xA+fdbs+0x64]; // 10th digit + t[9] = fix(t[9]); + + fdbf += 1; // increment + if (fdbf == 10) + fdbf = 0; + fdbs += 1; + if (fdbs == 10) + fdbs = 0; + + t[4] = t[5] + table[fdbf*0xA+fdbs]; // 5th digit + t[4] = fix(t[4]); + + t[10] = t[11] + table[fdbf*0xA+fdbs+0x64]; // 11th digit + t[10] = fix(t[10]); + + t[5] = save1 + table[fdbfsave*0xA+fdbssave]; // 6th +digit + t[5] = fix(t[5]); + + t[11] = save2 + table[fdbfsave*0xA+fdbssave+0x64]; // 12th +digit + t[11] = fix(t[11]); +// end of first call +} // end for loop + +printf("\nTo Get That 'Magic' Use: "); +for (i=0; i<18 ;i++) // output the string (only first 18) + putc(t[i], stdout); + printf("\n\n Created by +xxxxx for +Orc's HCU 1996"); + +} // end of main() + + +char fix(char x) +// fixes chars to between 0 and 9 +{ + if (x < '0') + x = x+0xA; + + else if (x > 0x39) + x -= 0xA; + + return x; +} + +III. THE [DATADUMP_WINDOW] TRICK & HOW TO SEARCH THE WEB. + +[WINFORMANT 4 HOW TO FIND IT] + I have chosen (as usual) an older windows application for +Win 3.1. (Version 1.10, by Joseph B. 
Albanese), in order to +terminate completely the "password lessons" and at the same time +show you a nice little trick that can be very useful in cracking +*ALL* protected programs (password protected or time protected +or function disabled): memory windows_dumping. There is in almost +all protection routines, as you have already learned, a moment +when on the stack appears the ECHO of the real, "correct" +passnumber or password, in order to compare the input of the user +with it. + The location of this ECHO varies, but it will be most of the +time in a range of +- 0x90 bytes from the user input. This is due +to datadump windows restraints inside the tools used by the +protectionists I'll not delve inside here, and this use is bound +to diminish (especially after this lesson :=). + You'll find the files that I use in this lesson searching +the web with the usual search_tools and search_strategies: These +are names, lengths and dates of the relevant files... this will +allow you to FTPMAIL them after having located them through an +ARCHIE_search: + CTL3D DLL 20976 17/08/93 4:36 + README WRI 2688 08/05/94 1:54 + SS3D2 VBX 88096 11/06/92 18:42 + STDLL DLL 10880 06/05/94 22:57 + THREED VBX 64432 17/07/93 0:00 + WIN4MANT EXE 562271 07/06/96 17:51 + WIN4MANT HLP 190608 08/05/94 0:36 + XLIST VBX 15248 15/02/93 0:00 + + Please do not underestimate the importance of *EXACT NAMES* +on the Web (be it of people, of subjects or of software)... as +a matter of fact the Web corroborates (every day more). The old +intuition from Persio: NOMEN ATQUE OMEN: how true! Think a moment +about it, the importance of the NAMES on the Web is astonishing +(and growing)! + 1) It is true for http://... 
addresses: domains must be +unique and registered (and the Web registration burocrats will +get from you 100 dollars per year just to keep them registered); +2) It is true for programs (you must know BEFOREHAND the name of +a file to find it quickly on the Web); 3) It's even true for your +own site denomination (try searching for "Bill's" page instead +than for "WIKKY_WAKKY's" page... that's (reversing this approach) +one of the reason I have a "+" inside my handle, this confuses +the search engines just enough to give me a little more anonymity +(search for me! You'll get quite a lot of Warcraft stuff :=). + Enough! If you do not know neither why all this happen nor +how to search the Web, but are interested in these matters (as +you should), study the web search engines themselves and read the +relevant help files (search AltaVista and WebCrawler for +"FTPMAIL", "WWW via e-mail", "AGORA", "search strategies" etc). + It's amazing how few crackers (not to mention the lusers) +do actually read the help files of the search engines they are +using, which should be your bible (or the coran, or some other +crap, for all I care about religions), your alpha and omega! The +(growing) amount of junk on the Web makes your ability to search +effectively the little grains of interesting truths that are +escaping the growing heavy censorship of our enemies even more +important. + Back to our [Winformant] cracking now, and back to our +stackdump window trick... here you are: + +[WINFORMANT CRACKING] + This application is -per se- absolutely crap, I doubt you'll +ever use it: this program is so primitive it must have been one +of the first crappy visual basic experiments made by his +programmer... but this [Winformant] program is nevertheless very +interesting for us coz it possesses a curious (and pretty rare) +"deactivate" mode, i.e. you can "unregister" it on the fly if you +feel the need to... it beats me why the programmer wanted such +a feature inside... 
he was just probably collecting little +routines and mixing them without sound reasons. + This feature is as rare as useless, but it is worth for +cracking scholars that (should) investigate password algorithms +with valid and invalid codes without having to reinstall +everything only in order to delete previous valid codes. + For your cracking exercises you should therefore choose +programs that have "REVERSIBLE" protections (like this +Winformant... very rare) or that can be re-registered a billion +times (that's a more frequent protection pattern). Programs that +keep the valid registration on *.ini or special files can also +be useful... you just need to change a couple of lines in these +files to restore the "unregistered" mode. + The trick we'll use in this lesson: "password proximity", +bases on the fact that the protectionists need to keep an eye on +their protection when they "build" it and have to *see* closely +the relationships between +1) USER INPUT PASSNUMBER (i.e. the input registration number +that the user should have bought, but could be a fake bad guy +input) +2) USER INPUT TRANSFORMED (i.e. the result of the working of +the protectionist's algorithm on the user input passnumber) +and the +3) CORRECT PASSNUMBER ANSWER (The BINGO!) i.e., the Passnumber +calculated with some algorithm on the bases of the USER INPUT +NAME (the name of the user, eventually transformed in USER INPUT +TRANSFORMED). + In order to clear bugs these relationships must be +constantly checked when they prepare the protection... i.e. when +they are writing the protection code. + Most of the time all these data will therefore dwell inside +a small stack... that means they will be "visible" in the SAME +"watchwindow" inside the protectionist's debugger... and they use +the same turbodebugger (or Winice) YOU are using! + This means that most of the time the "ECHO" will swell not +very far away from the USER INPUT. 
Therefore proceed as follows: + +Fire Winice +Fire Winformant +Choose HELP +Choose REGISTRATION +Fill the registration fields + this is mine: "+ORC+ORC" as "Registrant" + and "12121212" as "Activation" code +CTRL+D ;switch to Winice +task ;let's see the names + +:task +TaskName SS:SP StackTop StackBot StackLow TaskDB hQueue Events +WINWORD 1AD7:85F2 4A52 8670 7532 1247 122F 0000 +PROGMAN 1737:200A 0936 2070 1392 066F 07F7 0000 +DISKOMAT *2C5F:6634 1D3C 6AC6 5192 2CB7 2C9F 0000 + +hwnd DISKOMAT ;which window is getting the input? + +:hwnd diskomat +WinHandle Hqueue QOwner Class Name Window Procedure +0EB4(0) 2C9F DISKOMAT #32769 04A7:9E6B + 0F34(1) 2C9F DISKOMAT #32768 USER!BEAR306 + 365C(1) 2C9F DISKOMAT #32770 2C3F:0BC6 + 36BC(2) 2C9F DISKOMAT Button 2C3F:1CEA + 3710(2) 2C9F DISKOMAT Edit 2C3F:24BE + 3758(2) 2C9F DISKOMAT Edit 2C3F:24BE + 37A0(2) 2C9F DISKOMAT Button 2C3F:1CEA + 37E4(2) 2C9F DISKOMAT Button 2C3F:1CEA +... and many more irrelevant windows. + +bmsg relevant_window wm_gettext ;let's pinpoint the code, here + ;the relevant window is the first "edit" one (obviously), + ;i.e. wHnd 3710 you could also use GetWindowsText or + ;GetDlgItmText to locate the relevant routines + +:bmsg 3710 wm_gettext ;set breakpoint +CTRL+D ;run the babe +Break Due to BMSG 3710 WM_GETTEXT C=01 + Hwnd=3710 wParam=0050 lParam=2C5F629A msg=000D WM_GETTEXT +2C3F:000024BE B82F2C MOV AX,2C2F + +So! Now that we have pinpointed the code... let's snoop around +a little: first thing to do is a good stack command which, here, +will work OK (in other cracking sessions it may not -magic +involved- but do not worry: if it does not work immediately, just +pinpoint a little more... for instance on GetWindowText() (always +good) or do a BPRW diskomat (also very useful), and then try and +retry the stack... should this too fail to work, do search for +your input in memory (in the 30:0 lffffffff selector, as usual) +and breakpoint range on it with ReadWrite, and then stack, stack, +stack... 
till you get the "real" list of calls coming from your +babe's protection (in our example the babe's name is "DISKOMAT"). + +:stack +USER(19) at 073F:124C [?] through 073F:1239 +CTL3D(02) at 2C3F:0D53 [?] through 2C3F:0D53 +DISKOMAT(01) at 2C97:20B9 [?] through 2C97:20B9 +DISKOMAT(01) at 2C97:3D94 [?] through 2C97:3D94 +DISKOMAT(01) at 2C97:49E2 [?] through 2C97:4918 +DISKOMAT(04) at 2C7F:EA20 [?] through 2C7F:EA20 +USER(01) at 04A7:19BE [?] through USER!GETWINDOWTEXT +=> CTL3D(02) at 2C3F:24BE [?] through 04A7:3A3C + +Beautiful stack picture! Immediately BPX on 2C7F:EA20 (on your +computer the segment will differ, the offset will be the SAME). + +2C7F:EA20 9A25ABA704 CALL USER!GETWINDOWTEXT +2C7F:EA25 8E4608 MOV ES,[BP+08] +2C7F:EA28 26FFB42C02 PUSH WORD PTR ES:[SI+022C] +2C7F:EA2D 8D865CFF LEA AX,[BP+FF5C] +2C7F:EA31 16 PUSH SS +2C7F:EA32 50 PUSH AX +2C7F:EA33 6A50 PUSH 50 +2C7F:EA35 9A25ABA704 CALL USER!GETWINDOWTEXT +2C7F:EA3A 8D46AE LEA AX,[BP-52] ;load ptr "+ORC+ORC" +2C7F:EA3D 16 PUSH SS ;save pointer segment +2C7F:EA3E 50 PUSH AX ;save pointer offset +2C7F:EA3F 9A768D872C CALL 2C87:8D76 ;strlen "ORC+ORC" +2C7F:EA44 83C404 ADD SP,+04 +2C7F:EA47 3D2800 CMP AX,0028 +2C7F:EA4A 762C JBE EA78 +... 
+2C7F:EA78 8D442C LEA AX,[SI+2C] +2C7F:EA7B FF7608 PUSH WORD PTR [BP+08] +2C7F:EA7B FF7608 PUSH WORD PTR [BP+08] +2C7F:EA7E 50 PUSH AX +2C7F:EA7F 9AE002772C CALL 2C77:02E0 +2C7F:EA84 0BC0 OR AX,AX +2C7F:EA86 740F JZ EA97 +2C7F:EA88 687F2C PUSH 2C7F +2C7F:EA8B 68E4ED PUSH EDE4 +2C7F:EA8E 6A00 PUSH 00 +2C7F:EA90 6A00 PUSH 00 +2C7F:EA92 6A00 PUSH 00 +2C7F:EA94 E94501 JMP EBDC +2C7F:EA97 8D46AE LEA AX,[BP-52] ;load ptr "+ORC+ORC" +2C7F:EA9A 16 PUSH SS ;various algor on input +2C7F:EA9B 50 PUSH AX ;we do not care +2C7F:EA9C 8D860AFF LEA AX,[BP+FF0A] +2C7F:EAA0 16 PUSH SS +2C7F:EAA1 50 PUSH AX +2C7F:EAA2 6A51 PUSH 51 +2C7F:EAA4 8D442C LEA AX,[SI+2C] +2C7F:EAA7 FF7608 PUSH WORD PTR [BP+08] +2C7F:EAAA 50 PUSH AX +2C7F:EAAB 9ABA00772C CALL 2C77:00BA +2C7F:EAB0 0BC0 OR AX,AX +2C7F:EAB2 0F851101 JNE EBC7 +2C7F:EAB6 8D8E5CFF LEA CX,[BP+FF5C] ;ptr "12121212" +2C7F:EABA 16 PUSH SS +2C7F:EABB 51 PUSH CX +2C7F:EABC 9A768D872C CALL 2C87:8D76 ;strlen "12121212" +2C7F:EAC1 83C404 ADD SP,+04 +2C7F:EAC4 50 PUSH AX +2C7F:EAC5 8D865CFF LEA AX,[BP+FF5C] ;ptr "12121212" +2C7F:EAC9 16 PUSH SS +2C7F:EACA 50 PUSH AX +2C7F:EACB 8D860AFF LEA AX,[BP+FF0A] ...etc + +OK, it's enough: now what obviously follows is to "algorithmize" +this second string, and somewhere, then, you'll have a compare +that checks and divides good guys from bad fellows. + +BUT NOW IT'S ALSO THE MAGIC MOMENT OF THE ECHO! We know it, we +feel it: The echo is somewhere... what can we do to find it? +Should we search "12121212" in memory? No, look how many +locations we would find... 
+ +:s 30:0 lffffffff '12121212' +Pattern Found at 0030:0005AD6A +Pattern Found at 0030:0048AD6A +Pattern Found at 0030:007DED98 +Pattern Found at 0030:007E25F8 +Pattern Found at 0030:008E0FE1 +Pattern Found at 0030:008E1433 +Pattern Found at 0030:008E186F +Pattern Found at 0030:008E1904 +Pattern Found at 0030:008E601A +Pattern Found at 0030:80509D6A +Pattern Found at 0030:8145AD6A +Pattern Not Found + + And now...should we look for all occurrences of this string +and get a memory dump of +- 0x90 around it till we find the +echo... that's not zen... that's boring, even if we know that the +relevant ones will ALWAYS be the ones that have MORE than +80000000 in their "offset", i.e., in this case, only two: +Pattern Found at 0030:80509D6A +Pattern Found at 0030:8145AD6A + But this procedure is not always true, and in other +protection there will be a proliferation of locations with the +aim of deterring casual crackers... clearly the above method is +no good... there must be some other way... YES THERE IS! + THE LAST loading of the numeric input string in the code +(the one after the strlen count) is most of the time (exspecially +in Visual Basic and Delphy programs) the "right" one for our +cracking purposes, coz the protections follow (most of the time) +this pattern (remember that we are here inside a stack "heavy" +section of the code... if you want to crack higher I suggest you +read some good literature about stack working and stack magics +inside the 80386/80486/80586 processors). + This is the usual sequence: + + LOAD NAME + COUNT NAMELENGTH + LOAD NAME_AGAIN + TRANSFORM NAME + LOAD PASSCODE + COUNT PASSCODE_LENGTH + LOAD PASSCODE_AGAIN + <- ECHO CHECK here + TRANSFORM PASSCODE + <- ECHO CHECK here + COMPARE TRANSFORMED_NAME WITH TRANSFORMED_PASSCODE + + So... what does this mean? This means that at line +2C7F:EAC5 8D865CFF LEA AX,[BP+FF5C] ;ptr "12121212" +you'll already have your echo somewhere... 
just dump the memory +around the pointer [BP+FF5C]: + +:d 2c5f:61e8 + +2C5F:61E8 +02 62 2F 06 02 00 26 2E-A3 4E A3 4E 01 00 38 30 .b/...&..N.N..80 +33 37 2D 36 34 36 2D 33-38 33 36 00 01 06 02 00 37-646-3836..... +2F 06 75 62 C3 2E B7 04-F2 24 2F 06 CE 6E 2F 06 /.ub.....$/..n/. +49 00 5A 00 00 00 01 00-04 2C 2F 06 AE 24 36 62 I.Z......,/..$6b +74 62 7A 2E B7 04 36 62-01 00 C2 62 2F 2C 26 2E tbz...6b...b/,&. +03 01 BA 0F AE 24 5F 02-C9 01 5E 02 BA 01 5F 02 .....$_...^..._. +31 32 31 32 31 32 31 32-00 00 0C 00 BC 02 00 00 12121212........ +00 00 00 00 49 00 BA 0F-AE 24 F2 24 2F 06 00 00 ....I....$.$/... +AF 17 00 00 00 00 E2 5F-7A 62 FE FF 79 1B BA 0F ......._zb..y... +96 0B 01 00 02 4E 00 00-37 01 8A 62 D2 0F 8F 17 .....N..7..b.... +2F 06 00 00 00 00 37 01-98 62 20 10 16 03 2F 06 /.....7..b .../. +C2 62 2B 4F 52 43 2B 4F-52 43 00 0D AE 24 2F 06 .b+ORC+ORC...$/. + 2C5F:62A7 + +and look... everybody is there! The stack pointers points in the +middle of this dump, at the string "12121212". 0x50 bytes before +is our good old ECHO (i.e. the CORRECT passnumber) and 0x50 bytes +afterwards is my beautiful input name "+ORC+ORC". + Therefore the "right" code for "+ORC+ORC" is 8037-646-3836. +It cannot be so easy! You'll protest. It is: this crap protection +is already cracked and hunderts of Visual Basic/Delphy schemes +are absolutely identical. + Now begins the hard work: if you really want to learn, +accomplish the following tasks: +- First of all "Unregister" and find anew your own code for + your own handle. *DO NOT* use serial numbers with any other + name that your own handle. +- Study the two coding algorithms, the one for the input name + and the one for the input passnumber, this will be useful + for ALL your future cracking sessions. +- Find the compare locations, i.e. 
the code block that sets + the two usual flags "good guy, you may move on" and "bad + cracker, beggar off", and create a patch crack for this + protection, that will allow anybody, with any name and any + password number to get through. + +Please accomplish all of the preceding tasks: once you do it +you'll have FINISHED the password protection schemes part of my +tutorial and you'll be able to pass over to the (very +interesting) world of disabled and crippled functions (all these +"demos" that do not save and do not print... I'll teach you how +to do it, starting in Februar 1997). + +Well, that's it for this lesson, reader. Not all lessons of my +tutorial are on the Web. + You 'll obtain the missing lessons IF AND ONLY IF you mail +me back (via anon.penet.fi) with some tricks of the trade I may +not know that YOU discovered. Mostly I'll actually know them +already, but if they are really new you'll be given full credit, +and even if they are not, should I judge that you "rediscovered" +them with your work, or that you actually did good work on them, +I'll send you the remaining lessons nevertheless. Your +suggestions and critics on the whole crap I wrote are also +welcomed. + + "If you give a man a crack he'll be hungry again + tomorrow, but if you teach him how to crack, he'll + never be hungry again" + ++ORC 526164@anon.penet.fi + diff --git a/textfiles.com/piracy/CRACKING/c4.txt b/textfiles.com/piracy/CRACKING/c4.txt new file mode 100644 index 00000000..285b30dc --- /dev/null +++ b/textfiles.com/piracy/CRACKING/c4.txt 
@@ -0,0 +1,1747 @@ + HOW TO CRACK, A TUTORIAL - LESSON 4 + by +ORC (the old red cracker) + +How to crack, an approach LESSON 1 +How to crack, tools and tricks of the trade LESSON 2 +How to crack, hands on, paper protections LESSON 3 (1-2) +-> How to crack, hands on, time limits LESSON 4 +How to crack, hands on, disk-Cdrom access LESSON 5 +How to crack, funny tricks LESSON 6 (1-2) +How to crack, intuition and luck LESSON 7 +How to crack windows, an approach LESSON 8 +How to crack windows, tools of the trade LESSON 9 +How to crack, advanced cracking LESSON A (1-2) +How to crack, zen-cracking LESSON B +How to crack, cracking as an art LESSON C +How to crack INDEX + +LESSON 4 - HOW TO CRACK, HANDS ON, Time Limits + +For 'time protections' we intend a serie of protection schemes +which are aimed to restrict the use of an application +ONE +-to a predetermined amount of days, say 30 days, starting with +the first day of installation... 'CINDERELLA' TIME PROTECTIONS +TWO +-to a predetermined period of time (ending at a specific fixed +date) independently from the start date... 'BEST_BEFORE' TIME +PROTECTIONS +THREE +-to a predetermined amount of minutes and/or seconds each time +you fire them... 'COUNTDOWN' TIME PROTECTIONS +FOUR +-to a predetermined amount of 'times' you use them, say 30 +times. Strictly speaking these protections are not 'time' +dependent, but since their schemas are more or less on the +same lines as in the cases ONE, TWO and THREE, we will examine +them inside this part of my tutorial. Let's call them 'QUIVER' +protections since, as with a quiver, you only have a +predetermined amount of 'arrows' to shoot (and if you never +went fishing with bow and arrows, on a mountain river, you do +not know what's real zen... the fish springs out suddendly, but +you 'knew' it, and your fingers had already reacted... 
a lot of +broken arrows on the rocks, though :=) + + As first example I have chosen a double protected +application: it has a time protection (of the 'Cinderella' type, +limited to 90 days) as well as a 'quiver' protection +scheme, which is the other -not time bounded- current variante +of the shareware protections... i.e. you should use this program +only 25 times before a protection lock. +It's a relatively 'old' windows protection (april 1995). I found +the program on a cheap cd-rom, which I bought (in a bunch with +9 others) a month ago: 6000 megabytes of bad protected software +for the price of a good glass of wine! PCPLUS SUPER CD n13, +originally edited in July 1995. I believe it should be pretty +easy to find it or to find this program on the Web if you do not +already have it inside your collection of cheap CD-ROM. Another +advantage of this program, from our perspective, is that the +whole PCFILE.EXE represents de facto the protection scheme +itself... not excessively overbloated: only 8912 bytes, when the +'real' application works inside the (huge and overbloated) +pcf.dll, which will be called only if the user passes the +protection. You can easily print the WHOLE disassembled listing +of PCFILE.EXE (46 Wordperfect pages), that you'll quickly get +through wcb (for instance). For once you'll have a COMPLETE and +COMPLICATED protection scheme under your eyes. + Basically we'll study here the 'beginning' of more complex +time protection schemes, the ones we'll crack with our later +lessons. Some protection elements are here still 'nav', but the +protectionists have -at least- worked a little against easy +cracks... which makes this protection even more interesting for +us :=) + This program shows even a 'nasty' behaviour: should you use +it after the locking snapped, it will obliterate the whole (main) +pcf.dll from your harddisk, without any warning. 
This obviously +does not mean anything at all here, but it's the secret to more +advanced (and nastier) protection schemes, so you better have a +look at it too. Nice, enough let's start now. +[PCFILE] (aka the 'dll counter' method) +PCFILE, version 8, (PCFILE.EXE, 8912 bytes, 17 apr 1995, Atlantic +Coast software) is a database program which will be disabled +after having 90 days from its first use or after having used it +25 times, whichever comes first. + We'll begin as usual: just use your wordprocessor search +capacities to search inside the whole directory (and +subdirectories) of PCFILE for words like 'demo' 'order' 'contact' +'expire' 'disabling' 'evaluation' and so on (alternatively, like +I do, you can write your own little C utility to do it even more +quickly and automatically on the whole 600 megabytes CD-ROM you +have inserted on your drive :=)... You'll see immediately that +only two of the PC-files can interest us: PCFILE.EXE and +PCFRES.DLL. A quick 'turbodumping' of PCFILE.EXE itself will +fetch all filenames and nagstrings we need to be happy from the +end of the file... here they are: +A) 010C PCF.DAT +B) 0114 PCF.DLL +1) 2.011C PC-FIle demo has been disabled... +2) 2.01A2 The PC-File demo program has reached the maximum + allowable 25 sessions... +3) 2.0298 This demo version of PC-File 8 is designed... +4) 2.035A The PC-File demo program has reached... 90 days +5) 2.0474 This is the last demo session... + +When I see something like this I know that the crack is already +made... it's so easy I can't understand why they don't just give +their software away for free... money I suppose, people seem to +be obsessed with this prepuberal problem... how stupid, besides: +neminem pecunia divitem fecit. +Beside, snooping inside files can be graet fun! At times you find +some 'real' info inside them... Have a look at lotus Wordpro, +for instance, you'll read something like: 'You idiot! Can't flow +a partial paragraph!'; 'Yow! 
Need to SetFoundry() on this object!'; +'Dude! I couldn't find myself!'; 'Ain't nothing to pop!' and many +other amenities which throw a crude light on the life (and possible +blunders) of commercial programmers and on the well know fact +that most application are throw out FULL of bugs just in order +to make money ('bugs for bucks'). +OK, back to our cracking: let's just search for the above NUMBERS +inside the code of PCFILE: +1) PC-File has been disabled: 011C + + 1.1100 >C8040100 enter 0104, 00 + 1.1104 56 push si + 1.1105 C70632060000 mov word ptr [0632], 0000 + 1.110B 6A00 push 0000 + 1.110D B81401 mov ax, 0114; THIS is PCF.DLL + 1.1110 8946FE mov [bp-02], ax + 1.1113 50 push ax + 1.1114 9A2E0D0212 call 1:0D2E ;what happens here? + 1.1119 83C404 add sp, 0004 + 1.111C 40 inc ax + 1.111D 7532 jne 1151 + 1.111F 1E push ds + 1.1120 681C01 push 011C ;HERE**** + 1.1123 8D86FCFE lea ax, [bp-0104] + 1.1127 16 push ss + 1.1128 50 push ax + 1.1129 9A6E110000 call USER._WSPRINTF + +Therefore this target will be disabled after a check at the +beginning of WinMain (1.1100) if ax, after having been +incremented is non zero. We should have a look at the routine at +1:0D2E to see what happens... but let's first check the other +nagstrings... no point in delving immediatly inside routines. + +2) The PC-File demo has reached the maximum allowable 25 +sessions... 01A2 + 1.11C9 >807EFC66 cmp byte ptr [bp-04], 66 + 1.11CD 7C0F jl 11DE + 1.11CF 6AFF push FFFF + 1.11D1 9A36120000 call USER.MESSAGEBEEP + 1.11D6 6A00 push 0000 + 1.11D8 1E push ds + 1.11D9 68A201 push 01A2 ; HERE **** + 1.11DC EB62 jmp 1240 +Therefore 25 sessions if byte ptr [bp-04] >= 66 (as you can see, +the protectionists did not use anything vaguely similar to 25dec, +which is 19hex). + +3) This demo version of PC-File 8 is designed... 
: 0298 + + 1.11DE >807EFC4D cmp byte ptr [bp-04], 4D + 1.11E2 7518 jne 11FC + 1.11E4 6A00 push 0000 + 1.11E6 1E push ds + 1.11E7 689802 push 0298 ;HERE **** + 1.11EA 1E push ds + 1.11EB FF361000 push word ptr [0010] + 1.11EF 6A00 push 0000 + 1.11F1 9A48120000 call USER.MESSAGEBOX + 1.11F6 C70632060100 mov word ptr [0632], 1 ;Flag 632! +This 'Welcome nagged user' message appears therefore only THE +FIRST time you run, when our byte ptr [bp-04] has been set to 4D. +That figures: 66h - 4Dh = 19h, which are the 25 times allowed... +the programmers from Atlantic Coast must have thought something +like 'Stupid crackers will not fetch our nice clever protection: +he'll be searching for byte 19h! Ah!' Note the flag set in +location [632] if it's the first run :=) + +4) The PC-File demo program has reached... 90 days : 035A + 1.1211 833E320600 cmp word ptr [0632], 0000 + 1.1216 7565 jne 127D + 1.1218 A13406 mov ax, [0634] + 1.121B 8B163606 mov dx, [0636] + 1.121F 2B062C06 sub ax, [062C] + 1.1223 1B162E06 sbb dx, [062E] + 1.1227 83FA76 cmp dx, 0076 + 1.122A 7251 jb 127D + 1.122C 7705 ja 1233 + 1.122E 3D00A7 cmp ax, A700 + 1.1231 764A jbe 127D + + 1.1233 >6AFF push FFFF + 1.1235 9A3C130000 call USER.MESSAGEBEEP + 1.123A 6A00 push 0000 + 1.123C 1E push ds + 1.123D 685A03 push 035A ; HERE! + +There, location [634] in ax and location [636] in dx. +ax subtracts location [62C] and dx subtracts with carry location +[62E]. Is it more than 76h? (Which is 118 dec), Tell user he has +reached 90 days. Is it exactly 76h? Then have a look at ax, if +it is more than A700 then tell user the same. + +5) This is the last demo session... 
: 0474 + + 1.132D >56 push si + 1.132E 9AFFFF0000 call KERNEL._LCLOSE + 1.1333 807EFC66 cmp byte ptr [bp-04], 66 + 1.1337 7C19 jl 1352 + 1.1339 6AFF push FFFF + 1.133B 9AFFFF0000 call USER.MESSAGEBEEP + 1.1340 6A00 push 0000 + 1.1342 1E push ds + 1.1343 687404 push 0474 ;HERE**** + 1.1346 1E push ds + 1.1347 FF361000 push word ptr [0010] + 1.134B 6A10 push 0010 + 1.134D 9AFFFF0000 call USER.MESSAGEBOX + + 1.1352 >1E push ds + 1.1353 681401 push 0114 ;this is PCF.DLL + 1.1356 6A01 push 0001 + 1.1358 9AFFFF0000 call KERNEL.WINEXEC ;exec PCF.DLL + + And here, finally we have our good old [bp-04] -once more- +compared to 66h. Notice that there is no Jumpequal nor +jumpgreater check. This means that the program ALREADY KNOWS that +the user has reached here for the first time the fatidic 66. This +means (of course) that this code will be examined AFTER having +incremented the counter of the protection, which must therefore +happen somewhere between 1.123D and 1.132D (the end of routine +4 and the beginning of routine 5). If you have printed the whole +disassembled listing of PCFILE.EXE and if you have read my other +lessons about dead listing (-> 9.3 and 9.4) you do not need any +more to read the following part of this lesson. Choose your +armchair and sit there with a pen, your listing and a good +cocktail (may I suggest a good Martini-Wodka? Don't use anything +else but Moskowskaja). The moment to start 'feeling' the code has +come! You can do everything alone. Write colored arrows on your +listing! The first (or the fourth) simphony of Mahler on your CD! +Everything will appear! 
+ Indeed, if you prefer to follow here, behold: at 1.12B2 we +have a call KERNEL._LOPEN wich opens the file PCF.DLL (0114): + + 1.12AD 681401 push 0114 ;want pcf.dll + 1.12B0 6A01 push 0001 + 1.12B2 9AFFFF0000 call KERNEL._LOPEN ;open it + +and at 1.12CD we have the exact point where, inside pcf.dll, a +byte will be modified (at 10AF8): + + 1.12C6 6A01 push 0001 + 1.12C8 68F80A push 0AF8 + 1.12CB 6A00 push 0000 + 1.12CD 9AFFFF0000 call KERNEL._LLSEEK + +The only modification takes place therefore inside PCF.DLL, a +monstruosity of 1088832 bytes, where location 10af8 grows WITHOUT +any change in the date of the dll. You can easily check this: +* copy pcf.dll pcf.ded +* (run pcfile a couple of time) +* fc /b pcf.dll pcf.ded +fc /b is file compare /binary, good old (and quick) dos, duh? +And this is what you get... + + Comparing files PCF.DLL and PCF.DED + 00010AF8: 55 50 + +Et voila mesdames et messieurs, found the other way round, please +note that this more 'practical' method can also be used *before* +beginning the dead listing examination of the file (and would +have given you the '0AF8' string to search for). + +Well, what did we learn? A lot: an hidden counter grows in +another file without leaving many traces. The 'quiver' +protection snaps after growing more than 66h, having started at +4Dh. The flag for first time user is inside [0632]. [0634] and +[0636] are used for the current date, [062C] and [062E] are the +original date against which they are checked in a funny way. + There are two different protections, therefore we'll need +two different cracks to deprotect this cram. Let's begin with the +easiest one. +Our FIRST crack, must destroy the counter that increases inside +pcf.dll (the '25' session allowance). 
This will be made cracking +following instruction: + 1.12F3 FE46FC inc byte ptr [bp-04] +which is obviously the increasing instruction we are searching +for (BECAUSE it's the only 'inc byte ptr' in the whole stupid +program, AND because it is located short after the _LLSEEK, AND +because it's incrementing nobody else than our good old [bp- +04]... what do you want more, a neon green flashing arrow light +on the top of it?) +We'll very simply "noop" this instruction, transforming it, for +instance, in 40 90 48 (inc ax, nop, dec ax = do nothing). Well, +yes, that was it for the '25 sessions' lock protection, thankyou, +you may use the program a zillion times now. What now? Ah, yes, +the DATE lock, let's have a look once more at it: + 1.1218 A13406 mov ax, [0634] + 1.121B 8B163606 mov dx, [0636] + 1.121F 2B062C06 sub ax, [062C] + 1.1223 1B162E06 sbb dx, [062E] + 1.1227 83FA76 cmp dx, 0076 ;118 (-90=1c) + 1.122A 7251 jb 127D + 1.122C 7705 ja 1233 + 1.122E 3D00A7 cmp ax, A700 ;(42572) + 1.1231 764A jbe 127D + + 1.1233 >6AFF push FFFF + 1.1235 9A3C130000 call USER.MESSAGEBEEP + 1.123A 6A00 push 0000 + 1.123C 1E push ds + 1.123D 685A03 push 035A ;HERE! 90 days! + +Therefore, if location [636] is > than 76, the nag snaps. +This 76 is calculated through what SEEMS a simple comparison +between the actual date and the installation date. + + 1.1218 A13406 mov ax, [0634] ;load date ax + 1.121B 8B163606 mov dx, [0636] ;load date dx + 1.121F 2B062C06 sub ax, [062C] ;subtract first date + 1.1223 1B162E06 sbb dx, [062E] ;subtract first date + 1.1227 83FA76 cmp dx, 0076 ;allowed limit (?) + 1.122A 7251 jb 127D ;ok: you may + 1.122C 7705 ja 1233 ;beggar off + 1.122E 3D00A7 cmp ax, A700 ;well, what's this + 1.1231 764A jbe 127D ;then? + + In the reality there are various mathematical checkings +going on here, as the second check on ax = A700 shows. 
This DOES +NOT need to concern us much (we'll crack this code, later, +changing the 'first time user' flag), but it's useful you have +a rough understanding of what goes on inside these schemes, +therefore let's delve a little inside it. + Basically, the good old dos function GetSystemDate (21/2A) +works like this: On entry: ah = 2a +On return: +al = day of the week (0 = Sunday, 1 = Monday...) +cx = year +dh = month +dl = day +Short before the 90 days check, the protection calls two +routines: +1:09B4 (GetSystemDate) and 1:0D64 (FetchInstallationCode) + The first one fetches the date (1.9D3-1.9D7) and the Time +(21/2C, at 1.9E2), get's ONCE MORE the system date (1.9F7) +subtracts the years against 1980 (1.A20: sub cx, 07BC) and then +makes quite a lot of maniuplation of these data (around 1.C7D, +where one year LESS than the current year will be stored in +[SI+03], in order to calculate the total amount of days). The +second one prepares the numbers for the sub ax and sbb dx of the +90 days check. + As I said all this does not need to concern you much, coz +the protectionists have mad a 'protecion blunder': they have made +every time snapping depending on a flag, the one in [0632]. + What happens is: THE FIRST THING this program makes, smack +at the beginning of WinMain, is to set to zero (FALSE) the +abovementioned flag: + 1.1105 C70632060000 mov word ptr [0632], 0000 +Only in case of first time use, this flag will be set to TRUE at + 1.11F6 C70632060100 mov word ptr [0632], 0001 +knowing that, anyway, as soon as the program runs again this flag +will be reset to FALSE by Winmain. 
+And, as we saw, this flag is checked both for the 90 days snap: + 1.1211 833E320600 cmp word ptr [0632], 0000 +and for the 'This is your last day Cinderella' Warning: + 1.1315 >833E320600 cmp word ptr [0632], 0000 +A good fundamental crack will therefore be the 'automatical' +setting to TRUE of this flag by our Winmain: + 1.1105 C70632060100 mov word ptr [0632], 0001 +Everytime the program runs it will believe that's the first time +it does it. +I know, theoretically, having nooped the increase inside PCF.DLL, +the counter should remain always at 4D, which would set ANEW the +flag to true every run... but we do not want the first 'welcome' +nagscreen either, do we? Therefore: +****** Crack for PCFILE version 8, by +ORC, march 1997 *** +psedit pcf.dll +search 4E 49 44 4D (4D only if you did not run it) +modify in 4E 49 44 50 (second time run) +psedit pcfile.exe +search 83 C4 06 FE 46 FC +modify in 83 C4 06 40 90 48 (nooped increase) +search C7 06 32 06 00 00 +modify in C7 06 32 06 01 00 (flag always true) +********************************************* +As second example I have chosen a fairly interesting 'CINDERELLA' +protection scheme of a Window application which can be useful for +our purposes: Link Check (Version 5.1), an application written +in august 1996. I'll crack here the Windows 3.1 version, for +reasons explained in lesson 9.4, but you'll easily find the Win95 +version on the net, whose protection scheme works on the same +lines. +Link Check is a suite of three (3) diagnostic programs which +allows the user to examine different areas of the system. +1) Link Check (WLCHECK.EXE) enables the user to view the links +between an executable file and the modules it requires to run on +the system. +2) Memory Check (WMCHECK.EXE) allows the user to view, load and +unload modules currently in memory. +3) Function Check (WFCHECK.EXE) allows the user to view actual +function calls inside modules. 
+WLCHECK EXE 40400 24/08/96 5:10 +WMCHECK EXE 37104 18/08/96 5:10 +WFCHECK EXE 45424 24/08/96 5:10 +WLCCOMM DLL 46960 18/08/96 5:10 +KSLHOOKS DLL 29568 15/08/96 1:00 +The protection scheme inside this program allows a 21 days use +of the program, then 'disables' it. Even in the first 21 +'allowed' days there are some functions that are disabled, +anyway. Another interesting feature of the protection scheme, is +that once you register, an 'electronic key' will be created and +sended to you in order to unlock Link Check for the full retail +version (which, as usual, means that the shareware version you +are using CAN be unlocked). +Therefore this application: +is TIME-LIMITED +has been CRIPPLED +has some DISABLED functions +can be UNLOCKED. +A wonderful world of cracking possibilities! Let's rub our hands! +So much to find! So much to learn! Thanks, Karri Software Ltd! +(100422.3521@compuserve.com) +For these protection schemes we must use both the 'Winice' live +approach and the 'dead listing' one. (both described elsewhere +in my tutorial). +Let's begin at the beginning, i.e. searching for strings inside +the WLCHECK.EXE we'll find nothing. +You'll soon realise that the protection scheme hides inside the +two *.dll WLCCOMM.DLL & KSLHOOKS.DLL... the real problem, with +this kind of protections, is that the 'modalities' to unlock it +are not known, i.e., that you cannot just crack the unlock +procedure itself, but you must reverse engineer the program long +enough to find the 'switch' that fires your cracked 'unlock' +procedure, in order to 'register' this program and in order to +be able to use it ad libitum. +What happens with time protections? +The first problem for the protectionists is the tampering with +the system date. Even a stupid user could set the system clock +backwards in order to use a program of the CINDERELLA sort. 
+Your target would be easily fooled by any stupid user if it did +just set a variable [START_DATE] and then simply check the system +time with something like + IF SystemTime > [START_DATE+30] then beggar off + ELSE OK +Therefore (almost) all this program use some sort of 'diode' +location. Like diodes, which let current through in only one +direction, these locations can only grow... i.e, if you set the +system time to 1 January 2000 and then run the program, it will +throw you off, as expected, but even when you go back to your +current year and date this will be 'remembered'...and the +protection will NOT allow you any more to use the program even +should you (theoretically) still have some free 'try me' days... +your setting at year 2000 screwed up your license for ever. + IF SystemTime > [START_DATE+30] then [MARK_HERE] + ELSE continue + If [MARK_HERE] = TRUE then beggar off + ELSE OK +Let's try altering the system date on our WLCHECK.EXE target... +Woa! As I said... it does not work anymore. + +It's fairly easy to get at this part through Winice: Just bpx +WritePrivateProfileString (which is a very interesting function +indeed) and then have a good look at the pointers: You'll quick +find out that KSLHOOKS (Segment 0B) writes his own xCLSID value +inside system.ini. 
The block of KSLHOOKS.DLL's code responsable +for this is the following: +11.0569 9AE4013500 call 7:01E4 ;'Value' and 'SYSTEM.INI' +11.056E 83C408 add sp, 8 ;adjusting stack +11.0571 8D843901 lea ax, [si+0139] +11.0575 57 push di +11.0576 50 push ax ;pushing 'xCLSID' +11.0577 8D46FA lea ax, [bp-06] +11.057A 16 push ss +11.057B 50 push ax ;pushing 'Value' +11.057C 8D468A lea ax, [bp-76] +11.057F 16 push ss +11.0580 50 push ax ;pushing '{6178-0503...}' +11.0581 8D46EE lea ax, [bp-12] +11.0584 16 push ss +11.0585 50 push ax ;pushing 'SYSTEM.INI' +11.0586 9AFFFF0000 call KERNEL.WRITEPRIVATEPROFILESTRING +11.058B 33C0 xor ax, ax +11.058D 5E pop si +11.058E 5F pop di +11.058F C9 leave +11.0590 CB retf + +The call to 7.01E4 fetches the strings 'Value' and 'SYSTEM.INI' +which are 'hardwired' there byte by byte, for instance, 'INI' is +fetched like this: + 7.0234 26C6440749 mov byte ptr es:[si+07], 49 ;I + 7.0239 26C644084E mov byte ptr es:[si+08], 4E ;N + 7.023E 26C6440949 mov byte ptr es:[si+09], 49 ;I + +What is really interesting in this part of the protection scheme, +is that the function WritePrivateProfileString is one of the MOST +COMMON functions used for this kind of protections, being the +function normally used in order to 'keep track' inside an 'INI' +file of the particular configuration of an application that the +user has chosen... as a matter of fact this program creates an +hidden WLCHECK.SWL file inside c:\windows where it writes its +data, it also writes, through the above code, + +[xCLSID] +Value={0000006236-0017105173-6326000000} +inside system.ini + +and then it writes ANOTHER string inside the reg.dat 'register' +of the windows directory. A short digression, about registrations +in the reg.dat of the Windows directory. If you never had a look +at the reg.dat file (wich you should not have only firing +regedit.exe, but using the switch /v TROUGH THE COMMAND LINE +run!) you are in for a big surprise. 
If you are used to install +and de-install programs as much as I do, you'll be able to see, +for instance, real BATTLES between big or widespread software +packages (for instance Coreldraw and PaintShopPro) fought +there... but you'll also find some cryptic messages like +WB_10=VMWB20 + FILTER = 000000000e + OPTION = 0000000005 + TAG = 0000001857 + KEY = 0000184F +or, even more cryptic: +VxDSettings = {0000006178-0419758349-4326000000} +And this is actually our target, as you can see... the first +thing you should know is that some protection schemes hyde the +date checking part of their protection inside reg.dat. +The above value is the 'ID' of our target, and the ciffer in the +'middle' varies with the date and with the passing of the time. + As we said, once the protection snaps, there is no 'normal' +way to reinstall a working copy of the program, even substituting +ALL the files with fresh ones and deleting the 'secret' +WLCHECK.SWL will not help... in order to reinstall this program +or to use it for the eternity (in 21 days chunks) you would have +to do the following every time the limit snaps: +A) regedit /v + delete key VxD +B) edit system.ini + manually delete the block +"[xCLSID] + Value={0000006236-0017105173-6326000000}" +C) attrib c:\windows\wlcheck.swl -r -s -h + del c:\windows\wlcheck.swl +D) reinstall everything anew and run 21 more days... clearly not +a satisfactory solution, exspecially given the fact that some +routines are disabled... therefore let's delve a little more +inside this protection scheme... we'll find a much neater crack, +you'll see... :=) +Since the 'legitimate' user will get 'an electronic key' from the +protectionists, there must exist, somewhere, a small menu of the +kind 'Enter your electronic key, legitimate sucker'... we could +find it searching with a little imagination (and/or zen) inside +our listings, but in these cases, it's much more quicker a small +run with WRT (Windows Resource Toolkit) by borland. 
Since we are +already inside KSLHOOKS.DLL, let's begin with this one. +Wrt loads kslhooks.dll and shows you immediatly that there are +only three dialog items, the last one, tagged as 'dialog 503' +represents the 'Unlock' little window: ('Please enter your key'), +which has two buttons: OK (1) and Cancel (2). Let's use WRT +'ID_tagging' option: we'll immediatly fetch the ID number of the +'Please enter your key' field: 2035. +2035 dec is 7F3 hex, therefore we now just need to search 07F3 +inside our listing... and we land immediatly here: + 6.00DE >8B760A mov si, [bp+0A] + 6.00E1 FF760E push word ptr [bp+0E] + 6.00E4 6A08 push 0008 + 6.00E6 9AFFFF0000 call USER.GETWINDOWLONG + 6.00EB 8946FC mov [bp-04], ax + 6.00EE 8956FE mov [bp-02], dx + 6.00F1 83FE01 cmp si, 0001 + 6.00F4 7556 jne 014C + 6.00F6 FF760E push word ptr [bp+0E] + 6.00F9 68F307 push 07F3 ;HERE! **** + 6.00FC 9AFFFF0000 call USER.GETDLGITEM + 6.0101 50 push ax + 6.0102 8D4698 lea ax, [bp-68] + 6.0105 16 push ss + 6.0106 50 push ax + 6.0107 6A63 push 0063 + 6.0109 9AFFFF0000 call USER.GETWINDOWTEXT + 6.010E 8D4698 lea ax, [bp-68] + 6.0111 16 push ss + +This block of code is part of an Exported function from +kslhooks.dll: KSLHOOKPROC4 - Ord:0006h +Here is the whole sequence: + :CALL_PLEASE_ENTER_ELECTROKEY + 6.00DE >8B760A mov si, [bp+0A] + ... + 6.00F9 68F307 push 07F3 ;HERE *** +is called (being at 6.00DE) from + :ENTER 68 + 6.0082 C8680000 enter 0068, 00 + ... + 6.009B 7441 je 00DE ;HERE *** +which (being at 6.00082) is called from + :PUSH_82 + 6.000F 68FFFF push selector KSLHOOKPROC4 + 6.0012 688200 push 0082 ;HERE *** + 6.0015 FF36200C push word ptr [0C20] + 6.0019 9AFFFF0000 call KERNEL.MAKEPROCINSTANCE +Much interesting, but we are not yet there... +let's see if we have other occurrences of our 7F3h instance +(which, as we saw through WRT, corresponds to the 'Enter your +Key' field of the 'Unlock' window). 
Yes, we have one more +occurrence (always inside KSLHOOKS.DLL): + + 4.030A >81FEF307 cmp si, 07F3 ;HERE *** + 4.030E 7515 jne 0325 ;don't care if not unlock + 4.0310 FF760E push word ptr [bp+0E] ;nID + 4.0313 56 push si ;=7F3, =unlock, =hDlg + 4.0314 9AFFFF0000 call USER.ISDLGBUTTONCHECKED + 4.0319 0BC0 or ax, ax ;mashed button? + 4.031B 7408 je 0325 ;Yeah, jump... + 4.031D C45EFC les bx, [bp-04] + 4.0320 2689B7B104 mov es:[bx+04B1], si + 4.0325 >83FE02 cmp si, 0002 ;...here + +Now, IsDlgButtonChecked is a 'typical' windows function with +following structure: + UINT IsDlgButtonChecked(HWND hFlg, int nID) +where the handle of the dialog box contaning the button control +is specified in hDlg. The ID value of the desired button is +passed in nID. For two-state buttons this function returns zero +if the button is unchecked and non zero if it is checked, -1 if +an error occurs. +What else can we do? +Let's search for the limit (21 days, that corresponds to 15h) +inside our code. Well, we'll find two interesting occurrences +inside the OTHER dll module: WLCCOMM.DLL: + :OCCURRENCE_1_OF_21_DAYS_LIMIT + 1.3E25 >80BEFFFE15 cmp byte ptr [bp-0101], 15 ;here*** + 1.3E2A 7403 je 3E2F ;Please restart... + 1.3E2C E9B900 jmp 3EE8 ;xor ax and retf +and now, look what we have immediately afterwards... + 1.3E2F >FF760E push word ptr [bp+0E] + 1.3E32 1E push ds + 1.3E33 681306 push 0613 ;Please restart... + 1.3E36 1E push ds + 1.3E37 68EE05 push 05EE ;Retail version... 
+ 1.3E3A 6A40 push 0040 + 1.3E3C 9A90080000 call USER.MESSAGEBOX + 1.3E41 FF760E push word ptr [bp+0E] + 1.3E44 6A01 push 0001 + 1.3E46 9AE03E0000 call USER.ENDDIALOG + 1.3E4B E99A00 jmp 3EE8 ;xor ax and retf + +Now, string 0613 is +"Please restart the program for the reatil version to take +effect" +and string 05EE is +"Retail version successfully unlocked" +...clearly we have found the part of the code where the user gets +the appropriate message once he has digited the correct key +inside the unlock window in KSLHOOKS. +But let's use a little more our 'new' WRT approach. Examining the +'dialog' items through WRT, we'll see that inside WLCCOMM.DLL +there are 'two' About Link check templates, a 'nice' one (for +registered users) and a 'nag' one (for Cinderella's users). +The nice one is WLCCOMM.DIALOG 130, and its second part reads +'This copy of Link check is licensed to' +FIELD 1 = 603 (25bh) +FIELD 2 = 604 (25Ch) +The 'nag' one is WLCCOMM.DIALOG 131 and its second part reads +'UNREGISTERED Shareware notice...' with two buttons: +'How do I register' which is 601 (259h) and +What do I get for it which is 602 (25ah). +Well... let's have a look around our code... 
and here is +(obviously) the relevant part of it inside WLCCOMM.DLL: + + 1.3C60 >8B760E mov si, [bp+0E] + 1.3C63 FF7606 push word ptr [bp+06] + 1.3C66 6AF4 push FFF4 + 1.3C68 9A8A1D0000 call USER.GETWINDOWWORD + 1.3C6D 56 push si + 1.3C6E 685B02 push 025B ;here*** + 1.3C71 9A803C0000 call USER.GETDLGITEM + 1.3C76 394606 cmp [bp+06], ax + 1.3C79 7421 je 3C9C + 1.3C7B 56 push si + 1.3C7C 685C02 push 025C ;here*** + 1.3C7F 9ADA3C0000 call USER.GETDLGITEM + 1.3C84 394606 cmp [bp+06], ax + 1.3C87 7413 je 3C9C + 1.3C89 FF760A push word ptr [bp+0A] + 1.3C8C FF7608 push word ptr [bp+08] + 1.3C8F FF7606 push word ptr [bp+06] + 1.3C92 6A01 push 0001 + 1.3C94 9A08039E3D call KSLCONTROLCOLOR + 1.3C99 E94E02 jmp 3EEA + +Whereby, here is the part for the shareware user: + 1.3EA6 >81FE5902 cmp si, 0259 ;How do I register? + 1.3EAA 7513 jne 3EBF + 1.3EAC FF760E push word ptr [bp+0E] + 1.3EAF 1E push ds + 1.3EB0 688B06 push 068B + 1.3EB3 6A01 push 0001 + 1.3EB5 6A00 push 0000 + 1.3EB7 687217 push 1772 + 1.3EBA 9AD43E0000 call USER.WINHELP + 1.3EBF >81FE5A02 cmp si, 025A ;What do I get for it? + 1.3EC3 7523 jne 3EE8 + 1.3EC5 FF760E push word ptr [bp+0E] + 1.3EC8 1E push ds + 1.3EC9 689706 push 0697 + 1.3ECC 6A01 push 0001 + 1.3ECE 6A00 push 0000 + 1.3ED0 687117 push 1771 + 1.3ED3 9AFFFF0000 call USER.WINHELP + 1.3ED8 EB0E jmp 3EE8 + +and as you can easily see, here lays the 'working' for the two +mushbuttons of the shareware version. +Shareware starts at 1.3EA6 and will be called from here + 1.3DB9 >81FE5802 cmp si, 0258 + 1.3DBD 7403 je 3DC2 + 1.3DBF E9E400 jmp 3EA6 + +Unlocked version starts at 1.3C60 and will be called from here: + + 1.3C3E C8FE0400 enter 04FE, 00 + 1.3C42 57 push di + 1.3C43 56 push si + 1.3C44 1E push ds + 1.3C45 B87938 mov ax, selector 2:0000 + 1.3C48 8ED8 mov ds, ax + 1.3C4A 8B460C mov ax, [bp+0C] + 1.3C4D 2D1900 sub ax, 0019 + 1.3C50 740E je 3C60 ;***here! 
UNLOCKED + 1.3C52 2DF700 sub ax, 00F7 + 1.3C55 7465 je 3CBC ;copyright, 1st part + 1.3C57 48 dec ax + 1.3C58 7503 jne 3C5D ;(jmp 3EE8) out + 1.3C5A E94901 jmp 3DA6 + +Well... if [bp+0C] is 19 (dec25) then we'll jump to our unlocked +routine? + + ******************************************** + BELOW IS WORK FROM THE STUDENTS OF THE +HCU + wlcheck for windows 3.1 + ******************************************** + +Starting with the nag screen, here is a silly fix for it that works on many programs +that use windows resource windows (such as an about box) as the nag screen. + +Load up the file with the nagscreen in it (as listed above) with WRT (I am using +borland resource workshop - same program, different version) and delete it. +I am serious; try it: it works! + +save the .DLL and it recompiles the binary without the nagscreen. +(Those borland people scare me sometimes) +--------------------------------------------------------- +Back to more serious work... +Since we are learning methods here, this is where I get to go +after individual parts of the protection and defeat them. I will +work on finding the flag to register the program later, first I +want to do a little digging. 
+ +Looking through our dead listing of kslhooks.dll: + +Going through our lesson so far, our file included a file reference +to SYSTEM.INI by means of a byte-at-a-time string creation rather +than a full data statement + +(Note: i do this sometimes to make it hard for simpletons to change +my name in my programming +---but i at lest jumble the lines around so it isnt so obvious) + +I will show you two ways of removing this particular hurdle, here is +the first, and most obvious: (THE NULL TERMINATOR) +--------------------------------------------------------- +here is the full code from the disassembly: +--------------------------------------------------------- +:0007.01E3 90 nop +:0007.01E4 55 push bp +:0007.01E5 8BEC mov bp, sp +:0007.01E7 57 push di +:0007.01E8 56 push si +:0007.01E9 8B7E06 mov di, [bp+06] +:0007.01EC 8B760A mov si, [bp+0A] +:0007.01EF 8E4608 mov es, [bp-08] + +:0007.01F2 26C60556 mov byte ptr es:[di], 56 ;V +:0007.01F6 26C6450161 mov byte ptr es:[di+01], 61 ;a +:0007.01FB 26C645026C mov byte ptr es:[di+02], 6C ;l +:0007.0200 26C6450375 mov byte ptr es:[di+03], 75 ;u +:0007.0205 26C6450465 mov byte ptr es:[di+04], 65 ;e +:0007.020A 26C6450500 mov byte ptr es:[di+05], 00 ; <00> (end of string) + +:0007.020F 8E460C mov es, [bp-0C] + +:0007.0212 26C60453 mov byte ptr es:[si], 53 ;S +:0007.0216 26C6440159 mov byte ptr es:[si+01], 59 ;Y +:0007.021B 26C6440253 mov byte ptr es:[si+02], 53 ;S +:0007.0220 26C6440354 mov byte ptr es:[si+03], 54 ;T +:0007.0225 26C6440445 mov byte ptr es:[si+04], 45 ;E +:0007.022A 26C644054D mov byte ptr es:[si+05], 4D ;M +:0007.022F 26C644062E mov byte ptr es:[si+06], 2E ; . 
+:0007.0234 26C6440749 mov byte ptr es:[si+07], 49 ;I +:0007.0239 26C644084E mov byte ptr es:[si+08], 4E ;N +:0007.023E 26C6440949 mov byte ptr es:[si+09], 49 ;I +:0007.0243 26C6440A00 mov byte ptr es:[si+0A], 00 ;<00> (end of string) + +:0007.0248 5E pop si +:0007.0249 5F pop di +:0007.024A C9 leave +:0007.024B CB retf + +--------------------------------------------------------------------------- + +to me this looks like an easy section to defeat - this because the full +filename is here, and because it is in a standard string format +terminating in hex zero (00) a.k.a.: NULL + +as with programs with unencrypted passwords (yes even some programs +you may use.. like X-WING have no encryption whatsoever - just try +scanning FRONTEND.OVL for DANTOOINE with a hex editor, and all the +passwords are sitting there for you to zero-out) + +in other words, why bother disabling the function that calls this +data when you can simply change each character in SYSTEM.INI to a +hex zero + +i did and just as i suspected, out of the three places that are +causing us hassles, SYSTEM.INI, WLCHECK.SWL, and the registry (REG.DAT) +I no longer have to deal with one of them + +just run it, you will see: no more added line in system.ini + +NOW FOR THE OTHER WAY: +(This one is more useful for a cracker point of view since good +protections tend to be smarter than letting you view filenames +like we saw above) + +This is where we go back to the WRITEPRIVATEPROFILESTRING function +and check it out. + +A text search of the dead listing reveals quickly: + +:0011.0535 90 nop +:0011.0536 C8760000 enter 0076, 00 +:0011.053A 57 push di +:0011.053B 56 push si +:0011.053C 8B7606 mov si, [bp+06] +:0011.053F 33C0 xor ax, ax +:0011.0541 B93200 mov cx, 0032 +:0011.0544 8D7E8A lea di, [bp-76] +. +. +. 
+ +:0011.0584 16 push ss +:0011.0585 50 push ax +:0011.0586 9AFFFF0000 call KERNEL.WRITEPRIVATEPROFILESTRING +:0011.058B 33C0 xor ax, ax +:0011.058D 5E pop si +:0011.058E 5F pop di +:0011.058F C9 leave +:0011.0590 CB retf + +notice the end of the function and how it exits... + +5E POP SI +5F POP DI +C9 LEAVE +CB RETF + +In order to give the function a little meat to play with but still +return early, lets insert this code right at the start of the function, +right after push si. + +:0011.0536 C8760000 enter 0076, 00 +:0011.053A 57 push di +:0011.053B 56 push si +:0011.053C 5E pop si +:0011.053D 5F pop di +:0011.053E C9 leave +:0011.053F CB retf + +and it really works out, the function gets called, it starts, quits, +and returns... veni, vidi, crakki. + +a quick hex edit of the dll to alter this.. +searching for a good string to replace, we get 2 occurrances of: + + 8b760633c0b93200 + +They are GETPRIVATEPROFILESTRING and WRITEPRIVATEPROFILESTRING respectively. +Go ahead and do the same damage that you did above to both of them. You will notice that +they are very similar functions, with exactly the same method of beginning +and ending. + +so we can change both occurrances toto: + 5e5fc9cbc0b93200 + +NOTE: +This patch takes care of the system.ini change, so no need to do a +zero-out of the file. +It didnt do any good for the .swl file however, because does some +other method of storing it's data. +********************************************** +Here is a little clue in how to find the other filenames that may be +hidden in the file. + +From the SYSTEM.INI example, which has a period (hex 2E) and a file +extension, i knew to look for ", 2E" (COMMA SPACE 2E) in the text +editor while reading kslhooks.alf +i decided to give it another whirl and see if there were any other +surprises + +Just looking for 2E will work, but you will find many occurrances of +it in hex data, so it is best to try to differentiate it as much as +possible for sanity reasons. 
+ +Apparently it bears fruit... +-------------------------------------------------------------------------- +Here is the first block of code i landed in: +-------------------------------------------------------------------------- +:0003.00B0 F3 repz +:0003.00B1 A5 movsw +:0003.00B2 13C9 adc cx, cx +:0003.00B4 F3 repz +:0003.00B5 A4 movsb +:0003.00B6 1F pop ds +:0003.00B7 39460A cmp [bp+0A], ax COMPARE AND JUMP... +:0003.00BA 7516 jne 00D2 + +:0003.00BC C646FA2E mov byte ptr [bp-06], 2E ; . <----- A .SWL FILENAME EXTENSION +:0003.00C0 C646FB53 mov byte ptr [bp-05], 53 ;S +:0003.00C4 C646FC57 mov byte ptr [bp-04], 57 ;W +:0003.00C8 C646FD4C mov byte ptr [bp-03], 4C ;L +:0003.00CC 8846FE mov [bp-02], al +:0003.00CF EB0E jmp 00DF + +:0003.00D1 90 nop +:0003.00D2 8D7EFA lea di, [bp-06] + +* Possible StringData Ref from Data Seg 013 ->".LIC" <---- A NEW FILENAME EXTENSION ".LIC" + | +:0003.00D5 BE1800 mov si, 0018 + +-------------------------------------------------------------------------- +what it looks like to me is that WHEN registered, the +.SWL file extension is replaced by a .LIC file extension + +though changing the name of the SWL file to LIC +does not seem to have any beneficial result at this time + +it may once the other file checks have been disabled +regardless, it is apparent that there is a file with a .LIC +extension that gets created upon successfully registering +this software +-------------------------------------------------------------------------- +note that because there appears only once a .SWL reference in +the KSLHOOKS.DLL, my guess is that if i hex-zero the .SWL like i +did the SYSTEM.INI reference, it would not matter because the file +write command and file read command apparently use the same +string for their data. in other words, changing .SWL to anything, +the file would just have a different name. + +testing this out, i found that i was correct. 
hexing out .SWL with +zeroes resulted in a file in my windows directory called WLCHECK +with no extension, rather than .SWL (sometimes it would be nice if +my theories wouldnt be quite so correct) + +so we are at least in the ballpark, but no real improvements yet. + +It is still going to take more looking to do anything with this yet + +---------------------------------------------------------- + +Now let's try for the registry... +Scan the file for REG, and you will inveitable find quite a few +registry commands. which are registry key edit functions. + + +:0011.033A C8300100 enter 0130, 00 +:0011.033E 57 push di +:0011.033F 56 push si + +:0011.0340 8B5E06 mov bx, [bp+06] +:0011.0343 8B4E08 mov cx, [bp+08] +:0011.0346 81C32D01 add bx, 012D +:0011.034A 1E push ds +:0011.034B 8BFB mov di, bx +. +. +:0011.037D 9AFFFF0000 call SHELL.REGCREATEKEY +. +. +and it ends JUST LIKE the previoous functions +with a: + +5E POP SI +5F POP DI +C9 LEAVE +CB RETF + +so we just hexedit the changes... + +2 occurrances of: + 010057568b5e068b + +(regopenkey and regcreatekey respectively - feel free to +look for yourself in the dead listing) + +it is just fine to change both to: + 010057565e5fc9cb + +and just like in the case of the writeprivateprofilestring, +we have cracked the registry. + +NOW - + +2 out of 3 of the hoops have been jumped +Now it is time to test the .SWL file and afterwards we will +deal with the NAG feature itself. + +Here is where i get curious to see the differences in the +before and after... i want to see exactly what i have left +to conquer, and the resultant file differences in wlcheck.swl +BEFORE the 21 day date expires, and AFTER it expires. + +I wrote a program a while back to datecrack stuff like this - +but as we already know, this program is a little smarter than +the average 'check today's date' type of protection. + +The way my program (cdate.exe) works is relatively simple: +it alters the system date upon program entry, and changes it +back to normal. 
The interesting thing about this is that it +allows future dates to be set as well as past ones since i +didnt care to put a block on WHICH dates could be set with it. + +Note that this one works fine past midnight because it has a +calendar built in, so if you are to write one yourself +remember that when midnight comes and your calendar strangely +goes off by a day every time you pass midnight while using a +datecracked program. + +CDATE USAGE: +cdate mm dd yyyy + +So, since all that is left to crack is the swl file, i can +delete it with my handy RM command - which like all of +my little unix tools strips all attribs from the file +(ignores them really)... + +rm c:\windows\wlcheck.swl + +...And i can run wlcheck.exe again (this time with false +future date) + +cdate wlcheck 9 9 1999 (it's now 1997 so this works fine) + +note the result: expired program!!! + +exit wlcheck and try running it normally (no funky date this time) +guess what... STILL expired. +that means it records not only date info, but EXPIRED info as +well, exactely as +ORC said. + +Do the little effect of RM C:\WINDOWS\WLCHECK.SWL again and run +wlcheck + +It isn't expired now + +That means that the ONLY recorder for 'expired software' is in that +file... doing a little dos file compare between a copy of the swl +file before, and after (the BAD one), here are my results +again i used CP.EXE to copy the swl file since it strips attribs +and i dont have to worry about them now. +----------------------------------------------------------- +C:\WLCHECK\> FC WLCHECK.SWL WLCHECK.BAD + +Comparing files wlcheck.swl and wlcheck.bad shows them to be quite +different (you can try this for yourself if you like) +------------------------------------------------------------ + +There are a few ways we could go about this. +We could either try to make it so the 21 day period cannot +expire, or remove the command that records the info to the +file. 
In all honesty, we will probably have to do both in +order to deprotect it completely. +********************************************************** + +maybe we should do a little windows directory listing just +to see if there are any more surprises + +dir /a c:\windows\wlc* + +what do we see: +wlcheck.ini, wlcheck.ord, and wlcheck.swl + +that is all fine, no more surprises yet (if you didnt expect +a wlcheck.ini file: WHY NOT? + +if you edit wlcheck.ord, it is just your order blank from when +you filled out the wlcheck form nothing impressive, but at least +it has the product serial number listed at the bottom - sometimes +handy +********************************************************* +I cannot seem to find any more windows file commands, so i decided +to see if they had included in the dll their own file access commands +that means... look for int21 + +(there are a TON of int21 calls in this program! - and to think +that some people think that dos cracking is dead...) + +these are the KSL file i/o and system functions, with direct +access to hardware through DOS. + +upon searching for int21 calls - specifically int21 with ah=2a +b42a (mov ah, 2a) = get system date + +I found 3 instances + +2 occurrances of: + 008C D89045558BEC1E8ED856 B42A + +changed to + 00CB D89045558BEC1E8ED856 B42A + +(CB = retf) + +an interesting thing happens, on the first run, it works fine, +writes the .swl file, and goes on it's merry way + +on any subsequent runs, it says expired +that tells me that the changes i made, set the date to a nothing value +in the wlcheck.swl file + +in easier to understand lingo, i hit the nail on the head. +i found the date checker - in old int21 style. + +if you wish to play with this more yourself, go ahead. by all means. + +i still havent worried with the 3rd date check, which is the hex string: + 9045558BEC1E8ED856 B42A + +About this time, I begin to think - maybe there is a better way... 
+(I have gotten a bit tired of playing around, and I want to fully crack it) +---------------------------------------------------------- +Now we get down to the nitty gritty. + +The above is necessary work.. handy for other protection schemes. +It is, however, not incredibly useful here in this one. If you run wlcheck +or one of the other executables, you will notice something frustrating: +you cannot print. Only registered users get that option. That means we +either have to crack more functions, like above, or just go ahead and +register the thing and get it over with. + +So we shall. +------------------------------------------------------------ +Time to go into the WLCCOMM.DLL... + +remember how i said +ORC mentioned 2 occurrances of 15 that were interesting? +i search for " 15" (a space in front so it didn't get every 15 in the +wsccomm file listing) + +i didnt find what i wanted other than the original one, so i looked for 0015 +and i found one that looked promising.. + +:0001.3F5D C786E7FB1500 mov word ptr [bp-0419], 0015 +:0001.3F63 B001 mov al, 01 +:0001.3F65 8886CEFB mov [bp+FBCE], al +:0001.3F69 8886E9FB mov [bp+FBE9], al +:0001.3F6D 8886EAFB mov [bp+FBEA], al +:0001.3F71 C68648FC15 mov byte ptr [bp-03B8], 15 + +(I must remember to check for bgoth from now on) + +just below all that, i saw something strange... +several 'set value to 1' - in other words, it looks like we see a bunch +of flags + +changing the below statement to 00 returns this error: this is an old +version (and quits) - not extremely useful, but a green light shall we say. + +:0001.3F63 B001 mov al, 01 +:0001.3F65 8886CEFB mov [bp-0432], al +:0001.3F69 8886E9FB mov [bp-0417], al +:0001.3F6D 8886EAFB mov [bp-0416], al + +going further down... 
+we have a comparison (in the form of an 'OR') + +:0001.3F86 9AFFFF0000 call KSLHOOKS.Ord{0038h} + +:0001.3F8B 8BF8 mov di, ax <--- backing up ax + + This program apparently wants to save whatever came out of the strange + kslhooks call above before making this compare... + +:0001.3F8D 0BF8 or di, ax <--- COMPARE BOTH + + Note the special nature of this compare.. since both values are + the same, it is basically the same as saying if ax is zero, it + stays zero, if it is not, it becomes a 1 since the result of any + compare is stored in ax + + di still has the saved value in it however... for future use by the program + as you will see below, it is flag containing error codes + +:0001.3F8F 750F jne 3FA0 <--- FIRST JUMP IF NONZERO + + This smells to me like a 'beggar off jerk'... + (i already know what i have here, do you?) + +:0001.3F91 B80100 mov ax, 0001 <--- SET A FLAG?!? + + This just gets better and better, but i still look before i try anything, + I don't want to jump the gun and assume anything without proof... + +:0001.3F94 C45E06 les bx, [bp+06] +:0001.3F97 268987A400 mov es:[bx+00A4], ax + +:0001.3F9C E9D600 jmp 4075 <--- 2nd JMP +:0001.3F9F 90 nop + + HERE is where jmp 1 takes me... + +:0001.3FA0 8B760A mov si, [bp+0A] +:0001.3FA3 83FF0A cmp di, 000A +:0001.3FA6 7510 jne 3FB8 +:0001.3FA8 56 push si +:0001.3FA9 1E push ds + +* StringData Ref from Data Seg 002 ->"An upgrade is required. + Continuing as shareware only." + | +:0001.3FAA 68CF06 push 06CF + + AND WOULD YOU LOOK AT THAT EVIL MESSAGE! + it is very clear that the beggar off guess was correct... + +just go down a few lines and you will see ALL SORTS of nasty +error messages, including the shareware expiry message we get +when we try to run after 21 days (note that it would have been +much easier had we scanned the text for keywords like shareware, +reg, exp, or others we could imagine... 
but that would not work +with all programs, and we are here to learn how to crack ALSO +protections that do not do us the favour of carrying their doom +inside... therefore the approach above is much more solide :-) + + +paging down a little we see this at the location JMP 2 sent us at 4075... + +:0001.4075 1F pop ds +:0001.4076 5E pop si +:0001.4077 5F pop di +:0001.4078 C9 leave +:0001.4079 CA0600 retf 0006 + +it just quits... but if you remember up above, it set a flag before it +did so! + +now how do we get it to ignore those nasty error messages and we ALWAYS +jump to 4075 with the flag set? + +looking back at our decision code from above: + + +:0001.3F86 9AFFFF0000 call KSLHOOKS.Ord{0038h} + +:0001.3F8B 8BF8 mov di, ax +:0001.3F8D 0BF8 or di, ax +:0001.3F8F 750F jne 3FA0 <---- evil jump + +:0001.3F91 B80100 mov ax, 0001 +:0001.3F94 C45E06 les bx, [bp+06] +:0001.3F97 268987A400 mov es:[bx+00A4], ax +:0001.3F9C E9D600 jmp 4075 <---- good jump + +notice the jne? there are quite a few ways of attacking this, but think +about it, there are a few things that must be done. + +first, the jne could be changed to a je (or jz) but if we do that, we +have to WAIT 21 days to be able to use the program, or screw up the date +at install, or something dumb like that (not a good crack) + +if AX is set to anything, it is deemed an error by the program and the error +code is saved in DI. So we need to make sure ax is zero, and it might be +smart to cover our bases and set di to zero as well (you never know if some +value had been sitting in it to be confused as an error for our crazy +program wlcheck to find and complain about) + +so if we set both to zero, then the jne CANNOT ever jump out and we stay long +enough for us to set the AX flag and go along happily. 
+ +it just so happens that there is a simple way to set any variable to zero +(if you are familiar with assembly, ignore this, i am putting this in +here for those who havent become as familiar with it as the rest of us - +this is a tutorial after all isnt it?) + +xor ax, ax <--- sets ax to zero +xor di, di <--- sets di to zero + +if you are lazy like i am, you can search your dead listing for both +(the listing is so large, that you can probably find examples of many byte +values that you need) + +it turns out that the values are: + +33 C0 xor ax, ax +33 FF xor di, di + +and here's how our code will look: + + +:0001.3F86 9AFFFF0000 call KSLHOOKS.Ord{0038h} + +:0001.3F8B 33C0 xor ax, ax +:0001.3F8D 33FF xor di, di + +:0001.3F8F 750F jne 3FA0 + +:0001.3F91 B80100 mov ax, 0001 +:0001.3F94 C45E06 les bx, [bp+06] +:0001.3F97 268987A400 mov es:[bx+00A4], ax +:0001.3F9C E9D600 jmp 4075 + + +simply enough, now we just need to make the changes in the wlccomm.dll + +***************************************************** + +Crack for 16-bit wlcheck by +gthorne of the +HCU: + +pop into your favorite hex editor and load WLCCOMM.DLL +(File Size: 46,960 bytes) + +search for byte pattern: + 8BF80BF8750F + +replace with: + 33C033FF750F + +and run it... +it is registered! +---------------------------------------------------------- +Note for showoffs: + +If you wish it to say that it is registered to you, go to +the about box, and run the "registration" part of the program +BEFORE you crack it, entering data in the order form as you +want it to be registered. + +The target stores this info in the windows directory, in +the file: WLCHECK.ORD. +After cracking, that info is displayed proudly in the about box. +***************************************************** + +None of the many changes listed at the beginning of this +section are necessary now, not since we have a good, clean +crack. 
+Don't disregard the work though, some programs I've seen are +defeatable with the kind of work done before the register flag +was found. + +If this were a program with no flag to register, it would have +REQUIRED all that work anyway, and then some. + + +******************************************** +wlcheck for windows 95 +******************************************** + +Ok, building on my fellow +cracker's good work it was +pretty easy to defeat the Win'95 protection, which follows +the same lines as the 16 bit one above... I lost +some time on a stupid beta version of wlcheck for win 95, +that I had inside my collection though... how stupid. +This will teach me to ALWAYS work methodically. +Therefore: +FIRST OF ALL +perform an archie or ftp search for wlck95, you'll find a +whole bunch of servers carrying it, choose a ftp-server +near you and get it ftpmailed to you or download it (as +you prefer). +You'll soon find all the relevant data: +WLCHK955.ZIP 213.156 bytes + +SECOND +You have it, unzip it and examine it: +FILE_ID DIZ 438 23/08/96 5:10 FILE_ID.DIZ +WLCHK95 EXE 70.656 23/08/96 5:10 WLCHK95.EXE +KSLHKS95 DLL 52.224 21/08/96 1:00 KSLHKS95.DLL +WMCHK95 EXE 63.488 23/08/96 5:10 WMCHK95.EXE +WLCHK95 HLP 33.759 23/08/96 5:10 WLCHK95.HLP +WFCHK95 EXE 77.824 23/08/96 5:10 WFCHK95.EXE +WMCHK95 HLP 32.463 23/08/96 5:10 WMCHK95.HLP +WFCHK95 HLP 29.696 23/08/96 5:10 WFCHK95.HLP +README TXT 8.689 23/08/96 5:10 README.TXT +WLCCOM95 DLL 73.216 26/03/97 20:11 WLCCOM95.DLL + +(ignore the date of the last dll, that's just because I tampered +with it yesterday). 
+ +THIRD +Using what we have learned (quite a lot) let's work on +wlccom95.dll: here the relevant part of the dead listing: + +* Referenced by a Jump at Address:|:1C005B50(C) +| +:1C005B76 C685C3FBFFFF05 mov byte ptr [ebp+FFFFFBC3], 05 +:1C005B7D C685C4FBFFFF01 mov byte ptr [ebp+FFFFFBC4], 01 +:1C005B84 66C785DDFBFFFF1500 mov word ptr [ebp+FFFFFBDD], 0015 +:1C005B8D C685DFFBFFFF01 mov byte ptr [ebp+FFFFFBDF], 01 +:1C005B94 C685E0FBFFFF01 mov byte ptr [ebp+FFFFFBE0], 01 +:1C005B9B C6853EFCFFFF15 mov byte ptr [ebp+FFFFFC3E], 15 +:1C005BA2 8B450C mov eax, [ebp+0C] +:1C005BA5 66C780A80000000000 mov word ptr [ebx+000000A8], 0000 +:1C005BAE 8D8598FAFFFF lea eax, [ebp+FFFFFA98] +:1C005BB4 50 push eax + +* Reference To: kslhks95._KslHookProc1@4, Ord:0000h + | +:1C005BB5 E872420000 Call 1C009E2C +:1C005BBA 66894598 mov [ebp-68], ax +:1C005BBE 0FBF4598 movsx word ptr eax, [ebp-68] +:1C005BC2 85C0 test eax, eax +:1C005BC4 0F8516000000 jne 1C005BE0 +:1C005BCA 8B450C mov eax, [ebp+0C] +:1C005BCD 66C780A80000000100 mov word ptr [ebx+000000A8], 0001 +:1C005BD6 B801000000 mov eax, 00000001 +:1C005BDB E946010000 jmp 1C005D26 + +* Referenced by a Jump at Address: |:1C005BC4(C) +| +:1C005BE0 0FBF4598 movsx word ptr eax, [ebp-68] +:1C005BE4 83F80A cmp eax, 0000000A +:1C005BE7 0F8516000000 jne 1C005C03 +:1C005BED 6A40 push 00000040 + +* Possible StringData Ref from Data Obj ->"License Expired" + | +:1C005BEF 6828E8001C push 1C00E828 + +* Possible StringData Ref from Data Obj ->"An upgrade is required. Continuing " + ->"as shareware only." 
+ | +:1C005BF4 6838E8001C push 1C00E838 +:1C005BF9 8B4508 mov eax, [ebp+08] +:1C005BFC 50 push eax + +* Reference To: USER32.MessageBoxA, Ord:0188h + | +:1C005BFD FF151C04011C Call dword ptr [1C01041C] + +* Referenced by a Jump at Address:|:1C005BE7(C) +| +:1C005C03 0FBF4598 movsx word ptr eax, [ebp-68] +:1C005C07 83F807 cmp eax, 00000007 +:1C005C0A 0F8516000000 jne 1C005C26 +:1C005C10 6A40 push 00000040 + +* Possible StringData Ref from Data Obj ->"License Violated" + | +:1C005C12 6870E8001C push 1C00E870 + +* Possible StringData Ref from Data Obj ->"The license file has been changed. " + ->"Continuing as shareware only." + | +:1C005C17 6884E8001C push 1C00E884 +:1C005C1C 8B4508 mov eax, [ebp+08] +:1C005C1F 50 push eax + +* Reference To: USER32.MessageBoxA, Ord:0188h + | +:1C005C20 FF151C04011C Call dword ptr [1C01041C] + +* Referenced by a Jump at Address:|:1C005C0A(C) +| +:1C005C26 0FBF4598 movsx word ptr eax, [ebp-68] +:1C005C2A 83F808 cmp eax, 00000008 +:1C005C2D 0F8516000000 jne 1C005C49 +:1C005C33 6A40 push 00000040 + +* Possible StringData Ref from Data Obj ->"License Violated" + | +:1C005C35 68C8E8001C push 1C00E8C8 + +* Possible StringData Ref from Data Obj ->"This seems to be an unlicensed " + ->"copy. Continuing as shareware " + ->"only." + | +:1C005C3A 68DCE8001C push 1C00E8DC +:1C005C3F 8B4508 mov eax, [ebp+08] +:1C005C42 50 push eax + +* Reference To: USER32.MessageBoxA, Ord:0188h + | +:1C005C43 FF151C04011C Call dword ptr [1C01041C] + +* Referenced by a Jump at Address:|:1C005C2D(C) +| +:1C005C49 8D8598FAFFFF lea eax, [ebp+FFFFFA98] +:1C005C4F 50 push eax + +* Reference To: kslhks95._KslHookProc2@4, Ord:0001h + | +:1C005C50 E8D1410000 Call 1C009E26 +:1C005C55 66894598 mov [ebp-68], ax +:1C005C59 33C0 xor eax, eax +:1C005C5B 8A853EFCFFFF mov al , [ebp+FFFFFC3E] +:1C005C61 83F80D cmp eax, 0000000D +:1C005C64 0F8536000000 jne 1C005CA0 + +* Possible StringData Ref from Data Obj ->"Link Check evaluation license " + ->"has expired." 
+ | +:1C005C6A 6820E9001C push 1C00E920 +:1C005C6F 8D459C lea eax, [ebp-64] +:1C005C72 50 push eax +:1C005C73 E871030000 call 1C005FE9 +:1C005C78 83C408 add esp, 00000008 +:1C005C7B 6A10 push 00000010 + +* Possible StringData Ref from Data Obj ->"License Expiry" + | +:1C005C7D 684CE9001C push 1C00E94C +:1C005C82 8D459C lea eax, [ebp-64] +:1C005C85 50 push eax +:1C005C86 8B4508 mov eax, [ebp+08] +:1C005C89 50 push eax + +* Reference To: USER32.MessageBoxA, Ord:0188h + | +:1C005C8A FF151C04011C Call dword ptr [1C01041C] +:1C005C90 8B450C mov eax, [ebp+0C] +:1C005C93 50 push eax +:1C005C94 E857E3FFFF call 1C003FF0 +:1C005C99 33C0 xor eax, eax +:1C005C9B E986000000 jmp 1C005D26 + +* Referenced by a Jump at Address:|:1C005C64(C) +| +:1C005CA0 0FBF4598 movsx word ptr eax, [ebp-68] +:1C005CA4 83F804 cmp eax, 00000004 +:1C005CA7 0F8536000000 jne 1C005CE3 + +* Possible StringData Ref from Data Obj ->"This is an old version," + | +:1C005CAD 685CE9001C push 1C00E95C +:1C005CB2 8D459C lea eax, [ebp-64] +:1C005CB5 50 push eax +:1C005CB6 E82E030000 call 1C005FE9 +:1C005CBB 83C408 add esp, 00000008 +:1C005CBE 6A10 push 00000010 + +* Possible StringData Ref from Data Obj ->"License Violation" + | +:1C005CC0 6874E9001C push 1C00E974 +:1C005CC5 8D459C lea eax, [ebp-64] +:1C005CC8 50 push eax +:1C005CC9 8B4508 mov eax, [ebp+08] +:1C005CCC 50 push eax + +* Reference To: USER32.MessageBoxA, Ord:0188h + | +:1C005CCD FF151C04011C Call dword ptr [1C01041C] +:1C005CD3 8B450C mov eax, [ebp+0C] +:1C005CD6 50 push eax +:1C005CD7 E814E3FFFF call 1C003FF0 +:1C005CDC 33C0 xor eax, eax +:1C005CDE E943000000 jmp 1C005D26 + +* Referenced by a Jump at Address:|:1C005CA7(C) +| +:1C005CE3 0FBF4598 movsx word ptr eax, [ebp-68] +:1C005CE7 85C0 test eax, eax +:1C005CE9 0F8D2D000000 jnl 1C005D1C + +* Possible StringData Ref from Data Obj ->"An unexpected error has occurred." 
+ | +:1C005CEF 6888E9001C push 1C00E988 +:1C005CF4 8D459C lea eax, [ebp-64] +:1C005CF7 50 push eax +:1C005CF8 E8EC020000 call 1C005FE9 +:1C005CFD 83C408 add esp, 00000008 +:1C005D00 6A10 push 00000010 + +* Possible StringData Ref from Data Obj ->"System Error" + | +:1C005D02 68ACE9001C push 1C00E9AC +:1C005D07 8D459C lea eax, [ebp-64] +:1C005D0A 50 push eax +:1C005D0B 8B4508 mov eax, [ebp+08] +:1C005D0E 50 push eax + +* Reference To: USER32.MessageBoxA, Ord:0188h + | +:1C005D0F FF151C04011C Call dword ptr [1C01041C] +:1C005D15 33C0 xor eax, eax +:1C005D17 E90A000000 jmp 1C005D26 + +* Referenced by a Jump at Address:|:1C005CE9(C) +| +:1C005D1C B801000000 mov eax, 00000001 +:1C005D21 E900000000 jmp 1C005D26 + +* Referenced by a Jump at Addresses:|:1C005BDB(U), +:1C005C9B(U), :1C005CDE(U), :1C005D17(U), :1C005D21(U) +| +:1C005D26 5F pop edi +:1C005D27 5E pop esi +:1C005D28 5B pop ebx +:1C005D29 C9 leave +:1C005D2A C20800 ret 0008 +******************************************* +OK! let's crack... +Well it's all pretty obvious: +After having prepared the call with a lot of parameters + +:1C005B76 C685C3FBFFFF05 mov byte ptr [ebp+FFFFFBC3], 05 +:1C005B7D C685C4FBFFFF01 mov byte ptr [ebp+FFFFFBC4], 01 +:1C005B84 66C785DDFBFFFF1500 mov word ptr [ebp+FFFFFBDD], 0015 +:1C005B8D C685DFFBFFFF01 mov byte ptr [ebp+FFFFFBDF], 01 +:1C005B94 C685E0FBFFFF01 mov byte ptr [ebp+FFFFFBE0], 01 +:1C005B9B C6853EFCFFFF15 mov byte ptr [ebp+FFFFFC3E], 15 + +note the two x15 parameters... that will of course be the 21 +days limit... well, our target calls the kslhks95._KslHookProc1@4 +function with all its params and upon return the 32 bit version +uses the SAME protection scheme used in the 16 bit one: it has an +"evil" and a "good" jump: + +* Reference To: kslhks95._KslHookProc1@4, Ord:0000h + | +:1C005BB5 E872420000 Call 1C009E2C +:1C005BBA 66894598 mov [ebp-68], ax +:1C005BBE 0FBF4598 movsx word ptr eax, [ebp-68] +:1C005BC2 85C0 test eax, eax ;is it zero? 
+:1C005BC4 0F8516000000 EVIL jne 1C005BE0 ;not 0: bagger off +:1C005BCA 8B450C mov eax, [ebp+0C] +:1C005BCD 66C780A80000000100 mov word ptr [ebx+000000A8], 0001 ;OK, guy +:1C005BD6 B801000000 mov eax, 00000001 ;eat another good flag +:1C005BDB E946010000 HOLY jmp 1C005D26 ;and be happy for ever + +if you throw another look at the listing you'll see all the nasty +messages following the evil jump +* Referenced by a Jump at Address: |:1C005BC4(C) +| +:1C005BE0 0FBF4598 movsx word ptr eax, [ebp-68] +:1C005BE4 83F80A cmp eax, 0000000A + +and the subsequent compare eax ARE intersting, they give +you an exact look upon the inner working of our target: +here +eax=A means "License expired" +eax=7 means "License violated" (changed) +eax=8 means "License violated" (unlicensed) +eax=4 means "old version" etcetera... +as a matter of fact it may well be that the crack we +made goes crazy after 21 days (it won't if you push +the date around, we checked) use... in that case it +will be only a question of "fine tuning" of this crack, +and you already know where the relevant protection scheme +dwells... We do not want to wait 21 days just to be +absolutely sure that the crack works perfectly... so it +seems, and so it should be... should it have another +check somewhere (that I do not see now), I promise you +that you'll find the crack for it in three weeks time, +but I'm pretty sure you will not need it :-) + +Well, we learned a lot: +Time/Disabling protections may vary a lot, but even in +apparently very complicated schemes (like the wlcheck one), +wich do tamper with a lot of more or less hidden files, +there can be a very simple "hollow" point, where you +can cut mustard with a neat targeted crack... you need to +understand and to "feel" a little the program, though, and +I'm now beginning to understand what +ORC means with his +zen mystique of "feeling" the code. 
+So here is the simple crack for wlcheck 32 bits: + +search for + +:1C005BC2 85C0 test eax, eax +:1C005BC4 0F8516000000 jne 1C005BE0 +:1C005BCA 8B450C mov eax, [ebp+0C] +:1C005BCD 66C780A80000000100 mov word ptr [ebx+000000A8], 0001 + +85C00F8516000000 +and at the third occurrence of it +(well, if you want -instead of searching the third occurrence of that +string- to type a long string... then search directly for the whole set +85C00F85160000008B450C66C780A80000000100) do as you like, as far as +you land where you should: + :1C005BC2 85C0 test eax, eax + :1C005BC4 0F8516000000 jne 1C005BE0 +it's the time to crack your target! Noop the first 8 bytes out, +that is from 85C0 until the three subsequent zeros of instruction +:1C005BC2 ... you may even use the nop=90x instruction like the +lamers if you fancy... here there is absolutely no checking-protection +that examine eventual patchings... noop as you like. +*************************************** +Thinking about it we believe that the aim of this first lesson of +the "4" series from +ORC was the following: +he found an apparently +overcomplicated protection only to show us that, hidden behind +everything, a single neat crack was needed... as the fellow +cracker +of the 16 bit version observed, +he gave us a single (but decisive) +hint: he spoke about the second occurrence of the 15x byte, which +proved decisive -as you already did read- in individuating the +"hollow" point of our target. +As this lesson 4.1 was intended as second "+HCU" lesson, we believe +(and hope) that in finding the neat cracks for the 16 and the 32 bit +versions of wlcheck (which is a damn useful program in our trade, btw) +we have accomplished our task. +Now a question arises: +Should really all time protections be variations of this scheme? +(we do not know... we are awaiting the next "4" lesson of +ORC +like everybody else). 
In that case there is not a single program +(now) able to elude us :-) +Another system: inside win.ini: +[License] +Installed=854824551 +Expires=857416551 +LastUsed=854824717 +i.e. calculated in seconds, +Where 30 days allowance is 857416551 - 854824551 = 2592000 +2592000/30 = 86400 (one day) +86400/24 = 3600 (one hour) +3600/60 = 60 (one minute) + +Well, that's it for this lesson, reader. Not all lessons of my +tutorial are -or will be- on the Web. +You'll obtain the missing lessons IF AND ONLY IF you mail +me back (via anon.penet.fi) with some tricks of the trade I may +not know that YOU discovered. Mostly I'll actually know them +already, but if they are really new you'll be given full credit, +and even if they are not, should I judge that you "rediscovered" +them with your work, or that you actually did good work on them, +I'll send you the remaining lessons nevertheless. Your +suggestions and critics on the whole crap I wrote are also +welcomed. Do not annoy me with requests for warez, everything is +on the Web, learn how to search, for Jimmy Olden sake. + +"If you give a man a crack he'll be hungry again +tomorrow, but if you teach him how to crack, he'll +never be hungry again" + ++ORC na526164@anon.penet.fi + diff --git a/textfiles.com/piracy/CRACKING/c5.txt b/textfiles.com/piracy/CRACKING/c5.txt new file mode 100644 index 00000000..85746001 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/c5.txt 
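Review bot: the imported c4.txt keeps the source's own spelling errors ("occurrances", "toto", "inveitable", "previoous", "exactely", "solide") and the inconsistent sign display in the wlccomm.dll listing, where the same bytes 8886CEFB appear once as `mov [bp+FBCE], al` and a few lines later as `mov [bp-0432], al`; that is expected for an archival mirror, but the commit message should state that the text files are imported verbatim so nobody later "fixes" the archived wording or the listing. Also confirm that leaving the historical contact address at the end of the file (na526164@anon.penet.fi) matches the project's policy on contact details in archived material.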
@@ -0,0 +1,488 @@ +HOW TO CRACK, by +ORC, A TUTORIAL + +Lesson 5.1: Disk & CD-Rom access (basics) + +LESSON 5 (1) - HOW TO CRACK, HANDS ON - Disk/CDROM access (plus +bypasses "on the fly") + +Somewhere I have to put the bypasses (loader programs) in this +tutorial, allow me to put them here: + +Preparing a loader to bypass a protection [MARIO ANDRETTI] + At time the protectionists hook vectors in order to impose +a particular protection. In this (and similar) cases a good +crack-way is to prepare a "loader" program, that "de-hooks" the +vector used for the protection. This kind of crack can be used +also for internet cracking (on some firewall configurations, see +lesson A.2). + As example let's take "Mario andretti racing challenge", a +stupid game that uses the SAME (!) protection scheme you'll still +find to day on some access routines of military servers around +the witlessly called "free" world. + +In order to crack this cram you would prepare a loader on the +following lines: + +loc code instruction what's going on +------------------------------------------------------- +:0100 EB44 JMP 0146 +... 
+:0142 0000 <- storing for offset of INT_21 +:0144 5887 <- storing for segment of INT_21 +:0146 FA CLI +:0147 0E PUSH CS +:0148 1F POP DS +:0149 BCB403 MOV SP,03B4 +:014C FB STI +:014D 8C1EA901 MOV [01A9],DS <- save DS +:0151 8C1EAD01 MOV [01AD],DS three +:0155 8C1EB101 MOV [01B1],DS times +:0159 B82135 MOV AX,3521 <- get INT_21 +:015C CD21 INT 21 in ES:BX +:015E 891E4201 MOV [0142],BX <- store offset +:0162 8C064401 MOV [0144],ES <- store segment +:0166 BA0201 MOV DX,0102 +:0169 B82125 MOV AX,2521 <- set INT_21 to +:016C CD21 INT 21 DS:0102 +:016E 0E PUSH CS +:016F 07 POP ES <- ES= current CS +:0170 BBB403 MOV BX,03B4 +:0173 83C30F ADD BX,+0F +:0176 B104 MOV CL,04 +:0178 D3EB SHR BX,CL <- BX= 3C +:017A B8004A MOV AX,4A00 <- Modify memory block +:017D CD21 INT 21 to 3C paragraphs +:017F BA9E01 MOV DX,019E <- ds:dx=program name +:0182 BBA501 MOV BX,01A5 <- es:bx = param. block +:0185 B8004B MOV AX,4B00 <- load ma.com +:0188 CD21 INT 21 +:018A 2E8B164201 MOV DX,CS:[0142] <- reset old int_21 +:018F 2E8E1E4401 MOV DS,CS:[0144] +:0194 B82125 MOV AX,2521 +:0197 CD21 INT 21 +:0199 B8004C MOV AX,4C00 <- terminate with return +:019C CD21 INT 21 code +:019E 6D612E636F6D00 "ma.com" + 0000 fence +:01A7 B2015887 +:01AB B2015887 +:O1AF B2015887 + 0000 fence + +let's now prepare a routine that hooks INT_21: + +push all +CMP AX,2500 <- go on if INT_21 service 25 +JNZ ret +CMP Word Ptr [0065], C00B <- go on if location 65 = C00B +JNZ ret +MOV Byte Ptr [0060], EB <- crack instructions +MOV Byte Ptr [0061], 3C +MOV Byte Ptr [0062], 40 <- INC AX +MOV Byte Ptr [0063], 90 <- NOP +MOV Byte Ptr [0064], 48 <- DEC AX +pop all +JMP FAR CS:[0142] <- JMP previous INT_21 + + From now on this loader will work every time that a program +with location [0065] containing an 0R AX,AX instruction (0BC0: +it's the case of ma.com) calls INT_21 service 25 (hook a vector), +the target program will be modified on the fly and will get, at +location [0060], the instruction JMP 3C locations ahead, despite 
+the fact that it has routines capable of self checking in order +to make sure it has not been modified. + The most important thing is the routine that YOU write that +will precede the call to INT_21 (or any other INT) service 25 (or +any other service) in order to crack on the fly the offending +program. I'll show you another one, this one for [Reach for the +skies] (reach.com): + +push all +CMP AH,3D <- is it service 3D? (open file) +JNZ ret <- no, so ret +CMP DX,13CE <- you wanna open file at 13CE? +JNZ ret <- no, so ret +MOV AX,[BP+04] <- in this case +MOV DS,AX +CMP Byte Ptr [B6DA],74 <- old instructions +JNZ 015B +CMP Byte Ptr [B6DB],0F <- ditto +JNZ 015B +CMP Byte Ptr [B6DC],80 <- ditto, now we now where we are +JNZ 015B +MOV Byte Ptr [B6DA],EB <- crack +MOV Byte Ptr [B697],40 <- camouflaged no-opping +MOV Byte Ptr [B698],48 <- cam nop +MOV Byte Ptr [B699],90 <- cam nop +MOV Byte Ptr [B69A],40 <- cam nop +MOV Byte Ptr [B69B],48 <- cam nop +MOV DX,CS:[0165] +MOV DS,CS:[0167] +MOV AX,2521 <- set hook +INT 21 +POP all +JMP FAR CS:[0165] +Here you did change the instruction 740F in the instruction EB0F, +and you did "noop" the instructions at B697-B69B. (Well, more +elegantly than "noop" them with "90" bytes, you choose a INC AX, +DEC AX, NOP, INC AX, DEC AX sequence instead! There are sound +reasons to use a sequence of "working" instructions instead of +NOPs: recent protection schemes "smell" patched nops inside the +program and trash everything if they find more than -say- three +consecutive NOPs! You should always try to choose THE LESS +INTRUSIVE and MORE "CAMOUFLAGED" solution when you crack!) + You can apply this kind of crack, on the same lines, to many +programs that perform self checking of the code and hook the +vectors. + +REAL DISK ACCESS STUFF + Now we may come to the subject of this lesson: + As usual, let's begin from the beginning: history is always +the key that allows an understanding of present and future, in +cracking matters too. 
As the older 5 1/4 inch big black floppy +disks were still used (the 320K/8 tracks or 360K/9 tracks ones, +that were really "floppy" and have nowadays almost disappeared) +one of the more common methods to protect a program, was to +format the "master" (key) disk in a weird way. Old floppy disk +for the PC did usually store 360K at 9 sectors per track. + Some basics for those of you that do not know anything: in +order to defeat this kind of cracks you need to know two things: +the floppy disk parameter block (FDPB) and the interrupt routines +dealing with format/read disk (basically INT_13). + Most often, the protection scheme is to either format one +or more sectors or tracks with sector sizes other than the +standard 512 bytes, or to either give one of the sectors a wild +sector number like 211 or just not format a whole track of +eight/nine/15 sectors. If you, for instance, have got the same +(very old) copy of VisiCalc master I do, you'll find that sector +8 on track 39 is missing entirely. The interrogation with +assembly or with an "ad hoc" utility (I use the tools I wrote +myself, but you 'll be able to find many such utilities in public +domain, the oldest one, from 1984 (!) being the seasoned [U-ZAP] +an "Ultra utility" from the "Freesoft company") will tell you +which sector numbers were altered, their size in bytes, and if +they were formatted with a CRC error (another not so fancy +trick). + The floppy disk parameters are stored in the BIOS: interrupt +vector 1E contains the address of the floppy disk parameter +block. The FDPB's contents are the following: +Offset Function crackworthy? 
Example +0 Step rate & head unload no DF +1 head load time no 02 +2 Motor on delay no 25 +3 Number of bytes per sector yes 02 +4 Last sector number yes 12 +5 Gap length yes 1B +6 Data track length yes FF +7 Format gap length yes 54 +8 Format byte no F6 +9 Head settle time no 0F +A Motor start time no 02 + +0) Offset #0: the left "nybble" (single digit) of this value + is the step rate time for the disk drive head. The right + nybble is the disk head unload time. These values are best + left alone. +1) Offset #1: again, don't fool around with these values. The + left nybble is the disk head load time, and the right + nybble is the direct memory access mode select. +2) Wait time until motor is turned off. Not normally of use. +3) Bytes-per-sector value: AH-HAH! If you place a "0" in this + value, the PC expects all sectors to be 128 bytes long. A + "1" means a sector size of 256 bytes, a "2" means 512 + bytes (this is the standard DOS value), and a "3" means + 1024 bytes per sector. +4) Highest sector number on a track: this is used for + formatting and tells DOS how many sectors there are on each + track. +5) Gap length for diskette reads: this is what you fool around + with if you keep getting CRC errors when you try to read a + non-standard size sector. Normally, you can just leave this + alone except when formatting with a U-Format tool. +6) Data length: This contains the number of bytes in a sector + when the value in table byte #4 doesn't contain a 0, 1, 2, + or 3. +7) Number of bytes in the gap between sectors: this is also + only used when formatting special tracks. +8) Format fill byte: When formatting, this is the + initialization byte that will be placed in all new sectors. +9) Head settle time: leave this alone. +A) Motor start time: don't fool with this either. 
+In order to modify globally the number of tracks on a given disk +and the number of sectors per track you can always format with +the DOS command switches "/t:" and "/n:" + FORMAT /t:tracks /n:sectors + + If you want to find out what the existing parameters are, +run [Debug.exe] or [Symdeb.exe] and enter the following commands: +- d 0:78 l 4 <- get FDPB address + 0000:0070 22 05 00 <- debugger's likely response +- d 0:522 l a <- get 10 FDPB values + 0000:520 DF 02 25 02 12 1B FF... <- see preceding table + + Remember that all standard disk formats under DOS support +a sector size of 512 bytes, therefore, for one-sided 5.25 inch +floppies: + 40t*8s*512b=163.840 bytes (160Kb) + 40t*9s*512b=184.320 bytes (180Kb) +and for two-sided 5.25 inch floppies: + 40t*8s*512b*2sides=327.680 bytes (320Kb) + 40t*9s*512b*2sides=368.640 bytes (360Kb) + Beginning with DOS version 3.0 (Yeah, more and more +history!) a new floppy disk format has been supported: The IBM +AT (80286 CPU) introduced the so called "high capacity" 5.25 u- +inch floppy, capable of storing 1.2M at 15 sectors per track: + 80t*15s*512b*2sides=1.228.800 bytes (1.2Mb) + Later on were introduced the to-day universally used 3.5 +inch floppies, the ones inside a rigid small plastic cartridge, +and we have, similarly: + 3.5-inch double sided/double density 720K + 3.5-inch double sided/quad density (HD) 1440K + 3.5-inch double sided/high density 2880K + + +[INT_13, AH=18, Set media type for format] + In order to create weird layouts, the protectionists use +interrupt 13h, service 18h, that specifies to the formatting +routines the number of tracks and sectors per track to be placed +on the media: +* Registers on entry: AH=18h; CH=Nø of tracks; CL= Sectors + per track; DL= Drive number (A=0; B=1;C=2... bit 7 is set + if the drive is an hard disk) +* Registers on Return: DI: Offset address of 11-byte + parameter table; ES: Segment address of 11-byte parameter + table. 
+ +[INT_13, AH=2, Read disk sectors] +In order to read them, they have to use INT_13, service 2, read +disk sectors, with following layout: +* Registers on entry: AH=2h; AL= Nø of sectors; BX= Offset + address of data buffer; CH=track; CL= Sector; DH= Head + (side) number; DL= Drive number; ES: Segment address of + data buffer. +* Registers on Return: AH= return code. If the carry flag is + not set, AH=0, therefore the weird sector has been read, if + on the contrary the carry flag is set, AH reports the + status byte as follows: +76543210 HEX DEC Meaning +1 80h 128 Time out - drive crazy + 1 40h 064 Seek failure, could not move to track + 1 20h 032 Controller kaputt + 1 10h 016 Bad CRC on disk read + 1 09h 009 DMA error - 64K boundary crossed + 1 08h 008 DMA overrun + 1 04h 004 Bad sector - sector not found + 11 03h 003 Write protect! + 1 02h 002 Bad sector ID (address mark + 1 01h 001 Bad command + +[Return code AH=9: DMA boundary error] + One of the possible errors should be explained, coz it is +used in some protection schemes: AH=9 DMA boundary error, means +that an illegal boundary was crossed when the in formation was +placed into RAM. DMA (Direct memory access) is used by the disk +service routines to place information into RAM. If a memory +offset address ending in three zeros (ES:1000, ES: 2000...) falls +in the middle of the area being overlaid by a sector, this error +will occur. + +[INT_13, AH=4 Verify disk sectors] + Another possible protection interrupt is interrupt 13H, +service 4, Verify disk sectors. Disk verification takes place on +the disk and DOES NOT involve verification of the data on the +disk against data in memory! This function has no buffer +specification, does not read or write a disk: it causes the +system to read the data in the designated sector or sectors and +to check its computed cyclic redundancy check (CRC) against data +stored on the disk. See INT_13, AH=2 registers and error report. 
+ +[CRC] + The CRC is a checksum, that detects general errors. When a +sector is written to disk, an original CRC is calculated AND +WRITTEN ALONG with the sector data. The verification service +reads the sector, recalculates the CRC, and compares the +recalculated CRC with the original CRC. + + + + We saw that some protection schemes attempt to disguise +interrupt calls. This is particularly frequent in the disk access +protection schemes that utilize INT_13 (the "disk" interrupt). + If you are attempting to crack such programs, the usual +course of action is to search for occurrences of "CD13", which +is machine language for interrupt 13. One way or another, the +protection scheme has to use this interrupt to check for the +special sectors of the disk. If you examine a cross section of +the program, however, you'll find programs which do not have +"CD13" in their machine code, but which clearly are checking the +key disk for weird sectors. How comez? + There are several techniques which can be used to camouflage +the protection scheme from our nice prying eyes. I'll describe +here the three such techniques that are more frequent: +1) The following section of code is equivalent to issuing an +INT 13 command to read one sector from drive A, side 0, track +29h, sector ffh, and then checking for a status code of 10h: + cs:1000 MOV AH,02 ;read operation + cs:1002 MOV AL,01 ;1 sector to read + cs:1004 MOV CH,29 ;track 29h + cs:1006 MOV CL,FF ;sector ffh + cs:1008 MOV DX,0000 ;side 0, drive A + cs:100B XOR BX,BX ;move 0... + cs:100D MOV DS,BX ;...to DS register + cs:100F PUSHF ;pusha flags + cs:1010 PUSH CS ;pusha CX + cs:1011 CALL 1100 ;push address for next + instruction onto stack and branch + cs:1014 COMP AH,10 ;check CRC error + cs:1017 ... rest of verification code + ... + ... 
+ cs:1100 PUSHF ;pusha flags + cs:1101 MOV BX,004C ;address of INT_13 vector + cs:1104 PUSH [BX+02] ;push CS of INT_13 routine + cs:1107 PUSH [BX] ;push IP of INT_13 routine + cs:1109 IRET ;pop IP,CS and flags +Notice that there is no INT 13 command in the source code, so if +you had simply used a debugger to search for "CD13" in the +machine code, you would never have found the protection routine. + +2) Another technique is to put in a substitute interrupt +instruction, such as INT 10, which looks harmless enough, and +have the program change the "10" to "13 (and then back to "10") +on the fly. A search for "CD13" would turn up nothing. + +3) The best camouflage method for interrupts I have ever +cracked (albeit not on a INT 13) was a jump to a section of the +PROGRAM code that reproduces in extenso the interrupt code. This +elegant (if a little overbloated) disguise mocks every call to +the replicated interrupt. + +LOADING ABSOLUTE DISK SECTORS +Old good [debug.com] has been called the "swiss army knife" of +the cracker. It allows a lot of nice things, inter alia the +loading, reading, modifying and writing of absolute sectors of +the disks. The sector count starts with the first sector of track +0, next sector is track 0, second side (if double sided), then, +back to the first side, track 1, and so on, until the end of the +disk. Up to 80h (128) sectors can be loaded at one time. To use +you must specify starting address, drive (0=A, 1=B, etc...), +starting sector and number of sectors to load. + - l 100 0 10 20 +This instruction tells DEBUG to load, starting at DS:0100, from +drive A, sector 10h for 20h sectors. This allows at times the +retrieval of hidden and/or weird formatted data. If you get an +error, check the memory location for that data. Often times, part +of the data has been transferred before the error occurs, and the +remainder can be manually entered or gathered through repetitive +retries. + +Bear all this in mind learning the following cracks. 
+Let's now crack an "oldie" primitive: +MS Flight simulator (old version 2.12, from 1985!) +This old program used -in 1985!- following beautiful protection +scheme: on the disk you had only a "stub", called FS.COM with few +bytes, which had following instructions: + +loc code instruction what's going on +------------------------------------------------------- +:0100 FA CLI ;why not? +:0101 33C0 XOR AX,AX ;ax=0 +:0103 8ED0 MOV SS,AX ;ss=0 +:0105 BCB0C0 MOV SP,C0B0 ;SP=C0B0 +:0108 8EC0 MOV ES,AX ;ES=0 +:010A 26C70678003001 MOV Wptr ES:[0078],0130 ;Wp 0:78=130 +:0111 268C0E7A00 MOV ES:[007A],CS ;0:7A=Segment +:0116 BB0010 MOV BX,1000 ;BX=1000 +:0119 8EC3 MOV ES,BX ;ES=1000 +:011B 33DB XOR BX,BX ;BX=0 +:011D B80102 MOV AX,0201 ;AH=2 AL=1 sector +:0120 BA0000 MOV DX,0000 ;head=0 drive=0 +:0123 B96501 MOV CX,0165 ;track=1 sector=65 (!) +:0126 CD13 INT 13 ;INT 13/AH=2 +:0128 B83412 MOV AX,1234 ;AX=1234 +:012B EA00000010 JMP 1000:0000 ;JMP to data we just read +:0130 CF IRET ;Pavlovian, useless ret + + You see what's happening in this old protection scheme, +don't you? Herein you can watch the same snap that happens in +more recent (much more recent) protection schemes (as you'll see +in the next lesson): the protection searches for a weird +formatted sector and/or for particular data. + That should be no problem for you any more: you should just +reverse engineer everything (and that goes on pretty quickly: +just watch and break on the INT_13 calls), fetch the "weird" +data, tamper the whole crap and have your soup as you like it. + One more word about "old" protection schemes. Be careful not +to spurn them! Some of them are + --CLEVER + --STILL USED + --DIFFICULT TO CRACK... I mean, this older DOS programs had +nice protections... 
it's pretty annoying to crack windows +programs that require a registration number: as you saw in Lesson +3, you just type your name and a serial number of your choice in, +say "666666666", break into the program with WINICE, search the +"666666666" and search too, for good measure, your own name, set +a memory read breakpoint where the number dwells and look at the +code that manipulates your input. As [Chris] rightly pointed out, +you can even rip the code straight out of the program and create +a key generator which will produce a valid code. This code will +work for any name you typed in only in the "pure maths +manipulation" protection schemes, and will on the contrary be +specific, following the name you typed in, the "alpha-maths +manipulation" protection schemes (like MOD4WIN, see the Windows +lessons), watch in this case the "pseudo-random xoring" of the +letters that compose your name. + --STUNNING, coz new ideas have always been infrequent, and +they are getting more and more rare in this objectionable world +of lazy, incapable programmers patronizing us with ill-cooked +outrages like Windows'95... yeah, as usual there is no +"development" at all, quite the contrary, I would say. Take a +step backward, sip a good Martini-Wodka (please remember that +only Ice cubes, Dry Martini, Wodka Moskovskaja, Schweppes' +"Indian tonic" a green olive from Tuskany and a maltese lemon +zest will really be perfect) and watch from your balcony, with +unsullied eyes, your town and the people around you: slaves +everywhere, leaving home at 7.30 in the morning, stinking in a +progression of identical cars, forced to interminably watch +advertisement panels and endlessly listen to boorish publicity, +happy to go to work (if they happen to have the "luck" to work, +in this inequitable society) the whole day long in order to +produce other cars in order to buy, one day, a new car with a +different colour... 
+ Why people don't look at the stars, love each other, feel +the winds, ban the stinking cars from the places where they live +and eat, study colours... name yourself a not-consumistic +activity? Why don't they read any poems any more? No poetry any +more, in the grey society of the publicity-spots slaves...poetry +will soon be forbidden, coz you cannot CONSUME as you read poems, +and in this farce of a society you are BOUND to consume, that's +the only thing they want you to do... you are CULTIVATED to +consume... no books worth to read any more... stupid american +conventional cram everywhere... boy, at times I'm missing some +well placed neutron bombs, the ones that would kill all these +useless zombies and leave noble books and good Wodka untouched. +It's difficult to believe in democracy any more... if I ever +did... all the useless zombie do -unfortunately- vote, and they +do vote for "smiling semblances", for "conventionally minded +idiots" that so act as if they would "really" be like what they +"look" like and could not care less about anything else than +making bucks and defend intolerant and petty patterns. The slaves +choose the people they have "seen" on TV... as if the egyptians +would VOTE for their pharaohs, exhilarated under the whips of +publicity... sorry, at times I forget that you are here for the +cracks, and could not care less about what I think... + + You 'll obtain the OTHER missing lessons IF AND ONLY IF you +mail me back (via anon.penet.fi) with some tricks of the trade +I may not know that YOU discovered. Mostly I'll actually know +them already, but if they are really new you'll be given full +credit, and even if they are not, should I judge that you +"rediscovered" them with your work, or that you actually did good +work on them, I'll send you the remaining lessons nevertheless. +Your suggestions and critics on the whole crap I wrote are also +welcomed. + ++ORC an526164@anon.penet.fi + + + 
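Review bot: the INT_13 register descriptions in this hunk read `CH=Nø of tracks` and `AL= Nø of sectors`, which looks like a code-page mis-decode rather than the original text: byte F8h is `°` in CP437 (the code page a DOS-era text file like this would have used) and `ø` in ISO-8859-1, so the source almost certainly read `N°`. Please say in the commit message whether these files are stored byte-for-byte or transcoded to UTF-8; if transcoded, decode from CP437 so this and any other high-bit characters come through as written. Two smaller transcription oddities fall under the same policy: the loader listing's `:O1AF B2015887` uses a capital letter O where the neighbouring lines use the digit zero (`:01A7`, `:01AB`), and the sign-off here is `an526164@anon.penet.fi` while the preceding file ends with `na526164@anon.penet.fi`; if the mirror is verbatim these stay as found, otherwise they deserve a look. Minor: the file ends with several blank `+` lines, so a whitespace check in this repository would flag the hunk.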
diff --git a/textfiles.com/piracy/CRACKING/c6.txt b/textfiles.com/piracy/CRACKING/c6.txt new file mode 100644 index 00000000..7696257d --- /dev/null +++ b/textfiles.com/piracy/CRACKING/c6.txt 
@@ -0,0 +1,456 @@ +HOW TO CRACK, by +ORC, A TUTORIAL + +Lesson 6.1: Funny tricks (1) + + +LESSON 6 (1) - Funny tricks. Xoring, Junking, Sliding +EXERCISE 01: [LARRY in search of the King] + Before the next step let's resume what you have learned in +the lessons 3-5, beginning with a very simple crack exercise +(again, we'll use the protection scheme of a game, for the +reasons explained in lesson 1): SEARCH FOR THE KING (Version +1.1.). This old "Larry" protection sequence, is a "paper +protection" primitive. It's a very widespread (and therefore easy +to find) program, and one of the first programs that instead of +asking meaningful passwords (which offer us the possibility to +immediately track them down in memory) asked for a random number +that the good buyer could find on the manual, whereby the bad +cracker could not. (Here you choose -with the mouse- one number +out of 5 possible for a "gadget" choosen at random). I don't need +any more to teach you how to find the relevant section of code +(-> see lesson 3). Once you find the protection, this is what you +get: + +:protection_loop + :C922 8E0614A3 MOV ES,[A314] +... + :C952 50 0E PUSH AX & CS + :C954 E81BFF CALL C872 <- call protection scheme + :C957 5B POP BX twice + :C959 8B76FA MOV SI,[BP-06] <- prepare store_room + :C95C D1E6 SHL SI,1 <- final prepare + :C95E 8942FC MOV [BP+SI-04],AX <- store AX + :C961 837EFA00 CMP Word Ptr [BP-06],+00 <- good_guy? + :C965 75BB JNZ C922 <- loop, bad guy + :C967 8E0614A3 MOV ES,[A314] + :C96B 26F606BE3501 TEST Byte Ptr ES:[35BE],01 <- bad_guy? + :C971 74AF JZ C922 <- loop, bad guy + :C973 8B46FC MOV AX,[BP-04]... <- go on good guy + +Let's see now the protection scheme called from :C954 + :C872 55 PUSH BP +... + :C8F7 90 NOP + :C8F8 0E PUSH CS + :C8F9 E87234 CALL FD6E <- call user input + :C8FC 5B POP BX + :C8FD 5B POP BX + :C8FE 8B5E06 MOV BX,[BP+06] + :C901 D1E3 SHL BX,1 + :C903 39872266 CMP [BX+6622],AX <- right answer? 
+ :C907 7505 JNZ C90E <- no, beggar_off + :C909 B80100 MOV AX,0001 <- yes, AX=1 + :C90C EB02 JMP C910 + :C90E 2BC0 SUB AX,AX <- beggar_off with AX=0 + :C910 8BE5 MOV SP,BP + :C912 5D POP BP + :C913 CB RETF <- back to main + +Here follow 5 questions, please answer all of them: +1) Where in memory (in which locations) are stored the "right" + passnumbers? Where in memory is the SEGMENT of this + locations stored? How does the scheme get the OFFSET? +2) Would setting NOPs instructions at :C965 and :C971 crack? + Would it be a good idea? +3) Would changing :C907 to JZ crack? Would it be a good idea? +4) Would changing :C907 to JNZ C909 crack? Would it be a good + idea? +5) Write down (and try) at least 7 OTHER different patches to + crack this scheme in spades (without using any NOP!). +Uff! By now you should be able to do the above 5 exercises in +less than 15 minutes WITHOUT USING THE DEBUGGER! Just look at the +data above and find the right answers feeling them... (you 'll +now which one are the right one checking with your debugger... +score as many points as you like for each correct answer and sip +a good Martini-Wodka... do you know that the sequence should +ALWAYS be 1) Ice cubes 2) Martini Dry 3) Wodka Moskovskaja 4) +olive 5) lemon 6) Schweppes Indian tonic? + +Let's now come to the subject of this lesson: +-----> [Xoring] (Simple encryption methods) + One easy way to encrypt data is the XOR method. XOR is a bit +manipulation instruction that can be used in order to cipher and +decipher data with the same key: + Byte to encrypt key result + FF XOR A1 5E + 5E XOR A1 FF +As you can see XOR offers a very easy way to encrypt or to +decrypt data, for instance using the following routine: + encrypt_decrypt: + mov bx, offset_where_encryption/decryption_starts + xor_loop: + mov ah, [bx] <- get current byte + xor ah, encrypt_value <- engage/disengage xor + mov [bx], ah <- back where you got it + inc bx <- ahead one byte + cmp bx, offset_start_+_size <- are we done? 
+ jle xor_loop <- no, then next cycle + ret <- back where we came from + +The encrypt_value can be always the same (fixed) or chosen at +random, for instance using INT_21, service 2Ch (get current time) +and choosing as encrypt_value the value reported in DL (but +remembering to discard the eventual value 0, coz otherwise it +would not xor anything at all!) + random_value: + mov ah,2Ch + int 21h + cmp dl,0 + je random_value + mov encrypt_value,dl + The problem with XORing (and with many other encryption +methods), is that the part of the code that calls the encryption +routine cannot be itself encrypted. You'll somewhere have, "in +clear" the encryption key. + + The protectionist do at times their best to hide the +decrypting routine, here are some common methods: + +-----> JUNK FILLING, SLIDING KEYS AND MUTATING DECRYPTORS + These are the more common protection method for the small +decryption part of the program code. This methods, originally +devised to fool signature virus scanners, have been pinched from +the polymorphic virus engines of our fellows viriwriters, and are +still in use for many simple decryption protection schemes. For +parts of the following many thanks go to the [Black Baron], it's +a real pity that so many potential good crackers dedicate so much +time to useless (and pretty repetitive) virus writing instead of +helping in our work. This said, virus studying is VERY important +for crackers coz the code of the viri is +* ULTRAPROTECTED +* TIGHT AND EFFECTIVE +* CLOAKED AND CONCEALED. + +Let's show as example of the abovementioned protection tactics +the following ultra-simple decryptor: + MOV SI,jumbled_data ;Point to the jumbled data + MOV CX,10 ;Ten bytes to decrypt +mn_loop: XOR BYTE PTR [SI],44 ;XOR (un_scramble!) a byte + INC SI ;Next byte + LOOP mn_loop ;Loop the 9 other bytes + +This small program will XOR the ten bytes at the location pointed +to by SI with the value 44. 
Providing the ten bytes were XORed +with 44 prior to running this decryptor the ten bytes will be +restored to their original state. +In this very simple case the "key" is the value 44. But there are +several tricks involving keys, the simplest one being the use of +a "sliding" key: a key that will be increased, or decreased, or +multiplied, or bit-shifted, or whatever, at every pass of the +loop. + +A possible protection can also create a true "Polymorph" +decryptor, a whole decryptor ROUTINE that looks completely +different on each generation. The trick is to pepper totally +random amounts of totally random instructions, including JUMPS +and CALLS, that DO NOT AFFECT the registers that are used for the +decryption. Also this kind of protection oft uses a different +main decryptor (possibly from a selection of pre-coded ones) and +oft alters on each generation also all the registers that the +decryptor uses, invariably making sure that the JUNK code that +it generates doesn't destroy any of the registers used by the +real decryptor! So, with these rules in mind, here is our simple +decryptor again: + + MOV DX,10 ;Real part of the decryptor! + MOV SI,1234 ;junk + AND AX,[SI+1234] ;junk + CLD ;junk + MOV DI,jumbled_data ;Real part of the decryptor! + TEST [SI+1234],BL ;junk + OR AL,CL ;junk +mn_loop: ADD SI,SI ;junk instr, but real loop! + XOR AX,1234 ;junk + XOR BYTE PTR [DI],44 ;Real part of the decryptor! + SUB SI,123 ;junk + INC DI ;Real part of the decryptor! + TEST DX,1234 ;junk + AND AL,[BP+1234] ;junk + DEC DX ;Real part of the decryptor! + NOP ;junk + XOR AX,DX ;junk + SBB AX,[SI+1234] ;junk + AND DX,DX ;Real part of the decryptor! + JNZ mn_loop ;Real part of the decryptor! + +As you should be able to see, quite a mess! But still executable +code. It is essential that any junk code generated by the +Polymorph protection is executable, as it is going to be peppered +throughout the decryptor. 
Note, in this example, that some of the +junk instructions use registers that are actually used in the +decryptor! This is fine, providing the values in these +registers aren't destroyed. Also note, that now we have random +registers and random instructions on each generation. So, a +Polymorph protection Engine can be summed up into three major +parts: + 1 .. The random number generator. + 2 .. The junk code generator. + 3 .. The decryptor generator. +There are other discrete parts but these three are the ones where +most of the work goes on! + +How does it all work? Well a good protection would +* choose a random selection of registers to use for the +decryptor and leave the remaining registers as "junk" registers +for the junk code generator. +* choose one of the compressed pre-coded decryptors. +* go into a loop generating the real decryptor, peppered with +junk code. +From the protectionist's point of view, the advantages of this +kind of method are mainly: +* the casual cracker will have to sweat to find the decryptor. +* the casual cracker will not be able to prepare a "patch" for +the lamers, unless he locates and patches the generators, (that +may be compressed) coz otherwise the decryptor will vary every +time. + +To defeat this kind of protection you need a little "zen" feeling +and a moderate knowledge of assembler language... some of the +junk instructions "feel" quite singular when you look at them +(->see lesson B). Besides, you (now) know what may be going on +and memory breakpoints will immediately trigger on decryption... +the road is open and the rest is easy (->see lessons 3-5). 
+ +-----> Starting point number magic +For example, say the encrypted code started at address 10h, the +following could be used to index this address: + MOV SI,10h ;Start address + MOV AL,[SI] ;Index from initial address +But sometimes you'll instead find something like the following, +again based on the encrypted code starting at address 10h: + + MOV DI,0BFAAh ;Indirect start address + MOV AL,[DI+4066h) ;4066h + 0BFAAh = 10010h (and FFFF = 10h)!! +The possible combinations are obviously infinite. + + +[BIG KEYS] (Complicated encryption methods) + Prime number factoring is the encryption used to protect +sensible data and very expensive applications. Obviously for few +digit keys the decoding is much easier than for, say, 129 or 250 +digit keys. Nevertheless you can crack those huge encryption too, +using distributed processing of quadratic sieve equations (which +is far superior for cracking purpose to the sequential processing +methods) in order to break the key into prime numbers. To teach +you how to do this sort of "high" cracking is a little outside +the scope of my tutorial: you'll have to write a specific short +dedicated program, linking together more or less half a thousand +PC for a couple of hours, for a 250 bit key, this kind of things +have been done quite often on Internet, were you can also find +many sites that do untangle the mysteries (and vagaries) of such +techniques. + As References I would advocate the works of Lai Xueejia, those +swiss guys can crack *everything*. Begin with the following: +Xuejia Lai, James Massey, Sean Murphy, "Markov Ciphers and + Differential Cryptanalysis", Advances in Cryptology, + Eurocrypt 1991. +Xuejia Lai, "On the Design and Security of Block Ciphers", + Institute for Signal and Information Processing, + ETH-Zentrum, Zurich, Switzerland, 1992 +Factoring and primality testing is obviously very important for +this kind of crack. The most comprehensive work I know of is: +(300 pages with lengthy bibliography!) + W. 
Bosma & M. van der Hulst + Primality Testing with Cyclotomy + Thesis, University of Amsterdam Press. +A very good old book you can incorporate in your probes to build +very effective crack programs (not only for BBS accesses :=) is +*the* "pomerance" catalog: +Pomerance, Selfridge, & Wagstaff Jr. + The pseudoprimes to 25*10^9 + Math. Comp. Vol 35 1980 pp. 1003-1026 + +Anyway... make a good search with Lykos, and visit the relevant +sites... if encryption really interests you, you'll be back in +two or three (or thirty) years and you'll resume cracking with +deeper erudite knowledge. +[PATENTED PROTECTION SYSTEMS] + The study of the patented enciphering methods is also *quite* +interesting for our aims :=) Here are some interesting patents, +if you want to walk these paths get the complete texts: + [BEST] USPat 4168396 to Best discloses a microprocessor +for executing enciphered programs. Computer programs which have +been enciphered during manufacture to deter the execution of the +programs in unauthorized computers, must be decrypted before +execution. The disclosed microprocessor deciphers and executes +an enciphered program one instruction at a time, instead of on +a continuous basis, through a combination of substitutions, +transpositions, and exclusive OR additions, in which the address +of each instruction is combined with the instruction. Each unit +may use a unique set of substitutions so that a program which can +be executed on one microprocessor cannot be run on any other +microprocessor. Further, Best cannot accommodate a mixture of +encrypted and plain text programs. + [JOHNSTONE] USPat 4120030 to Johnstone describes a +computer in which the data portion of instructions are scrambled +and in which the data is of necessity stored in a separate +memory. There is no disclosure of operating with instructions +which are completely encrypted with both the operation code and +the data address portion being unreadable without a corresponding +key kernel. 
+ [TWINPROGS] USPat 4183085 describes a technique for +protecting software by providing two separate program storages. +The first program storage is a secure storage and the second +program storage is a free storage. Security logic is provided to +check whether an output instruction has originated in the secure +store and to prevent operation of an output unit which receives +output instructions from the free storage. This makes it +difficult to produce information by loading a program into free +storage. + [AUTHENTICATOR] USPat 3996449 entitled "Operating System +Authenticator," discloses a technique for authenticating the +validity of a plain text program read into a computer, by +exclusive OR'ing the plain text of the program with a key to +generate a code word which must be a standard recognizable code +word which is successfully compared with a standard corresponding +code word stored in the computer. If there is a successful +compare, then the plain text program is considered to be +authenticated and is allowed to run, otherwise the program +is not allowed to run. + +ELEMENTS OF [PGP] CRACKING +In order to try to crack PGP, you need to understand how these +public/private keys systems work. Cracking PGP seems extremely +difficult, though... I have a special dedicated "attack" computer +that runs 24 hours on 24 only to this aim and yet have only begun +to see the light at the famous other end of the tunnel. It's +hard, but good crackers never resign! We'll see... I publish here +the following only in the hope that somebody else will one day +be able to help... +In the public key cryptosystems, like PGP, each user has an +associated encryption key E=(e,n) and decryption key D=(d,n), +wherein the encryption keys for all users are available in a +public file, while the decryption keys for the users are only +known to the respective users. 
In order to maintain a high level +of security a user's decoding key is not determinable in a +practical manner from that user's encoding (public) key. Normally +in such systems, since + e.multidot.d.ident.1 (mod(1 cm((p-1),(q-1)))), +(where "1 cm((p-1),(q-1))" is the least common multiple of the +numbers p-1 and q-1) + +d can be determined from e provided p and q are also known. +Accordingly, the security of the system is dependent upon the +ability to determine p and q which are the prime factors of n. +By selecting p and q to be large primes, the resultant composite +number n is also large, and correspondingly difficult to factor. +For example, using known computer-implemented factorization +methods, on the order of 10.sup.9 years is required to factor a +200 digit long number. Thus, as a practical matter, although a +user's encryption key E=(e,n) is public, the prime factors p and +q of n are effectively hidden from anyone due to the enormous +difficulty in factoring n. These aspects are described more fully +in the abundant publications on digital signatures and Public-Key +Cryptosystems. Most public/private systems relies on a message- +digest algorithm. + A message-digest algorithm maps a message of arbitrary length +to a "digest" of fixed length, and has three properties: +Computing the digest is easy, finding a message with a given +digest "inversion" is hard, and finding two messages with the +same digest "collision" is also hard. Message-digest algorithms +have many applications, not only digital signatures and message +authentication. RSA Data Security's MD5 message-digest algorithm, +developed by Ron Rivest, maps a message to a 128-bit message +digest. Computing the digest of a one-megabyte message takes as +little as a second. While no message-digest algorithm can yet +be secure, MD5 is believed to be at least as good as any other +that maps to a 128-bit digest. 
+ As a final gift, I'll tell you that PGP relies on MD5 for a +secure one-way hash function. For PGP this is troublesome, to say +the least, coz an approximate relation exists between any four +consecutive additive constants. This means that one of the design +principles behind MD4 (and MD5), namely to design a collision +resistant function, is not satisfied. You can construct two +chaining variables (that only differ in the most significant bit +of every word) and a single message block that yield the same +hashcode. The attack takes a few minutes on a PC. From here you +should start, as I did. + +[DOS 4GW] cracking - This is only a very provisory part of this +tutorial. DOS 4GW cracking will be much better described as soon +as [Lost soul] sends his stuff, if he ever does. For (parts of) +the following I thank [The Interrupt]. + Most applications of every OS, and also of DOS 4GW, are +written in C language, coz as you'll have already learned or, +either, you'll learn, only C allows you to get the "guts" of a +program, almost approaching the effectiveness of assembler +language. + C is therefore the LANGUAGE OF CHOICE for crackers, when you +prepare your tools and do not directly use assembler routines. +Besides... you'll be able to find VERY GOOD books about C for +next to nothing in the second hand bookshops. All the lusers are +throwing money away in spades buying huge, coloured and +absolutely useless books on unproductive "bloated" languages like +Visual basic, C++ and Delphy. Good C new books are now rare +(books on assembler language have always been) and can be found +almost exclusively on the second hand market. Find them, buy +them, read them, use them for your/our aims. You can find a lot +of C tutorials and of C material on the Web, by all means DO IT! +Be a conscientious cracker... learn C! 
It's cheap, lean, mean and +very productive (and creative) :=) + Back to the point: most stuff is written in C and therefore +you need to find the "main" sub-routine inside the asm. With +DOS/4GW programs, search the exe file for "90 90 90 90", almost +always it'll be at the start of the compiled code. Now search for +an INT_21 executed with 4C in AH, the exec to dos code (if you +cannot "BPINT 21 AH=4C" with your tool, then search for the +sequence "b4 4c cd 21". This is the equivalent to [mov AH,4C & +int 21]: it's the most direct call, but as you'll have already +learned, there are half a dozen ways to put 4C in AX, try them +all in the order of their frequency). + A few bytes above the INT_21 service 4C, you'll find the +call to the "main" subroutine: "E8 xx xx". Now place a "CC" byte +a few bytes above the call in the exe and run the exe under a +debugger. When the computer tries to execute the instruction +you'll be throw back in the debugger coz the "CC" byte acts as +INT_01 instruction. Then proceed as usual. + +[THE "STEGONATED" PASSWORD HIDEOUT] + A last, very nice trick should be explained to every wannabe +cracker, coz it would be embarrassing to search for passwords or +protection routines that (apparently) are not there. They may be +hidden INSIDE a picture (or a *.waw file for that matter). This +is steganography, a method of disguising messages within other +media. + Depending on how many shades of grey or hues of colour you want +to have, a pixel can be expressed using 8. 16, 32 or even more +bits. If the least significant bit is changed. the shade of the +pixel is altered only one-256th, one-65,OOOth or even less. No +human eye could tell the difference. + What the protectionist does, is hijack the least significant +bit in each pixel of a picture. It uses that bit to store one bit +of a protection, or of a password (or of a file, or of a secret +message). 
Because digitized pictures have lots of pixels, it's +possible to store lots of data in a single picture. A simple +algorithm will transfer them to the relevant parts of the program +when it needs be, and there we'll intercept them. You'll need to +learn very well the zen-cracking techniques to smell this kind +of stuff though (-> see lesson B). + +Well, that's it for this lesson, reader. Not all lessons of my +tutorial are on the Web. + + You 'll obtain the OTHER missing lessons IF AND ONLY IF you +mail me back (via anon.penet.fi) with some tricks of the trade +I may not know that YOU discovered. Mostly I'll actually know +them already, but if they are really new you'll be given full +credit, and even if they are not, should I judge that you +"rediscovered" them with your work, or that you actually did good +work on them, I'll send you the remaining lessons nevertheless. +Your suggestions and critics on the whole crap I wrote are also +welcomed. + +an526164@anon.penet.fi (+ORC) + + + diff --git a/textfiles.com/piracy/CRACKING/c8a.txt b/textfiles.com/piracy/CRACKING/c8a.txt new file mode 100644 index 00000000..6045adb7 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/c8a.txt 
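Review bot: the file ends with three empty `+` lines after the signature `an526164@anon.penet.fi (+ORC)`; if this import is meant to be byte-exact with the textfiles.com original, keep them, otherwise trim the trailing blank lines so end-of-file handling is consistent across the archive. The transcription artefacts in the body (`MOV AL,[DI+4066h)` with a mismatched bracket, `one-65,OOOth` with capital O in place of zero, `8. 16, 32` with a stray period, `*.waw`) look like errors in the original typed text rather than diff damage, so they should not be corrected here; a one-line statement in the commit message that these files are mirrored verbatim and intentionally uncorrected would stop future reviewers from filing fixes against them.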
@@ -0,0 +1,326 @@ +HOW TO CRACK, by +ORC, A TUTORIAL + +Lesson 8.1: How to crack Windows, an approach + +-------------------------------------------------------- + SPECIAL NOTE: Please excuse the somehow "unshaven" + character of the windows lessons... I'm cracking the + newest Windows '95 applications right now, therefore + at times I had to add "on the fly" some corrections to + the older Windows 3.1 and Windows NT findings. + "homines, dum docent, discunt". +--------------------------------------------------------- + +-> 1st THING TO REMEMBER +The NE format does give every windows executable the equivalent +of a debug symbol table: A CRACKER BLISS! + +-> UNDOCUMENTED DEBUGGING +One of the many feature of Windows based on undocumented +foundations is the "ability to debug". +A word about undocumented functions in the MS-Operating Systems: +Microsoft manipulates its rule and domination of the operating +systems in use to day (MS-DOS, Windows, Windows '95) with two +main wicked aims: +1) getting the concurrence completely bankrupt (that's the + scope of all the using of undocumented functions and + CHANGING them as soon as the concurrence uses them). The + battle against Borland was fought in this way. +2) getting all future "programmers" to use windows as a "black + box" that only Microsoft engineers (if ever) can master, so + that everybody will have to sip the ill-cooked abominations + from Microsoft without ever having a chance to alter or + ameliorate them. +Strange as it may seem, only the sublime cracker community fights +against these intolerable plans. All stupid governments and +lobbies -on the contrary- hide behind the fig-leaf of the +"market" "freedom" in order to ALLOW such heinous developments +(I'm speaking as if they were capable to opposing them even if +they wanted, which they do not. Be assured, they couldn't anyway, +"Governments" are deliberately MADE to serve Gates and all the +remaining suckers, and lobbies are the shield of feudalism. 
You +can forget "democracy", the only rule existing is a malevolent +oligarchy based on money, personal connections, defect of +culture, lack of knowledge and dictatorship of bad taste through +television in order to keep the slaves tamed... enough now...) +The windows situation is particularly reminiscent of the older +situation in DOS, where for years the key "load but don't +execute" function, used by debuggers, such as [DEBUG], [SYMDEB] +and [CODEVIEW], was "reserved" by Microsoft. + The windows debugging library, WINDEBUG.DLL, a number of +undocumented functions and even the interface it provides are +undocumented! The WinDebug() function is used by all available +windows debuggers, including [CVW] (CodeView for Windows), [TDW] +(TurboDebugger for Windows), [Multiscope] and [Quick C for +Windows] (the last two are GUI, not text debuggers. The use of +WinDebug() doesn't show up in MAPWIN output 'coz debuggers link +to it at run-time via the amazing GetProcAddress() function. + WinDebug() is a hacked 32-bit version, for the old Windows +3.0, of the poorly documented DOSPTrace() function from OS/2 1.x +(study these older Operating Systems! Studying the past you'll +understand EVERYTHING! Sometime I think that the only way to hack +and crack correctly is to be more a software historian than a +programmer... fac sapias et liber eris!). DOSPTrace is, in turn, +based on the ptrace() function in Unix. + Like DosPTrace(), WinDebug() takes commands such as Go, +Single-Step, Write&Read Registers, Write&Read Memory. It returns +to its caller either when the command completes or when a +breakpoint occurs (or a DLL load). These commands and +notifications appear in a large structure whose address is passed +in WinDebug(). + WinDebug() was renamed CVWIN.DLL (and TDWIN.DLL) for Windows +3.1., all crackers should study it and get the maximum possible +documentation about it. 
As you will see in the following, it is +worth to study also TOOLHELP.DLL (what Microsoft would like you +to fiddle with) and INT_41h (the real debugging interface). + +Interrupt handling under Windows + Interrupt handling under Windows can be tricky: you need to +use Toolhelp (a rather scaring lobotomy for your programs) or to +have special code for Standard vs. Enhanced modes, because the +information on the stack of an interrupt or exception handler +differs between the two windows modes. In addition, some handlers +would be installed using INT_21h, while others are set up using +DPMI services. Toolhelp has quite a bit of internal code that +"cooks" the interrupts and sends them to you in an easily +digestible form. + Remember that Windows uses GP faults as a "hacker" method +of doing ring transitions that are not allowed with legal 80x86 +instructions: the virtual memory system of Enhanced mode is +implemented via the page fault. + +Some tools for cracking windows (-> see lesson 9) +----------------- DEBUGGERS +CVW and TDW (you have to know the function's + segment:offset address beforehand in order + to crack a function) +WCB [Windows Codeback] by Leslie Pusztai (it's + a really cool tool!) +WDEB386 Microsoft's WDEB386 (clumsy, and requires a + second monitor) +Soft-Ice/Windows best (BY FAR!) windows debugger! NuMega is + so good I am at times really sorry to crack + their products! [WINICE] is the single, + absolutely essential debugger and snooping + utility for windows crackers. Get it! + +----------------- POST MORTEM INSPECTORS +CORONER, etc. (a lot of shareware) +MS-DrWatson Old and clumsy +Borland's Winspector THE BEST! It has the BUILDSYM utility + that allows the creation of a debug + .SYM file from an .EXE without debug + information. 
+ + +----------------- INSPECTORS +MS-Spy Old +Borland's WinSight (Best one, select "Other") +MicroQuill's Windows DeMystifiers (from Jeff Richter): + VOYEUR (hold SHIFT picking Message Selection), COLONEL, + MECHANIC and ECOLOGIST + +----------------- SNOOPERS +[INFSPY.EXE], 231.424 bytes, version 2.05 28/8/1994 by Dean +Software Design, may be the more complete one. +[SUPERSPY.EXE], 24.576 bytes, 10,6,1994, quite handy for quick +informations. +[WINVIEW.EXE], 30.832 bytes, Version 3.00 by Scott McCraw, MS(c) +1990-1992, this is the old MS-Spy, distributed by MS +[TPWSPY.EXE], 9.472 bytes, quite primitive, but you get the +pascal source code with it. + + +-> INSIDE A WINDOWS '95 DEBUGGER + You can debug a program at the assembly-language level +without any debugging information. The DOS [DEBUG] program does +that, allowing breakpoints and single-stepping, all of which +implies that the hardware must be cooperating. Back in the time +of the 4-MHz Z-80s, you used a debugger that plugged interrupt +op codes into the instruction stream to generate breakpoints. + Nothing has changed. That's how you debug a program on a +80586 (=Pentium). The x86 architecture includes software +interrupts. The 1-byte op code xCC is the INT_03 instruction, +reserved for debuggers. You can put the INT_03 op code in place +of the program instruction op code where the break is to occur +and replace the original op code at the time of the interrupt. +In the 80386 and later, you can set a register flag that tells +the processor to generate a not-intrusive INT_01 instruction for +every machine instruction executed. That device supports single +stepping. + The Win32SDK (Windows '95 software developer's kit) includes +functions that allow one program to launch another program and +debug it. The SDK's debug API takes care of how the interrupts +and interrupt vectors get managed. 
The logical consequence of +such an approach is that fewer and fewer people will be able to +know what's going on inside an application. The bulk of the +programmers -in few years time- will not be able any more to +reverse engineer an application, unless the few that will still +understand assembler-language do offer them the tools to do it. +Microsoft -it is evident- would like the programmers to use a +"black box" approach to programming, writing nice little "hallo +world" application and leaving to the engineers in Microsoft +alone the capacity to push forward (and sell) real programs that +are not toy application. + The Win32 documentation seems vast, almost luxurious, until +you begin serious work and you discover its shortcomings, like +the fact that extended error codes are not documented, and +numerous APIs are documented either incorrectly or so poorly that +you must burn precious time testing them. What we definitely need +is to find some secret fellows inside Microsoft (like good old +Prometeus) that smuggles to the outside the real documentation +that the Microsoft engineers have reserved for themselves. If you +are reading this and do work for Microsoft, consider the +possibility of double-crossing your masters for the sake of +humanity and smuggle us the secret information. + In windows '95 a debugger program launches a program to be +debugged by calling the _CreateProcess function, specifying in +an argument that the program is to be debugged. Then the debugger +program enters a loop to run the program. At the top of the loop +the debugger calls _WaitForDebugEvent. + Each time _WaitForDebugEvent returns it sets indicators that +tell about the vent that suspended the program being debugged. +This is where the debugger traps breakpoints and single-step +exceptions. _WaitForDebugEvent fills in an event structure that +contains among other things the address that was interrupted end +the event that caused the interrupt. 
+ The debugger calls _GetThreadContext to get the running +context of the debugged program, including the contents of the +registers. The debugger can, as the result of cracker +interaction, modify these values and the contents of the debugged +program's memory. + The debugger sets breakpoints by saving the op code at the +instruction to be intercepted and putting the INT_03 op code at +its place, it's always the same old marmalade. When the +breakpoint occurs, the debugger replaces the original op code in +the program's instruction memory, and decrements the interrupted +program counter in the saved context so that execution resumes +at the instruction that was broken. + To single-step a program, the debugger sets a bit in the +context's flags register that tells the processor to generate an +INT_01 for every instruction cycle. When that interrupt occurs, +the debugger checks to see if the interrupted address is at a new +source-code line number. If not, the debugger continues +execution. Otherwise, the debugger displays the new line in the +IDE and waits for the cracker to take an action that resumes the +program. + While the debugged program is suspended, the debugger +interacts with the cracker and provides full access to the +debugged program's context and memory. This access permits the +cracker to examine and modify part of the code. + To resume the debugged program, the debugger resets the +program's context by calling _SetThreadContext and calls +_ContinueDebugEvent. Then, the debugger returns to the top of the +loop to call _WaitForDebugEvent again. + To extract debug information from a Win32 executable file, +you must understand the format of that file (best thing to do, +to practice yourself, would be to reverse engineer small +programs). The executable file has two sections not found in +other executable files: ".stab" and ".stabstr". How nice that +they used names that suggest their purpose (nomen est omen). 
+You'll find them inside a table of fixed-length entries that +include entries for .text, .bss, .data and .idata. Inside these +sections the compilers put different parts of a program. + There are several different formats for encoding debug +information in an executable file. Borland's Turbo Debugger one +format. Microsoft's CodeView another. The gnu-win32 port from +Cygnus the stab format, an acronym meaning "symbol table", +although the table contains much more than just symbol +information. + The .stab section in a portable executable file is a table +of fixed-length entries that represent debugging information in +the stab format. The .stabstr section contains variable-length, +null terminated strings into which the .stab table entries point. + The documentation for the stab format is available in text +format on the Cygnus ftp site (ftp.cygnus.com//pub/gnu-win32). + Stabs contain, in a most cryptic format, the names and +characteristics of all intrinsic and user-defined types, the +memory address of every symbol in external memory and on the +stack, the program counter address of every function, the program +counter address where every brace-surrounded statement block +starts and ends, the memory address of line numbers within +source-code files, and anything else that a debugger needs. The +format is complex and cryptic because it is intended to support +any source-code language. It is the responsibility of a debugger +program to translate the stab entries into something meaningful +to the debugger in the language being debugged. + + Windows '95 invokes dozens of INT_21 services from 32-bit +code, including KERNEL32.DLL and possess Krn32Mutex, which +apparently controls access to certain parts of the kernel. Some +of the functions in KERNEL32 can be blocked by the Win16Mutex, +even though Microsoft says this isn't the case. + +SO, I WANNA CRACK, WHAT SHOULD I DO? 
+ I'll show you a simple windows crack, so easy it can be done +without WINICE: let's take [WINPGP4.1.] (front-end for PGPing in +windows, by Geib - I must thank "Q" for the idea to work on this +crack). + Using WCB you'll find out quickly that the "CONGRATULATIONS +your registration number is OK" and the "SORRY, your registration +number is not correct" data blocks are at the block starting at +36.38B8 (respectively at 36.38D5 and 36.3937), that relocs to +13.081B. + Looking at 13.0000 and following code, you'll find a push +38D5 (68D538) and a push 3937 (683739) at 13.064D and 13.06AE. + The road to the crack is now open, you just need to find and +"fool" the calling routines. You'll learn the exact procedures +for this kind of WINcracks in part 2 and 3 of -> Lesson 8. Let's +now have a look at the protection scheme (disassembly from WCB): +... +13.0E88 660FBF46F8 movsx eax, word ptr [bp-08] +13.0E8D 668946F4 mov [bp-0C], eax +13.0E91 668B46F4 mov eax, [bp-0C] +13.0E95 6669C00A000300 imul eax, 0003000A +13.0E9C 668946F0 mov [bp-10], eax +13.0EA0 668B4606 mov eax, [bp+06] +13.0EA4 663B46F0 cmp eax, [bp-10] +13.0EA8 7505 jne 0EAF <- beggar_off +13.0EAA B80100 mov ax, 0001 <- flag 1 = "Right!" +13.0EAD EB04 jmp 0EB3 <- and go on +beggar_off: +13.0EAF 33C0 xor ax,ax <- flag 0 = "Nope!" +13.0EB1 EB00 jmp 0EB3 <- and go on + + I want you to have a good look at this protection scheme. +IT'S THE SAME OLD SOUP! You do remember lesson 3 and the +protection schemes of the old DOS stupid games of the '80s, don't +you? IT'S THE SAME OLD SOUP! In this "up-to-date" "new" windows +application, in WINPGP version 4.1 of 1995/1996, exactly the same +kind of protection is used to "conceal" the password! +A) compare user input with memory echo +B) beggar off if not equal with AX=0 +C) go on if equal with AX=1... how boring! + Besides, look at all the mov eax, and eax, moves preceding +the compare! That's a typical pattern for these "number_password" +protections! 
I wrote (years ago) a little crack utility that +searches for code blocks with a "66" as first instruction_byte +repeating in four or more consecutive instructions and it still +allows me to crack more than half of these windows password smuts +in less than three seconds flat. The IMUL instruction creates the +"magic" number, and if you give a closer look at the mathematical +part of the "conceal" routine, it could help you to crack +analogous schemes used in order to protect the "Instant access" +(c) & (tm) time_crippled software :=) + Now you could crack the above code in 101 different ways, +the most elegant one would probably substitute je 0EAF (or jZ +0EAF, that's the same) to the jne 0EAF at 13.0EA8. You just write +a 74 at the place of the 75, like you did for the cracks in +1978... how boring: it's really the same old soup! (But you'll +see some new tricks in the next lessons). + +Well, that's it for this lesson, reader. Not all lessons of my +tutorial are on the Web. + You 'll obtain the missing lessons IF AND ONLY IF you mail +me back (via anon.penet.fi) with some tricks of the trade I may +not know that YOU discovered. Mostly I'll actually know them +already, but if they are really new you'll be given full credit, +and even if they are not, should I judge that you "rediscovered" +them with your work, or that you actually did good work on them, +I'll send you the remaining lessons nevertheless. Your +suggestions and critics on the whole crap I wrote are also +welcomed. + ++ORC 526164@anon.penet.fi + + diff --git a/textfiles.com/piracy/CRACKING/c8b.txt b/textfiles.com/piracy/CRACKING/c8b.txt new file mode 100644 index 00000000..4bc7e680 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/c8b.txt 
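Review bot: check that the tool used to produce this import did not normalise whitespace, because the disassembly listing (`13.0E88 660FBF46F8 movsx eax, word ptr [bp-08]` through `13.0EB1 EB00 jmp 0EB3`) and the tool tables under `----------------- DEBUGGERS` depend on column alignment that appears collapsed to single spaces in the hunk as shown; compare against the source file before merging. Two smaller points for the same commit message note: the signature line here reads `+ORC 526164@anon.penet.fi`, while the preceding file signs `an526164@anon.penet.fi (+ORC)`, and the file again ends with empty `+` lines, so the same verbatim-mirror policy should be stated rather than silently applied.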
@@ -0,0 +1,449 @@ +HOW TO CRACK, by +ORC, A TUTORIAL + +Lesson 8.2: How to crack Windows, a deeper approach + +--------------------------------------------------------- + SPECIAL NOTE: Please excuse the somehow "unshaven" + character of the windows lessons... I'm cracking the + newest Windows '95 applications right now, therefore + at times I had to add "on the fly" some corrections to + the older Windows 3.1 and Windows NT findings. + "homines, dum docent, discunt". +--------------------------------------------------------- + +-> 1st THING TO REMEMBER +If you thought that DOS was a mess, please notice that windows +3.1 is a ghastly chaos, and windows 95 a gruesome nightmare of +ill-cooked spaghetti code. Old Basic "GOTO" abominations were +quite elegant in comparison with this concoction... One thing is +sure: This OS will not last... it's way too messy organised, +impossible to consolidate, slow and neurotic (but I must warn +you... I thought exactly the same things about DOS in 1981). + The most striking thing about windows 95 is that it is neither +meat not fish: neither 16 nor 32... you could call it a "24 bit" +operating system. + We'll never damage Microsoft interests enough to compensate for +this moronic situation... where you have to wait three minutes +to get on screen a wordprocessor that older OS (and even old DOS) +kick up in 5 seconds. I decide therefore, hic et nunc, to add an +ADDENDUM to this tutorial: Addendum 1 will be dedicated to teach +everybody how to crack ALL Microsoft programs that do exist on +this planet. I'll write it this sommer and give it away between +the "allowed" lessons. + Anyway you can rely on good WINICE to crack everything, you'll +find it on the web for free, I use version 1.95, cracked by [The +Lexicon] (do not bother me for Warez, learn how to use the search +engines on the web and fish them out yourself). Learn how to use +this tool... read the whole manual! 
Resist the temptation to +crack immediatly everything in sight... you 'll regret pretty +soon that you did not wanted to learn how to use it properly. +A little tip: as Winice is intended more for software developers +than for crackers, we have to adapt it a little to our purposes, +in order to make it even more effective: a good idea is to have +in the *.DAT initialization file following lines: + INIT = "CODE ON; watchd es:di; watchd ds:si;" + TRA = 92 +This way you'll always have the hexadecimal notation on, two very +useful watch windows for passwords deprotection and enough buffer +for your traces. + +WINDOWS 3.1. basic cracking: [ALGEBRAIC PROTECTIONS] + The most used windows protections are "registration codes", +these must follow a special pattern: have a "-" or a "+" in a +predetermined position, have a particular number in particular +position... and so on. +For the program [SHEZ], for instance, the pattern is to have a +14 bytes long alphanumeric sequence containing CDCE1357 in the +first 8 bytes. + The second level of protection is to "connect" such a +pattern to the alphanumeric contents of the NAME of the user... +every user name will give a different "access key". This is the +most commonly used system. + As most of these protections have a "-" inside the answering +code, you do not need to go through the normal cracking procedure +(described in the next lesson): +* load WINICE +* hwnd [name_of_the_crackanda_module] +* choose the window Handle of the snap, i.e, the exact + "FIELD" where the code number input arrives... say 091C(2) +* BMSG 091C WM_GETTEXT +* Run anew +* Look at the memory location(s) +* Do the same for the "Username" input FIELD. (Sometimes + linked, sometimes not, does not change much, though) +* BPR (eventually with TRACE) on the memory locations (these + will be most of the time FOUR: two NUMBERCODES and two + USERNAMES). The two "mirrored" ones are the most important + for your crack. 
At times there will be a "5th" location, + where the algebraic play will go on... +* Look at the code that performs algebraic manipulations on + these locations and understand what it does... +* Disable the routine or jump over it, or reverse it, or + defeat it with your own code... there are thousand + possibilities... +* Reassemble everything. + +Uff... quite a long cracking work just to crack some miserable +program... isn'there a quicker way? OF COURSE THERE IS! Actually +there are quite a lot of them (see also the crack of Wincat Pro +below): Look at the following code (taken from SNAP32, a screen +capture utility for Windows 95, that uses a pretty recent +protection scheme): + + XOR EBX,EBX ; make sure EBX is zeroed + MOV BL, [ESI] ; load input char in BL + INC ESI ; point at the next character + MOV EDI,EBX ; save the input character in EDI + CMP EBX,+2D ; input char is a "-" ? + JZ ok_it's_a_+_or_a_- + CMP EBX,+2B ; input char is a "+" ? + JNZ Jesus_it's_neither_a_minus_nor_a_plus_let's_check_it +:ok_it's_a_+_or_a_- + XOR EBX,EBX ; EBX is zeroed + MOV BL,[ESI] ; recharge BL + INC ESI ; point to next char (do not check - or +) +:Jesus_it's_neither_a_minus_nor_a_plus_let's_check_it + XOR EBP,EBP ; zero EBP + CMP DWORD PTR [boguschecker], +01 + ... + +even if you did not read all my precedent lessons, you do not +need much more explications... this is a part of the algebraic +check_procedure inside the SNAP32 module... you could also get +here through the usual + USER!BOZOSLIVEHERE + KERNEL!HMEMCPY + USER!GLOBALGETATOMNAME +Windows wretched and detestable APIs used for copy protections, +as usual with WINICE cracking, and as described elsewhere in my +tutorial. + The above code is the part of the routine that checks for the +presence of a "+" or a "-" inside the registration number (many +protections scheme requires them at a given position, other need +to jump over them). 
+ Now sit down, make yourself comfortable and sip a good Martini- +Wodka (invariably very useful in order to crack... but be aware +that only Moskowskaia russian Wodka and a correct "Tumball" glass +will do, do not forget the lemon)... what does this "-" stuff +mean for us little crackers? + It means that we can search directly for the CMP EBX,+2B +sequence inside any file protected with these schemes... and +we'll land smack in the middle of the protection scheme! That's +amazing... but you will never underrate enough the commercial +programmers... the only really amazing thing is how simpleton the +protectionists are! You don't believe me? Try it... you 'll get +your crack at least 4 out of 5 times. + Yes I know, to find this code is not yet to crack it... but for +this kind of copy protection (that's the reason it is so +widespread) there is no single solution... each makes a slightly +different algebraic manipulation of the alphanumeric and of the +numeric data. It's up to you to crack the various schemes... here +you can only learn how to find them and circumvene them. I'll not +give you therefore a "debug" crack solution. You'll find it +yourself using my indications (see the crack of the Wincat Pro +program below). + +WHERE ARE THE CODES? WHERE ARE THE MODIFIED FILES? WHERE DO THE +PROTECTIONS KEEP COUNT OF THE PASSING DAYS? +Most of the time the protection schemes use their own *.ini files +in the c:\WINDOWS directory for registration purposes... at time +they even use the "garbage sammler" win.ini file. Let's take as +example WINZIP (versions 5 and 5.5), a very widespread program, +you'll surely have one shareware copy of it somewhere between +your files. + In theory, winzip should be registered per post, in order to +get a "NEW" copy of it, a "registered" copy. + This scares most newby crackers, since if the copy you have +it's not full, there is no way to crack it and make it work, +unless you get the REAL stuff. 
The youngest among us do not +realize that the production of a real "downsized" demo copy is +a very expensive nightmare for the money-infatuated commercial +programmers, and that therefore almost nobody does it really... +nearly all "demos" and "trywares" are therefore CRIPPLED COMPLETE +PROGRAMS, and not "downsized" demos, independently of what the +programmers and the protectionists have written inside them. + Back to Winzip... all you need, to crack winzip, is to add a +few lines inside the win.ini file, under the heading [WinZip], +that has already been created with the demo version, before the +line with "version=5.0". + I will not help you any further with this... I'll leave it to +you to experiment with the correct sequences... inside win.ini +you must have following sequence (these are only template to +substitute for your tries inside WINICE... you'll get it, believe +me): + [WinZip] + name=Azert Qwerty + sn=######## + version=5.5 + + The *important* thing is that this means that you DO NOT NEED +to have a "new registered version" shipped to you in order to +make it work, as the protectionist sellers would like you to +believe. The same applies most of the time... never believe what +you read in the read.me or in the registration files... + This brings me to a broader question: NEVER believe the +information they give you... never believe what television and/or +newspapers tell you... you can be sure that the only reason they +are notifying you something is to hinder you to read or +understand something else... this stupid_slaves_society can only +subsist if nobody thinks... if you are really interested in what +is going on, real information can be gathered, but surely not +through the "conventional" newspapers and/or news_agencies (and +definitely NEVER through television, that's really only for the +stupid slaves)... yes, some bit of information can be +(laboriously) gathered... it's a cracking work, though. 
+ +HOW TO CRACK INFORMATION [WHERE WHAT] +* INTERNET + In the middle of the hugest junk collection of the planet, some +real information can be laboriously gathered if you do learn how +to use well the search engines (or if you do build your ones... +my spiders are doing most of the work for me... get your robots +templates from "Harvest" or "Verify" and start your "spider +building" activity beginning from Martijn Koster's page). As +usual in our society, in the Internet the real point is exactly +the same point you'll have to confront all your life long: HOW +TO THROW AWAY TONS OF JUNK, HOW TO SECLUDE MYRIADS OF USELESS +INFORMATION and HOW TO FISH RARE USEFUL INFORMATION, a very +difficult art to learn per se. Internet offers some information, +though, mainly BECAUSE it's (still) unregulated. You want a +proof? You are reading it. + +* SOME (RARE) NEWSPAPERS. + The newspaper of the real enemies, the economic powers that +rule this slaves world, are paradoxically most of the time the +only ones worth studying... somewhere even the real rulers have +to pass each other some bits of real information. The "Neue +Zuercher Zeitung", a newspaper of the Swiss industrials from +Zuerich, is possibly the best "not_conformist trend analyzer" +around that you can easily find (even on the web). These +swissuckers do not give a shit for ideology, nor preconcerted +petty ideas, the only thing they really want is to sell +everywhere their ubiquitous watches and their chocolates... in +order to do it, a land like Switzerland, with very high salaries +and a good (and expensive) social system, must use something +brilliant... they found it: a clear vision of the world... as a +consequence this newspaper is very often "against" the trend of +all the other medias in the world, the ones that are used only +in order to tame the slaves... If the only language you know is +english (poor guy) you could try your luck with the weekly +"Economist"... 
you'll have to work a lot with it, coz it has been +tailored for the "new riches" of the Tatcher disaster, but you +can (at times) fish something out of it... they do a lot of +idiotic propaganda, but are nevertheless compelled to write some +truth. American newspapers (at least the ones you can get here +in Europe) are absolute shit... one wonders where the hell do the +americans hyde the real information. + On the "non-capitalistic" side of information there is a +spanish newspaper "El Pais" that seems to know about what's going +on in South America, but it's so full of useless propaganda about +irrelevant Spanish politics that it's not really worth reading. +The monthly "Le Monde diplomatique" offers something too... this +one exaggerates a little on the pauperistic "third world" side, +but has a lot of useful information. See what you can do with all +this information (or disinformation?) + +[BELIEVE THE COUNTRARY] + Another good rule of thumb in choosing your medias is the +following... if all medias around you assure, for instance, that +"the Serbians are evil"... the only logical consequence is that +the Serbians are not so evil at all and that "the Croats" or some +other Yugoslavian shits are the real culprits. This does not mean +at all that the Serbians are good, I warn you, it means only what +I say: something is surely hidden behind the concerted propaganda +you hear, the best reaction is to exaggerate in the other +direction and believe the few bit of information that do say the +countrary of the trend. This rule of thumb may be puerile, but +it works somehow most of the time... if somewhere everybody +writes that the commies are bad then THERE the commies must not +be so bad at all and, conversely, if everybody in another place +writes that the commies are all good and nice and perfect (like +the Soviet propaganda did) then THERE the commies are surely not +so good... it's a matter of perspective, much depends on where +you are, i.e. 
whose interests are really at stake. There is NEVER +real information in this society, only propaganda... if you still +do not believe me do yourself a little experiment... just read +the media description of a past event (say the Vietnam war) as +written AT THE MOMENT of the event and (say) as described 10 +years later. You'll quickly realize how untrustworthy all +newspapers and medias are. + +* SEMIOTICS You'll have to study it (as soon as you can) to +interpret what they let you believe, in order to get your +bearings. A passing knowledge of ancient RHETORIC can help quite +a lot. Rhetoric is the "Softice" debugger you need to read +through the propaganda medias: concentrate on Periphrasis, +Synecdoche, Antonomasia, Emphasis, Litotes and Hyperbole at the +beginning... you'll later crack higher with Annominatio, +Polyptoton, Isocolon and all the other lovely "figurae +sententiae". + +Enough, back to software cracking. + +HOW A REGISTRATION CODE WORKS [WINCAT] + Let's take as an example for the next crack, a Username- +algebraic registration code, WINCAT Pro, version 3.4., a 1994 +shareware program by Mart Heubel. It's a good program, pretty +useful to catalogue the millions of files that you have on all +your cd-roms (and to find them when you need them). +The kind of protection Wincat Pro uses is the most utilized +around: the username string is manipulated with particular +algorithms, and the registration key will be made "ad hoc" and +depends on the name_string. It's a protection incredibly easy to +crack when you learn how the relevant procedures work. + [WINCAT Pro] is a good choice for cracking studies, coz you +can register "over your registration" one thousand times, and you +can herefore try for this crack different user_names to see all +the algebrical correspondences you may need to understand the +protection code. 
+ In this program, when you select the option "register", you +get a window where you can input your name and your registration +number (that's what you would get, emailed, after registering +your copy). If you load winice and do your routinely hwnd to +individuate the nag window, and then breakpoint on the +appropriate memory ranges you'll peep in the working of the whole +bazaar (this is completely useless in order to crack these +schemes, but it'll teach you a lot for higher cracking, so you +better do it also with two or three other programs, even if it +is a little boring): a series of routines act on the input (the +name) of the user: the User_name_string (usn). First of all the +usn_length will be calculated (with a REPNZ SCASB and a following +STOSB). Then various routines store and move in memory the usn +and the registration_number (rn) and their relative lengths. In +order to compare their lengths and to check the correct +alphanumeric correspondence between usn and rn, the program first +uppercases the usn and strips all eventual spaces away. + Here the relevant code (when you see an instruction like +SUB AL,20 you should immediately realize that you are in a +uppercasing routine, which is important for us, since these are +mostly used for password comparisons)... here the relevant Winice +unassemble and my comments: +253F:00000260 AC LODSB <- get the usn chars +253F:00000261 08C0 OR AL,AL <- check if zero +253F:00000263 740F JZ 0274 <- 0: so usn finished +253F:00000265 3C61 CMP AL,61 <- x61 is "a", man +253F:00000267 72F7 JB 0260 <- not a lower, so loop +253F:00000269 3C7A CMP AL,7A <- x7A is "z", what else? +253F:0000026B 77F3 JA 0260 <- not a lower, so loop +253F:0000026D 2C20 SUB AL,20 <- upper it if it's lower +253F:0000026F 8844FF MOV [SI-01],AL<- and hyde it away +253F:00000272 EBEC JMP 0260 <- loop to next char +253F:00000274 93 XCHG AX,BX +... 
+The instruction MOV [SI-01],AL that you see here is important +at times, coz it points to the location of the "pre-digested" +usn, i.e. the usn formatted as it should be for the number +comparison that will happen later. In some more complicated +protection schemes the reasoning behind this formatting is the +following: "Stupid cracker will never get the relation algorhitm +usn <-> rn, coz he does not know that usn AND rn are slightly +changed before comparing, ah ah... no direct guessing is +possible". Here is only "polishing": you have to "polish" a +string before comparing it in order to concede some mistakes to +the legitimate user (too many spaces in the name, upper-lower +case mismatch, foreign accents in the name etc.) You just need +to know, for now, that this checking is usually still 5 or 6 +calls ahead of the real checking (it's what we call a "green +light"). + You should in general realize that the real checking of the +algebrical correspondence follows after a whole series of memory +operations, i.e.: cancelling (and erasing) the previous (if ever) +attempts; reduplicating the usn and the rn somewhere else in +memory; double checking the string lengths (and saving all these +values somewhere... be particularly attentive when you meet stack +pointers (for instance [BP+05]): most of the programs you'll find +have been written in C (what else?). C uses the stack (SS:SP) to +pass parameters or to create local variables for his procedures. +The passwords, in particular, are most of the time compared to +data contained within the stack. If inside a protection a BP +register points to the stack you have most of the time fished +something... remember it pupils: it will spare you hours of +useless cracking inside irrelevant routines. 
Back to our CATWIN: +another little check is about the "minimal" length allowed for +a user name, in our babe, for instance, the usn must have at +least 6 chars: + 230F:00003483 3D0600 CMP AX,0006 + 230F:00003486 730F JAE 3497 <- go to nice_name +:too_short + 230F:00003488 BF9245 MOV DI,4592 <- no good: short + After a lot of other winicing you'll finally come across +following section of the code: +2467:00000CA3 B90100 MOV CX,0001 +2467:00000CA6 03F1 ADD SI,CX +2467:00000CA8 2BC1 SUB AX,CX +2467:00000CAA 7213 JB 0CBF +2467:00000CAC 40 INC AX +2467:00000CAD 368B4F04 MOV CX,SS:[BX+04] <- here +2467:00000CB1 0BC9 0R CX,CX +2467:00000CB3 7D02 JGE 0CB7 +2467:00000CB5 33C9 XOR CX,CX +2467:00000CB7 3BC1 CMP AX,CX +2467:00000CB9 7606 JBE 0CC1 +2467:00000CBB 8BC1 MOV AX,CX +2467:00000CBD EB02 JMP 0CC1 +2467:00000CBF 33C0 XOR AX,AX +2467:00000CC1 AA STOSB <- and here +2467:00000CC2 8BC8 MOV CX,AX +2467:00000CC4 F3A4 REPZ MOVSB <- and here! +2467:00000CC6 8EDA MOV DS,DX +2467:00000CC8 FC RETF 0008 + + This is obviously the last part of the checking routine +(I'll not delve here with the mathematical tampering of it, if +you want to check its workings, by all means, go ahead, it's +quite interesting, albeit such study is NOT necessary to crack +these schemes). The important lines are obviously the MOV +CX,SS:[BX+04], the STOSB and the REPZ MOVSB (as usual in password +protection schemes, you do remember lesson 3, don't you?). + You should be enough crack-able :=) by now (if you have read +all the precedent lessons of my tutorial), to find out easily, +with these hints, how the working of the protection goes and +where dwells in memory the ECHO of the correct rn (passkey) that +matches the name you typed in. Remember that in these kind of +cracks the ECHO is present somewhere (90% of the cases). There +are obviously one thousand way to find such ECHOs directly, +without going through the verificayions routines... 
for instance +you could also find them with a couple of well placed +snap_compares, it's a "5 minutes" cracking, once you get the +working of it. I leave you to find, as interesting exercise, the +routine that checks for a "-" inside the rn, a very common +protection element. + In order to help you understand the working of the protection +code in [Wincat Pro] I'll give you another hint, though: if you +type "+ORC+ORC+ORC" as usn, you'll have to type 38108-37864 as +rn, if you usn as usn "+ORC+ORC" then the relative rn will be +14055-87593. But these are my personal cracks... I have offered +this information only to let you better explore the mathematical +tampering of this specific program... you'll better see the +snapping mechanism trying them out (going through the routines +inside Winice) alternatively with a correct and with a false +password. Do not crack Wincat with my combination! If you use a +different usn than your own name to crack a program you only show +that you are a miserable lamer... no better than the lamers that +believe to "crack" software using huge lists of serial numbers... +that is really software that they have stolen (Yeah: stolen, not +cracked). You should crack your programs, not steal them... +"Warez_kids" and "serial#_aficionados" are only useless zombies. +I bomb them as soon as I spot them. YOU ARE (gonna be) A CRACKER! +It makes a lot of a difference, believe me. + +Well, that's it for this lesson, reader. Not all lessons of my +tutorial are on the Web. + You 'll obtain the missing lessons IF AND ONLY IF you mail +me back (via anon.penet.fi) with some tricks of the trade I may +not know that YOU discovered. Mostly I'll actually know them +already, but if they are really new you'll be given full credit, +and even if they are not, should I judge that you "rediscovered" +them with your work, or that you actually did good work on them, +I'll send you the remaining lessons nevertheless. 
Your +suggestions and critics on the whole crap I wrote are also +welcomed. + + "If you give a man a crack he'll be hungry again + tomorrow, but if you teach him how to crack, he'll + never be hungry again" + +an526164@anon.penet.fi + + + diff --git a/textfiles.com/piracy/CRACKING/caligo.nfo b/textfiles.com/piracy/CRACKING/caligo.nfo new file mode 100644 index 00000000..b0182f1a --- /dev/null +++ b/textfiles.com/piracy/CRACKING/caligo.nfo 
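Review bot: two opcode/mnemonic mismatches in the WINCAT listing of the +ORC lesson hunk above (the file ending with the an526164@anon.penet.fi signature), under "HOW A REGISTRATION CODE WORKS [WINCAT]": `2467:00000CB1 0BC9 0R CX,CX` has a digit zero where the mnemonic `OR` belongs, and `2467:00000CC8 FC RETF 0008` pairs the byte `FC` (which encodes CLD) with `RETF 0008` (which would be `CA 08 00`), so either the bytes or the mnemonic of that line were lost in transcription and a reader reproducing the trace will not find `RETF 0008` at `0CC8`. A smaller annotation problem: in the uppercasing loop at `253F:0260`, the `MOV [SI-01],AL` that follows `LODSB` writes the uppercased character back over the byte just read (LODSB has already advanced SI), so the comment "hyde it away" describes an in-place overwrite, not a copy to a separate buffer. Since the file is an archived original, keep the text verbatim and flag these in the commit message or a companion note rather than editing the hunk. The remaining listings are consistent: the branch displacements at `253F:0260` (`740F`, `72F7`, `77F3`, `EBEC`) and the length check at `230F:3483` (`730F` to `3497`) all resolve to the targets shown.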
@@ -0,0 +1,81 @@ + + + + + + + + + + + + + + + + <<=-- UNiVERSAL *iMPROVED* PATCHER VOLUME o6.o4.1997 --=>> + <<=-- 13 cRACkZ iNCLuDED --=>> + + ---------------------------------------------------------------------------- + +o6.o4.1997: - converted my old .UPV to the new format + +o1.o4.1997: - TRON [nOW REMOVED ALL NAGS] + +31.o3.1997: - VGANoid & TRON [nAGSCREENS] + - Conquest v2.1 [nOW 'REGISTER'] + +3o.o3.1997: - Conquest v2.1 [lAST NAGSCREEN] + - Protect EXE/COM 6.0 [nAGSCREEN] + +29.o3.1997: - Show-Log 1.0b9 [1st NAGSCREEN] + +28.o3.1997: - new PGP-key [ARGHL] :,-( + +23.o3.1997: - Computer Aided Poetry (C.A.P.) [dELAY] + - modified PkLite Crack - [wORKS 1oo% !] + +21.o3.1997: - modified CD-Commander Pro [nOW REGISTER] + +2o.o3.1997: - CD-Commander Pro v1.01 [dELAY] + - FidoRoute v2.o [dELAY] + +17.o3.1997: - Windows 3.1 [lOGO] + +16.o3.1997: - added thiZ nfo + - PkLite [yOU CAN NOW USE THE -e PARAMETER] + +15.o3.1997: - CrossPoint [sERIAL] + - mIRC v4.7x [sERIAL] + +11.o3.1997: - Paint Shop Pro v3.11 [nAGSCREEN] + +o2.o3.1997: - Clock v4.58 [nAGSCREEN] + +o1.o3.1997: - started my .UPV + - KBD.SYS v5.o [nAGSCREEN] + + -------------------------=[ DAILY UPDATE ! ]=------------------------------- + +> You can always get the NEWEST version of this archive at + +> http://cracking.home.ml.org/ + + -------------------------=[ DAILY UPDATE ! ]=------------------------------- + +Typ Bits/ID Datum Benutzer +ff 768/D51EBB7D 1997/03/28 Lord Caligo - + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3i + +mQBtAzM7vVkAAAEDALPuYPwA8cG0VeGUfP6lGhVSNbyBp9m8Vk2YTbTEixAVg692 +EcJ81QAcmo2tB91MXslXtFHshfGu7/3dNiY8cb9xLoOSTUW2zNDg/3fRGej5qiQA +LB/cPFhO1HRA1R67fQAFEbQgTG9yZCBDYWxpZ28gLSA8Y2FsaWdvQGxvcmRzLmNv +bT6JAHUDBRAzO71ZTtR0QNUeu30BASjBAwCZUHjIt7hsS8IsTCgqwwci3bXk+go8 +v6zl1mDtOrV3Wp7xbLwhn/K9Gr4zPt7PaZU7rbT2KUIG0kcLNpdufNqLCbFHXsIs +MZDEh3MhmH1P2g7TiBCSwiNsZnq8Lw/QtLI= +=SNsU +-----END PGP PUBLIC KEY BLOCK----- + + [lord caligo - ] 
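Review bot: the `-----BEGIN PGP PUBLIC KEY BLOCK-----` near the end of this caligo.nfo hunk (`Version: 2.6.3i`, listed just above it as `ff 768/D51EBB7D 1997/03/28 Lord Caligo`) is archive content, not a key the repository vouches for; nothing in the commit says where the NFO came from or whether the block is intact, so it should be treated as an unverified historical artifact, and nobody should import it into a live keyring, a 768-bit PGP 2.6 RSA key from 1997 being far below any current minimum in any case. A style point for the same region: the column header `Typ Bits/ID Datum Benutzer` is German (Type, Bits/ID, Date, User); if the archive carries reader notes, the translation belongs there, and the hunk itself should stay verbatim.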
diff --git a/textfiles.com/piracy/CRACKING/cbd-tut01.txt b/textfiles.com/piracy/CRACKING/cbd-tut01.txt new file mode 100644 index 00000000..44e0a4d7 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/cbd-tut01.txt 
@@ -0,0 +1,192 @@ + _CbD_ Tutorial 01 + _CbD_ vs. Ultisoft, Inc. + +Ok I know the title sounds strange, _CbD_ vs. Ultisoft, Inc. but i decide this would be a good title for this tutorial seeing how i will be attacking 5 of there programs in this tutorial. Well let me tell you how this war began, I know you dont care, but i am going to tell you anyway. Well I was on Windows95.com and was looking for a good casino game, well what i found was a lot of programs by this Ultisoft, Inc., and the bad part is that they were mostly slot games, NO FUN. well i also seen that some of them where VB4 programs so i thought ok this might be a good program to practice what (razzia) said about VB4 protections. Ok so i downloaded a few of them. +I then unzipped and checked to see if they would aloow me to register them, guess what as soon as i started the program a big blue screen pops up asking me to register, hmm ok that answers that question. Well now lets see if the program is any good. Ha Ha Ha this games sucks, well i decided to crack it anyway. so now on to the cracks + + +target #1 +Name: Cherry Slots +Author: Ultisoft, Inc. +Tools: Softice 3.xx +you can get it at (http://wwwsoftsite.com/ulti/95chry44.zip) + +ok i will do this crack in several steps so even the newest of crackers can follow, before i start i want to thank razzia for his exellent tutorial on VB4 , so Thanks. Ok now go get the program from softsite.com (it is small like 150k) +ok you got it. lets crack it. + +Step #1 + Lets look at the File. So in Explorer select it and do QuickView (right click select quickview) + now scroll down and see what the Import Table says, Hmm VB40032.DLL. Ah this is a VB4 + program. Ok now we know that or GetWindowTextA and GetDlgItemTextA wont work for us + so we will have to use HMEMCPY to get into the program. Wait didnt i read a tutorial by razzia + talking about VB4 programs hmm, yeah now i remember. 
ok lets try and recall what it was he wrote + (if you never read it you should, but i will use alot of his methods here for those of you who have + no idea). + +Step #2 + ok lets start this little puppy, so run cherry.exe. OK now a big ugly blue screen pops up and what is + this the middle button is (REGISTATION CODE) hmm wonder what that does. So click on it and find out + ah the old enter your registration Number box (Like you would really buy this game). ok first lets type in + a few numers to see if it has a pre-set length for the reg number 12345678901244567865, hmm + nope has no pre-set length. Ok that is fine lets just clear that text out and enter hmm 7777777 + seven 7's (my favorite) and then press REGISTER. hmm We get the old faithfull Registration Failed + thats fine just click ok. hmm or box is gone now What they only give us one chance (assholes). + +Step #3 + Ok now look in the menu and you will see Register so click on it, What is this our box is back. Good lets enter 7777777 again now DONT PRESS REGISTER YET now we need to get in Softice and set some + BreakPoints so Press Ctrl-D, boom. Into Softice we go now lets set some BreakPonits. + so at the ---> : type BPX HMEMCPY and press [ENTER] ok now we have a BreakPoint set + on the HMEMCPY fuction. ok now press Ctrl-D again and boom back to Cherry Slots we go + Now you can press REGISTER and continue on to step 4. + +Step #4 + Ok if you done it right you should be looking at the softice screen, and if not then go back and start over + from step #1. Ok now we are looking at the call made to HMEMCPY so lets get out of that as we need + not be there. but first lets disable that BreakPoint as we dont need it anymore so do a --> BD 0 <--- now press F11 and then softice should blink and then pop you right back in. Ok now we are + in the Fuction that made the call well this to is not really that important to us. 
What we need to be in is the + VB40032.DLL so press F10 til you see the text (on the line between the Code window and the command window) VB4xxxxxxx ok now that should look like somthing this (Address's may look different) + +0137:0F730116 CALL EBP +0137:0F730118 MOV [ESP+14] , EAX +0137:0F73011C CMP DWORD PTR [ESP+2C] , 00 +0137:0F730121 JNZ 0F73070C +0137:0F730127 MOV EAX, [ESP+14] +0137:0F73012B POP EBP +0137:0F73012C POP EDI +0137:0F73012D POP ESI + + Yours may differ just a bit. Ok now we are in the VB4xxxx section of the code. Next we will look at some + of razzia's VB tutorial + + razzia has done all the hard work for us and found the VB4 dll code + that compares two strings (in WideChar format !). + Here is what it looks like + +: 56 push esi +: 57 push edi +: 8B7C2410 mov edi, [esp + 10] +: 8B74240C mov esi, [esp + 0C] +: 8B4C2414 mov ecx, [esp + 14] +: 33C0 xor eax, eax +: F366A7 repz cmpsw ;<-- here the (WideChar) strings at ds:esi +: 7405 je 0F79B362 ; and es:edi get compared +: 1BC0 sbb eax, eax +: 83D8FF sbb eax, FFFFFFFF +: 5F pop edi +: 5E pop esi +: C20C00 ret 000C + + Now you have enogh to crack this program. + Ok now for the final step + +Step #5 + Now we know the code lets find it in our program so we need to search for it + we can do this by typeing the following in the command window + + S 0 L FFFFFFFFF 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14 then press [ENTER] + + you should get something like this + + Procedure found at 0030:0F79B348 (0F79B348) + + Now we set a Break Point on it BPX 0030:0F79B348 and press F5 we will break again + into softice were you should see the above code + + ok Now we have the question (Does the program have a set serial Number that we have to + enter or does it just compare certian letters or numbers of our serial code.) 
+ well lets just have a look at some of the some of the values here + + So type this ----> ed esi <-------- and you should see the following in the data window + +013F : 0044A612 33 00 36 00 32 00 - 34 37 00 00 00 00 60 00 3 . 1 . 6 . 2 . 4 . 7 . . . ' . + + Well what is this hmm look kinda strange there dont it hmmm could this be the serial number + hmm well it is 6 numbers long and if you took the spaces out it would read 316247 + well lets see if this could be the serial number. So we do a BD 1 to disable our BreakPoint + and then press CTRL -D and you should return to Cherry Slots and the Registration Failed + box should be up. So clear it and press goto register once more this time enter the code + we got from VB4xxxxx it should be 316247 and then press register you should get the congradulations you have now registered this peice of shit software. Blah Blah + ok that is it the game is now registered. Ok if you want to distribute your cracked game + you can now look in your cherry slots Dir and you should see a file named + cherry.key this is all you need so pass it around and any needs only to put it in thier + cherry slots and they are registered to. + + Although this is easy and takes only a few minutes i am going to look at makeing a patch to just get + the nag screens to go away without a correct serial numbers just as practice. + + you can use these same steps to crack all of UltiSofts VB games. + + +PART 2 + + The War is Still On + _CbD_ vs. UltiSoft + + + After looking around there page i found that they also had a few games that was not + VB games so i decided to check them + + + + +target #2 +Name: Animated Black Jack +Author: Ultisoft, Inc. +you can get it at (http://wwwsoftsite.com/ulti/95anbj11exe) +Tools Needed : W32DASM + + Ok I downloaded this one and then used QuickView and then i seen this was not + a VB Program, so first i ran the program then noticed it had the same old + registration box as the others.. 
Ok well i decided to use softice and Break on + the old GetWindowTextA and GetDlgItemTextA well then i tried a fake number + and nothing i didnt pop into softice hmmm well lets try GetWindowText and GetDlgItemText + well nothing still no softice. So i decided to load it in W32DASM and look at the functions + well i saw tons of them this program uses everything but is own. Ok well lets have a look at some + of them (Damn there is so many ) well several look as if we could set breakpoints on and + try , but hmm lets look some more . lets look at the string references (the button should + be [Strn Ref] ) damn so so many wel lets loog for anything dealing with registration + + We See ( 2. In the Registered Version) hmm well we could look at that + but What is that funny looking one right under it ? + + all it says is ("508150") Hmm that looks funny it is 6 numbers and we have seen + that all of there codes are six numbers. no way it cant be that easy can it ? + well lets just check so we start up Black Jack and then we put 508150 for a + registration number and press [ENTER] knowing this wont work + and Boom Thank you for Registering our ShitWare hmm ok now + I have lost all respect for these guys (not that i ever had any) they have to be + very stupid to hard code there # that way hmm i think instead of sending them + the registration few i will send them Programing For Dummies Books + Well thats it for that one and any of the other programs they have that are not vb + is the same way... 
+ Oh yeah there installers sux and will hang so just use the task manager and end task on + the installer (CTRL + ALT + DEL) End TASK INSTALLER + + ok this is a list of there programs that i have cracked useing these methods + +VB +Cherry Slots #316247 +Dynamite Slots #884916 +Extreme Slots #196458 + +Other +Double Wide Slots # 317541 +Animated Black Jack # 508150 + +All there other programs are on the site +http://www.softsite.com/ulti + + Well I really Hope this helped you in some way if nothing than showing that sometime the protection + can be so easy. + + + _CbD_ [ME/C4N'97] + + + + + + + + + diff --git a/textfiles.com/piracy/CRACKING/cbd-tut02.txt b/textfiles.com/piracy/CRACKING/cbd-tut02.txt new file mode 100644 index 00000000..1c6e2b9f --- /dev/null +++ b/textfiles.com/piracy/CRACKING/cbd-tut02.txt 
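Review bot: several details in the cbd-tut01.txt hunk above contradict themselves, and a reader following the steps will trip on them. In Step #5 the SoftICE search `S 0 L FFFFFFFFF 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14` has nine `F`s in the length operand, one more than a 32-bit value allows (it should be `L FFFFFFFF`). The data-window line shown after `ed esi`, `33 00 36 00 32 00 - 34 37 00 00 00 00 60 00`, is missing the `31 00` that both the ASCII column (`3 . 1 . 6 . 2 . 4 . 7`) and the stated serial `316247` require, so the hex column was retyped incompletely. The two download links `http://wwwsoftsite.com/ulti/95chry44.zip` and `http://wwwsoftsite.com/ulti/95anbj11exe` lack the dot after `www` (the second also the dot before `exe`) while the closing line gives `http://www.softsite.com/ulti`. Since the file is an archived original, keep it verbatim; these belong in the commit message or a companion note, not in the hunk.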
@@ -0,0 +1,156 @@ + _CbD_'s Tutorial #2 + Rummy 500 + +Well here is a look a at different way for Cracking VB3 programs +Target: RUMMY 500 (Version 3.8) +Get it Here:Comes with the Tutorial +Tools Needed: Softice v3.xx + + Ok Lets talk about the program first. Well it is ok for a VB3 game and considering it was + done by women. ( Not a sexest remark) ;-) anyway this is really a nice game if you like + the card game rummy, BUT this lady seems to think that she must put nag screens + everywhere. Hmmm I hate that so that is what is driving this crack. There are nags + at the end of every hand (with a 10sec delay) and this is just not fair to us who wish + to evaluate it at its full. ;-). Ok that is enough about the program. + + Now as always we will be doning this in steps, so lets get started. + +Step #1 + Ok we have to find out a little info about the program so we use QuickView + (See Tut #1 for info on QuickView) to find out a little about our pup here. + Hmm looks like a VB3 file. Ok well that takes care of that cause we know + we cant crack VB programs cause they dont use any of the normal fuctions + that we set our BreakPoints on right? WRONG if you have read my tut #1 or + razzia's VB tut's you will know we can crack VB programs just as if not + faster than any other... Ok Now lets do a little searching to see if we can find out + any info on the program, so we look in the dir that we installed to and Whats this + 2 files that might be of some use one is Rummy500.faq and the other is Readme.txt + so lets see whats in them First the Faq. hmm nothing there that seems to help + so next the Readme.txt..... Whats this do you see what i see + +**************************************************************************** +IMPORTANT NOTE: MeggieSoft Games does not process any registrations between +December 15th and January 15th. Any registrations received during this +period will be processed after January 15th. 
The registration reminder +will not be displayed between December 20th and January 15th. +**************************************************************************** + + No way it cant be that simple not with a program that has so many nags + well lets try anyway. Change you systems date to say January 1 that would + give us 15 days. Hmm well they are right no 10 sec delays but yup + there is still a nag screen and we just cant live with this can we ;-) + but it was nice of them to tell us anyway. So change your date back + so we can enter a Reg Number and crack it. + +Step #2 + Ok now we have not found anything that we can really use to help us other + than knowing that it is a VB3 program so lets get started cracking it + first lets start the program and wait for that nagging 10sec delay to go by + and then press register, Damn more screens what is this shit... + ok press Enter Registration, Hmm Name and number well that is not good + that means most likely this wont be just some serial number for us to + find in softice that was hardcoded in, Not that this will make it any harder + just take a few more minutes. + +Step #3 + Ok now enter a name i use (CbD! Cracked) Dont use this cause you are + cracking it not me ;-) . Now enter a Serial number i use (7777777) now + press enter and see what happens. Hmm not a good serial number + well shit we knew that already so press ok. Hmm well we get another shot + at it with out haveing to start over good i like this. + +Step #4 + Press Ctrl-D and pop into softice ( If you dont have softice you cant do this crack) + now lets set a BreakPoint on hmemcpy so do this BPX HMEMCPY and press + enter. 
now we have a Breakpoint that should pop us into SI(SoftIce) when we + hit enter in the registration screen so now (If you didnt have any other BreakPoints + Set and if you did Clear Them before you go on you can do a BC * and then press + enter and reset the HMEMCPY breakpoint so it is your only one) press Ctrl-D + and you should land back in the registration srceen + +Step #5 + Press enter Boom back to SoftIce we go ok now we are in the HMEMCPY fuction + we dont want to be here so we press F11 to get back to the fuction that called HMEMCPY + but wait this little program had 2 boxes remember 1 for the Name 1 for the number + so this is most likely the Name fuction and this (You can crack it from here but takes forever) + is not what we want , we want the serial number right. Ok so press F5 and Pop right + back in SoftIce we go and Yes back to the HMEMCPY function so Press F11 again + to get out of it. Now we should be looking at something like this + +17CF:0B40 CALL KERNEL!HMEMCPY +17CF:0B45 PUSH WORD PTR [DI] +17CF:0B47 CALL KERNEL!LOCALUNLOCK +17CF:0B4C MOV AX,SI + + Ok the Address's may differ but the code should look the same, Well this dont look to + intresting to us right now so lets step in the code a bit with F10 so press F10 + you see the lines advancing as you press the key, ok well you will see a few POP's + and then LEAVE and RET <---(interesting) we are in a fuction that called HMEMCPY + and now we seem the be fixing to return from the one that called this one hmm ok + lets keep pressing F10 do this about 10 times or so or until you see the code below + (Note You should Press F10 a total of 14 times after the last F11) there will be a RET + that will land you at +0C0D POP DS <------ Should land here +0C0E POP BP <----- Hmm what is this ? 
+0C0F RETF 000C <---- This looks to me like a compare Return cause it loads 2 values then + Returns most likely to were they are compared + ( I kow this already cause i traced it down for you ) + Now here is what my window looked like when i steped through 14 times + + EAX=056AOOOB EBX=000275EA ECX=00000000 EDX=06700000 ESI=00021B74 + EDI=00020106 EBP=000062AO RSP=000062AO EIP=OOOOOCOE o d I s Z a P c + CS=17CF DS=2B57 SS=2B57 ES=3387 FS=059F GS=011B + + ----RUMMY500(02)------------------------------------dword---------------PROT---(0)-- + 2B57:000062A0 0F0E:62BC 0000: 1807 3387:115K 000D:000C .b...... ..3.... + 2B57:000062B0 0106:OD7C 1B74: 0002 2B57:0002 0381:62D8 ].....t...W+.b.. + 2B57:000062C0 0001:1807 115E: 0000 000C:3387 37F4:000D ...... ..3.....7 + 2B57:000062D0 0BF4:0002 0386: 17CF 0751:632A 0001:1207 ......*CQ....... + 2B57:000062E0 115E:0000 000C: 3387 0D7C:000D 17CF:OBF4 .....3.......... + 2B57:000062F0 0106:2B57 01E6: 0106 0000:33D7 3032:33D7 W+.......3...320 + 2B57:00006300 3632:2D30 3933: 2D36 0588:0035 6352:0043 0-266-395...C.Rc + + ----USER!BOZOSLIVEHERE+001C---------------------------------------------------PROT16- + 17CF:OCOA CALL 25C2 + 17CF:OCOD POP DS <----- Load Value #1 + 17CF:OCOE POP BP <----- Load Value #2 + 17CF:OCOF RETF OOOC <---- Go back and caompare them + 17CF:OC12 MOV AX,171F + 17CF:OC15 MOV ES,AX + + ----------------------------------- USER(OA)---------------------------------------- + + Hmm then we should be able to check the values of DS & BP + (I already know the one that holds the Good Serial #) + So lets do this ED BP and press enter You should see something like + the above Data Window . ( Note Make sure you window fairly wide so you can see + all the data or scroll down. 
Now I cant say for sure but everytime i have done this + I have gotten a valid Code (I havent looked very deep into the program yet) + so i cant give you the exact reason this code is here but i will soon make a key gen + and give full explanation of the code so look for it soon. Well now if you look you + will notice that there are a string of numbers divided by a "-" mine is + 3202-266-395 well my code was 202-266-395 This will not werk for you + as it is different for every computer even if The names are the same (Note + Do Not use Specail charactors in the name ie _ [ / ] - + < > use only numbers + or letters) so look to see what yours is. you may or may not have 4 numbers + in the first part of the string if you do ignore the first number as it is not part of the + code, if you notice the same number appears just before the string so drop that one + off and one use xxx-xxx-xxx well that should do it just clear your breakpoints(BC *) + and return to the program (Ctrl-D) and then enter you Code and Boom there you are + no more nag srceens.. But please Do register as the Author done a good job one + this one even if they did put so many nags in it and the Fee is only $12 like that is + to much....... + + + Well hope This helped you some and helped you to understand a little + more about VB programs. and if not atleast you got a cool game, without nags + (unless you still cant carck it ) and even then you know how to get rid of the + 10 sec delays CHANGE THE DATE... duhhhh ok well thats all for this one + All tutorials i write will be availible from Http://users.quicklink.net/~cbd/c4n or + http://mexelite.home.ml.org ENJOY........... _CbD_ [ME/C4N'97] + + Oh yeah i almost forgot you can change the back of the cards to + what ever you wish by editing the rummy500.bmp file in a + editor such as PaintBrush (Comes with windows). Just though + you might want to know that. Mine say Cracked by CbD ;-) + 
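Review bot: the annotation of 17CF:0C0D POP DS / 0C0E POP BP / 0C0F RETF 000C as "load value #1 / load value #2 / go back and compare them" is wrong and will mislead anyone who tries to reuse the technique on another VB3 target: that sequence is the ordinary 16-bit epilogue, restoring the caller's DS and BP and doing a far return that discards 12 bytes of arguments, and neither the segment register DS nor the frame pointer BP holds the serial. The key string appears because the dump is of the stack frame: the register line shows SS=DS=2B57 and BP=62A0, and the data window starts at 2B57:000062A0, so `ED BP` lands on SS:BP only because DS happens to equal SS at that point; `D SS:BP` is the form that always works, and the text should say the computed key is a local in the caller's frame rather than "the values of DS & BP". The retyped dumps also need a pass before readers type them in: EAX=056AOOOB, EBP=000062AO, EIP=OOOOOCOE, 17CF:OCOA and RETF OOOC use the letter O for the digit zero, and RSP should be ESP.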
diff --git a/textfiles.com/piracy/CRACKING/cbd-tut03.txt b/textfiles.com/piracy/CRACKING/cbd-tut03.txt new file mode 100644 index 00000000..94efb3d4 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/cbd-tut03.txt 
@@ -0,0 +1,273 @@ + _CbD_ Tutorial #3 + Function Disabled Protections Defeated + Date 7-28-97 + Target: WinScan version 2.0.06 + +About the Protection: + Function Disabled Protections are very comman now days and are one of + the most popular among high priced software or specialty software. But + there days of stoping us are over........ Now !!!!!! + +Target: + WinScan ver 2.0.06 + WinScan is an intelligent scan, trace and vector editing program designed for use with TWAIN compliant scanners and popular vector illustration packages such as CorelDRAW. This is a very handy program + if you are in the graphics industry or if you make vinyl signs with plotters (As i Do)... + +Where to get it : + http://www.airmark.com/ + +Tools Needed: + SoftIce (SI) (Required) + W32dasm ( optional) + Hiew Hexeditor (included with Tutorial) (Required) + Borland Resource Work Shop (optional) + +Pre Crack Notes: + Ok there are several different steps in this crack and there are really 3 cracks that will be done + each one of them will have several steps each. If you dont have the optional Tools above + you will only be able do complete the first 2 parts of this tutorial. (The important ones) + the Last section of the crack only removes the DEMO messages at start and in the about box. + it will change them to the registered Messages instead.. ( Big Deal i know)... + +The Crack.......... + Ok you should have gotten the programs you need by now so lets start the crack. + +Step #1 : + Fire up your program (WinScan) and have a look at it, You should see the Big ugly blue box that + says this is a DEMO version of the program (Like we didnt know this) it is not that big of a deal + because it goes away if you click on it . But now open one of the sample .bmp files that + are in the WinScan Dir. 
Now try to save the file, you will get a box that says + " This Command is not Allowed Blah Blah Blah" ok so it dont want us to save, But we want to + I mean shit how can you evalutate software if you cant save the work to see its quality? + well I dont think you can so we will cure this problem :-). + Just remember that this little message came to us in the form of a message box. + +Step #2: + Now we have a good idea that we are getting the nag from a message box so + if we can break at the message we can see what calls it right. or we could use + W32dasm and located the point that the message is called. well that would take + a bit longer to trace out the code that calls it so we will save that for later or for those + that want to learn a bit more about finding this type of protection calls. + so for now we are just gonna use SI (as it is all that is really needed) to break on the + message that we get when we try to save. So lets start.... + First press Ctrl-D to get in SI(Softice) and lets see what we have here, Lets see if we + have any breakpoints left over from a project that you was working on before you + started this one so do this BL This will give you a listing of all breakpoints you + have set in SI. Well we dont want those to cause us problems in this crack so we + will do one of 2 things (1) Clear them with BC * (2) disable them with BD * if you + dont need the BP's (BreakPoints) you can clear them, if you will need them for + another project then just disable them for now. Ok now that we have that out of the + way( Bare in Mind i write my tut's so anyone can follow them even if they have + never cracked before) Lets set our BreakPoints that we will need for this crack + so lets Do this BPX MESSAGEBOXA <--- This will make SI break when the + call to the Messagebox is made. For now that is the only one we need so lets + Ctrl-D back to our target WinScan. 
+Step #3: + Ok now lets set all this in motion, So try to save this file with the [SAVE] from the menu + or the Disk Icon in the Toolbar. Boom to softice we go Now we are in SI at the + point our program is ready to show us the nag. Now lets think about what we + want to do here (1) we want to find out where this call came from (2) we want to + make it go to the real save Dlg Box and not this nag. So we will do a F11 so we + can get back to what called this function. You will pop back into WinScan where + you will see the Nag. Press Ok and you will pop back to SI Now we are not there yet + cause if you look on the Line between the Command window and the Code window + you will see MFC blah blah blah well this is the place that our message box was called + but this is not our program, Our program called this to get the box so what we will do is + press F10 (single Step) till we get back to our program so press F10 till you see + WinScan on the line between the command and code windows. when you get there + you should see somthing like the following + +(note the addresses may not be the same on yours) + +0137:00455AF5 CALL 0045D800 <----- This is what calls our little MessageBox +0137:00455AFA JMP 00455B1E <---- Ok we told him he cant save so lets go back +0137:00455AFC MOV ECX, [EBP-14] <---- not important. + +ok now we found the call so lets scroll up a few lines and see what we can see. 
Should like like this + +(note the addresses may not be the same on yours) +0137:00455AE0 MOV EAX,[EAX+4] <--- set demo flag +0137:00455AE3 CMP DWORD PTR [EAX + 000000C4] ,00 <-- check and see if this is a demo ver +0137:00455AEA JZ 00455B16 <---- if Zero then this is a Full ver else this is a Demo +0137:00455AEC PUSH FF <--- save some info +0137:00455AEE PUSH 10 <--- save some more info +0137:00455AF0 PUSH 0000009D <--- yup save even more info +0137:00455AF5 CALL 0045D800 <----- This is what calls our little MessageBox +0137:00455AFA JMP 00455B1E <---- Ok we told him he cant save so lets + go on working +0137:00455AFC MOV ECX, [EBP-14] <---- not important. + + ok if you look real close i think you can see what we need to do now and if you cant i will + tell you: +0137:00455AEA JZ 00455B16 This jump here will send us to the real save dialog that we + want . + So we need to change the JZ to a JNZ so that the program will think that if we are a DEMO + we should jump to the real Save Dialog and not the Nag. 
But before we do this lets get some info + that we will need for part 2 of the crack so Do a D xxxx:00455AEA (xxxx is the address you see) + now look in your data window for something like this + +0137:00455AEA 74 2A 6A FF 6A 10 68 9D - 00 00 00 E8 06 7D 00 00 + ^ ^ ^ ^ ^ ^ ^ ^ + You will need all these number sets that have a ^ under them so right them down + (Note if you do not have a Data window just above your code window type WD and press enter + in the commad window and it should open up you should also have your Registers window + open as well and to do this type WR and press enter in the command window) + Well lets see if we are right do this + A xxxx:00455AEA and press enter (note where the xxxx is put the right address you see on + your screen) + now you should see somthing like this + +A xxxx:00455AEA +xxxx:00455AEA + + in your command window + you need to type in this + + JNZ 00455B16 + + then press enter and then press enter again to get back to the command line + now lets see if this werks so press Ctrl-D and when you pop back to WinScan + try to save again WOW you can now save . Well the only thing is that you cant use the + Save As function so we need to fix that to and to do this we follow the same steps as above + but instead of pressing the Save we press Save As from the Menu + and you will break right back in the same Message that you did before + you need only to follow then same steps as above to get back to the WinScan + call and then scroll back up and find the JZ that will send us to where we want to go + + if you cant seem to make it werk here is the steps for this one + +Step #1: + Ok now lets set all this in motion, So try to save this file with the [SAVE AS] from the menu + Boom to softice we go Now we are back in SI at the same + point our program is ready to show us the nag. 
Now lets think about what we + want to do here (1) we want to find out where this call came from (2) we want to + make it go to the real save Dlg Box and not this nag. So we will do a F11 so we + can get back to what called this function. You will pop back into WinScan where + you will see the Nag. Press Ok and you will pop back to SI Now we are not there yet + cause if you look on the Line between the Command window and the Code window + you will see MFC blah blah blah well this is the place that our message box was called + but this is not our program, Our program called this to get the box so what we will do is + press F10 (single Step) till we get back to our program so press F10 till you see + WinScan on the line between the command and code windows. when you get there + you should see somthing like the following + +(note the addresses may not be the same on yours) + +0137:00455BD5 CALL 0045D800 <----- This is what calls our little MessageBox +0137:00455BDA JMP 00455BFE <---- Ok we told him he cant save so lets go back +0137:00455BDC MOV ECX, [EBP-14] <---- not important. + +ok now we found the call so lets scroll up a few lines and see what we can see. Should like like this + +(note the addresses may not be the same on yours) +0137:00455BC0 MOV EAX,[EAX+4] <--- set demo flag +0137:00455BC3 CMP DWORD PTR [EAX + 000000C4] ,00 <-- check and see if this is a demo ver +0137:00455BCA JZ 00455BF6 <---- if Zero then this is a Full ver else this is a Demo +0137:00455BCC PUSH FF <--- save some info +0137:00455BDE PUSH 10 <--- save some more info +0137:00455BD0 PUSH 0000009D <--- yup save even more info +0137:00455BD5 CALL 0045D800 <----- This is what calls our little MessageBox +0137:00455BDA JMP 00455BFE <---- Ok we told him he cant save so lets + go on working +0137:00455BDC MOV ECX, [EBP-14] <---- not important. 
+ + ok if you look real close i think you can see what we need to do now and if you cant i will + tell you: + +0137:00455BCA JZ 00455BF6 This jump here will send us to the real save dialog that we + want . + So we need to change the JZ to a JNZ so that the program will think that if we are a DEMO + we should jump to the real Save Dialog and not the Nag. Well lets see if we are right + do this A xxxx:00455BCA and press enter (note where the xxxx is put the right address you see on + your screen: + now you should see somthing like this + +A xxxx:00455BCA +xxxx:00455BCA + in your command window + you need to type in this + + JNZ 00455BF6 + + then press enter and then press enter again to get back to the command line + now lets see if this werks so press Ctrl-D and when you pop back to WinScan + try to SAVE AS again WOW you can now Save As now isnt this fun + + well the only thing is that this will only werk till we exit our program, When we restart it the nags + will be right back so now we need to make a real crack for our program. + so on to part 2 of this Crack + +Part 2: Hex Editing our program + + well lets make sure we have all the info we will need.. 
+ Remeber the things i told you to write down well i hope you did ;-) + and if not then here it is +xxxx:00455AEA 74 2A 6A FF 6A 10 68 9D + well we will need this in Hiew to search for our Jumps we need to change + (by the way you should print this file to make lie easier on you) + Lets make a backup copy of our file you can name it what ever you wish (i used + WinScan.cbd) just dont use the .bak as this is needed else where + So lets fire up Hiew to do this we will need to have the program and Hiew in the + same Directory I use a Temp dir and copy both files to it (Hiew and Winscan.cbd) + now at a dos prompt type + (the numbers in ( ) are the steps) + (1) Hiew WinScan.cbd (or what ever you named it) now you will be in the Hiew program and will see a + bunch of shit that makes no sence what so ever + (2) so press the F4 key to get the Hex View (or what ever the key is at the + bottom) now we will have to search for our command and in order to do this we will + need to have the numbers above + (3) so press F7 and then enter the numebrs above + ie ( 74 2A 6A FF 6A 10 68 9D ) AND and press enter + then you will land at the first match it found + you + (4) should press F2 to get the ASM code of the above string + (5) then press F3 to edit it + (6) You will get a box that will show you a je and a address you just need to change the + je to JNZ then press enter + (7) now press F9 to update + (8) and Press F10 to quit + now restart Hiew and do each step over again + The first one is the Save function and if you do it again you will be in the Save As function + And if you do it a third time you will be in the Save Vectors functioin(not talk about because you + must have a scanner to use it) but go ahead and crack it to .. 
+ Well that is it after all that you will have a fully working program that will work forever + Now if you wish to get rid of the DEMO screens that you see when you start the program + and in the About Box you can continue to Part 3 of the Crack (Must have Borland Resource WorkShop) + +Part 3 Removing the Demo Screens + + Start BRW and locate the Bitmaps that represent the Demo Messages + 239 <--- About Box BitMap + 240 <---- Start up BitMap + Now lets find the ones for the Full version + 102 <--- Startup BitMap + 159 <--- About Box BitMap + Now all you have to do is Delete 239 and 240 + then select 102 and then make a Duplicate of it (Right Click of the mouse and you will see Duplicate) + then do the same for 159 after you have done this it will rename them to something like + BitMap1 and BitMap 2 well rename the copy of 102 to 240 and the copy of 159 to 239 and that is + it you now will see the Full Version srceens when you run your program . Although this is not + Needed for the Crack to work this is just another thing you can do to remove the DEMO + nags But seeing how if you like the Program you are going to Buy it (RIGHT) you reall need not + do this part ;-) + +Part 4 Yeah i Know i said 3 parts but read on + Well if you wish to make a crack that you can distribute to others then you can get + a program like gpatch or write your onw in your favorite language to do all of the + above changes .... Well that is it for this Tutorial + + I Hope that you have learned something from this tutorial and i hope i have helped you to + better understand how this type of protection works. And remember this is a Shareware + program and if you intend to use it then Buy It after all they were nice enough to give us + the demo so we could Crack and Evaluate it so cintribute to them and give them the money + they ask for it is only fair........... 
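Review bot: changing JZ 00455B16 to JNZ at 0137:00455AEA (and the same edit at 00455BCA and the Save Vectors site) inverts the check instead of removing it: CMP DWORD PTR [EAX+000000C4],00 followed by JZ takes the save path when the flag is zero, which the listing itself labels the full version, so after the patch a copy whose flag is zero gets the nag. The branch is encoded as 74 2A (the first two bytes of the search string 74 2A 6A FF 6A 10 68 9D), so an unconditional short jump EB 2A is the same length, reaches the same target and keeps both states on the save dialog; in Hiew that is entering "jmp 00455B16" instead of "jnz", and the rest of the search and patch steps stay as written. Two smaller points in the listings: "MOV EAX,[EAX+4] <--- set demo flag" loads the object pointer that the next CMP dereferences, it does not set anything; and in the Save As listing 0137:00455BDE PUSH 10 sits between 00455BCC and 00455BD0 and should read 00455BCE.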
_CbD_ [ME/C4N'97] + + I want to take a few lines here to say thanks to a few ppl So thanks go to : + nIabI of [ME/C4N'97] for gpatch and all your help + Scorpoin of [ME/C4N'97] for the info on Hiew + mornings on #cracking4Newbies for testing my tuts + and anyone i forgot :-) Thanks all ............. + + + + diff --git a/textfiles.com/piracy/CRACKING/cbd-tut04.txt b/textfiles.com/piracy/CRACKING/cbd-tut04.txt new file mode 100644 index 00000000..dc707ed0 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/cbd-tut04.txt @@ -0,0 +1,204 @@ + CbD's Tutorial #4 + Alternitive to Serial # Locating + Target : Business Cards 32 v 4.18 + Level: New to Intermediate + +Motive of Crack: + Well we all know that sometimes we cant seem to find the right serail number + when we are cracking a program, So this crack is to help you to better understand + that there are other ways to register even if you cant find that " GooD " number + I will show you that you can simply make the program take any number as a + "GooD" one. This type of crack can be hard in some cases but for this example + I have choosen a fairly simple program for us to use. If you have read my other + Tutorials you should know that I crack in steps to help each of you new crackers + to follow along and hopefully not get lost :-). + +About the Crack: + This crack will have 3 main Parts to it each of them having there own steps for + you to follow. I hope i have made it easy for you and if for some reason you + have trouble with it please feel free to join us on EFNET in #cracking4Newbies + and ask for help. Please note that we dont mind helping the newest of the + Cracking world to better their skills as this is what we are here for. + + +The Target: Business Cards 32 v4.18 +Get it 
From: http://www.midstream.com +Protection Type: Serial Number Registration with a 30day time limit +Requested by: None +Tools Needed: SoftIce, Hiew(or other Hex Editor) + +The Crack + +Part #1 + Ok lets get the crack started, so go and get the prorgram from midstream + and install it. Got it installed yet? well do it.... + +Step 1 + Well let start this crack by looking at our little program, So load Bcards + and then you will see the nag screen telling us that we are not a registered user + (Not Yet anyway) and that you have 30 days to try the program. Well click and get rid + of the nag and then click [HELP] [REGISTER] you will get the little box for you to + put in your info. Well put the Name in you want then the company (if you want) and + then the serial number. + +Step 2 + Now if we wanted to find the "GooD" serial number we would have to use softice + to find the location that the "GooD" number get compared to ours, But we dont + care what the number should be cause we are going to make the program + take our bogus number ( And Like It ) and then give us a registered user status. + But for us to do this we have to still use Softice so we can find where the program + checks for a valid number then make it think any number is a good one + so lets get in SoftIce and start the work. Do this Ctrl-D this put you in SI + now we need to break when the programs reads our Serial number so + we will set a BP(BreakPoint) on GetDlgItemTextA (I have already found the right + function for you) so do this BPX GETDLGITEMTEXTA and press enter + now we have the only break point we need for this crack. So get out of SI with + Ctrl-D. + +Step 3 + Now you should be back in Bcards at the registration screen, so press enter + and you will land back in SI at the GetDlgItemTextA function that was called + by our program. 
Well this is not where we need to be, because our program + has three different textboxes to read the data from (1) Name (2) company + (3) serial number, and the one we want is the serail number one. So + lets press F11 to return to the place the function was called then press F5 + and let the program continue to run, we will break again at the GetDlgItemTextA + function, this is where the program gets our company info, this to is not what we + want so Press F11 to return and then F5, now we break at the function once more + so we Press F11 to get to where the function was called from. This is where we + will start to do the real cracking of the program. + +Step 4 + Now that we are in the part of the code that will be checking our serial number + and deciding if we are a (GooD Guy) or a (Bad Cracker) we will need to do some single + stepping to see what happens here. So Press F10 and watch the lines of code as they + pass. We will want to stop on the code below. + +Your addresses may differ but the code it's self should look the same + +:00412C3A ADD ESP,04 +:00412C3D CMP BX,AX [STOP HERE] <---- compares part of our serial # with parts of the good one +:00412C40 JNZ 00412C7E <---- if all is good then go ahead and if not the jump +:00412C42 LEA EAX, [EBP-0C] so this is one of our points we need to make a change to + + + Ok we will need to change the JNZ (Jump if Not Zero) to JZ (Jump if Zero) and in doing this + if we were to enter a valid serial number the program would not allow it to register as it + will then think that it is a Bad number. So lets make a note of the the address we + will need to change and also you should do a D xxxx:00412C40 and then write down + the value from the data window for later use. 
Or if you just want to crack your program + and not make a general crack to distribute you can make the change in SI like this + +A xxxx:00412C40 [ENTER] <----- Press the Enter Key +xxxx:00412C40 JZ 00412C7E [ENTER] [ENTER] <---- Press Enter Twice + (Note the xxxx is the starting value for the address as you see it on your system mine is 0137) + + now this will not modify your program on the disk only what is running in the system memory + after you close the program the changes you made will be gone, but if you do all the right + steps the program will still be registered. + +Step 5 + Ok that was one of the 3 changes that will need to be made becasue if you scroll down with the + Ctrl-downarrow you will see the following code after you locate it Press F10 till you get to the + CMP then if you wish you can make your changes. + +:00412C62 ADD ESP,04 +:00412C65 CMP SI,AX [STOP HERE] <---- compares part of our serial # with parts of the good one +:00412C68 JNZ 00412C7E <---- Notice that the jump is to the same address as before +:00412C6A LEA EAX, [EBP-0C] so we will need to do the same as we did above + + do a D xxxx:00412C68 the write down the value from the data window for this one + and again if you want to you can make the change from right here in softice + +A xxxx:00412C68 [ENTER] <----- Press the Enter Key +xxxx:00412C68 JZ 00412C7E [ENTER] [ENTER] <---- Press Enter Twice + + now that is the second change now we have one more then the crack will be done + +Step 6 + Now F10 just a few lines and you will see this code below + +:00412C62 ADD ESP,04 +:00412C65 CMP EAX, [EBP-0098] [STOP HERE] +:00412C68 JZ 00412C91 <--- Jump if all the code is good +:00412C6A LEA EAX, [EBP-0C] + + Remeber to do a D xxxx:00412C68 and write down the values. 
+ Now here we will need to change the JZ to a JNZ and once we have done this we can disable our + breakpoints and hit F5 or Ctrl-D and let the program continue and as we pop back to the program we + will see that we are now a registered owner of this program ....... + + + Ok we ahve now Cracked this program and if we want to we can make a general crack + so everyone can crack there copy. to do this just follow the steps below + +Part 2 + +Step 1 + Ok remember the values I told you to write down ? did you ? well if not i have provided them below + +First one was + xxxx:00412C40 75 3C 8D 45 F4 50 E8 59 + ^ ^ ^ ^ ^ ^ ^ ^ <--- Values you will need + +Second one + xxxx:00412C68 75 14 8D 45 F4 50 E8 31 + ^ ^ ^ ^ ^ ^ ^ ^ <--- Values you will need + +Third one + xxxx:00412C7C 75 13 8D 45 F4 50 E8 1D + ^ ^ ^ ^ ^ ^ ^ ^ <--- Values you will need + + The following instructions are for users of HIEW only if you are using a different + Hex editor then you will need to find the commands that do the same procedures + + ok Start Hiew by editing the bcards.exe file (Make a backup first) + then do the following + + 1) when hiew starts press the F4 key to get Hex view + 2)press F7 to search + 3) enter the first string from above(only the ones marked) + 4)press F2 to get the Code view + 5)press F3 to edit the code + 6)press F2 for ASM mode + 7)change the JNZ to a JZ + (This may show as a JE or a JNE depending on the step you are in 1,2 or 3) + 8)press F9 to update + 9)Press F10 to exit + + now do the same for each of the three strings, you will need to restart Hiew each time + to insure that you are able to get the proper search result + (Note for the last on make sure you change the JZ to a JNZ) + after you are done with all three you can then exite Hiew and continue to part 3 + +Part 3 + + Makeing a Patch with Gpatch + + ok remember I told you to make a back up copy of your file before you used HIEW + well you should name it like this Bcards32.bak and the one you edited should be + 
Bcards32.exe (note you should read the Doc that comes with gpatch to full understand + how to use it) if you want you can make a txt file named gpatch.txt and put any nfo + about your patch you want. now run gpatch like this gpatch bcards32.exe + it will make you a patch and name it patch.com you can now rename it to whatever you + like and distribute it . well thats it for this tut. + + I hope this Tutorial has been helpful and showed you another way to crack + those serial number protections. Well even if you cant seem to make the crack work + (Dont see why you couldn't) i have included the crack with the tutorial. + +Enjoy and Happy Cracking......... _CbD_ ME/C4N'97 + + EFNET #Cracking4Newbies stop by and see us sometime.... + + + + + + + + + + + + diff --git a/textfiles.com/piracy/CRACKING/cbd-tut05.txt b/textfiles.com/piracy/CRACKING/cbd-tut05.txt new file mode 100644 index 00000000..830decb8 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/cbd-tut05.txt 
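Review bot: Step 6 and Part 2 disagree about the third patch site, and a reader who follows Step 6 will patch the wrong instruction. Step 6 repeats Step 5's addresses (00412C62, 00412C65, 00412C68) and shows JZ 00412C91, but Part 2 places the third byte string at xxxx:00412C7C and it begins 75 13, which is a JNZ with an 8-bit displacement of 0x13 from 00412C7E, i.e. JNZ 00412C91; consistently, the two earlier branches 75 3C at 00412C40 and 75 14 at 00412C68 both land on 00412C7E, immediately after it. So the third instruction is a JNZ at 00412C7C, the Step 6 listing should carry that address and mnemonic, and the D xxxx:00412C68 reminder under Step 6 points at the second site rather than the third. The Hiew note "for the last one make sure you change the JZ to a JNZ" then contradicts the bytes it tells the reader to search for, which already encode a JNZ (75); either the Part 2 string or the Step 6 listing is wrong, and the text needs to state the byte Hiew should end up with at 00412C7C.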
@@ -0,0 +1,117 @@ + General Cracking Tutorial by _CbD_ + + Well as many ppl have asked me for help i am compiling all these question and tring to answer them + here, so if you have question that i dont explain please feel free to ask me if you see me and i will + do my best to help you.... + + +Q) Where do i start when Cracking a VB program ? + +A) Well first i strongly recommend getting a tut on VB programs, I ahve wrote 2 on the subject and razzia(Real Kewl guy) has wrote a few. + + but if you just cant seem to do this i will tell you the basics. + First you will not be abel to use the BP's (Break Points) that you use with non VB apps as they wont + werk ie.( Getdlgitemtexta or Getwindowtexta) you will have to use Hmemcpy. Dont set the BP until + you have entered the info that you need such as name and serail # or you will break on every single + letter or number, Also when you use this you will land in the Kerenel and will have to press F11 + to get back to the section of the VB.dll that called Hmemcpy. then do some single stepping and + alot of register checking to see what you program is doing with the data you used. Also use + W32Dasm on your vb program to see what calls it makes to the vb.dll such as RegQueryValue(for + checking a registry value) and so on. and oh yeah Good Luck........ + + +Q) How do i use SoftIce ? + +A) Read the Docs or Wiat till our SI tut's are out :-) + + +Q) SoftIce messed my Video Up what can i do ? + +A) try setting the proper Video Card in the Setup of SI. if your card is not listed get the Driver Updates. + +Q) How do i use the Loader in Si + +A) I dont use it anyone want to answer this question... 
:-( + +Q) The prrgram i am tring to crack has expired and wont let me enter a number anymore what do i do + +A) Well look in the system registry under Currnet_User & Local_Machine and see if there are any entries for + for the program you are useing and delete them then reinstall (Make sure you delete all files that were + installed the first time... also use a registry logger such as cleansweep to monitor the files that your + program puts on the drive... + +Q) I jsut cracked this program, or i thought i did It said thatnk you for registering and was the registered version + while i was using it, but when i restart it it still says unregistered, How can i fix it.... + +A) Well what you did was most likely change a jmp here and there and make the program take you invalid code + as a real one but the program wrote your code to the registry or a ini file then when you restarted it , the + program read the number or key and it was a invalid one, so you must find where the program looks + for a registry entry (RegQueryValueEx(A) or a GetPrivateProfile(A)) and force the program to validate any + key that it sees. this can be a very difficult process so be prepared for a lot of hell on this one. + but the best idea is to use W32dasm to disasemble the taget then look in the import functions + to find the fuctions above, then trace each one of them ( will be many) then after you trace the code + and find the right one it will most likely be a matter of changing a jnz to a jz or somthing siple like that + if you still cant do it seek help from a wise cracker (NOT a SMART ASS though) Wise as in smart :-) + +Q) What is a good staring place for Fuction Disabled Protections? + +A) Well MessageBox(A) or Dialogbox(A) is a very good starting place as these are most offetn used + to call the little box you see when you try to use a fuction that is disable ie. 
(Nope cant do it it is a demo + version) or in W32dasm look in the String Reference's for something like + Fuction Not Availible in Demo or Command not Availible or even Can Not Save in Shareware Demo + these are good pointers to the calls that you want to bypass. for more info on this get + my tutorial on WinScan (Fuction Disabled Protections) .. + +Q) What is the best programs to crack? (easy) + +A) Well they are generaly programs by (a) single proramers or (b) very large corperations or even (c) Specailty + software reasons below + + (a) He cant afford to buy the registration routines that would make it hard for us to crack + so he uses hardcoded Numbers in the protection + (b) They have so damn many programmers and most are so stupid they use simple + protections thinking that hmm nobaody will crack our software we are MicroSoft ;-) + (c) They use Fuction Disabled protections cause they are lazy and dont want to write + 2 differnt versions of thier super specail program + +Q)How long does it take to crack a program ? + +A) hmm 10 min, 1hour, 1day, 1 week, 1month, hmm forever .... Depends on the protection + +Q) What is Softice? + +A) A debugging system + +Q) What is debugging + +A) Go bother someone else i dont have time for you :-| + +Q) What is W32dasm? + +A) a windows disasembler that will give you the assembly language code of a program. + +Q) Waht is Assemly Language? + +A) Goto #asm on any IRC network and ask them ;-) ( it is the machine level code that your computer uses + to carry out instructions from a program. +Q) I want to learn Cracking How can i do it + +A) well it is not like you can just learn to crack you have to read read read read and yet read more then you + will need to learn assembly and then get the right tools for the job (Softice, W32dasm, a Hexeditor and + a few other advanced tools) it is like sex anyone can do it but only a few of us will ever master it + and satisfy all parties envoled :-) + +Q) Who is +ORC ? 
+ +A) well lets see a fairly good cracker that has ben doing it for awhile(so he says) and has lots of info on the subject, He does however have a very piss poor attitude if you ask me and most think he is a god but i think he +is like any other cracker who has wrote a few good tut's and give a fwe good lessons.. DONT IDEALIZE HIM +he is only human...... + + +Well that will do it for now hope it helps and if it dont then oh well i tried so till next time Happy Cracking + + _CbD_ MexElite'97 ME/C4N'97 + #Cracking4Newbies on EFNET Come see us........... + + + diff --git a/textfiles.com/piracy/CRACKING/cbd-tut06.txt b/textfiles.com/piracy/CRACKING/cbd-tut06.txt new file mode 100644 index 00000000..c570bf4a --- /dev/null +++ b/textfiles.com/piracy/CRACKING/cbd-tut06.txt 
@@ -0,0 +1,190 @@ + _CbD_ Tutorial #6 + Modifying dll's to + give real reg codes + Target:VoxPhone + + +Pre Crack notes: + + Ok how many of you have wanted to crack a program and + have it give you the real registration code instead of + the Sorry you entered a invalid Code message? Hmm + thought so everyone. ok well that is what this tut is + all about. This will show you one of many ways to do this + the program we will be werking with uses a dll to check + our reg number so this will also give you a little info + on cracking dll's. + + +About the Tut. + +Target: Vox Phone +where to get it: www.voxware.com +protection type: user ID number / key number +tools needed: Softice, W32dasm, Heiw (Hexeditor) +Tut requested by: JosephCo & nIabI +Crack requested by: DarkNight + + + Well if you have ever read any of my tut's then you are + aware of my style of cracking, Step by Step is the + nest way for newbies to follow IMHO so that is how this + tut will flow. + +Pre Crack notes + You will need to run the program while you are on the net + then disconect so you can use the BreakPoint we will need + if you try to do this online you will break every time + your system gets info from your ISP but the program will + not start if you are not online so make sure your online + when you start then log off. Also you will have to click + on [help] register then fill out the form and tell the + you are going to send your registration in by mail + then you will be able to enter a registration number + after that. + +Step 1: + + ok lets start by setting the Break Points we will need in Softice + the one we will use first is GETDLGITEMTEXTA so set that in si + (BPX GETDLGITEMTEXTA)then press ctrl-d to return to our + program. Now lets go back to [help] and register and you + will see the box asking for a regcode. enter anything you want + as long as it fills the box or is atleast 10 digits long + and then press unlock. 
+ +Step 2: + you should be in Softice now at the point that our program + called the getdlgitemtexta function. press F11 to get back to + the code that called this. you should see something like the + code below + + 0137:00691ESC CALL [USER32!GetDlgItemTextA] <-- Call to get + 0137:00691B92 MOV ECX,PFFFFFFF our unlock code + 0137:00691E97 SUB EAX,EAX + 0137:00691E99 REPNZ SCASB + 0137:00691E9B NOT ECX + 0137:00691E9D DEC ECX + 0137:00691E9E CMP ECX,OA <-- Check to see if code is 10 digits + 0137:00691EA1 JZ 00691EE3 <-- Jump if is + 0137:00691EA3 LEA EAX,[ESP+74] <-- set msg for invalid code + 0137:00691EA7 PUSH 006AC444 + 0137:00691EAC PUSH EAX <-- save msg + 0137:00691BAD CALL 006A0370 + 0137:00691EB2 LEA EAX,[ESP+7C] + 0137:00691EB6 ADD ESP,OS + 0137:00691EB9 PUSH 30 + + ok as you can see here the program checks to see if we entered + a code that is 10 digits long and if we did then it will jump + to the code below if not then it displays a invalid code msg + + 0137;00691EE2 RET + 0137:00691EE3 MOV EDI ,006B3ADO <-- we land here if code is 10 + 0137:00691EB8 MOV ECX ,FPFFFFFF + 0137:00691EED SUB EAX ,SAX + + ok now you will have to press F10 to single step though the code + till you come to the code below. + + + 0137 :00691F1E CALL 006936EO <-- Generate real code here + 0137 :00691F23 LEA ECX,ESP+4C) <-- if we do a ED ESP+4c here we get + 0137 :00691F27 ADD ESP,OC the real code + 0137 :00691F2A PUSH 006B84BO + 0137 :00691F2P PUSH ECX <-- Save real code + 0137 :00691230 CALL 006AA980 <-- call to compare our code with + 0137 :00691F35 ADD ESP,OB real code. + + I have skiped some code here just scroll down and + you will see this. 
+ + 0137:00691F3A MOV EAX,[006B78B4] + 0137:00691F3F JNZ 00691F53 <-- jump if code is invalid + 0137:00691F41 MOV WORD PTR [EAX+04],0001 + 0137:00691F47 XOR EAX,EAX + 0137:00691F49 POP EDI + 0137;00691F4A POP ESI + 0137:00691F4B POP EBX + 0137:00691F4C ADD ESP,00000130 + 0137:00691F52 RET + 0137:00691F53 LEA ECX,[ESP+74] <-- set up for invalid code msg + 0137:00691F57 PUSH 006AC444 + 0137:00691F5C MOV WORD PTR [EAX+04,0000 + 0137:00691F62 PUSH ECX + 0137:00691P63 CALL 006A0370 + 0137:00691F68 LEA ECX,[ESP+7C] (this may not be 7C as i cant remeber + i had changed it before i wrote + down the code) This is where we + will make our change inorder to + get our real number. + + + Ok damn that is a lot of code. well what is happening here is + our program (the Rsagnt32.dll is getting ready to give us + that damn " Sorry you fucked up message" the program + copies the strings we will see in the messagebox right here + to ECX then will push ECX in a few lines down but we dont want + it to push the message we want it to push our real code, dont + we. So we will need to make a few changes here. rememeber where i + siad our real code was? + +:00691F23 LEA ECX,ESP+4C) <-- if we do a ED ESP+4c here we get +:00691F27 ADD ESP,OC the real code + + well do you think you see what needs to be done? + yeah change the esp+7c to esp+4c right? Nope that want work. + If you do that you will only get the last 5 letters of the code + because the code starts before 4c do we need to do a ED esp+4c + and see what we get. hmm well what we want to see is our code + start on the first line of the data window like below + +:009BEBD4 49505848 544E4A54 00005443 00000004 HXPITJNTCT.. . +:009BEEE4 00000000 00000000 02EF005C 02EF0004 +:009BEEF4 034P3AAO 02EF7E3B 7P1R0500 18078394 0.> .....0.... +:009BEF04 00004389 00000000 382780D4 40000000 C........'8...0 + + now to do this we will have to play with ESP so to save you time + i have found that ESP+48 will do the trick. 
+ so what we will need to do is change LEA ECX,[ESP+7C] to + LEA ECX,[ESP+48] this will yield us a real code every time + in the place of that damn "Sorry you Fucked up message" + so now you can do one of 2 things (1) restart the registraion + process and when you get to the line with LEA ECX,[ESP+7C] on it + do a ED xxxx:00691F68 then write down what you see in the data + window so you can change it or i will give you the info + you willl need when you run your hexeditor + + you will need 8D4C247C83C408 do a search for that in your + hexeditor (use Hiew it is the best) and replace the 7C with 48 + and then save your file (make a back up before you do this though) + now when you run the program you will get a message that tell you + that a dll is corupted go on to the next step to fix that + +step 3: + in the Main program file tx32.exe do the following: + ok in hiew search for 85C0752C50 then edit it in code mode + and change the jnz to jz or visa versa then there is one more + search for 85C0752E33FF and change its jnz to jz or visa versa + i cant remember if they are jnz or jz but what ever it is change + to the opisite. or you can do a BPX MESSAGEBOXA and find the + jumps on your own. (Hint addresses are :0041CD27 & :0041D267) + well that is about it after you make the changes you can run the + program and get you real number from it then register it. + Sorry if this is not as clear as most of my tut's but i only wrote + down the code that i needed while i was cracking and make notes + about the rest so if you have any trouble just find me on EFNET + in #cracking4newbies and i will be glad to explain. + + Oh yeah you cant unregister the program after you register it + so make sure you get a good understanding of how it all werks + before you regiters the program. + + + Hope this Helps you to better understand Dll cracking and + makeing a msg box show you the real reg codes for your + program. 
_CbD_ + + Greetz to : + josephCo, nIabI, Mornings, ^pain^, drlan, mp, razzi and + all the rest of #Cracking4newbies diff --git a/textfiles.com/piracy/CRACKING/cdwizzard.txt b/textfiles.com/piracy/CRACKING/cdwizzard.txt new file mode 100644 index 00000000..b0a1a061 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/cdwizzard.txt 
@@ -0,0 +1,234 @@ +Tutorial Crack! 8th/07/97 +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Program: CD Wizzard +Version: 4.30 +URL: http://www.bfmsoft.com +Cracker: Niabi [Me'97/C4N] +Level: Beginner but written for Intermediate +Tools: SoftICE, W32Dasm, a Hex Editor. +Protection Type: Serial +Encrypted/DLL: No +Method: getdlgitemtexta + + +1st of all we do a BPX on GetWindoWtextA to see if we can get a break +if we don't get one then we try GetDlgItemTextA. +(If you want to know more of the API's get Win32.hlp (12 mgs) +or get our common api reference for crackers (2k) :-]) ) + +You should now in SoftIce. +We hit F12 a couple times till we get to the wizzard code part. +Now inside the wizzard code part whe start Tracing (hit f10). +We try and read and understand what the registers are doing. + +Try a D xxxxx from time to time also try ? xxxxxxx too. +(? in SICE Shows the REAL value of a reg at that time) + + +Ok after a while of tracing we come to a part of the code like this : + +XXXX:0041441C CALL 004151CD ; CALL CHECKING ROUTINE +XXXX:00414412 ADD ESP,0C +XXXX:00414424 TEST EAX,EAX ; IS PASSWORD OK ? +XXXX:00414426 JZ 00414444 ; NO THEN JUMP TO NOT_REGGED +XXXX:00414428 PUSH 40 ; ELSE CONTINUE GOOD BUYER +SOME_MORE CODE... + +NOT_REGGED: +XXXX:0041444 XOR EAX,EAX ; Make EAX ZERO +XXXX:0041446 PUSH NAG_YOU ; PUSH NAG SCREEN NOT REGGED + +Some ways to Crack this: + +The first one is to just change jz 00414444 to jnz 00414444. +(in an Hexeditor, more on this later) + +This will not jump to NOT_REGGED so the code is "Anything u type" +But it will if the code is the original, the program thinks that the good +code is now bad. +(Not really a good Patch) + +A second and better option is a lame one though. +Remove the test eax,eax, by changing them to nop's. 
+Since test eax,eax uses 2 bytes and nop's only 1 +you have to add 2 nops to it so it will read like this : + +XXXX:00414424 NOP +XXXX:00414425 NOP +XXXX:00414426 JZ 00414444 + + ^^^^^^^^ +(N.B. Check out the size here) + +This will cause it to not jump since it never really checked the Password. +This will register the program with good or bad Serials. + +Ok the third option is better it is : +Remove the test eax,eax and replace +with inc eax and a nop so it will read like this : + +XXXX:00414424 INC EAX +XXXX:00414425 NOP +XXXX:00414426 JZ 00414444 + +This will also cause the program to register with any password cause it does not check it either it just assume that the password is right everytime (it set's the flag to 1). + +Ok so now we need to hexedit it. + +We enter any hexeditor (hiew, Hexworkshop or any good one) we see what the bytes need to be chenged like this +D XXXX (where XXXX is the segment or reg you want to see) + +you will see something like this in the data window + +XXXX:XXXXXXX 9E CA 0F 00 65 04 70-16 00 00 5C 0A 65 04 70 00 + +Ok so starting from 9E to the "-" is what we need to seach in the Hexeditor, but how do i know what to change them to ? +good question, ok to find out what to change them to 1st change do a +D XXXXX inside Sice you will see something like the above +numbers. +Write them down on a piece of paper ( what ? u to lazy to do it?) the change them inside Softice like this +A XXXX:XXXXXXXX u will get something like this + +XXXX:XXXXXXXXX <== u type here what u whant to change +like let's say you want to change JZ 0414444 to JNZ 00414444 you would : +1.- D 00414426 +we see the code whe write it down +2.- A 00414426 +XXXX:00414426 jnz 00414444 <= we type this in sice + +When we hit enter another line follows just hit enter again to get out of the assembly mode, now do a d 00414426 +and you will see that the code has changed. +Now write down the new one. 
Now you have the old (what we searched for) +and the new ( what we change it to), so now in the hexeditor, +search for the old one and when we find it we change it to the new one +(beware that you need to search in hex and not in ascii). + +Run the program register it and Boom! its yours. Thankyou very much. + +Exit... and restart +shit what is this !! nag screen again ! it is not registered !! wtf !, k so we now know that the program does 2 checks one at input and one at the begining. + +This is the output that i get from w32dasm (Great tool BTW) +I commented it a little. + +* Possible StringData Ref from Data Obj ->"Password" <-- this is where my password resides ? + | +:00401BD6 68D4364300 push 004336D4 +:00401BDB 56 push esi +:00401BDC 889A18BD4300 mov [edx+0043BD18], bl +* Reference To: KERNEL32.GetPrivateProfileIntA, Ord:010Ch + | +:00401BE2 FF1570464400 Call dword ptr [00444670] +:00401BE8 50 push eax +:00401BE9 66A3D0A84300 mov [0043A8D0], ax +:00401BEF FF750C push [ebp+0C] +:00401BF2 68C0B34300 push 0043B3C0 + ; push my name to the stack +:00401BF7 E8D1350100 call 004151CD ;call REAL password checking routine +:00401BFC 83C40C add esp, 0000000C +:00401BFF 85C0 test eax, eax ; Was the password correct ? +:00401C01 0F84A2000000 je 00401CA9 + ; no then bug off bad cracker ! +:00401C07 68C0B34300 push 0043B3C0 + ; push my name again +:00401C0C 895D14 mov [ebp+14], ebx + +* Referenced by a CALL at Addresses: +|:00401BF7 ; Real Password Checking routine + +:004151CD 837C240808 cmp [esp + 08], 00000008 + ; is the paswword 8 charaters long ? 
+:004151D2 7D03 jge 004151D7 ; yes then go on +:004151D4 33C0 xor eax, eax ; no then bug off with Z flag +:004151D6 C3 ret + +* Referenced by a (U)nconditional or (C)onditional Jump at Address: +|:004151D2(C) +| +:004151D7 FF742408 push [esp + 08] +:004151DB FF742408 push [esp + 08] +:004151DF E8B3FFFFFF call 00415197 +:004151E4 6BC00B imul eax, eax, 0000000B ; mutiply eax by 0bh <-- sounds to me like a keygen +:004151E7 59 pop ecx +:004151E8 0FB7C0 movzx word ptr eax, eax +:004151EB 59 pop ecx +:004151EC 6A07 push 00000007 +:004151EE 99 cdq +:004151EF 59 pop ecx +:004151F0 F7F9 idiv ecx +:004151F2 33C9 xor ecx, ecx +:004151F4 663944240C cmp [esp + 0C], ax +:004151F9 0F94C1 sete al +:004151FC 8BC1 mov eax, ecx +:004151FE C3 ret + +ok when we restarted CD wizzrd whe got the not regged about box, so ok then whe set a new BPX in Si to point at +GetPrivateProfileIntA or Getprivateprofilestringa (the 1st one works better in CD wizzard), +ok if we set a bpx on it whe will land in some others whe try and understand wich them are they we do a trace and +read and understand what the program is doing do a D xxxx once in a while... ok after some breaks on +GetprivatePrifeliIntA whe will soon land in here : + +00401BE2 FF1570464400 Call dword ptr [00444670] +:00401BE8 50 push eax +:00401BE9 66A3D0A84300 mov [0043A8D0], ax +:00401BEF FF750C push [ebp+0C] +:00401BF2 68C0B34300 push 0043B3C0 ; push my name to the stack +:00401BF7 E8D1350100 call 004151CD ; call REAL password checking routine +:00401BFC 83C40C add esp, 0000000C +:00401BFF 85C0 test eax, eax ; Was the password correct ? +:00401C01 0F84A2000000 je 00401CA9 ; no then bug off bad cracker ! +:00401C07 68C0B34300 push 0043B3C0 ; push my name again +:00401C0C 895D14 mov [ebp+14], ebx + +we can go futher inside the calls, how do i go futher u ask, ok is easy just see what the call is heading to and set a bpx on it +like lets say CALL 004151CD if we want to go futher we do a BPX 004151CD ( easy eh?) 
+ok if we go inside the call we will see this : + +:004151CD 837C240808 cmp [esp + 08], 00000008 ; is the paswword 8 charaters long ? +:004151D2 7D03 jge 004151D7 ; yes then go on +:004151D4 33C0 xor eax, eax ; no then bug off with Z flag +:004151D6 C3 ret + +Right here i can crack it because if you check the line in 00401BFF u can see it tests eax to check if it's 0. If it's 0 then bug +off bad cracker happens but if it's not 0 then go on nice buyer, so we can do this: + +:004151CD 837C240808 cmp [esp + 08], 00000008 ; is the paswword 8 charaters long ? +:004151D2 90 NOP ; I don't care if it's 8 +:004151D3 40 INC EAX ; Increment EAX by 1 +:004151D4 48 DEC EAX ; Decrement EAX by 1 +004151D5 40 INC EAX ; Increment EAX by 1 +:004151D6 C3 ret ; Return With REGGED Flag SET + +so what we did there it was some flag changing we don't even go futher inside the check we just make the program +assume that it did and that the password was a good one. since EAX was 0 when we got into the call we 1st did a nop +because if we had done an INC EAX or a DEC EAX we would have found out that it would work ;). + +This is the second part of the crack or we can go for another. One less byte changing than this one ( you whant to change +the fewer bytes u can). + +ok, after the RET from the real password check is done whe land exactly here : + +:00401BFF 85C0 test eax, eax ; Was the password correct ? +:00401C01 0F84A2000000 je 00401CA9 ; no then bug off bad cracker ! + +what whe do here is really easy u maybe know it by now. + +:00401BFF 90 nop +:00401C00 40 inc eax ; set flag to 1 <== good password +:00401C01 0F84A2000000 je 00401CA9 + +easy eh? 
so we did it we completely cracked CD wizard the last part is doing the hex editing which u have to know by now +if ya read my first part ;) i will give the exact bytes to change: + +741C6A40C705B8BC change it to 40906A40C705B8BC <== Reg Check +85C00F84A2000000 change it to 40900F84A2000000 <== nag removed + +if we do the last crack by itself u will find out that doing the reg check crack is useless see for yourself, + if you do only the second crack (a.k.a nag removed) u will find out that is regged and fully working. + + +ok i hope u enjoyed this tutorial i know it is hard to understand in some parts but u can figure it out +till nex time. + nIabI [C4N/ME'97] + + diff --git a/textfiles.com/piracy/CRACKING/ch2-doc b/textfiles.com/piracy/CRACKING/ch2-doc new file mode 100644 index 00000000..3b07677f --- /dev/null +++ b/textfiles.com/piracy/CRACKING/ch2-doc 
@@ -0,0 +1,422 @@ + +----------------------------------------------------------------------+ + | ###### ## ## ###### ####### ###### ###### | + | ## ## ## ## ## ## ## ## ## ## ## ## | + | ## ######## #### #### ## ## ## ## ## | + | ## ## ## ## ### ## ## ## ## ## ## | + | ###### ## ## ######## ####### ###### ###### | + +----------------------------------------------------------------------+ + | CrackerHack Version 2.0 (c) 1992 - No Means No. Released 12/1/1992. | + | Crackerhack is a very fast custom increment password cracker | + | Utilities included with CH2 are: CH, SETCH, TIMECH, SPLITCH, & NETCH | + | This documentation file describes the Crackerhack Version2 utilities | + | in full detail along with examples & instructions on how to use them | + +----------------------------------------------------------------------+ + | -> First increment password cracker ever released (ever written?) <- | + +----------------------------------------------------------------------+ + + +Disclaimer: + I, No Means No, nor any persons involved with the production, construction, +instruction, publication, distribution, implementation or observation of +CrackerHack Version 2.0 assume no responsibility over persons involved with +using, abusing or choosing of CrackerHack Version 2.0, nor do we promote or +condone it. People can make up thier own minds, it is up to the individual. + + +Overview: + This is a program, like any other, that can be used for a variety of +purposes, educational, security, and yes, even cracking *gasp!*. However, it +was intended to shed light on increment password cracking and prove that it is +indeed very possible. + I began writing Crackerhack sometime during the summer of 1992, however it +was put aside several times so I could work on other projects. I completed +version 1 of Crackerhack sometime in late september of 1992 and was due to be +released to the public on 10/1/92, but it never happened. 
Instead, after +discovering a few bugs and alot of compatability problems, I decided to just +make CrackerHack Version 2 and have that be the first release to the public. +Only CH, SETCH, and TIMECH were planned for CH1, I added SPLITCH and NETCH in +CH2 as well as writing much more reliable and compatable source code for CH, +SETCH and TIMECH. The documentation was also greatly extended to further +discussion on the included utilities. The original release for CH2 was planned +for 11/1/92 but due to it being submitted to 2600, I have extended the release +date to 12/1/92. + Crackerhack was my second Unix C program to start. A version 3 of +Crackerhack could be very possible, it all depends on what I would like to add +to it. If CH2 has any errors that I do not yet know about, or if there are +any systems on which it will not compile or run correctly, please let me know. +If I discover that there were any problems that I have missed, or if I decide +to add extra features, then there WILL be a CH3. My internet mail address +will be included at the end of this documentation file. + The documentation you are about to read will be fairly detailed and I will +attempt to make things easy to understand, even if you have never used a +program like this before (I have never used a password cracker other than this +one). I also strongly suggest you PRINT these documentations up on PAPER, it +would be annoying to have to come back and scan through this file each time +you want instructions, information, or help using a Crackerhack utility. So +print these if you havn't already. + + +Explination: + To clear some things up, no password cracker can really be called a password +cracker unless it actually CRACKS the encryption. This program is similar to +other password crackers in the way it compares encryptions, but ONLY in that +respect. 
It crypts the "guessed word" and compares the encryption of the +"guessed word" to the encryption of the target password encryption, if they +match, the "guessed word" is the unencrypted password. However, that is the +ONLY way Crackerhack can be compared to other password crackers. Other +crackers use dictionary files to use as guesswords. Crackerhack does NOT use +this method, if it did it would be just like every other cracker out there, +which would mean in would be a waste of my time for me to write (correct?). +Instead, Crackerhack could be classified as an INCREMENT CRACKER. This means +it tries EVERY possible combination within a specified range. Combinations and +ranges are set with the SETCH utility and its use is explained in full detail +in the "how to use SETCH" section. + Understanding increment password cracking: Increment cracking works like +binary counting on an alphanumeric table. An example would be if you were to +scan from "aaa" to "zzz" in only lowercase alphas, it would count in the +following format: aaa,aab,aac...nml,nmm,nmn,nmo,nmp,nmq,nmr,nms,nmt,nmu,nmv... +zzu,zzv,zzw,zzx,zzy,zzz. You might be thinking "Damn that must take forever!". +Well first of all, Crackerhack is meant to be used to work on ONLY ONE password +and work on that password until it is either cracked, or the full combo/range +has been completed. Longer cracks take longer time, of course. And it also +depends on the machine you will be cracking the password on and if you will be +using a fast encryption program with CH2, such as UFC (Ultra Fast Crypt). + There is a "Suggestions" section later in this documentation that will +explain different methods of cracking your target password. Some good +suggestions on cracking methods, simple investigation procedures, and what to +AVOID when attempting to crack a password (you wouldnt want it to run +forever!). 
+ + +Files: + Included with the archived version of this program is the UFC directory that +contains all of the needed Ultra Fast Crypt files so you may add UFC in the +Crackerhack files when compiling. This is explained in the section below +called "compiling". The following files should be in your directory: + CH2-DOC : This documentation file for Crackerhack Version 2. + CH2-NET : Complete information on how to set up the NETCH program. + makefile : The make file for Crackerhack Version 2. + addch.h : The include file for ch.c and timech.c. + ch.c : Crackerhack Version 2 source code. + netch.c : Network Crackerhack Version 2 source code. + setch.c : Setup Crackerhack Version 2 source code. + splitch.c : Split Crackerhack Version 2 source code. + timech.c : Time Crackerhack Version 2 source code. + netch.sh : Network Crackerhack Version 2 work file. + + +Compiling: + Semi-detailed instructions can be found by just typing "make" in the +directory where the Crackerhack files reside (runs the "makefile"). So if you +should at any time need quicker instructions on how to compile Crackerhack, you +can do that. I am going to explain here in a little more detail exactly how to +compile them. + Included with the archived version of Crackerhack V2, is UFC (Ultra Fast +Crypt). All of the UFC files can be found in the UFC directory that is +included in the CH2 archive. It is highly recommended that you use UFC or some +other fast encryption method with Crackerhack 2 to get MUCH greater speeds when +cracking, because, as most of us know, the standard crypt routines on any +system are slower than a cop without his doughnuts in the morning! + Because UFC is included with the Crackerhack archive, I will explain how to +compile UFC to get the "libufc.a" file and add it to Crackerhack. First, +switch over to the UFC directory and type "make libufc.a". This will compile +the semi-portable version of UFC's "libufc.a" file which should compile and +work correctly on ALL systems. 
However, you can specify which system you are +using to generate a faster version of UFC for your system, if this is what you +choose to do, you will have to read the UFC documentation for information on +that. + Also, when compiling it on a non-unix based system, use GCC compiler and it +SHOULD compile and run correctly. This has not yet been tested, because CH2 +was designed and meant to work on faster systems. + There are 3 different ways to compile: + -------------------------------------- + Compiling Crackerhack V2 with "libufc.a": Copy the "libufc.a" file into the +Crackerhack directory and type "make addufc". This will make all Crackerhack +files and add the Ultra Fast Crypt routines into CH and TIMECH. + Compiling Crackerhack V2 with "other.a": First compile the other fast +encryption method and copy the needed file into the Crackerhack directory under +the filename "other.a". Now type "make other", this will make all Crackerhack +files and add your specified fast encryption routines into CH and TIMECH. + Compiling Crackerhack V2 standard format: "make standard" will compile all +Crackerhack files without fast encryption. + -------------------------------------- + NOTE: There are special instructions on how to make Crackerhack on a NeXT +system. Add the following string after "make" and before your argument, +'CFLAG=""'... This will clear the optimization flag which seems to screw up +the programs on a NeXT system, so use that so you dont run across any problems +with it after compiling. + You can also "make clean" which will delete all of the made Crackerhack +files as well as ".ch-t", "libufc.a" and "other.a" if they exist. + + +Using SETCH (Setting up Crackerhack): + The first program you will want to run will be SETCH. SETCH is what is used +to set up the cracking combination and ranges as well as selecting the password +you wish to crack. SETCH creates the ".ch-d" data file which every other +Crackerhack utility works with. 
After running SETCH you will get the following +menu: + +---(SETCH program output)-------------------------------------------+ + |(1) Choose your target password from the "/etc/passwd" file. | + |(2) Choose your target password from the ".ch-p" file. | + |(3) Manually enter an encrypted password string. | + +--------------------------------------------------------------------+ + If you are going to be cracking an account that is on the system you will be +cracking on, you will want to select #1 here. If you are going to be cracking +a password that is on another system other than the one you will be cracking on +you will need to copy the "/etc/passwd" file (or just a partial file or even +just one single account if needed) from your target's system, on to the system +you will be cracking on, under the file name of ".ch-p", and select #2. If you +know the encryption of the password you want to crack, then you can select #3 +and it will prompt you to type it in. Make sure you type it in EXACTLY (all 13 +digits), otherwise you will get false results, or no results at all! + In cases of #1 or #2, it will ask you a pattern to search for, you can +either just press return (to list every account), or enter a pattern for SETCH +to look for within each line of the password file (it uses the unix GREP +command). Then it will go through each account in the password file and ask +you which account you want to choose as your target. + NOTE: In cases #1 or #2, and if you select a pattern to search for it will +create the ".ch-t" file, which is a temporary file created when it uses the +GREP command. This file will be deleted after selecting your target. If you +have a disk space quota it might give you an error when it attempts to create +this file when SETCH is working with very large password files. 
+ After you select either of the 3 options and select your target encryption +it will then display the following: + +---(SETCH program output)-------------------------------------------+ + |Select one of the following COMBINATIONS: | + |(1): 0123456789 | + |(2): abcdefghijklmnopqrstuvwxyz | + |(3): 0123456789abcdefghijklmnopqrstuvwxyz | + |(4): ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz | + |(5): 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz | + +--------------------------------------------------------------------+ + This is where you select the COMBINATION. keep in mind here that when the +program increments, it will count the combination from left to right. Example, +if you choose #2, it will count from a to z and then flip to aa. ab. ac. etc. +The decision on the combination depends on the method you wish to crack the +target password with. Some examples: Will you be scanning in JUST numeric +combinations? Then choose #1. Will you be doing a FULL alphanumeric +(including uppercase) scan? Then choose #5. + +---(SETCH program output)-------------------------------------------+ + |Now select the cracking RANGE, up to 8 characters. | + |From : | + |To : | + +--------------------------------------------------------------------+ + This is where you select where your cracking increment scan will start at +and end at. If you selected a combo of #1 for example, you will want the start +and end to be NUMERIC, however there are exceptions. A valid exception would +be if you were to crack a password starting with "staff000" and ending at +"staff999" and you want it to scan numerics only. But if you selected from +"test000" to "testaaa" with a numeric combination, it would increment forever. +This is because it would never get to the "aaa" after "test999", instead it +would flip to "tes0000" and continue counting. Be sure you select your COMBO +and RANGE correctly. 
+ Once you have completed the "From" and "To" phase of SETCH it will then +create the ".ch-d" Crackerhack data file. You have just completed setting up +your crack. You may now run any of the other CH2 utilities. + + +Using TIMECH (Time estimation of your crack): + What this program does is tell you the estimated amount of time it will +take to complete the full cracking scan on the current machine. It will first +load the ".ch-d" data file. Then it counts the number of crypts per second +(CPS) your machine is getting. Then it counts the number of encryptions it +will take to crack your selection. It will then give you an estimate of the +time it will take to complete the full crack in the format of YY/DD/HH/MM/SS +(that is, if it doesn't crack it first!). Thats all there is to it. Simple +and helpful. + NOTE: Because systems/compilers vary on the maximum storage for the DOUBLE +VARIABLE in C, smaller systems will come up with false results when counting +the encryptions it will take to crack very large cracking ranges/combinations. +But then again, it is not a good idea to even attempt running such large cracks +on such small, obviously slow systems anyway. So I don't this this will be too +much of a problem. However, this will be fixed in the possible CH3. + + +Using CH (Crackerhack Version 2.0): + Crackerhack! Run this program, it uses your specifications in the ".ch-d" +file and runs the crack on it, all output will go to the ".ch-l" log file. The +only way it can prematurely abort is if the ".ch-d" file does not exist. In +that case it will immediatly tell you and abort, otherwise it will create or +append to the ".ch-l" crackerhack log file the crack is it working on. It will +stop and write the crack completion information to the ".ch-l" crackerhack log +file if either of the following 3 things happen: 1) It cracks the password. +2) It completes the cracking scan. 3) It is aborted. 
+ It is best to run Crackerhack in the background, because some cracks take +quite a long time. A nohup (no hangup) is suggested as well. This will make +sure the program does not abort if the user hangs up or loses connection to the +system. An example on a unix system would be to do this: "nohup ch &". The & +signifies that the program will be run in the background as a job. + ACCESS NOTE: If you have superuser access, or if the system you are on +allows users to set priority, Crackerhack will automatically set the priority +of the program to absolute highest (-20). This will eat up process and CPU, +but it is worth it because you will get much faster CPS. If you do not have +such access to set the priority to a job, then it will not be set and will run +normally. + ABORTING NOTE: If Crackerhack is aborted it will write the last encryption +to the log file. This will let you know where it left off when it was aborted +so you are able to continue the crack from where it left off. However, +Crackerhack is UNABLE to detect the system shutdown, this might cause problems +if you are running it on a system that has an upcoming shutdown! You might +want to time it if your system has shutdowns to make sure it wont get killed +with the shutdown. If anyone knows how to detect a shutdown, let me know, I +have not figured it out. Also, it can not detect "sure kills" (kill -9) +because they can not be caught. So if you are going to kill it, send a -QUIT, +-TERM, or -INT so it will write the last encryption to the log file in case you +decide to continue that crack at a later time. + + +Using SPLITCH (Split Crackerhack into multiple jobs): + This program does exactly what its called, it SPLITS crackerhack into +multiple jobs to be run on the same system, this is useful for such systems as +Crays where you can run multiple jobs and still get the same results for each +job as you would from one single job. This greatly increases the CPS (Crypts +per second). 
The program sets the limit to up to 10 SPLITS, if you wish to run +more than 10, you will have to change the source code to "#define SPLITMAX <#>" +where <#> equals the maximum number of splits you wish it to allow. You will +then have to recompile the program if you change it. To use SPLITCH, you +simply specify the # of splits you wish to split your crack into (set by SETCH) +after the program name. If you wish to split it into, say 7 jobs, you would +type up "splitch 7". Everything afterwards is automatically done by SPLITCH. +What it does is it counts the cracks in your scan combo/range and then splits +it up and runs the crackerhack jobs for you with "nohup ch &", if you do not +wish to use that format, you will have you go into the source code once again +and change "#define BEFORECH" and "#define AFTERCH". This program is indeed +useful and serves its purpose, but an even MUCH more powerful program is needed +for another purposes, and that program is NETCH. + + +Using NETCH (Split Crackerhack and NETWORK the multiple jobs): + This program does as stated in SPLITCH, except the splitted jobs will NOT +be run on the machine you are currently running it on, but instead the splitted +jobs will be run on any machine(s) you specify (that you have access to of +course). You will need to compile a list of systems you are on (that you have +RSH access to) in a file named ".ch-n", which is the Crackerhack network +information file. The format for this file is thoroughly explained in the +CH2-NET file. + If your system does not support the "rsh" command, you will have to check to +see which command it uses instead, it might be "rshl" or something similar, if +it is different than "rsh" you can specify the command when you run NETCH. For +example if it uses rshl, you will need to run netch like this: "netch rshl". +When this program is run, it will first access the ".ch-n" file and collect the +information within. 
If there are any errors in the format, it will display the +error and abort. If it is fine it will then access the ".ch-d" data file (set +with SETCH) and split your crack according to the specified networks in ".ch-n" +and attempt to access each system and run the splits. If there are any errors +with accessing the system, it will let you know then attempt to access the next +system - it will not abort. It is a good idea to first run a test net-crack to +make sure all systems are working correctly before running your real crack, be +sure if you run a test net-crack to go and kill the cracks on each system +before you run the actual crack. If you don't, it will surely slow down the +CPS time you get on your actual crack. Of course, there is an alternative, and +that is to run a very short NETCH splitted crack to not only test to make sure +your network is working correctly, but it will also allow it to be finished +very quickly so you don't have to go to each system and abort them before +running your actual net-crack. + In the program, the maximum networks allowed are 100... This can be changed +by editing the line "#define SPLITMAX <#>" where <#> is of course, as explained +above in SPLITCH, the maximum number of splits allowed. In this case it is the +maximum number of network systems/splits allowed. Each split will go to one +machine on the network that you specify in the ".ch-n" file. All networked +cracks will be run with "nohup" and "&" as explained in the SPLITCH section, +however if you want to change them in netch, you'll have to edit the netch.sh +file. The netch.sh file is used only by netch when networking your crack. +This program is a powerful utility if used correctly, so use it correctly! + + +Files used/created: + Note that all the files start with a ".", which means they will be hidden +to a normal user on a standard unix system. Use the "-a" flag when using +"ls" to display them. + [FILE]: (Created_by) (Used_by) Description of file. 
+ ------: ------------ --------- -------------------- + .ch-d : (SETCH ) (all ) Crackerhack Crack data file. + .ch-l : (CH ) (user ) Crackerhack Log file. + .ch-n : (user ) (NETCH ) Crackerhack Network information file. + .ch-p : (user ) (SETCH ) Alternate Passwd file, "etc/passwd" format. + .ch-t : (SETCH ) (SETCH ) Temporary file when choosing target in SETCH. + + +Suggestions: + Some people immediately attempt to crack a password with full or very long +range/combinations which is crazy under most conditions, but there are some +conditions under which it can actually be done though, only under those +conditions should it even be attempted. Such large cracks are usually not even +necessary. But maybe, for some reason, you want a VERY LONG increment scan. +No computer is fast enough to complete it in a reasonable amount of time, +however, there is an alternative. If you are able to access a network of +machines, you can divide the specified large crack on several machines. NETCH +does this for you automatically, and with NETCH and a large number of systems, +a very large crack CAN be done. Of course, you have to have access to those +systems if you want to use them. As stated before, this is usually not +necessary, so let this be your last choice. + One of the first things you will want to do is find out the requirements for +changing a password on the system where the target derived from. An example, +if password changing on that system requires it being at least 6 digits long +with alpha and numeric characters, you might want to start cracking with the +following scan first: Combo #3, Range From "000000" To "zzzzzz". Of course you +can scan everything below 6 digits if you wish. Just experiment, you will get +the hang of it if you havn't already. + Make sure you enter in all information correctly when setting up your crack +with SETCH! A strong suggestion is that you read over the above documentation +if you havn't already. 
Alot is explained in each section that could have been +explained in this section instead but I felt it would be better to give the +needed information/explination that pertained to that particular section. + + +Speeds: + From all of the tests other people and myself have done, Crackerhack 2 is +THE absolute fastest password cracker (Encryptions Per Second) out there. When +used with the same encryption techniques as the other cracker in question, most +usually it is UFC. It can get as much as (maybe more than) 10 times faster +than other password crackers on a UNICOS Cray system! (Using SPLITCH on a Cray +will accomplish this. If your user has priority access you can get extreme +ammounts of crypts per second without using SPLITCH). On every system it has +been tested on and every cracker it has been compared to, it comes out as the +fastest cracker in CPS. Of course, if you do not beleive this, you can test it +and compare it for yourself. + I was going to include a couple of charts in these documentations, however I +was not able to obtain a sizeable ammount of information for the charts by the +time of the release. If I write a future version of Crackerhack, I will +include the charts in that version. + + +Known Problems: + After completing this version I found a couple of minor problems: + When compiling Crackerhack on systems such as SysV, it may not compile +correctly and get errors. This same problem might occur on some HP systems as +well. Crackerhack should compile and run correctly under most other systems. + Crackerhack might not compile under DOS, this depends on how you compile it +and with what compiler. Very little tests have been done with this, because +CH2 was meant to be used on much faster systems. However if you wish to +pursuit compiling Crackerhack2 on a PC, use a compiler that can compile +programs in the UNIX C format (such as gcc). 
+ If there is a Crackerhack Version 3, these problems will be fixed along with +any other problems that arise in Crackerhack Version 2. + + +Credits: + Thats it! I had no credits for Crackerhack Version 1 because I did all the +testing myself before releasing it to selected people to have tested. When I +gave it out to be tested, I was notified of certain problems on different +systems so I could correct them for the public release of Crackerhack (CH2). +So i'd like to thank those people who helped me get this programs compatibility +to where it is now and/or just using it alot and giving me feedback on it. +Those people are: Nat X, Sarlo, Lazar, Infomaster, Lithium Bandit, and Krynn. +I would also like to acknowledge Infomaster who not only suggested the idea of +NETCH, but was extremely helpful with testing it! These people were alot of +help and are recognized for it, thanks. + Also advanced thanks to Informix who is going to be helping me distribute +CH2 when it is released. + + +Thats it!: + Docs are finished. I hope everyone that uses this realizes it's potential, +fully understands how it operates, and puts it to good use. I didn't spend all +this time programming it for it just to be "collected". If you happen to find +any bugs, compiling problems, or if you have any comments, complaints, +suggestions, questions, or if you just want to annoy me or just need someone +to talk to, then you can leave me mail at the following internet mail address +and I will try to help you as much as I can. + + No Means No + nmn@mindvox.phantom.com diff --git a/textfiles.com/piracy/CRACKING/check.txt b/textfiles.com/piracy/CRACKING/check.txt new file mode 100644 index 00000000..d726d2d8 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/check.txt 
@@ -0,0 +1,199 @@ + +5/26/89 + + Megaton Man Teaches Cracking + ============================ + + + DOC CHECK PROTECTION + + + +Hello all you young and ameatur crackers! Today's lessons is on DOC Checks. +Doc Checks are pretty easy once you get to know them. But some are a pain +in the ass, like that Sub 688 game. But still, if you have a good working +knowledge of 8088 assembly, it shouldn't really be a problem. I myself, +only a 17 year old cheese high school boy, learned this facinating art form +of cracking. I see cracking as a game within a game. The first being the +actual game, the second is the Protection. + +Ok, here we go. Get your Cracking tools out. They should consist of a good +Debugger of your choice. My choice is Microsoft's CodeView. Pretty easy to +use and it's been working so far. But most of the major crackers seem to use +Dos's DEBUG.COM. Which is found on your dos disk. They use this primitive but +powerful tool because its so small in size, and wont bother with a game in +memory. But i found CodeView lets you CTRL-BRK out of programs easier. Your +next tool is NORTON UTILITIES. This program should be at your side all the +time. You should have Norton and your Debug program in the PATH always because +you will use it alot. + +Well, in this little package, you should find a file named DOC1.COM. This file +is an assembly language file i made which simulates a DOC check. It'll give +you some phony message like - "ENTER PASSWORD:". then you must enter the +password inorder for the Program to tell you that you cracked it. The password +for DOC1.COM is MEGATON MAN. Yea, i'm an egotistic asshole. but i love it. +This is your game plan. First trace the program until the program waits for +the input prompt. At that point, enter "KOOK" or anything at the prompt. +Anything except MEGATON MAN. Then keep tracing the program till it eats +shit (terminates). Try to memorize what path the program took and if you cant +memorize, pen and paper always works. 
Now, restart the program and trace +the program until the input prompt asks you for the password. Now instead of +typeing the wrong password, type in MEGATON MAN, which is the correct pass- +word. Now keep tracing the program and try again to memorize the path. Ok. +The first part is over. Now, compare the two paths, and find out where a +detour was made. Once you find the detour, just force the program to go the +correct way. Are you saying, "How do i force the program?". Well find the +Detour first.. and when you do continue on reading... So stop reading and +try to crack DOC1.COM. + +Now that you are continuing reading, i suspect that you did find the Detour, +or your Stumped. Well it doesnt matter, just keep reading. + +Ok, This is the "map" of this little program. + + XXXX:0100 Jmp 1E8 + : + : + XXXX:01E8 CALL 1F7 <--- Print Message and Ask for Password + XXXX:01EB OR AX,AX <--- Is the AX register = 0? + XXXX:01ED JNZ 1F2 <--- No. then jump to 1F2 + XXXX:01EF CALL 225 <--- This is DEATH! + XXXX:01F2 CALL 21C <--- Call if its CRACKED! + +ok, this is the main part your worried about. Line 100, makes a jump to line +1E8. Now, 1E8 is CALL 1F7. what this CALL does, is, it Displays the intro +message and asks you to input the Password. Now before executing this CALL +statement on 1E8, take a look at the AX register. Write it down. Now, +EXECUTE the entire Call. Use a BOGUS password. Take a look at the AX register +after the call. The IP register should be on 1E8. What does the AX register +contain? All 0000's? or 0001? Well Most Protections are like this! Even +INT 13 protections! This is what's happening. When you execute the CALL 1F7, +if you typed in the wrong password, the call will return with AX = 0000. If +you typed in the correct password, the AX register will contain 0001. Pretty +neat eh? Well, look at line 1EB. It is OR AX,AX. now this is pretty much like +the CMP AX,0000 instruction. 
By using the OR AX,AX it saves memory (sorta), +and is supposed to be faster than CMP AX,0000. Dont ask me why its like this, +its just one of those Professional Programmers rules or somthing. Now to +keep things going, Line 1EB checks to see if AX is equal to Zero. If AX is +equal to zero, the ZERO FLAG is set. if not, then the ZERo flag is cleared. +Look at line 1ED. It is JNZ 1F2. It says, Jump if Not Zero to line 1F2. +See, AX will not equal zero if you entered the correct password. So if you +entered the wrong password, the IP register will go down to line 1EF, which +contains CALL 225, which is the Eat it and Die call! You dont want this! +NEVER! If the correct Password was entered, line 1ED will jump down to line +1F2 which will execute a Call to tell you that you cracked the program. Now +how could we change the program to make it so it will always jump to the +correct line? well, there are a few different wayz we could do this. One ,is +the EASY way, but less professional way. The next way is also an easy way, +but also not as professional. And the last way is the harder way, and it is +the professional way. + +Lets first try the second easy way. Because if i told you the easiest way +first, your screw the program up! ok. Have you heard of the instruction +NOP? Which means NO Operation. Yea, it doesnt do anything! just sorta +patches up some instruction. Now if we NOP line 1EF (CALL 225), the program +will encounter a NOP and keep continuing until the Call we want is reached, +which is line 1F2 (call 21C). The Hex value for NOP is 90. So Disassemble +the area we need to change and write down the bytes on, and around the area. +Now flip out Norton Utilities and search for these bytes. Once found, do not +Display them and change them! Continue with the search. Make sure there are +no more discoveries. If you found another match, go back to the program, +disassemble it and write down some more bytes around , and on the part you +want fixed. 
Go back and search for these bytes. make sure there is only one +occurance. ok, So there is one occurance, go find the bytes that you need +changed. Once found, replace them with the hex value 90. Save your changes +and bail out of Norton Utilites. Now Run DOC1.COM and type a wrong pasword. +The program should tell you that its Cracked no matter what you type! if +it told you that it was cracked, well you Cracked it! yea! + +The file DOC1.COM is cracked. Go to your MASTER DISK and copy the file on +the MASTER DISK over to your SCREW AROUND DISK. which will get rid of the +newly cracked DOC1.COM. + +Now that you have the DOC1.COM that is NOT cracked, lets begin the second +way to crack the same program. Some DOC Check PROTECTORS are sorta lame +and lazy. Remember i told you the password was MEGATON MAN? Well, when you +purchase a game from EggHead or any other software place, and a DOC Protection +accompanies the disk, there is always the DOC's that you need! well lets +say for instance that you bought Silpheed. It's a DOC check type thingy. Well +lets say one of the passwords was SIERRA. Pull out Norton Utilites and search +for the characters S I E R R A. Norton should beep and show you where the +word SIERRA was found. Now look around that area and see if there are any +other words or letters around SIERRA. If so, read them. Now look in your Book +of DOC's and see if a word on the screen matches a PASSWORD in the book. +Yes? if so, BINGO, you found the password list. Now you could change the +passwords to anything you want. But take note, a delimiter is usually put +at the end of each password. Now whats a delimiter you say? its like a +character or HEX value thats at the end of each password. For instance a +hex value of 00 may be at the end of each password. Or each password is +8 characters long. Or somthing like that. Well, change them to what you +please. I did this when i Cracked Silpheed. Kinda weak eh? well who cares. 
+Now i dont really call this method "Cracking". Its more like hacking. +But to prove to my self, i cracked it the next day. not hacking. + +The file DOC1.COM is cracked. Go to your MASTER DISK and copy the file on +the MASTER DISK over to your SCREW AROUND DISK. which will get rid of the +newly cracked DOC1.COM. + +OK, we cracked DOC1.COM two differnt wayz. Now the third way, which is the +best. This method will totally eliminate the DOC check. Which means, NO +SIGN of PROTECTION can be detected! Which means, you gotta remove the part +where it ask for the password. Now take a look at the Listing. Ill copy the +listing down here so you dont have to switch your face back and forth. + + XXXX:0100 Jmp 1E8 + : + : + XXXX:01E8 CALL 1F7 <--- Print Message and Ask for Password + XXXX:01EB OR AX,AX <--- Is the AX register = 0? + XXXX:01ED JNZ 1F2 <--- No. then jump to 1F2 + XXXX:01EF CALL 225 <--- This is DEATH! + XXXX:01F2 CALL 21C <--- Call if its CRACKED! + +Now look at line 1E8 (call 1F7). This call Ask for the password and returns +AX=0000 if its wrong, and AX=0001 if its correct. Well, our goal is to get +to line 1F2 (call 21c)! Well, couldn't we just NOP line 1e8 thru 1Ef? Sure +we can! Now thats what we gotta do. So write down the bytes around and on +this area. Use Norton Utilites to search for these bytes and replace them +with NOP's which is a HEX value of 90. Save your changes and run DOC1.COM. +The program should just say.. GAME is CRACKEd. or somthing like that. +Yip, just one line of Text. + +Ok, yea! we have cracked this simple doc check program 3 differnt wayz and +3 differnt times. Seems pretty easy eh? Well there are some problems. What +if you didnt have a Correct password to trace thru? Well this is somthing +only experience could teach. You must experiment with the jumps. If there +seems to be a compare involved, usually the AX register is changed, and a +conditional jump instuction follows, force the jump and see what happens. 
+If it still eats shit, then dont force it and see what happens. If it still +eats it, then keep following the path until another conditional jump +is reached and do the same. + +Some INT 13's are similar to the Doc checks i explained above. Look at line +1e8 (call 1f7). This subroutine asks for the password and reutns the +appropriate code. Now what if the Disk drive light lit up when this +call is executed? If the DISK Protection was found, AX=0001. if its not +found AX=0000. See its sorta the same. + +Oh, now what if the Doc Check is later on in the game. Like Questron II, +Larry Bird One on One, and Demon Stalker. Well, Load up your debugger with +the intro exe file. Then Press "g" for go and run the program while your +debugger is in the background. when the program asks for the Password, +just type "SHIT" and presss CTRL-BRK! The Debugger should regain control +and will show you where the current line is at. Trace thru at that point +and look for them conditional jumps and Comparisons. + +Well that wraps it up for this lesson. Any questions? well call ... + +THE ROACH MOTEL +818-369-2083 +12/24/and 9600! USR HST! +100+ Megz +Sysop : Black Flag +Co's : Megaton Man (me) + Eternal Warrior + Lone Wolf + +Ask for Megaton Man. + +END. Line 199. \ No newline at end of file diff --git a/textfiles.com/piracy/CRACKING/copyprot.pro b/textfiles.com/piracy/CRACKING/copyprot.pro new file mode 100644 index 00000000..29d749f7 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/copyprot.pro 
@@ -0,0 +1,175 @@ + Author's Note: The following article was written for submission to +ComputerFun magazine. Alas, the mag died! Some information, specifically that +about pirates and piracy, is somewhat biased, due to the intended audience. +Keep that in mind as you read this. Still good for a laugh tho! -dt + + COPY PROTECTION: A HISTORY AND OUTLOOK + + Back in the last seventies, when personal computers were just starting to +catch on, a lot of software was distributed on audio cassettes. The price was +generally low ($15 and under), and so was the quality. Personal computer owners +knew that audio cassettes could be duplicated fairly easily with two +decent-quality tape recorders. However, the process was time-consuming and +unreliable (volume levels were critical), and it did not save that much money, +since the cassette alone cost five dollars anyway. The market for cassette +software was stable. + + As the prices of home systems continued to drop, the popularity of the floppy +disk as a storage medium increased so that software suppliers had to carry each +program on both tape and disk. Typically, the disk version cost slightly more, +due to the higher cost of the disk itself, and the fact that disk drive owners +were prepared to pay a little extra for a program that loads several times +faster. + + These software prices, still relatively low, were short-lived. Disks, unlike +tapes, were trivially easy to copy. User clubs formed in which one copy was +purchased (legally) and copied (illegally) for everyone in the group. Worse +yet, schools and businesses owning more than one system would make copies for +all of their systems from one original. Then, individuals connected with the +schools or businesses would copy the disks for themselves, for friends, for +their user club, for other schools and businesses... Piracy had spread like a +cancer to ridiculous proportions, throwing a monkey wrench into the once-stable +software market. 
+ + The software distributors' next move was to modify their program disks in such +a way that they could not be duplicated by conventional means, and to raise +their prices somewhat. These early efforts at copy-protection were very simple, +and equally simple to undo. Every disk has on it a list of what data is +contained on it, where on the disk it is, what type of data it is, etc. The +part of the disk that contains this information is called the catalog or +directory of the disk. On copy-protected disks, the catalog was altered +slightly in format, moved to elsewhere on the disk, or omitted entirely. All +someone would have to do was restore the catalog, an easy task if you know what +you're doing, and the disk would copy normally. + + The new copy-protected disks kept a significant proportion of the pirates +discouraged, much the same way a flimsy doorknob lock "keeps an honest man +honest". Most of the early large-scale piracy stopped. Businesses and schools +could not afford the time required to duplicate the disks, so they shrugged, +gave in and bought the disks. Hobbyists quickly found ways to copy the new +software, but they were working independently, and therefore not dangerous. The +software industry was content and hopeful. + + It was a false hope. As the popularity of personal computers continued to +escalate, hobby users banded together more and more. Some broke the software +"lock" and made the disks copyable while others purchased the tape versions of +software and transferred them to disk. The industry retaliated by discontinuing +most of the taped versions of software, as they were far too easy to copy, and +by using more sophisticated techniques to protect the disks. Of course, they +also raised the prices. + + These second generation copy-protection schemes worked remarkably well for a +while. Data on a disk is encoded (pre-nibbilized) in a standard way before it +is written out to disk, and then decoded (post-nibbilized) as it is read back. 
+By altering the code under which the data is written and read, the software +companies rendered ordinary copy programs useless. Another technique of this +era was to write data in unusual formats in odd places on the disk, such as +between two tracks or after the last track normally used. + + The hobby users, indignant at the recent price increase, adapted the general +attitude that piracy is okay because they would never buy the software at the +exhorbitant price being asked. User clubs were now considered essential. To +not belong to one was to be repeatedly "cheated" when buying software. No +matter what copy-protection methods the software people tried, the pirates broke +the disk and circulated the copy, quite literally around the country. + + In order to make piracy easier, enthusiasts and certain software firms +(considered traitors by other software firms) developed special copy programs +which analyzed the data being copied as little as possible, attempting to copy +as directly as is possible from one disk to another. The infamous Locksmith and +the more recent COPY ][ are examples of such programs, called bit copiers or +nibble copiers because they copy the data one bit or one nibble at a time, +rather than one sector or one track at a time. + + Still, the goal of a pirate was downright unprotection, not duplication. To a +new breed of pirate, it was a game. Each new disk provided the pirate with a +new challenge, a puzzle, which, if he could solve, would make him famous +(pirates tended to leave their mark on the disks they unprotected in those +days). To the software firms, it was hardly a game, it was a war of attrition, +and until they could outsmart the pirates, they would just have to increase the +prices and hope for the best. + + Or would they? 
Some software companies stepped back at this point and +surveyed the situation: they probably could not keep the pirates at bay for +long, as there was genuine intelligence out there -- thousands of users all +working toward one goal -- to break that disk! It seemed to them that they +actually had a number of options if they wished to continue to do a healthy +business. First, they lobbied for stricter copyright laws and won. Bootleg +disk distribution is now more illegal than every before, but it is still +difficult to enforce the law. Second, they could fight it out, raising the +prices as necessary and developing more diabolical methods of copy-protection. + + Only so much can be done to protect disks, however. Those firms that +continued to protect their disks were upset by the introduction of a hardware +device developed by pirates and later marketed which allows the entire state of +the computer to be frozen and remembered, down to the last status bit, and +restored at will later. Duplication of the program disk was no longer +necessary. The whole program was right there in memory waiting to be run. All +the pirate had to do was duplicate the state the computer was in, not the disk +that got it there. + + The software firms, to work around the setback, tried a new technique: they +caused their programs to look at the disk periodically and make sure it is the +original. How to tell the difference between the original and a copy was an +ingenious trick called nibble counting. When disks are copied, the two drives +doing the copying are seldom running at the exact same speed, so the duplicate +disk will contain tracks which are slightly longer (more nibbles) or shorter +(fewer nibbles) than the original. The software could count the nibbles and +determine whether the disk being used is an original. Soon, though, nibble +copiers began to allow the user to preserve the nibble count, foiling the +protectors again. 
+ + Another particularly devious tactic in copy-protection is called sector +skewing. To simplify a complex process, data is spread finely over the entire +disk, so that it would take an exceptionally high-quality disk drive to write +such a disk, though any drive can read it under direction of the software. What +these software firms realize too late is that the pirates have one secret weapon +-- a foolproof, though painful, procedure to break any disk protection scheme -- +boot tracing! You see, software has the unfortunate characteristic that it has +to be written in such a way that the computer can understand it. It has to, so +to speak, spoon-feed itself to the computer. The process of boot tracing is +simply to painstakingly, step by step, pretend you're the computer, follow all +the rules it follows, and you will eventually succeed in reading the disk. + + Some software firms still fight the war of attrition, such as Br0derbund, +On-line systems and others. Other firms had a better idea: to give up on +protection altogether and direct their attention to providing an attractive +package -- with ample documentation, quick-reference cards and other goodies -- +at a good price. An excellent example of this novel approach, to give the buyer +a good deal, is Beagle Bros, whose software has never been protected, and never +will be. Their products are of highest quality and reasonably priced. To be +sure, it is duplicated to some degree, but the package with all its goodies is +worth the investment. Penguin software has used this approach successully as +well. + + A final possibility, useful only in the more expensive packages, is to require +a hardware device to be installed in the computer for the software to run +properly. Softerm 2 for Apple, for instance, requires a plug-in card to be +installed in the computer which has attached to it three special function +switches necessary for the operation of the program. You can copy the disk, but +not the card. 
Not all computers have as much room for extra hardware as the +Apple, though, and hardware devices cost a lot of money compared to disks and +manuals, so this method is only practical in expensive packages. + + So where does all that leave you, the honest (ahem!) consumer? Well, the +software firms really are anxious to serve you. If your copy-protected disk +ever fails to work, you can send it back for free replacement. If the disk is +damaged physically, the replacement fee is about five dollars (provided you send +in the old disk!!). Many packages come with two copies of the software, in case +one should fail, and legitimate software owners often receive free updates to +both the software and the documentation. Software companies try to make it +worth your while to buy their product. Also, due to a recent crackdown, +big-time pirates are getting caught, and piracy is more anonymous now. Trust +among pirates has broken down, and so has the once widespread circulation of +pirated disks. The heyday of piracy is over. So, if you are thinking of +getting some software, examine the package. Find out exactly what the program +can do, the guarantee, and all the fringe benefits you will receive as a +legitimate owner of the software. If, after all that, the package does not +interest you, don't buy it. If you are considering being a pirate, be careful! +Imprisonment is entirely possible if you are caught, and even if you are not, +you are only raising software prices for yourself and everyone else. + + -DT + + if you are caught, and even if you are not, +you are only raising software prices for yourself \ No newline at end of file diff --git a/textfiles.com/piracy/CRACKING/copyprot.txt b/textfiles.com/piracy/CRACKING/copyprot.txt new file mode 100644 index 00000000..aa2c4ec9 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/copyprot.txt 
@@ -0,0 +1,337 @@ +**************************************** +* B U C K A R O O B A N Z A I * +* aka the Reset Vector * +* * +* presents * +* * +* Cracking On the IBMpc * +* Part I * +* * +**************************************** + +Introduction +------------ + For years, I have seen cracking +tutorials for the APPLE computers, but +never have I seen one for the PC. I +have decided to try to write this series +to help that pirate move up a level to a +crackest. + + In this part, I will cover what +happens with INT 13 and how most copy +protection schemes will use it. I +strongly suggest a knowledge of +Assembler (M/L) and how to use DEBUG. +These will be an important figure in +cracking anything. + +INT-13 - An overview +-------------------- + Many copy protection schemes use the +disk interrupt (INT-13). INT-13 is +often use to either try to read in a +illegaly formated track/sector or to +write/format a track/sector that has +been damaged in some way. + INT-13 is called like any normal +interupt with the assembler command +INT 13 (CD 13). [AH] is used to select +which command to be used, with most of +the other registers used for data. + +INT-13 Cracking Collage +----------------------- + Although, INT-13 is used in almost all +protection schemes, the easiest to crack +is the DOS file. Now the protected +program might use INT-13 to load some +other data from a normal track/sector on +a disk, so it is important to determine +which tracks/sectors are inportant to +the protection scheme. I have found the +best way to do this is to use +LOCKSMITH/pc (what, you don't have LS. +Contact your local pirate for it.) + Use LS to to analyze the diskette. +Write down any track/sector that seems +abnormal. These track are must likely +are part of the protection routine. + Now, we must enter debug. Load in the +file execute a search for CD 13. Record +any address show. 
If no address are +picked up, this mean 1 or 2 things, the +program is not copy protected (bullshit) +or that the check is in an other part of +the program not yet loaded. The latter +being a real bitch to find, so I'll +cover it in part II. There is another +choice. The CD 13 might be hidden in +self changing code. Here is what a +sector of hidden code might look like + +-U CS:0000 +1B00:0000 31DB XOR BX,BX +1B00:0002 8EDB MOV DS,BX +1B00:0004 BB0D00 MOV BX,000D +1B00:0007 8A07 MOV AL,[BX] +1B00:0009 3412 XOR AL,12 +1B00:000B 8807 MOV [BX],AL +1B00:000D DF13 FIST WORD... + + In this section of code, [AL] is set +to DF at location 1B00:0007. When you +XOR DF and 12, you would get a CD(hex) +for the INT opcode which is placed right +next to a 13 ie, giving you CD13 or INT- +13. This type of code cann't and will +not be found using debug's [S]earch +command. + +Finding Hidden INT-13s +---------------------- + The way I find best to find hidden +INT-13s, is to use a program called +PC-WATCH (TRAP13 works well also). This +program traps the interrupts and will +print where they were called from. Once +running this, you can just disassemble +around the address until you find code +that look like it is setting up the disk +interupt. + An other way to decode the INT-13 is +to use debug's [G]o command. Just set a +breakpoint at the address give by +PC-WATCH (both programs give the return +address). Ie, -G CS:000F (see code +above). When debug stops, you will have +encoded not only the INT-13 but anything +else leading up to it. + +What to do once you find INT-13 +------------------------------- + Once you find the INT-13, the hard +part for the most part is over. All +that is left to do is to fool the +computer in to thinking the protection +has been found. To find out what the +computer is looking for, examine the +code right after the INT-13. Look for +any branches having to do with the CARRY +FLAG or any CMP to the AH register. 
+ If a JNE or JC (etc) occurs, then +[U]nassembe the address listed with the +jump. If it is a CMP then just read on. + Here you must decide if the program +was looking for a protected track or +just a normal track. If it has a +CMP AH,0 and it has read in a protected +track, it can be assumed that it was +looking to see if the program had +successfully complete the READ/FORMAT of +that track and that the disk had been +copied thus JMPing back to DOS +(usually). If this is the case, Just +NOP the bytes for the CMP and the +corrisponding JMP. + If the program just checked for the +carry flag to be set, and it isn't, then +the program usually assumes that the +disk has been copied. Examine the +following code + + INT 13 <-- Read in the Sector + JC 1B00 <-- Protection found + INT 19 <-- Reboot +1B00 (rest of program) + + The program carries out the INT and +find an error (the illegaly formatted +sector) so the carry flag is set. The +computer, at the next instruction, see +that the carry flag is set and know that +the protection has not been breached. +In this case, to fool the computer, just +change the "JC 1B00" to a "JMP 1B00" +thus defeating the protection scheme. + + +NOTE: the PROTECTION ROUTINE might be + found in more than just 1 part of + the program + +Handling EXE files +------------------ + As we all know, Debug can read .EXE +files but cannot write them. To get +around this, load and go about cracking +the program as usual. When the +protection scheme has been found and +tested, record (use the debug [D]ump +command) to save + & - 10 bytes of the +code around the INT 13. + Exit back to dos and rename the file +to a .ZAP (any extention but .EXE will +do) and reloading with debug. + Search the program for the 20+ bytes +surrounding the code and record the +address found. Then just load this +section and edit it like normal. + Save the file and exit back to dos. +Rename it back to the .EXE file and it +should be cracked. 
***NOTE: Sometimes +you have to fuck around for a while to +make it work. + +DISK I/O (INT-13) +----------------- + This interrupt uses the AH resister to +select the function to be used. Here is +a chart describing the interrupt. + +AH=0 Reset Disk +AH=1 Read the Status of the Disk + system in to AL + + AL Error + ---------------------------- + 00 - Successful + 01 - Bad command given to INT + *02 - Address mark not found + 03 - write attempted on write prot + *04 - request sector not found + 08 - DMA overrun + 09 - attempt to cross DMA boundry + *10 - bad CRC on disk read + 20 - controller has failed + 40 - seek operation failed + 80 - attachment failed +(* denotes most used in copy protection) +AH=2 Read Sectors + + input + DL = Drive number (0-3) + DH = Head number (0or1) + CH = Track number + CL = Sector number + AL = # of sectors to read + ES:BX = load address + output + AH =error number (see above) + [Carry Flag Set] + AL = # of sectors read + +AH=3 Write (params. as above) +AH=4 Verify (params. as above -ES:BX) +AH=5 Format (params. as above -CL,AL + ES:BX points to format + Table) + + For more infomation on INT-13 see the +IBM Techinal Reference Manuals. + +Comming Soon +------------ + In part II, I will cover CALLs to +INT-13 and INT-13 that is located in +diffrents overlays of the program + + +Happy Cracking..... + Buckaroo Banzai + <-------+-------> + +PS: This Phile can be Upload in it's +unmodified FORM ONLY. + +PPS: Any suggestion, corrections, +comment on this Phile are accepted and +incouraged..... + + +From Lunatic Labs UnLtd. 415-278-7421 + + + +*************************************************************************** +* B U C K A R O O B A N Z A I * +* * +* presents * +* * +* Cracking On the IBMpc * +* Part II * +* * +*************************************************************************** + +Introduction +------------ + + Ok guys, you now passed out of Kopy Klass 101 (dos files) and have this +great new game with overlays. 
How the phuck do I crack this bitch. You +scanned the entire .EXE file for the CD 13 and it's nowhere. Where can it be +you ask yourself. + In part II, I'll cover cracking Overlays and the use of locksmith in +cracking. If you haven't read part I, then I suggest you do so. The 2 files +go together. + + +Looking for Overlays +-------------------- + So, you cant find CD 13 in the .EXE file, well, it can mean 4 things. 1, +the .EXE (though it is mostly .COM) file is just a loader for the main file. +2, the .EXE file loads in an overlay. 3, the CD 13 is encrypted &/or hidden +in the .EXE file. 4, your + looking at the WRONG PHUCKEN PHILE. + I won't discuss case 1 (or at least no here) because so many UNP files are +devoted to PROLOCK and SOFTGUARD, if you can't figure it out with them, your +PHUCKEN stupid. + If you have case 3, use the techinque in part I and restart from the beg. +And if you have case 4, shoot your self. + You know the program uses overlays but don't see and on disk? Try looking +at the disk with good old nortons. Any hidden files are probally the +overlays. These are the ones we are after. If you still can't find them, use +PC-WATCH (this program is a m +ust!!! for all crackists. Traps ALL interrupts). + + +Using PC-Watch to Find Overlays +------------------------------- + Start up PC-Watch and and EXCLUDE everything in the left col. Search the +right col. until you find DOS21 - OpnFile and select it. Now run the program +to be cracked. Play the game until the protection is checked. Examine you +pcwatch output to see wha +t file was loaded right before it. This probally is the one holding the +check. If not, shit go through all the files. + + +You Have Found the Overlays +--------------------------- + Great, now just crack the overlay as if it was a DOS file. You don't need +to worry about .EXE file, debug can write an overlay file. Part I explains +the basics of cracking. 
I suggest that you keep a backup copy of the overlay +so if you phuck up, and +you will, you can recover quickly. Ah, and you thought cracking with overlays +was going to be hard. + + +Locksmith and Cracking +---------------------- + The copy/disk utility program Locksmith by AlphaLogic is a great tool in +cracking. It's analyzing ability is great for determining what and where the +protection is. + I find it useful, before I even start cracking, to analyze the protected disk +to find and id it's protection. This helps in 2 ways. First, it helps you to +know what to do in order to fake out the protection. Second, it helps you to +find what the progr +am is looking for. + I suggest that you get locksmith if you don't already have it. Check your +local pirate board for the program. I also suggest getting PC-Watch and +Norton Utilities 3.1. All of these program have many uses in the cracking +world. + + +Have Phun Phucker + Buckaroo Banzai + The Banzai Institute + +special thanks to the Honk Kong Cavliers diff --git a/textfiles.com/piracy/CRACKING/crack-1.txt b/textfiles.com/piracy/CRACKING/crack-1.txt new file mode 100644 index 00000000..7fd61a2a --- /dev/null +++ b/textfiles.com/piracy/CRACKING/crack-1.txt 
@@ -0,0 +1,254 @@ + + **************************************** + * B U C K A R O O B A N Z A I * + * aka the Reset Vector * + * * + * presents * + * * + * Cracking On the IBMpc * + * Part I * + * * + **************************************** + + Introduction + ------------ + For years, I have seen cracking + tutorials for the APPLE computers, but + never have I seen one for the PC. I + have decided to try to write this series + to help that pirate move up a level to a + crackest. + + In this part, I will cover what + happens with INT 13 and how most copy + protection schemes will use it. I + strongly suggest a knowledge of + Assembler (M/L) and how to use DEBUG. + These will be an important figure in + cracking anything. + + INT-13 - An overview + -------------------- + Many copy protection schemes use the + disk interrupt (INT-13). INT-13 is + often use to either try to read in a + illegaly formated track/sector or to + write/format a track/sector that has + been damaged in some way. + INT-13 is called like any normal + interupt with the assembler command + INT 13 (CD 13). [AH] is used to select + which command to be used, with most of + the other registers used for data. + + INT-13 Cracking Collage + ----------------------- + Although, INT-13 is used in almost all + protection schemes, the easiest to crack + is the DOS file. Now the protected + program might use INT-13 to load some + other data from a normal track/sector on + a disk, so it is important to determine + which tracks/sectors are inportant to + the protection scheme. I have found the + best way to do this is to use + LOCKSMITH/pc (what, you don't have LS. + Contact your local pirate for it.) + Use LS to to analyze the diskette. + Write down any track/sector that seems + abnormal. These track are must likely + are part of the protection routine. + Now, we must enter debug. Load in the + file execute a search for CD 13. Record + any address show. 
If no address are + picked up, this mean 1 or 2 things, the + program is not copy protected (bullshit) + or that the check is in an other part of + the program not yet loaded. The latter + being a real bitch to find, so I'll + cover it in part II. There is another + choice. The CD 13 might be hidden in + self changing code. Here is what a + sector of hidden code might look like + + -U CS:0000 + 1B00:0000 31DB XOR BX,BX + 1B00:0002 8EDB MOV DS,BX + 1B00:0004 BB0D00 MOV BX,000D + 1B00:0007 8A07 MOV AL,[BX] + 1B00:0009 3412 XOR AL,12 + 1B00:000B 8807 MOV [BX],AL + 1B00:000D DF13 FIST WORD... + + In this section of code, [AL] is set + to DF at location 1B00:0007. When you + XOR DF and 12, you would get a CD(hex) + for the INT opcode which is placed right + next to a 13 ie, giving you CD13 or INT- + 13. This type of code cann't and will + not be found using debug's [S]earch + command. + + Finding Hidden INT-13s + ---------------------- + The way I find best to find hidden + INT-13s, is to use a program called + PC-WATCH (TRAP13 works well also). This + program traps the interrupts and will + print where they were called from. Once + running this, you can just disassemble + around the address until you find code + that look like it is setting up the disk + interupt. + An other way to decode the INT-13 is + to use debug's [G]o command. Just set a + breakpoint at the address give by + PC-WATCH (both programs give the return + address). Ie, -G CS:000F (see code + above). When debug stops, you will have + encoded not only the INT-13 but anything + else leading up to it. + + What to do once you find INT-13 + ------------------------------- + Once you find the INT-13, the hard + part for the most part is over. All + that is left to do is to fool the + computer in to thinking the protection + has been found. To find out what the + computer is looking for, examine the + code right after the INT-13. 
Look for + any branches having to do with the CARRY + FLAG or any CMP to the AH register. + If a JNE or JC (etc) occurs, then + [U]nassembe the address listed with the + jump. If it is a CMP then just read on. + Here you must decide if the program + was looking for a protected track or + just a normal track. If it has a + CMP AH,0 and it has read in a protected + track, it can be assumed that it was + looking to see if the program had + successfully complete the READ/FORMAT of + that track and that the disk had been + copied thus JMPing back to DOS + (usually). If this is the case, Just + NOP the bytes for the CMP and the + corrisponding JMP. + If the program just checked for the + carry flag to be set, and it isn't, then + the program usually assumes that the + disk has been copied. Examine the + following code + + INT 13 <-- Read in the Sector + JC 1B00 <-- Protection found + INT 19 <-- Reboot + 1B00 (rest of program) + + The program carries out the INT and + find an error (the illegaly formatted + sector) so the carry flag is set. The + computer, at the next instruction, see + that the carry flag is set and know that + the protection has not been breached. + In this case, to fool the computer, just + change the "JC 1B00" to a "JMP 1B00" + thus defeating the protection scheme. + + + NOTE: the PROTECTION ROUTINE might be + found in more than just 1 part of + the program + + Handling EXE files + ------------------ + As we all know, Debug can read .EXE + files but cannot write them. To get + around this, load and go about cracking + the program as usual. When the + protection scheme has been found and + tested, record (use the debug [D]ump + command) to save + & - 10 bytes of the + code around the INT 13. + Exit back to dos and rename the file + to a .ZAP (any extention but .EXE will + do) and reloading with debug. + Search the program for the 20+ bytes + surrounding the code and record the + address found. Then just load this + section and edit it like normal. 
+ Save the file and exit back to dos. + Rename it back to the .EXE file and it + should be cracked. ***NOTE: Sometimes + you have to fuck around for a while to + make it work. + + DISK I/O (INT-13) + ----------------- + This interrupt uses the AH resister to + select the function to be used. Here is + a chart describing the interrupt. + + AH=0 Reset Disk + AH=1 Read the Status of the Disk + system in to AL + + AL Error + ---------------------------- + 00 - Successful + 01 - Bad command given to INT + *02 - Address mark not found + 03 - write attempted on write prot + *04 - request sector not found + 08 - DMA overrun + 09 - attempt to cross DMA boundry + *10 - bad CRC on disk read + 20 - controller has failed + 40 - seek operation failed + 80 - attachment failed + (* denotes most used in copy protection) + AH=2 Read Sectors + + input + DL = Drive number (0-3) + DH = Head number (0or1) + CH = Track number + CL = Sector number + AL = # of sectors to read + ES:BX = load address + output + AH =error number (see above) + [Carry Flag Set] + AL = # of sectors read + + AH=3 Write (params. as above) + AH=4 Verify (params. as above -ES:BX) + AH=5 Format (params. as above -CL,AL + ES:BX points to format + Table) + + For more infomation on INT-13 see the + IBM Techinal Reference Manuals. + + Comming Soon + ------------ + In part II, I will cover CALLs to + INT-13 and INT-13 that is located in + diffrents overlays of the program + + + Happy Cracking..... + Buckaroo Banzai + <-------+-------> + + PS: This Phile can be Upload in it's + unmodified FORM ONLY. + + PPS: Any suggestion, corrections, + comment on this Phile are accepted and + encouraged..... + ht + next to a 13 ie, giving you CD13 or INT- + 13. This type of code cann't and will + not \ No newline at end of file 
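Review bot: in the crack-1.txt hunk, the file ends with a stray fragment after the PPS ("ht" / "next to a 13 ie, giving you CD13 or INT-" / "13. This type of code cann't and will" / "not") with no trailing newline; it is a torn partial copy of the "hidden INT-13" paragraph from earlier in the same file, the same kind of duplicated tail that info.beg shows at its end, so it is almost certainly capture damage rather than content. Handle it the same way as the info.beg tail (either keep it and say in the commit message that the capture is preserved byte-for-byte, or trim it and end the file with a newline). Note also that apart from this fragment, the two-space indent, the PPS reading "encouraged" instead of "incouraged", and the "From Lunatic Labs" line that only copyprot.txt has, this file is the same text as Part I of copyprot.txt in this same patch, so the two should cross-reference each other or one should be dropped.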
diff --git a/textfiles.com/piracy/CRACKING/crack-2.txt b/textfiles.com/piracy/CRACKING/crack-2.txt new file mode 100644 index 00000000..dbc4638b Binary files /dev/null and b/textfiles.com/piracy/CRACKING/crack-2.txt differ diff --git a/textfiles.com/piracy/CRACKING/crack.txt b/textfiles.com/piracy/CRACKING/crack.txt new file mode 100644 index 00000000..0303d545 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/crack.txt 
@@ -0,0 +1,2310 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + The Cracking Manual + + Written By The Cyborg - April 3, 1992 + + + + + + + + Disclaimer + The author of this text shall hold no liability for special, + incidental, or consequential damages arising out of or + resulting from the use/misuse of the information in this + file. + + + + + + + + + The Cracking Manual + + + + INTRODUCTION + + Introduction + ------------ + Welcome to the wonderful world of cracking. What is + cracking? If you don't know and you're reading this, ask + yourself why? Anyway, cracking is the art of removing copy + protected coding from programs. Why do this? In recent + years, software companies have been fighting to keep copy + protection in their software to avoid their work to be + illegally copied. Users feel that such copy protection is + ridiculous in that it violate their own rights to make + backups of their sometimes expensive investments. + Whichever side you may favor, this manual will go into + some detail on removing copy protection from programs. If + you feel offended by this, then I would suggest you stop + here. Please note, I do not endorse cracking for the illegal + copying of software. Please take into consideration the hard + work and effort of many programmers to make the software. + Illegal copying would only increase prices on software for + all people. Use this manual with discretion as I place into + your trust and judgement with the following knowledge. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 1 + + + + + + The Cracking Manual + + + + WHAT YOU WILL NEED + + What You Will Need + ------------------ + Like all programming, cracking is the debugging stage of + software development. It is the most tedious and hectic part + of programming as you shall see. 
However, unlike software + development, you are given no source code, only the machine + level code commonly called machine language. Cracking + demands patience. No patience, no cracking. + Before we begin, you will need certain tools. These + include: + + - A decent computer. By this, I mean at minimum a 286 + computer with 2 or more megs of RAM. A 386 is the + ideal since it can load a debugger into usable memory. + - A source level debugger (eg. Turbo Debugger) + - A low level debugger (eg. DEBUG) + - An assembler system (eg. MASM, LINK, EXE2BIN) + - A hex dumping program (eg. Norton Utilities) + + The source level debugger is what you will try to be using + most of the time. It provides many features that are a + convenience to the cracker, such as interrupt redirection. + Become comfortable with its features. However, in some + instances, the source level debugger may not be suitable for + cracking huge games since the debugger itself may take up too + much memory. In such a case, a low level debugger must be + used since their memory usage may be considered negligible. + This manual will focus on its use. + The assembler package will be used in the creation of + the famed loaders, which provide the cracker with dynamic + memory alterations without changing the original program. + + + + + + + + + + + + + + + + + + + + + + + + Page 2 + + + + + + The Cracking Manual + + + + CRASH COURSE IN ASSEMBLY LANGUAGE + + Crash Course in Assembly Language + --------------------------------- + If you are already well familiar with the assembly + language, you may wish to skip this section. Cracking + demands the knowledge of assembly language. If you wish to + become a "serious" cracker, you might like to read up more + about this fascinating language. This section will only give + you enough info for intermediate level cracking. + At this point, you should familiarize yourself with + DEBUG and its commands as we will be using them shortly. 
+ + Registers + --------- + One of the neato things that you will be fooling around + most often with are called the registers. Registers are like + variables (such as in BASIC) that are located within the CPU + itself. These registers may hold a positive integer from 0 + to 255 or from 0 to 65535. They can also hold negative + integers from -128 to 127 or from -32768 to 32767. The + registers are given names as follows: + + AX => accumulator - this register is most commonly used + for mathematical or I/O operations + BX => base - this register is used commonly as a base or + a pointer register (we'll talk more about this + later) + CX => count - used commonly for counting instructions + such as loops + DX => displacement - much like the base register + + The registers stated above are considered general purpose + registers, since they can basically be used to store whatever + the user wants. Let's try putting some number in these + registers. Type in "R {enter}". You should see a bunch of + info, of which are four of the above mentioned registers. + Now, type in "RAX {enter}". Then type in a number like + 8FABh. Type in "R" again and noticed how the accumulator + (AX) has change its number. + These general purpose registers can also be "split" in + half into its higher and lower order components. Instead of + having one register AX, you can have two registers, AH and + AL. Note however that while you have a range of 0 to FFFFh + for AX, you will now have a range of 0 to FF for AH and AL. + You cannot change these directly in debug, but be aware that + programs will use it. If AX contains 0A4Ch, then AH will + contain 0Ah and AL will contain 4Ch. + The following are called the segment registers: + + CS => code segment - the block of memory where the code + (instructions are located) + DS => data segment - the block of memory where data can + be accessed. 
In block move operations in which + + + Page 3 + + + + + + The Cracking Manual + + + + huge blocks of memory are moved, this is commonly + the segment in which the CPU reads from. + ES => extra segment - also another data segment. In + block move operations in which huge blocks of + memory are moved, this is commonly the segment in + which the CPU writes to. + SS => stack segment - this is the block of memory in + which the CPU uses to store return addresses from + subroutines. (more on this later) + + In introductory level of cracking, we don't mess around with + these registers. Later, we will see how we can use these to + trick a program into thinking other things, but that's later. + You can also change these registers in debug. Type in "RCS + {enter}". Then enter "0 {enter}" and notice how the CS + register changed. + There are other registers that we use to see what the + program is doing. These registers can also be change in + debug. Included are the following: + + SI => source index - this register is used in + conjunction with block move instructions. This is + a pointer within a segment (usually DS) that is + read from by the CPU. + DI => destination index - this register is also used in + conjunction with block move instructions. This is + a pointer within a segment (usually ES) that is + written to by the CPU. + BP => base pointer - a pointer used commonly with the + stack segment + SP => stack pointer - another pointer used commonly with + the stack segment (this one, you don't touch) + + By now, you may probably be confused about this + segment/pointer bit. Here is an analogy that my straighten + things out. + Pretend you are in kindergarden learning to read. There + are four black boards surrounding the room. These black + boards are like SEGMENTS. Let's pretend the front blackboard + is the code segment (CS). The teacher has written some + instructions on pronunciation rules. This is what the + students refer to when they try to pronounce words. 
In a + program, this is what the CPU refers to when it follows + directions. + Okay, now the teacher has gone to the blackboard on the + left of the classroom. We will call this board the data + segment (DS). The teacher has also written a set of words on + the board. Then she uses a wooden stick or a POINTER to + point to a word. Let's pretend this stick is the source + index (SI). She points to the word "their". Now, the + students look at the front blackboard (CS) to see how to + pronounce the word and they say "their". + Now, the instructor wants the students to learn how to + write. She points the stick to the word "apple". The + + + Page 4 + + + + + + The Cracking Manual + + + + students pronounce the word. Then she goes to the blackboard + on the right. We shall call this one the extra segment (ES). + She then uses her finger as a different POINTER and points to + a location on the board where Mary Jane will write "apple". + That's basically what segments and pointers are. + Segments are the blackboards and pointers are the teacher's + stick (we're not talking sexually here) or finger. + One last important register is the flags register. + These registers control how certain instruction work, such as + the conditional jumps (in BASIC, they are like IF-THEN's). + They are stored as bits (0's or 1's) in the flags register. + We will most often use: + + zero => ZR/NZ (zero/not zero) - tells you whether an + instruction (such as subtraction) yielded a zero + as an answer + sign => NG/PL (negative/positive) - tells you whether an + instruction yielded a positive or negative + number + carry => CY/NC (carry/no carry) - tells you whether an + instruction needed to carry a bit (like in + addition, you carry a number over to the next + digit). Various system (BIOS) functions use + this flag to denote an error. 
+ direction => DN/UP (decrement/increment) - tells a block + instruction to either move forward or backwards + in reads and writes + + Try changing some of these bits. Type in "RF {enter}". Then + type in "DN {enter}" to change the direction flag to its + decrement position. + + The Instructions + ---------------- + + MOV - move + ---------- + Now we get to the actual instructions or commands that + the CPU will use. The first instruction you will see most + often is the move instruction. Its form is + MOV {destination},{source}. Let's try programming now. Exit + (q) and reenter debug again. Now, type in "A {enter}". You + will see a bunch of number to the left. You can think of + these as line numbers. Now type in "MOV AX,7A7A {enter}". + Then type "MOV DX,AX" and so on until your program looks + similar to the one below: (type "U 100" to see) + + xxxx:0100 B8A77A MOV AX,7AA7 + xxxx:0103 89C2 MOV DX,AX + xxxx:0105 B90000 MOV CX,0000 + xxxx:0108 88D1 MOV CL,DL + xxxx:010A 890E0005 MOV [0500],CX + xxxx:010E 8B160005 MOV DX,[0500] + xxxx:0112 BB0200 MOV BX,0002 + + + Page 5 + + + + + + The Cracking Manual + + + + xxxx:0115 26A30005 MOV ES:[0500],AX + + Press enter again until you see the "-" prompt again. You + are ready to run your first program. Type "R {enter}" and + note the values of the general purpose registers. Then type + in "T {enter}". Debug will automatically display the + registers after the execution of the instruction. What is in + the AX register? It should be 7AA7h. Now, "T" again. What + is in the DX register? It should also be 7AA7h. Trace again + using "T" and note that CX should be 0 if it was not already. + Trace again and note what is in the CX register. It should + be 00A7h. Now trace another step. What is this instruction + doing? It is now moving the contents of CX into memory + location 500h in the data segment (DS). Dump the memory by + typing in "D 500". The first two two-digit numbers should be + the same as in the CX register. 
But wait a minute you say. + They are not the same. They are backwards. Instead of + 00A7h, it is A700h. This is important. The CPU stores 16 + bit numbers in memory backwards to allow for faster access. + For 8 bit numbers, it is the same. Now, continue tracing. + This instruction is moving the memory contents of address + 500h into the DX register. DX should be 00A7h, the same as + CX regardless of how it looked in memory. The next trace + should be nothing new. The next trace again moves the + contents of a register into memory. But notice it is using + the BX register as a displacement. That means it adds the + contents of BX and 500h to get the address, which turns out + to be 502h. But also not the "ES:" in front of the address. + This additional statement tells the CPU to use the extra + segment (ES) rather than the data segment (DS which is the + default). Now dump address 502h by entering "D ES:502" and + you should see A77Ah, which is backwards from 7AA7h. + + CMP/J? - compare/conditional jump + --------------------------------- + Another instruction you will see quite often is the CMP + or compare instruction. This instruction compares the two + "variables" and changes the flags register accordingly. The + source and destination operands are the same as those for the + move instruction. + Let's consider an example in which the AX register holds + 21 and the BX register holds 22. Then "CMP AX,BX" is + performed. The compare instruction is like a subtraction + instruction, but it doesn't change the contents of the AX + register. So, when 22 is subtracted from 21, the answer will + be -1, but we will never see the answer, only the flags which + have resulted from the operation. Number 21 is less than 22, + so the carry flag and the sign flag should be set. Just + remember that when the carry flag is set, the first number is + less than the second number. The same is true for the sign + flag. Why have two flags if they tell us the same thing? 
+ This is more complicated and you should not concern yourself + with it. It requires knowledge of hexadecimal arithmetic, + the denotation of signed and unsigned integers. + + + Page 6 + + + + + + The Cracking Manual + + + + So, now that we have done the compare instruction, there + will most likely be a conditional jump instruction after. If + we wanted to jump if AX is less than BX (which it is), then + there would be an instruction like "JB 200". This + instruction says Jump if Below to instruction 200h. What + about if we wanted to jump if AX is greater than BX. Then we + might have "JA 200". This is read Jump if Above to + instruction 200. What about AX equal to BX. We would then + have "JZ 200" or "JE 200". (Please note that the previous + instructions are synonymous.) This is read Jump if Equal to + instruction 200h. Here are the jumps you will most likely + encounter: + + Mnemonic Flag(s) Checked Description + ------------------------------------------------------------- + JB/JNAE CF=1 Jump if below/not above or + equal (unsigned) + JAE/JNB CF=0 Jump if above or equal/not + above (unsigned) + JBE/JNA CF=1 or ZF=1 Jump if below or equal/not + above (unsigned) + JE/JZ ZF=1 Jump if equal/zero + JNE/JNZ ZF=0 Jump if not equal/not zero + JL/JNGE SF not equal Jump if less/not greater or + to OF equal (signed) + JGE/JNL SF=OF Jump if greater or equal/not + less (signed) + JLE/JNG ZF=1 or SF Jump is less or equal/not + not equal OF greater (signed) + JG/JNLE ZF=0 or SF=OF Jump if greater/not less or + equal (signed) + JS SF=1 Jump if sign + JNS SF=0 Jump if no sign + JC CF=1 Jump if carry + JNC CF=0 Jump if no carry + JO OF=1 Jump if overflow + JNO OF=0 Jump if not overflow + JP/JPE PF=1 Jump if parity/parity even + JNP/JPO PF=0 Jump if no parity/parity odd + + There are all the possible combinations of conditional jumps + that you will encounter. 
I realize that we have not + discussed some of the flags such as overflow or parity, but + be aware that they exist and programs sometimes use them. + + JMP - jump + ---------- + This instruction does what it suggests. It jumps too + different sections of code. Several forms of the jump + instruction include: + + 2E0B:0208 EBF6 JMP 0200 + 2E0B:020A 3EFF24 JMP DWORD PTR DS:[SI] + + + + Page 7 + + + + + + The Cracking Manual + + + + The first instruction jumps to an address within the segment. + The latter instruction jumps to an address pointed to by ds: + si. The DWORD says that this will be a far jump, a jump to a + different segment (a different blackboard). So, if the + double word that is pointed to by ds:si contains 1000:0040h, + then, the instruction will jump to 1000:0040h whereas the + previous jump instruction will jump within the current + segment (or blackboard). + + CALL - procedural transfer + -------------------------- + This instruction is the baby that you will be carefully + watching out for most often. This instruction calls another + procedure and upon it's completion, will return to calling + address. For example, consider the following block of code: + + 2E0B:1002 E8BB46 CALL 56C0 + 2E0B:1005 7209 JB 1010 + 2E0B:1007 0C00 OR AL,00 + + The first line calls another procedure at "line number" + 56C0h. Upon its completion, the instruction pointer will + point to the second line. Note that there is a "JC" + instruction. Remember that programs often use the carry flag + to signal errors. If the call instruction called a copy + protection instruction and you entered a wrong code or + something, it may return with the carry flag set. The next + instruction would then jump if there was an error to an + exiting procedure. + Note, this is a near call. A program can also have far + calls just like jumps. + + INT - generate an interrupt + --------------------------- + This instruction is much like the call instruction. 
It + also transfers control to another procedure. However, the + number after the INT instruction does not point to an + address. Instead, it is a number pointing to an address that + is located in something called an interrupt vector. You will + commonly see "INT 10", "INT 21", "INT 13". Just know (for + now) that they are like calls to procedures. + + LODSB/LODSW/STOSB/STOSW - load/store a byte/word + ------------------------------------------------ + These instructions either load in or store a byte or a + word to or from memory. The DS:SI register pair points to + the source data. These are the registers the CPU will use + when reading from memory using the LODS instruction. The + AX/AL register will hold the number to either read from or + write to the memory. So, if DS:SI points to a byte which is + maybe 60, then a "LODSB" instruction will load in the number + 60 into the AL register. A LODSB or STOSB will use the AL + register while the LODSW or STOSW will use the AX register. + The STOS writes whatever is in the AX/AL register to the + + + Page 8 + + + + + + The Cracking Manual + + + + memory pointed to by ES:DI. So, if ES:DI points to 100:102h + and if AL held 50, then the byte at 100:102h will hold 50. + After the instruction is finished, the CPU will either + increment or decrement SI or DI according to the status of + the direction flag. So, if SI was 100h and a "LODSW" + instruction was performed with a cleared direction flag + (forward), the SI will now point to 102h. + + MOVSB/MOVSW - copies a byte/word from source to destination + ----------------------------------------------------------- + This instruction gets a byte or a word from the data + pointed to by DS:SI and copies it to the data pointed to by + the ES:DI address. When the instruction is finished, SI and + DI will be incremented or decremented accordingly with the + status of the direction flag. 
So, if DS:SI pointed to a byte + with the number 30, a "MOVSB" instruction would copy into the + byte pointed to by ES:DI the number 30. + + REP - repeat + ------------ + The REP instruction in front of a MOVS/LODS/STOS would + cause the MOVS/LODS/STOS instruction to be repeated for a + number of times specified in the CX register. So, if CX + contained 5, then "REP STOSB" would store whatever was in the + AL register into the byte pointed to by ES:DI five times, + increasing DI each time. + + LOOP - looping + -------------- + The LOOP instruction repeats a block of instructions for + a certain number of times. This number will be held in the + CX register. Each time we reach this instruction, the CPU + will decrement the CX register and jump to a specified + instruction until CX becomes zero. This instruction looks + like "LOOP 1A00" where the number indicates the instruction + address to loop to. + + Arithmetic Operators + -------------------- + Arithmetic instructions allow you to perform various + arithmetic function of data. "ADD" and "SUB" work the same + way as "MOV" instructions do in that it subtracts whatever is + in the source register from the destination register and + stores it in the destination register. + The "MUL" and "DIV" instructions are a bit more + complicated and they are not used as intensively as the "ADD" + or "SUB" since they are slow, so we will not talk about them. + There are also a multitude of other instructions that + you should familiarize yourself with if you are thinking of + becoming a serious cracker. The instructions given above are + only the BARE minimum that you need. There is no way around + learning assembly for better cracking. + + + + + Page 9 + + + + + + The Cracking Manual + + + + THE CRACKING + + The Cracking + ------------ + Now the fun stuff begins. First, we must discuss the + different forms of copy protection schemes. They are + basically divided into the disk based and manual based copy + protection schemes. 
+ With disk based schemes, the software often reads from + specific sectors on a disk to determine the disk's validity. + How can this be done? When you perform a disk format, the + disk is formatted with specific sector sizes. Once the + sector size changes, DOS cannot recognize it, thinking that + it is a bad sector. Since this looks like a bad sector, a + simple DISKCOPY will not work in copying such disks. + Interrupt 13h (the assembly mnemonic is INT 13) was commonly + used to handle such copy protections. It is now very rare to + encounter the once famed INT 13h copy protection method + nowadays since it was quite easy to defeat. Any professional + commercial software will often use their own custom based + disk I/O routines. This involves intimate access to I/O + ports using IN and OUT instructions. This is beyond the + scope of the first release of this manual. However, if you + are lucky, the I/O functions might be called from a "CALL" + instruction in which case you may defeat the protection + without much difficulty. Another disk based scheme used to + denote legality of software is used during the installation + process of the software. With certain programs, when you + install it, it copies the files into the hard drive. But it + also sets a specific sector in the hard drive so that the + program can recognize it. This is also similar to diskette + copy protections, but can be defeated in much the same way. + Thank goodness that disk based copy protections are + almost completely out of the software industry. However, a + sometimes more difficult copy protection scheme has arisen + that may sometimes prove to be even more difficult to crack. + These schemes are commonly known as the doc checks in which + the user must have a copy of the manual to bypass the + protection. With programs compiled as true assembly (you can + call then "normal" programs), these protections are not too + bad to trace through and crack. 
With programs that run + scripts (such as Sierra games), this can he a real chore + however. Why? It is because it is like running a program + within a program. You just have to be very very patient in + this case, carefully tracing through the instructions. + As if these copy protection schemes weren't enough, + software companies have also added trace inhibition schemes + to their code. What does this mean? This means that you + will have a hell of a time trying to trace through code. + However, if you know how these things work, it should not be + too much of a problem. + Run-time compression/decompression and + encryption/decryption of files also make changes to the + program difficult. In this case, the loader sure comes in + + + Page 10 + + + + + + The Cracking Manual + + + + handy. Also, when the data within the file changes due to + overlays, loaders are also good to use. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 11 + + + + + + The Cracking Manual + + + + DISK BASED COPY PROTECTIONS + + Disk Based Copy Protection + -------------------------- + Since disk based copy protection schemes are rarely + used, we will not go into great depth in its discussion. + + INT 13h + ------- + I have previously mentioned that INT 13h copy protection + schemes are hardly ever used anymore. Nevertheless, it would + be good practice for the beginner to learn how to defeat the + code. You will most likely see INT 13h used with function 2, + read sector. This means that: + + AH => will contain the number 2 (function 2) + AL => the number of sectors to read in. This is + commonly only 1 since you just want to check a few + sectors for disk validity. 
+ CH => will contain the cylinder number + CL => will contain the sector number + DH => will contain the head number + DL => will contain the drive number + 00h - 7Fh for floppies + 80h - FFh for fixed disks + ES:BX => will point to the address into which the data + read from the disk will be written to + + Upon the return for this interrupt, if the carry flag is + set, that means that the program could not read the sector, + and therefore the disk is valid. If the carry flag is clear, + that meant that INT 13h could read the sector properly and so + the disk would be bad in the eyes of the program, thinking it + was a copied disk. + Okay, now that we know to look for INT 13h in the + program code, we can begin tracing. First, we must know the + difference between debug's "T" and "P". "T" is the trace + instruction, which tells it to follow instructions step by + step. That also means that in LOOP or REP instruction, the + trace will patiently go through the loop until finished. + Also, during CALL instructions, trace will go into the call + and execute the instructions pointed to by the call + instruction. The "P" command is similar to the "T" but with + the difference in that it traces over instructions. That + means that if it encounter a LOOP or REP, it will quickly + finish up the loop and point to the next instruction. With a + CALL, the "P" (proceed) will not go into the subroutine. + Instead, it will just execute the procedure, then point to + the next instruction. + Okay, before you start tracing for hours through a + program, you must first notice when and where the copy + protection appears. Run the program in DOS first and make + careful note of when things happen. You might see an intro + screen, then the music pops up, then the menu comes out. + + + Page 12 + + + + + + The Cracking Manual + + + + Notice this so you will know where you are in the program. + Once you have done that, you can begin debugging the + program. 
Whenever you start out with a program, you use "P" + to trace through the program. Be patient as this might take + a while. While you are tracing, watch out for CALLs and + INTerrupts. When you are just about to execute the step, try + to remember the segment and offset of the instruction. The + segment is the number to the left of the colon while the + offset is the number to the right. As you continue tracing + through the program, you will find that the screen might + blank and display the intro screen or something like that. + This is a good sign and it tells you that you are headed in + the right direction. Start slowing down when you feel that + you are near to the copy protection. + + Situation 1 - Exit from copy protected CALL + ------------------------------------------- + Oops, you have traced over a call that accessed drive A. + Unfortunately, you also exited the program. That's good. + You have just narrowed down the location of the copy + protection code. Now I hope you remembered the address of + that CALL. If not, you gotta start all over to find it. + Anyway, restart the program now. Now Go to that instruction + by "G {segment:address}". + Did something go wrong? Did the computer freeze or + something? It is most likely that this is an overlay or + encrypted code or something that caused the code at that + location to change. In this case, you will have to remember + the addresses of various instructions along the way. + Instructions that you want to take note of are far calls (if + you remember, calls with a segment:offset address as their + operand). You don't have to do this for every call. As you + crack more and more, you will get the hang of which + instructions to keep track of. + Okay, let's assume you have gotten back into the + location of the code again. It is a CALL instruction that + will access the disk drive. At this point, try skipping the + CALL instruction. To do this, type in "RIP {enter}". 
Then + type in the address of the next instruction. Then execute + the do or die instruction, "G". If the program runs fine + without asking for the copy protection, congratulations! You + have cracked the program. + If the program freezes or does something weird, restart + the program and trace back to the suspected copy protected + location. Now use the "T" command once and start using "P" + again. Remember to write down the address of that CALL + instruction you just traced into so you can come back to it + quickly. As you keep tracing, using the above procedures, + pretend you eventually come up to an INT 13h instruction. + See what it does by tracing over it. Make sure you have a + disk in drive A too. If there was no error, force an error + by turning on the carry flag and proceeding. With INT 13h + copy protections, this should be sufficient to crack the + program. + + + Page 13 + + + + + + The Cracking Manual + + + + Situation 2 - Return from copy protected CALL + --------------------------------------------- + Okay, the CALL that you just traced over accessed the + disk drive, but it didn't kick you out. Keep on proceeding + and this point. If there is an instruction that causes you + to jump because of a carry flag, try fooling around with this + carry flag and see how the program reacts. INT 13h copy + protections are usually simple enough for you to just change + the carry flag to allow the program to bypass the copy + protection. + + Access to the Hard Drive + ------------------------ + The cracking for installation software is also the same + as cracking for the INT 13h. You just keep tracing until you + see some disk activity. At that point, you try messing + around with some of the conditional jumps to see what + happens. If you have the original program, you should run it + also to see the differences between the valid and invalid + copies. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 14 + + + + + + The Cracking Manual + + + + DOC CHECK COPY PROTECTIONS + + Doc Check Copy Protections + -------------------------- + Okay, we have just quickly scanned over disk based copy + protections because they are rarely used nowadays. Doc + checks will be discussed in greater detail for the rest of + this manual. + Unlike the disk based protections, which are based on + hardware identification, doc checks are based on software + identification. Therefore, the only information that will + indicate that a copy protection is happening is the screen, + unlike the whirr of the disk drive. The moral, watch the + screen. Because this copy protection is software based, it + will be more of a challenge to trace, but of course, that is + the "fun" part of cracking. + + The Basics + ---------- + Make sure you have the COMPLETE version of the program + you are about to crack. When you do, run the program in DOS. + While the program is loading, take note of exactly what goes + on with the screens, sounds, etc. Here is what you might + want to note: + + 1) What comes up first? Is it a standard text output + that asks you for the type of graphics adaptor you + have, the number of joysticks, the sound card? + 2) When does the intro screen come up? Is it after the + music starts? After the copyright notice? After + the text prompt for the graphics mode you will be + operating in? + 3) What happens now? An animated sequence that brings + you through the beginning plot of a game? If so, + can you press a key and escape from it? + 4) Now what? Is there a main menu? When you start the + game by selecting the "START GAME" option from the + menu, does the copy protection come up immediately? + 5) If it doesn't come up immediately, when does it come + up? 
+ 6) Does the copy protection only appear when you are + playing the game, or does it come up also when you + select "CHANGE OPTIONS" from the main menu? + + Obviously, these questions are merely prompts for you to + follow. Use your own mind in discovering what to take note + of. There are no set rules for cracking. It is a puzzle + that you must use your mind on. + Okay, once you have run the program, go into your + debugger (in our case, DEBUG) and load up the program. One + tip to use when you first start out programming is to use the + "P" command to trace through code. As you become a more + advanced cracker, you might start seeing patterns in coding. + These patterns are characteristic of high level programming + + + Page 15 + + + + + + The Cracking Manual + + + + languages (Pascal, C, etc.) and are usually the + initialization code for the rest of the program. Use "P" for + each instruction, one at a time. Be patient as this might + take a while. + Okay, you have been tracing for some time now and + finally, you notice something happen. The screen might have + blanked or maybe a message prompting you to enter the + graphics mode may have popped up. Was this what you have + noted before? It should be and you can assure yourself that + you are headed in the right direction. As you keep tracing + programs, you notice that CALLs usually do something + significant. A CALL might clear the screen or sound some + music. When it does something rad like this, write down its + address as the segment:offset pair. The segment is the + number to the left of the colon while the offset is the + number to the right of the colon. Don't be a dork and set a + breakpoint there. Write it down on paper or something. We + will see later on why breakpoints fail miserably in the cool + wares. + Why take note of these instructions? 
As you trace + deeper and deeper into programs, the coding often loads up + overlays or maybe decompresses code to the memory location + that you have just traced over. Therefore, if you set a + breakpoint there, or execute a "G" instruction to that + address, you will fuck up the program and cause your computer + to freeze. We will see why when we examine how breakpoints + and single stepping works. + Also, while you are tracing using "P", mentally remember + the addresses of the CALLs. That way, if you trace over a + call that brought you immediately to the copy protection, you + won't have to retrace the code again. You don't have to + write down all of the addresses, of course, just remember one + at a time and write them down if they do anything + significant. + + Code Guards Through Keyword Entry + --------------------------------- + Okay, you know that the copy protection is one in which + the program waits for you to type in a keyword that you have + to look up in the manual or something. Here are then + following steps you should take. + + Situation 1 - Return from a copy protected CALL + ----------------------------------------------- + When a copy protection coding reveals itself on the + screen, you can have a situation in which you are returned to + the debugger, waiting for the next instruction to be + executed. Now, suppose that the CALL asked you to enter a + code. You entered an incorrect code and were returned to the + debugger, but you have not exited the program. Make sure + that you have previously recorded the address of this CALL. + Now, you can do two things, (1) you can try skipping over the + CALL, (2) you can trace on further. As you become more + experienced, you will be able to better decide. As one with + + + Page 16 + + + + + + The Cracking Manual + + + + experience, however, I can say that 90% of the time, you will + have to trace further on, but hey, you might get lucky. 
+ For now, let's say you are lazy and decide that you want + to skip over the call to see what happens. To do this, you + must restart the program. Then trace your way back to the + CALL where the copy protection was located. Use "G + {segment:offset}" to do this. If, for some reason, the + computer freezes when you do this, you will have to use "G" + followed by the addresses of the CALLs that you have noted + down to be significant. If that doesn't work, resort to + retracing the code over again. As you become more + experienced, you will find that you rarely have to retrace + the entire code since you can "feel" what is going on. Okay, + now that you are at the location of the CALL, this is the + time to skip over the instruction. To do this, enter "RIP" + and then the address of the next instruction's address. Now + enter the "G" command and see what happens. If the program + runs just fine, you've cracked the program. If the program + kicks you out or crashes, you have to do some more tracing. + Okay, so you've decided to continue tracing from the + point of the copy protection. There are usually a bunch of + CMP and J? CMPS? instructions after the call. This point on + is the difficulty of cracking for a beginner since you don't + know what the fuck is going on. All those compares and jumps + don't mean shit to you are you are about to pass out in + frustration. Don't distress, here are a few tips I can give + you. If these don't work, you gotta find out your own + solutions to the problem. + Okay, in all probability, the CALL that you just traced + over was acting as a read string procedure (like BASIC's + INPUT). That means somewhere in the computer's memory, there + lies the code that you typed in and the code that you were + supposed to have typed in. What this would mean is that the + code after the CALL will do some sort of string comparison. + Look out for these. It might be hidden inside another CALL + if you're lucky. 
In such a case, does the program kick you + out? If it does, you have to trace into the call using "T" + to see what is going on. Okay, the string comparison will + most likely take the form of some kind of loop. Maybe "REP + CMPSB" or "LOOP". In the case of the REP CMPSB, there might + be a JZ/JNZ or JCXZ/JECXZ that follows it. When strings + match, the CX register will be zero. If CX is not zero, the + strings are not the same and the conditional jump will + probably jump to an exit routine. All you have to do is to + change the status of the zero flag. Then, try out the "G" + instruction. If it still didn't work, start over and do some + more tracing. If the string compare is not of the REP form, + there will be some kind of loop that will check between two + memory locations. In such a case, you will just have to + become accustomed to realizing that the code is a string + compare. There is no standard code for this. If you know + you have entered a wrong code, trace through the loop and see + where in the loop you are thrown out of the loop. At this + point, you can go back to it, change some flags to make sure + + + Page 17 + + + + + + The Cracking Manual + + + + you stay in the loop. When you exit through a different + location, you have probably bypassed the code and now, you + can enter "G" to see what happens. + + Situation 2 - Exit from a copy protected CALL + --------------------------------------------- + When a copy protection coding reveals itself on the + screen, you can have a situation in which you are not + returned to the debugger, instead, causing you to exit the + program. In this case, you have to restart the program and + trace into the CALL using "T". After that, you can start + using "P" again to uncover the location of the code. You + will most likely encounter a condition that will resemble + situation 1. Follow its instructions. 
+ + Shortcuts For Keyword Entry Protections + --------------------------------------- + With keyword entry systems, you might be lucky to have + the codes stuck somewhere into file in its + uncompressed/unencrypted form. This means that you can "see" + the keywords in its ASCII format. This case is cool because + you won't have to do any tracing to crack the program. All + you have to do is to dump the contents of the files to find + something that looks like a keyword. (Always backup the file + that you are about to alter.) When you have found such a + file and the location of the codes, all you have to do now is + to change the codes to values that you know. For example, + one code might call for you to enter "PIRATE". It's a bitch + if you don't know the code. But if you change the code to + your name or something else you will never forget ("CYBORG"), + then you'd be set. + However, in most instances, you can't simple just type + over the old code with your new code. In high level + languages, these codes are stored as strings. In 'C', + strings are stored in their ASCII equivalent. They are then + terminated with a NULL character (this is a 0). In Pascal, + the lengths of the strings are first stored in the first + position. Then, the ASCII is stored. + + NULL Terminated Strings + ----------------------- + So, if you see zeros after the codes, this is a NULL + terminated string. Now, start at the beginning of the string + and enter your code. Then, enter the '0'. Make sure your + string is less than the original string since 'C' refers to + these strings also with pointers. + + Pre-Length Indentifier + ---------------------- + If you see numbers before strings, enter your own code. + Then change the length of the code appropriately. Make sure + you do not exceed the length of the original string. 
+ + + + + Page 18 + + + + + + The Cracking Manual + + + + Code Guards Through Pointed Icons + --------------------------------- + We have a case where we do not type in keywords. + Rather, we must use a pointer device such as the cursor keys + on the keyboard, the mouse, or joystick. These protections + are a bit more complicated since there are no strings to + compare against. Rather, the input will be a number stored + in memory or a register. This is what makes this copy + protection more difficult to crack. We have to hunt through + code to find out which compare instruction is the key. + What you have to do is to find the general location of + the copy protection code as before. Then, instead of typing + in the keyword, you select the icon. Like before, you must + step slowly through the code and go until the program JUST + STOPS asking you for the code. For example: + + 2E0B:0000 E8740E CALL 0E77 + 2E0B:0003 38D0 CMP AL,DL + 2E0B:0005 7569 JNZ 0070 + 2E0B:0007 CB RETF + + You might decide to trace over the call at address xxxx:0000. + But then, you see that the screen displayed the icons and you + got to select the code. Then, the procedure does some disk + activity and you return to address xxxx:0003. If you see + something happen after you have just finished entering the + code or if it is slow in returning you to debug, then, + some code must have been performed before you returned. In + this case, you must trace into the CALL to see what has + happened. If not, there is still a small probability that + there were some instructions that formatted the code you + entered and saved it to a memory location. (We'll talk about + multiple doc checks later.) + Realize that most of the programs that you will be + cracking have been programed by C or some other high level + language. These languages often use the stack (SS:SP) to + pass parameters (variables) or to create local variables for + a procedure's use. 
Most likely, you will see compares to + data contained within the stack such as "CMP AX,WORD PTR + [BP+10]" or "MOV DX,WORD PTR [BP+10]". This is what you hope + to find, although not always the case. If you do see some + access via the stack using the BP register as a pointer, you + may have something there. Then, all you would have to do is + to mess around the flags register (most likely, JZ/JE will be + used) at the compare instruction. + + Multiple Doc Checks + ------------------- + There are some wares that invoke multiple doc checks, + doc checks that pop up either systematically or randomly. In + addition, there could also be two types of this protection. + The doc check could be a similar type (eg. typing the code + found on page...) or they could be different (eg. typing in + the code on page... then select the correct icon), although + + + Page 19 + + + + + + The Cracking Manual + + + + the latter is more rarely used due to its extensive memory + usage. + + Situation 1 - Similar doc checks + -------------------------------- + Cracking multiple doc checks that are similar is just + like cracking with just one doc check. The procedure to + trace is still the same. Keep Proceeding until you come up + to the CALL that contains the copy protection. Just use the + sequences mentioned above. When you are absolutely positive + that the call contains the copy protection (skip the CALL and + see what happens; if the protection has been bypassed but + appears at other times, you got something), here is what you + do. + + 1) Note what type of CALL it was. Near if the operand + (number after the CALL) was a four digit number or + far if the operand contained the segment:offset + pair. + 2) Trace INTO the call. + 3) At the first instruction, note the address inside + the CALL. + 4) Then, type in "A" then the address of that very + first instruction. + 5) If there was a near call performed, now type in + "RETN", otherwise, type in "RETF". 
+ 6) Now run the program ("G") and see what happens. + + If this call was definitely the copy protection, you should + have bypassed the copy protection completely. Otherwise, you + might have a case like situation 2. + + Situation 2 - Different doc check types + --------------------------------------- + Again, cracking multiple doc checks are like cracking + single doc checks. You follow the same procedures until you + come up to a copy protected location. Then, you would trace + into the code as explained in situation 1 just to make sure + that the code is not called up again. Different doc checks + are a bitch to do because you have to manually keep tracing + until you find each one to effectively rid yourself of the + copy protection. There is not sure way of getting rid of all + the doc checks any other way. But luckily, there are very + few wares out there like this. Remember, the more the + company shoves into the program's memory, the more money it's + gonna cost them. + + Of course, I cannot cover every single type of doc check + since there are too many of them. You'd just have to use + your own imagination to solve some of them. + + + + + + + Page 20 + + + + + + The Cracking Manual + + + + SPECIAL SITUATIONS + + Special Situations + ------------------ + What all crackers are faced with at one time or another + are situations that call for intuitive thinking to overcome + the barrier. Remember, there is no one sure way of cracking. + + INT 3 - Problems During Tracing + ------------------------------- + Sometimes, when you start cracking, you just find your + instruction pointer messing up. You keep tracing and + tracing, then your computer freezes. But then, when you type + "G" at the beginning of the program, it works just fine. + What is happening here? There are several things that the + program could do to impede tracing. Unless you have a + hardware debugger, you have to settle in for more primitive, + intuitive methods. 
First, we have to find out how a software + debugger works. + I now introduce you to INT 3 and INT 1. They are the + breakpoint and single stepping interrupts respectively. We + will be looking at INT 3 the most. + What happens when you set breakpoints? Well, here is + what the debugger does. At the address you have specified, + the debugger will read in the byte at that address and store + it somewhere else in its own memory. This byte is part of + the whole instruction located at that address. For example, + if there was an "INT 13" at that location, the machine + language equivalent will be CD13h. Debug will read in the + first byte, CDh, and save it in memory. The CDh will then be + replaced by INT 3 (CCh). So, the code will now look like + CC13h in machine language. When you unassemble this at the + address, you will see "INT 3" (the instruction only takes up + one byte) and some gibberish after that. So, when the CPU + comes up to this address, it will encounter INT 3 and will + return control to the debugger. The debugger then replaces + the INT 3 with the CDh byte used before. + With single stepping, the same thing occurs. Debug will + also insert the INT 3 instruction at the instruction after + the one you are about to execute. Then, internally, a "G" + instruction is performed until it reaches the INT 3, at which + point, the byte will be replaced and everything will be cool. + + Use of INT 3 to Call Up Other Interrupts + ---------------------------------------- + This INT 3 deal seems to be cool, working in many + situations. But what if the software vendor reprograms INT 3 + to point to an INT 21? Many programs use INT 21 to access + DOS functions like reading a file, etc. There would be a + conflict now as the program uses INT 3 to call up DOS while + debug wants to use INT 3 for its breakpoints. There is also + another problem. INT 21 uses two bytes (CD21h) while INT 3 + uses only one byte (CCh). Therefore, you cannot replace INT + 3 with the INT 21. 
+ + + Page 21 + + + + + + The Cracking Manual + + + + Also, INT 3 could be reprogrammed so that everytime it + is used, the program will just exit to its higher process. + So everytime you single step, you will be kicked out of the + program. + + Parity Errors with INT 3 + ------------------------ + The tough copy protections use the change of memory to + obstruct tracing. Examine the code below: + + 2E0B:0500 FC CLD + 2E0B:0501 B80000 MOV AX,0000 + 2E0B:0504 BB0000 MOV BX,0000 + 2E0B:0507 BE0005 MOV SI,0500 + 2E0B:050A BF0010 MOV DI,1000 + 2E0B:050D B90005 MOV CX,0500 + 2E0B:0510 AC LODSB + 2E0B:0511 345A XOR AL,5A ;'Z' + 2E0B:0513 01C3 ADD BX,AX + 2E0B:0515 AA STOSB + 2E0B:0516 E2F8 LOOP 0510 + 2E0B:0518 3B1E0043 CMP BX,[4300] + 2E0B:051C 7403 JZ 0521 + 2E0B:051E E9EF2A JMP 3010 + 2E0B:0521 D1E0 SHL AX,1 + + Notice what the program is doing. It is performing a simple + decryption of a block of code from address 500h and putting + it in address 1000h. In addition, there is a checksum being + performed at address . The program is adding all those bytes + up, then comparing the number with some other number (a + checksum value) in memory at address 4300h. So what you may + say. When the program is run without any set breakpoints, + the program will run fine. But when you start tracing + through the code, or putting a breakpoint somewhere after the + loop, the program will cause you to exit. If you decide to + change the program so that it will let you pass regardless of + the checksum value, somewhere along the line, the program + will fuck up. + This goes back to the idea of INT 3. Right before debug + executes an instruction, it places an INT 3 at the next + instruction. In this program, when debug places this + interrupt and executes an instruction, the program is reading + in this INT 3 at the address and copies it to a different + address. INT 3 is obviously a different number than the + other instructions, so the checksum value will be different. 
+ So, now that INT 3 is copied to another location in memory, + debug also cannot replace that with it's original byte value. + Therefore, if you try to force the checksum to match and + continue running the program, the program will crash because + the INT 3 is causing the instructions after itself to be + interpreted incorrectly by the CPU. + To bypass this, you have to make sure not to get your + INT 3 placed in the wrong place at the wrong time. Looking + + + Page 22 + + + + + + The Cracking Manual + + + + at the program, you can keep tracing normally until the SI + register points to any byte past the CMP instruction at + address 519h. Then, you can do a "G 518" to finish off the + loop quicker. Debug will place a temporary INT 3 at address + 518h, but it doesn't matter now since SI will be past 518h. + This is obviously a simple example, but it gets the point + across that you have to watch where you trace. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 23 + + + + + + The Cracking Manual + + + + OVERLAYS/LOADERS + + Overlays/Loaders + ---------------- + Sometimes, programs will have an initialization code and + upon its completion, call up another program or overlay. + These programs present unique situations in which it is + sometimes difficult, after finding the copy protection code, + to write the changes to disk. Let's see what these programs + do before we go on to the next topic of making changes + permanent. + Loaders are usually small programs that might first ask + you for the graphics mode or what sound card you have. When + finished, it will load up another program. Sometimes, this + is done with DOS' interrupt 21h, function 4B00h (load and + execute). This is the same interrupt DOS uses to load up + programs when you type them in at the DOS prompt. 
You can + tell what file is going to be executed by tracing up to the + INT 21 instruction and dumping the address pointed to by + DS:DX (type in "D DS:DX"). Also, internal procedures could + be used to call up the program. Use what you've learned to + trace through them. + Code decryptions or dynamic heap allocation where data + is to be loaded presents problems as well. Code that changes + as the program progresses makes code changes difficult in the + file itself. And when you want to alter sometime in the data + area, something called a heap is often used to store the + data. The thing with the heap is that it can be allocated at + anytime and depending on what is currently in memory, you + can't tell where the memory is going to be located. In these + cases, you might choose to go with run-time memory overlays + (discussed later). + + Writing the Changes Out to the File + ----------------------------------- + Okay, so you've found the copy protection. You also + know how to bypass it. Now, the next problem you will most + likely encounter is writing it out to a file. But first, + let's assume a simple case. + + Using a Hex Dump Program + ------------------------ + Included is this package is one of the files from Norton + Utilities which does a decent job of finding and changing the + contents of files. Before we exit that debugger, we must + know what to look for. + + 1) At the location of the instruction, copy down the + machine language equivalent of the instruction. At + instructions after that, also take down their + machine level equivalents. This is what you will + use to search for the code in the file. + a) If there is a near call or a near jump or a near + memory access, you can just write down all the + + + Page 24 + + + + + + The Cracking Manual + + + + hex numbers. 
+ b) If there is a far call (CALL DS:[5C10+BX]) or a + far jump (JMP DWORD PTR ES:[5080+BX]) or a far + memory access (MOV AX,WORD PTR ES:[10+SI]), then + do not write these instructions down. In .EXE + files, anything that is located in different + segments will have different displacement + values. This is a value in the file. At the + beginning of the file is a table that tells DOS + where these instructions are located. When the + program is loaded into memory, the pointers are + changed appropriately to match the memory + location. So, write down other near + instructions like CLD, JZ 100, INC AX, etc. + 2) After you know what to search for, you must now know + what you will have to be changing. Very often, + NOP's are used to "delete" code. For example, if + there is a CALL 3140 and we want to skip this call, + we can NOP it out. The near call takes up three + bytes. The NOP takes up one byte. So, type in "A" + at the address of the call and enter "NOP" three + times. Then unassemble the code to make sure that + the code still looks okay. Take down the machine + level equivalents of the NOP's (90h). Same thing + with conditional jumps. Suppose you have a JZ 90 + and you want it to jump to address 90 everytime, + then type in "A" at the jump instruction and enter + "JMP 90". Then, just write down the machine code as + before. One thing, however. You cannot do what I + have just said above with far calls. Remember, the + numbers will be different in the file as compared to + memory. So what do you do? No problemo. At the + call instruction, trace into the call and place a + "RETF" instruction at the address of the callee. + This will be the location that you will search for + (write down the bytes here) and where you will be + writing to (RETF is CBh in machine language). + 3) Finally, after all this is through, you can enter + your file editor and search for the numbers you + wrote down. Then, you can change the numbers. 
Now + run the program and it should be cracked. But + remember, always backup the file you are about to + change. + + Using a Memory Overlay + ---------------------- + When do you use these things? You would use memory + overlays when step 3 (stated above) has failed in some way. + Maybe you couldn't find the code, or when you change it, the + program freezes up. Don't fret, the memory overlay is here. + What is a memory overlay? It is an external program (TSR) + that when it reaches a certain point during program + execution, it will change the location in memory you have + specified. It overlays the code during run time. + + + Page 25 + + + + + + The Cracking Manual + + + + Here is what you will need to do to make the overlay + work. First, you must find some way for the program to call + up the overlay code. This can most easily be done by + reprogramming interrupts. So, the first thing you have to do + is look for an interrupt usage near the copy protection code + (usually an INT 21h or INT 10h). When you find this + interrupt (it must be fairly close to the code), write down + the address of the NEXT instruction. You must get down the + segment and the offset. Also, get down the current status of + the registers. For interrupts like INT 21h and INT 10h, + write down the functions numbers (eg. AX,AL,BX,DX,etc.). + Then, keep tracing until the copy protection code. Get the + address of the instruction that you want to change (the + segment and the offset). Also get down the machine language + equivalent of the changed code. This should be all you need + for the overlay program. 
Here is the overlay program: + +INT_SEG equ 1DA5h ;SEG:OFF of instruction after the +INT_OFF equ 05D1h ; calling interrupt +CHANGE_SEG equ 2DA5h ;SEG:OFF of instruction to change +CHANGE_OFF equ 0432h + +OVERLAY segment para 'code' + + assume cs:OVERLAY,ds:OVERLAY + + org 100h ;This will be a .COM program + +START: jmp INITCODE ;Initialization code + +;************************************************************************** + +OLDINT dw 0,0 ;Storage for old interrupt address + +ADDR_OFF equ +ADDR_SEG equ + +CR equ 0Dh ;Carriage return +LF equ 0Ah ;Line feed +BEEP equ 07h ;Beep +EOS equ '$' ;End of DOS string + +DISPLACEMENT equ CHANGE_SEG - INTSEG + +;************************************************************************** + +NEWINT proc far + + push bp ;Establish stack frame + mov bp,sp + push ax ;Save necessary registers + push bx + push cx + push dx + + + Page 26 + + + + + + The Cracking Manual + + + + push si + push di + push ds + push es + + mov bx,ADDR_OFF ;Get offset + cmp bx,INT_OFF + jnz EXIT + + cmp ax,0201h ;Check for AX=0201h <=(1) + jnz EXIT + cmp bx,0001h ;Check for BX=0001h <=(2) + jnz EXIT + + mov bx,ADDR_SEG ;Get segment + add bx,DISPLACEMENT + mov ds,bx ;This will be the segment of change + + ;change the number at the next line to point to the offset of + ; the address to be changed + mov bx,1C12h ;This is the offset of the change + mov al,0EBh ;This is the byte to be changed + mov [bx],al + + ;change the number at the next line to point to the offset of + ; the address to be changed + mov bx,1C20h ;This is the new offset of the change + mov ax,0B8h ;This is the byte to be changed + mov [bx],ax + mov al,0 ;This is the next byte to be changed + mov [bx+2],al + + pop es ;Restore necessary registers + pop ds + pop di + pop si + pop dx + pop cx + pop bx + pop ax + pop bp + iret ;Interrupt return + +EXIT: pop es ;Restore necessary registers + pop ds + pop di + pop si + pop dx + pop cx + pop bx + pop ax + pop bp + jmp dword ptr cs:OLDINT ;Jump to 
old interrupt + + + + Page 27 + + + + + + The Cracking Manual + + + +NEWINT endp + +;************************************************************************** + +FINISH equ $ + +MESSAGE db "This is an overlay loader.",CR,LF + db "Written by The Cyborg.",CR,LF,BEEP,EOS + +INITCODE: + mov ax,cs + mov ds,ax ;DS point to CS + + mov ah,9 ;Print string + mov dx,offset MESSAGE ;The address of the message + int 21h + + mov ax,3510h ;Get old interrupt address + int 21h + mov OLDINT[0],bx ;Save in memory for later use + mov OLDINT[2],es + + mov ax,2510h ;Set new interrupt address + mov dx,offset NEWINT ;Point to new procedure + int 21h + + lea dx,FINISH ;CS:DX of last byte of code to remain + int 27h ; in memory. Terminate and stay + ; resident. + +OVERLAY ends + + end START + + All you have to do is set the first four values in the first + four lines of the file. They are the segment:offset pairs of the + interrupt address and the address of the bytes to be changed. + Also, change the functions to check for at (1) and (2) to + appropriately check for proper code entry. Then, specify which + bytes you will be changing at the specified lines. Then compile + this crack ("ASM OVL {enter}"). + The next program demonstrates a simple loader. It also + demonstrates what you can do if you have a program that utilizes + scripts or dynamically allocated data areas in heap spaces. This + program scans for a known segment in memory for a "keyword". When + it finds this, it can then begin writing new code to overlay the + old data. Note, KEYWORD specifies the keyword to look for. Then, + CRK (0's) is the list of bytes to replace the data areas pointed + to by addresses listed in LIST. The addresses in LIST are + displacement addresses. This means that at the address the + keyword was found in, the appropriate number listed in LIST is + added to that address. There are thirteen addresses whose data + are to be changed in this case. 
+ Also interesting to note is that this program is using two + + + Page 28 + + + + + + The Cracking Manual + + + + interrupt vectors, INT F1h and INT 21h. INT 21h is used in the + same way as the above overlay program uses it. It replaces two + bytes at offset 1FE5h with CDF1h. This is the machine language + equivalent of INT F1h. Now, let's examine what INT F1h actually + does. First, it changes the return address in the stack so that + instead of returning to the address right after the INT F1h + instruction, it will return to another instruction, located at + offset 1FE5. This is the location of the INT F1h instruction. + This interrupt, upon its completion, will replace the INT F1h + instruction with the original instruction and run the program + normally. + The loader itself is simple. It reallocates the memory + located to itself to accommodate a "daughter" program, the program + that it is going to load. If it can't find the program or if an + error has occurred trying to execute the program, the loader will + load itself up as a TSR. Then, you can run the program via DOS. + This loader also checks if INT F1h has been occupied and returns + an error if it is. 
+ +LOADER segment para 'code' + + assume cs:LOADER,ss:LOADER + + org 100h + +BEGIN: jmp INIT + +CR equ 0Dh +LF equ 0Ah +BEEP equ 07h +EOLN equ '$' + +OPTION db 1 ;Options +CRC dw 0 ;Cyclic Redundency Checking data + +START equ $ + +OLDINT1 dw 0,0 +OLDINT2 dw 0,0 +KEYWORD db "weat" +CRK db 0,0,0,0 +LIST dw 0h,014h,019h,02Dh,041h,046h,05Ah,05Fh,073h,087h,08Ch,0A0h,0B4h + + ;********** New Interrupt 1 **********; + +NEWINT1 proc far + + push bp ;Establish stack frame + mov bp,sp + push ax ;Save registers + push bx + push cx + push dx + push di + + + Page 29 + + + + + + The Cracking Manual + + + + push si + push ds + + mov ax,cs + mov ds,ax + + mov ax,word ptr [bp+2] ;Get offset + cmp ax,1FE7h + jnz EXIT1 + +NEXT1: mov ax,1FE5h ;Where to return next + mov word ptr [bp+2],ax + + mov ax,word ptr [bp+4] ;Get segment + mov ds,ax ;Put in data segment + mov bx,1FE5h ;Offset to change + mov ax,0D803h ;The new code to put in + mov [bx],ax ;Store changes + + mov ax,cs ;Get current data segment + mov ds,ax + + mov di,0 ;Where to start search + mov dx,0FF00h ;Search the entire segment + mov bx,0 +COMP: mov di,bx ;Where to begin + mov si,offset KEYWORD ;Get keyword + mov cx,4 ;Lenght of keyword + repe cmpsb ;Compare until done + jz MATCH + inc bx + dec dx ;Done? 
+ jz EXIT1 ;If no match, exit + jmp COMP + +MATCH: mov dx,bx + mov ax,0E07h + int 10h + mov bx,offset LIST ;Get list of codes to change + mov cx,13 ;Number of locations to change +NEXT2: push cx + mov cx,4 ;Lenght of string + mov di,[bx] ;Get destination + add di,dx + mov si,offset CRK ;Get string to copy from + rep movsb ;Copy String + inc bx ;Next location + inc bx + pop cx + loop NEXT2 + +EXIT1: pop ds ;Restore registers + pop si + pop di + + + Page 30 + + + + + + The Cracking Manual + + + + pop dx + pop cx + pop bx + pop ax + pop bp + iret ;Interrupt return + +NEWINT1 endp + + ;********** New Interrupt 2 **********; + +NEWINT2 proc far + + push bp ;Establish stack frame + mov bp,sp + push ax ;Save registers + push bx + push ds + + mov bx,word ptr [bp+2] ;Get offset + cmp bx,0Ch ;See if called from the proper offset + jnz EXIT2 ;If not, exit + + cmp ah,30h ;See if want this function call + jnz EXIT2 ;If not, exit + + mov bx,word ptr [bp+4] ;Get segment + add bx,0F8Dh ;New segment + mov ds,bx + mov bx,1FE5h ;New offset + mov ax,0F1CDh ;The new instruction + mov [bx],ax ;Save changes in memory + +EXIT2: pop ds ;Restore registers + pop bx + pop ax + mov sp,bp + pop bp + jmp dword ptr cs:OLDINT2 ;Call old interrupt + +NEWINT2 endp + +FINISH equ $ + + ;********** Initialization Code **********; + +PARAM dw 0 + db 80h,0 +PARAM1 dw 5 dup(0) +PROG db 8 dup('1234567890') + +MESS db 'Savage Empire eta Crack v1.0 July 15,1991',CR,LF + db 'Loader needed only after creating a character.',CR,LF + db "Press {ENTER} at the copy protection.",CR,LF,BEEP,EOLN + + + Page 31 + + + + + + The Cracking Manual + + + +ERR1 db 'ERROR: Not enough memory. ' + db 'Activating TSR sequence.',CR,LF,BEEP,EOLN +ERR2 db 'ERROR: Could not load program. 
' + db 'Activating TSR sequence.',CR,LF,BEEP,EOLN +ERR3 db 'ERROR: Interrupt vector (0xF1) already occupied.',CR,LF + db ' Release memory before restarting.',CR,LF,LF,BEEP,EOLN + +INIT: mov ah,9 ;Print string + mov dx,offset MESS + int 21h + + mov ax,35F1h ;Get interrupt vector + int 21h + mov OLDINT1[0],bx ;Save in memory + mov OLDINT1[2],es + + cmp word ptr es:[bx],8B55h ;Check for vector occupation + jnz CONT1 + + mov ah,9 ;Write string + mov dx,offset ERR3 + int 21h + mov ax,4C03h ;Exit with error 3 + int 21h + +CONT1: mov ax,25F1h ;Set interrupt vector + mov dx,offset NEWINT1 + int 21h + + mov ax,3521h ;Get interrupt vector + int 21h + mov OLDINT2[0],bx ;Save in memory + mov OLDINT2[2],es + + mov ax,2521h ;Change interrupt vector + mov dx,offset NEWINT2 + int 21h + + cmp OPTION,0 ;See if wants to run program + jz EXIT3 + + mov ax,cs + mov ds,ax + mov es,ax + mov bx,offset ENDCODE ;Get end of memory + shr bx,1 ;Convert to paragraphs + shr bx,1 + shr bx,1 + shr bx,1 + inc bx + mov ah,4Ah ;Reallocate memory + int 21h + jnc OKAY1 ;If no error, continue + + + + Page 32 + + + + + + The Cracking Manual + + + + mov ah,9h ;Write string + mov dx,offset ERR1 + int 21h + jmp EXIT3 + +OKAY1: mov ax,cs + mov PARAM,ax + mov PARAM1,ax + mov bx,offset PARAM + mov dx,offset PROG + mov ax,4B00h ;Load and execute child + int 21h + jnc OKAY2 ;If no error, continue + + mov ah,9h ;Write string + mov dx,offset ERR2 + int 21h + jmp EXIT3 + +OKAY2: mov ax,25F1h ;Restore interrupt vector + lds dx,dword ptr OLDINT1 + int 21h + + mov ax,2521h ;Restore interrupt vector + lds dx,dword ptr OLDINT2 + int 21h + + mov ax,4C00h ;Exit with error code 0 + int 21h + +EXIT3: lea dx,FINISH ;Offset of booster + int 27h ;Exit with ejection of booster + +LOADER ends + + end BEGIN + + + + + + + + + + + + + + + + + + + + + Page 33 + + + + + + The Cracking Manual + + + + CONCLUSION + + Conclusion + ---------- + Okay, so we've seen the processes of cracking. 
If you are + just a beginner and don't know much about programming, you + probably got lost somewhere right after the introduction. I would + suggest that you spend some time learning assembly before doing + anything else. Actually, you don't have to start out with + assembly. I started programming using BASIC. When I got really + good at it, I jumped into Assembly, regardless of how difficult + people said it was. Assembly is not at all difficult if you have + had some previous knowledge of another language. It is only + difficult if you make it hard. And after you've learned assembly, + you get a "feel" for the other languages and can learn them in a + matter of days. Pascal, Modula-2, C, C++, ..., they're are based + on assembly language programming. + Cracking is like the debugging process of programming. To + become experienced with debugging is to become adept at cracking. + You just need lots o' practice as practice makes perfect. + One final note. I got this manual out kinda quickly so there + are bound to be errors, inconsistencies in what I've said, unclear + passages, etc. Well, too bad. If you really want a good manual, + tell me or something and I'll consider it. I got really bored + towards the last parts of the manual so it went pretty fast, + skipping over some stuff. If a lot (and I mean A LOT) of people + want a better manual, tell me and give me suggestions. I'll find + the time to do it somehow. + Anyways, have fun! + - The Cyborg + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 34 + + + diff --git a/textfiles.com/piracy/CRACKING/crack1 b/textfiles.com/piracy/CRACKING/crack1 new file mode 100644 index 00000000..bcd72857 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/crack1 
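Review bot: the OVL overlay and LOADER assembler listings in this hunk cannot assemble as transcribed, and nothing in the added file says so: `ADDR_OFF equ` and `ADDR_SEG equ` carry no operand, `DISPLACEMENT equ CHANGE_SEG - INTSEG` names `INTSEG` while the equate defined at the top of the listing is `INT_SEG`, and the loader's `mov bx,offset ENDCODE` refers to a label that appears nowhere in the listing. The prose has matching transcription gaps (the checksum walkthrough reads "a checksum being performed at address ." with the address missing, and places the CMP at 519h although the listing shows it at 2E0B:0518), and the page-break banners ("Page 17", "The Cracking Manual") are interleaved with the body text. Since this is an archival copy, the hunk should stay verbatim, but a short provenance line in the commit message or a README beside the file, stating that the textfiles.com text is reproduced as-is with its defects, would keep readers from mistaking the listings for working code.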
@@ -0,0 +1,274 @@ + +**************************************** +* B U C K A R O O B A N Z A I * +* aka the Reset Vector * +* * +* presents * +* * +* Cracking On the IBMpc * +* Part I * +* * +**************************************** + +Introduction +------------ + For years, I have seen cracking +tutorials for the APPLE computers, but +never have I seen one for the PC. I +have decided to try to write this series +to help that pirate move up a level to a +crackest. + + In this part, I will cover what +happens with INT 13 and how most copy +protection schemes will use it. I +strongly suggest a knowledge of +Assembler (M/L) and how to use DEBUG. +These will be an important figure in +cracking anything. + +INT-13 - An overview +-------------------- + Many copy protection schemes use the +disk interrupt (INT-13). INT-13 is +often use to either try to read in a +illegaly formated track/sector or to +write/format a track/sector that has +been damaged in some way. + INT-13 is called like any normal +interupt with the assembler command +INT 13 (CD 13). [AH] is used to select +which command to be used, with most of +the other registers used for data. + +INT-13 Cracking Collage +----------------------- + Although, INT-13 is used in almost all +protection schemes, the easiest to crack +is the DOS file. Now the protected +program might use INT-13 to load some +other data from a normal track/sector on +a disk, so it is important to determine +which tracks/sectors are inportant to +the protection scheme. I have found the +best way to do this is to use +LOCKSMITH/pc (what, you don't have LS. +Contact your local pirate for it.) + Use LS to to analyze the diskette. +Write down any track/sector that seems +abnormal. These track are must likely +are part of the protection routine. + Now, we must enter debug. Load in the +file execute a search for CD 13. Record +any address show. 
If no address are +picked up, this mean 1 or 2 things, the +program is not copy protected (bullshit) +or that the check is in an other part of +the program not yet loaded. The latter +being a real bitch to find, so I'll +cover it in part II. There is another +choice. The CD 13 might be hidden in +self changing code. Here is what a +sector of hidden code might look like + +-U CS:0000 +1B00:0000 31DB XOR BX,BX +1B00:0002 8EDB MOV DS,BX +1B00:0004 BB0D00 MOV BX,000D +1B00:0007 8A07 MOV AL,[BX] +1B00:0009 3412 XOR AL,12 +1B00:000B 8807 MOV [BX],AL +1B00:000D DF13 FIST WORD... + + In this section of code, [AL] is set +to DF at location 1B00:0007. When you +XOR DF and 12, you would get a CD(hex) +for the INT opcode which is placed right +next to a 13 ie, giving you CD13 or INT- +13. This type of code cann't and will +not be found using debug's [S]earch +command. + +Finding Hidden INT-13s +---------------------- + The way I find best to find hidden +INT-13s, is to use a program called +PC-WATCH (TRAP13 works well also). This +program traps the interrupts and will +print where they were called from. Once +running this, you can just disassemble +around the address until you find code +that look like it is setting up the disk +interupt. + An other way to decode the INT-13 is +to use debug's [G]o command. Just set a +breakpoint at the address give by +PC-WATCH (both programs give the return +address). Ie, -G CS:000F (see code +above). When debug stops, you will have +encoded not only the INT-13 but anything +else leading up to it. + +What to do once you find INT-13 +------------------------------- + Once you find the INT-13, the hard +part for the most part is over. All +that is left to do is to fool the +computer in to thinking the protection +has been found. To find out what the +computer is looking for, examine the +code right after the INT-13. Look for +any branches having to do with the CARRY +FLAG or any CMP to the AH register. 
+ If a JNE or JC (etc) occurs, then +[U]nassembe the address listed with the +jump. If it is a CMP then just read on. + Here you must decide if the program +was looking for a protected track or +just a normal track. If it has a +CMP AH,0 and it has read in a protected +track, it can be assumed that it was +looking to see if the program had +successfully complete the READ/FORMAT of +that track and that the disk had been +copied thus JMPing back to DOS +(usually). If this is the case, Just +NOP the bytes for the CMP and the +corrisponding JMP. + If the program just checked for the +carry flag to be set, and it isn't, then +the program usually assumes that the +disk has been copied. Examine the +following code + + INT 13 <-- Read in the Sector + JC 1B00 <-- Protection found + INT 19 <-- Reboot +1B00 (rest of program) + + The program carries out the INT and +find an error (the illegaly formatted +sector) so the carry flag is set. The +computer, at the next instruction, see +that the carry flag is set and know that +the protection has not been breached. +In this case, to fool the computer, just +change the "JC 1B00" to a "JMP 1B00" +thus defeating the protection scheme. + + +NOTE: the PROTECTION ROUTINE might be + found in more than just 1 part of + the program + +Handling EXE files +------------------ + As we all know, Debug can read .EXE +files but cannot write them. To get +around this, load and go about cracking +the program as usual. When the +protection scheme has been found and +tested, record (use the debug [D]ump +command) to save + & - 10 bytes of the +code around the INT 13. + Exit back to dos and rename the file +to a .ZAP (any extention but .EXE will +do) and reloading with debug. + Search the program for the 20+ bytes +surrounding the code and record the +address found. Then just load this +section and edit it like normal. + Save the file and exit back to dos. +Rename it back to the .EXE file and it +should be cracked. 
***NOTE: Sometimes +you have to fuck around for a while to +make it work. + +DISK I/O (INT-13) +----------------- + This interrupt uses the AH resister to +select the function to be used. Here is +a chart describing the interrupt. + +AH=0 Reset Disk +AH=1 Read the Status of the Disk + system in to AL + + AL Error + ---------------------------- + 00 - Successful + 01 - Bad command given to INT + *02 - Address mark not found + 03 - write attempted on write prot + *04 - request sector not found + 08 - DMA overrun + 09 - attempt to cross DMA boundry + *10 - bad CRC on disk read + 20 - controller has failed + 40 - seek operation failed + 80 - attachment failed +(* denotes most used in copy protection) +AH=2 Read Sectors + + input + DL = Drive number (0-3) + DH = Head number (0or1) + CH = Track number + CL = Sector number + AL = # of sectors to read + ES:BX = load address + output + AH =error number (see above) + [Carry Flag Set] + AL = # of sectors read + +AH=3 Write (params. as above) +AH=4 Verify (params. as above -ES:BX) +AH=5 Format (params. as above -CL,AL + ES:BX points to format + Table) + + For more infomation on INT-13 see the +IBM Techinal Reference Manuals. + +Comming Soon +------------ + In part II, I will cover CALLs to +INT-13 and INT-13 that is located in +diffrents overlays of the program + + +Happy Cracking..... + Buckaroo Banzai + <-------+-------> + +PS: This Phile can be Upload in it's +unmodified FORM ONLY. + +PPS: Any suggestion, corrections, +comment on this Phile are accepted and +incouraged..... + + + +Acquired from FCP II.. +Hit a key.. 
+ + + + + + +X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X + Another file downloaded from: The NIRVANAnet(tm) Seven + + & the Temple of the Screaming Electron Taipan Enigma 510/935-5845 + Burn This Flag Zardoz 408/363-9766 + realitycheck Poindexter Fortran 510/527-1662 + Lies Unlimited Mick Freen 801/278-2699 + The New Dork Sublime Biffnix 415/864-DORK + The Shrine Rif Raf 206/794-6674 + Planet Mirth Simon Jester 510/786-6560 + + "Raw Data for Raw Nerves" +X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X diff --git a/textfiles.com/piracy/CRACKING/crack1.txt b/textfiles.com/piracy/CRACKING/crack1.txt new file mode 100644 index 00000000..18538abd --- /dev/null +++ b/textfiles.com/piracy/CRACKING/crack1.txt 
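Review bot: the self-modifying-code listing in textfiles.com/piracy/CRACKING/crack1 (the hunk above, not the crack1.txt hunk that follows) does not do what its explanation says, and that is worth recording in the commit message since the file is being archived as found. `XOR BX,BX` / `MOV DS,BX` zeroes DS, so `MOV AL,[BX]` and `MOV [BX],AL` with BX=000D read and write 0000:000D inside the interrupt vector table, not the DF byte at 1B00:000D that the text says gets XORed with 12 to form CD 13; for the walkthrough to hold, DS would have to equal CS (PUSH CS / POP DS in place of the MOV DS,BX). Two smaller errata in the same hunk: "you will have encoded not only the INT-13" should read "decoded", and the DOS-file section's instruction to "Search the program for the 20+ bytes" relies on the dump of "+ & - 10 bytes" taken earlier, so a reader who skipped the [D]ump step has nothing to search for. The trailing "Acquired from FCP II.. Hit a key.." line and the NIRVANAnet advertisement block are capture residue from the distributing board rather than part of the tutorial; a one-line note beside the file saying so would stop them being mistaken for authorship.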
@@ -0,0 +1,252 @@ + +**************************************** +* B U C K A R O O B A N Z A I * +* aka the Reset Vector * +* * +* presents * +* * +* Cracking On the IBMpc * +* Part I * +* * +**************************************** + +Introduction +------------ + For years, I have seen cracking +tutorials for the APPLE computers, but +never have I seen one for the PC. I +have decided to try to write this series +to help that pirate move up a level to a +crackest. + + In this part, I will cover what +happens with INT 13 and how most copy +protection schemes will use it. I +strongly suggest a knowledge of +Assembler (M/L) and how to use DEBUG. +These will be an important figure in +cracking anything. + +INT-13 - An overview +-------------------- + Many copy protection schemes use the +disk interrupt (INT-13). INT-13 is +often use to either try to read in a +illegaly formated track/sector or to +write/format a track/sector that has +been damaged in some way. + INT-13 is called like any normal +interupt with the assembler command +INT 13 (CD 13). [AH] is used to select +which command to be used, with most of +the other registers used for data. + +INT-13 Cracking Collage +----------------------- + Although, INT-13 is used in almost all +protection schemes, the easiest to crack +is the DOS file. Now the protected +program might use INT-13 to load some +other data from a normal track/sector on +a disk, so it is important to determine +which tracks/sectors are inportant to +the protection scheme. I have found the +best way to do this is to use +LOCKSMITH/pc (what, you don't have LS. +Contact your local pirate for it.) + Use LS to to analyze the diskette. +Write down any track/sector that seems +abnormal. These track are must likely +are part of the protection routine. + Now, we must enter debug. Load in the +file execute a search for CD 13. Record +any address show. 
If no address are +picked up, this mean 1 or 2 things, the +program is not copy protected (bullshit) +or that the check is in an other part of +the program not yet loaded. The latter +being a real bitch to find, so I'll +cover it in part II. There is another +choice. The CD 13 might be hidden in +self changing code. Here is what a +sector of hidden code might look like + +-U CS:0000 +1B00:0000 31DB XOR BX,BX +1B00:0002 8EDB MOV DS,BX +1B00:0004 BB0D00 MOV BX,000D +1B00:0007 8A07 MOV AL,[BX] +1B00:0009 3412 XOR AL,12 +1B00:000B 8807 MOV [BX],AL +1B00:000D DF13 FIST WORD... + + In this section of code, [AL] is set +to DF at location 1B00:0007. When you +XOR DF and 12, you would get a CD(hex) +for the INT opcode which is placed right +next to a 13 ie, giving you CD13 or INT- +13. This type of code cann't and will +not be found using debug's [S]earch +command. + +Finding Hidden INT-13s +---------------------- + The way I find best to find hidden +INT-13s, is to use a program called +PC-WATCH (TRAP13 works well also). This +program traps the interrupts and will +print where they were called from. Once +running this, you can just disassemble +around the address until you find code +that look like it is setting up the disk +interupt. + An other way to decode the INT-13 is +to use debug's [G]o command. Just set a +breakpoint at the address give by +PC-WATCH (both programs give the return +address). Ie, -G CS:000F (see code +above). When debug stops, you will have +encoded not only the INT-13 but anything +else leading up to it. + +What to do once you find INT-13 +------------------------------- + Once you find the INT-13, the hard +part for the most part is over. All +that is left to do is to fool the +computer in to thinking the protection +has been found. To find out what the +computer is looking for, examine the +code right after the INT-13. Look for +any branches having to do with the CARRY +FLAG or any CMP to the AH register. 
+ If a JNE or JC (etc) occurs, then +[U]nassembe the address listed with the +jump. If it is a CMP then just read on. + Here you must decide if the program +was looking for a protected track or +just a normal track. If it has a +CMP AH,0 and it has read in a protected +track, it can be assumed that it was +looking to see if the program had +successfully complete the READ/FORMAT of +that track and that the disk had been +copied thus JMPing back to DOS +(usually). If this is the case, Just +NOP the bytes for the CMP and the +corrisponding JMP. + If the program just checked for the +carry flag to be set, and it isn't, then +the program usually assumes that the +disk has been copied. Examine the +following code + + INT 13 <-- Read in the Sector + JC 1B00 <-- Protection found + INT 19 <-- Reboot +1B00 (rest of program) + + The program carries out the INT and +find an error (the illegaly formatted +sector) so the carry flag is set. The +computer, at the next instruction, see +that the carry flag is set and know that +the protection has not been breached. +In this case, to fool the computer, just +change the "JC 1B00" to a "JMP 1B00" +thus defeating the protection scheme. + + +NOTE: the PROTECTION ROUTINE might be + found in more than just 1 part of + the program + +Handling EXE files +------------------ + As we all know, Debug can read .EXE +files but cannot write them. To get +around this, load and go about cracking +the program as usual. When the +protection scheme has been found and +tested, record (use the debug [D]ump +command) to save + & - 10 bytes of the +code around the INT 13. + Exit back to dos and rename the file +to a .ZAP (any extention but .EXE will +do) and reloading with debug. + Search the program for the 20+ bytes +surrounding the code and record the +address found. Then just load this +section and edit it like normal. + Save the file and exit back to dos. +Rename it back to the .EXE file and it +should be cracked. 
***NOTE: Sometimes +you have to fuck around for a while to +make it work. + +DISK I/O (INT-13) +----------------- + This interrupt uses the AH resister to +select the function to be used. Here is +a chart describing the interrupt. + +AH=0 Reset Disk +AH=1 Read the Status of the Disk + system in to AL + + AL Error + ---------------------------- + 00 - Successful + 01 - Bad command given to INT + *02 - Address mark not found + 03 - write attempted on write prot + *04 - request sector not found + 08 - DMA overrun + 09 - attempt to cross DMA boundry + *10 - bad CRC on disk read + 20 - controller has failed + 40 - seek operation failed + 80 - attachment failed +(* denotes most used in copy protection) +AH=2 Read Sectors + + input + DL = Drive number (0-3) + DH = Head number (0or1) + CH = Track number + CL = Sector number + AL = # of sectors to read + ES:BX = load address + output + AH =error number (see above) + [Carry Flag Set] + AL = # of sectors read + +AH=3 Write (params. as above) +AH=4 Verify (params. as above -ES:BX) +AH=5 Format (params. as above -CL,AL + ES:BX points to format + Table) + + For more infomation on INT-13 see the +IBM Techinal Reference Manuals. + +Comming Soon +------------ + In part II, I will cover CALLs to +INT-13 and INT-13 that is located in +diffrents overlays of the program + + +Happy Cracking..... + Buckaroo Banzai + <-------+-------> + +PS: This Phile can be Upload in it's +unmodified FORM ONLY. + +PPS: Any suggestion, corrections, +comment on this Phile are accepted and +incouraged..... + + diff --git a/textfiles.com/piracy/CRACKING/crack2.txt b/textfiles.com/piracy/CRACKING/crack2.txt new file mode 100644 index 00000000..c8e14454 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/crack2.txt 
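Review bot: crack1.txt repeats crack1 from the previous hunk word for word, down to the "PS"/"PPS" sign-off; the only difference is that the "Acquired from FCP II" line and the NIRVANAnet trailer are absent, which is exactly the 22-line gap between the two hunk headers (+1,274 versus +1,252). Adding both with no explanation makes the CRACKING directory look like it holds two different Part I tutorials. Either keep only the cleaner crack1.txt, or state in the commit message that the two are the same text captured from different boards and are kept for provenance. The technical caveat on the DS=0 self-modifying-code listing in crack1 applies unchanged here.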
@@ -0,0 +1,1575 @@ +2 + + + CRACKING 101 - 1990 edition + + Lesson 3 + + ZDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD? + 3 CHAMBER OF THE SCI-MUTANT PREISTEST 3 + @DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDY + + + Oh shit, I have finally found a newer program that has + on disk copy protection. Good, you'all need a refresher + course on so here it is (YO JB study hard, you might learn + something). + + CHAMBER of the SCI-MUTANT PREISTEST (CSMP) is a really + fucked up game but was simple to unprotect. So, lets dive + right in. We will be using DEBUG here (although I used + periscope but then shit I'm special) to do the crack. Lets + dive in. When we first load CSMP (the file ERE.COM) and + unassemble it here is what we get. + + Come on... Ain't Got All Day!! u 100 10B + + 119A:0100 8CCA MOV DX,CS + 119A:0102 81C2C101 ADD DX,01C1 + 119A:0106 52 PUSH DX + 119A:0107 BA0F00 MOV DX,000F + 119A:010A 52 PUSH DX + 119A:010B CB RETF + + I included the register listing for a reason. NOTICE + that this piece of code just seem to stop (the RETF) + statement. Well, what is really does is place the address + (segment and offset) of the real starting point on to the + stack and the execute a far return to that location. Now + this might fool a real beginner (or at least make him worry a + bit but us...no way). + + If you take the current CS value and add 1C1 to it (in + segment addition) you will get the segment address 135B (that + is if you are using my example of 119A. If not then you will + not get 135B but trust me, it's the right value). + + So since we want to be at the real program, execute the + code until 10B (ie use the command "G 10B") then trace + Come on... Ain't Got All Day!! through the next instruction. + + If you now unassemble the code, here is what it should + look like. 
+ + -u 000f 36 + + 135B:000F 9C PUSHF + 135B:0010 50 PUSH AX + 135B:0011 1E PUSH DS + 135B:0012 06 PUSH ES + 135B:0013 0E PUSH CS + 135B:0014 1F POP DS + 135B:0015 0E PUSH CS + 135B:0016 07 POP ES + 135B:0017 FC CLD + 135B:0018 89260B00 MOV [000B],SP + 135B:001C C70600000102 MOV WORD PTR [0000],0201 + 135B:0022 B013 MOV AL,13 + 135B:0024 A23500 MOV [0035],AL + 135B:0027 A2FF01 MOV [01FF],AL + 135B:002A A22F02 MOV [022F],AL + 135B:002D A23901 MOV [0139],AL + 135B:0030 B280 MOV DL,80 + Come on... Ain't Got All Day!! 135B:0032 B408 MOV AH,08 + 135B:0034 CD21 INT 21 + 135B:0036 7232 JB 006A + + + Since we are looking for a disk based copy protection, + it might be a good time to look for INT 13. So search the + current segment for INT 13 with the command + + S 135B:0 FFFF CD 13 + + But shit, nothing. You mean this program doesn't use + int 13. Be real. Reread the first lesson. You know the one + that talks about self modifing code. This is what we have + here. Let's take a closer look at the last bit of code but + this time, with my comments added. + + -u 000f 36 + + ; The first part of the code simple sets up for the return to + ; dos as well as sets ES and DS + + 135B:000F 9C PUSHF + 135B:0010 50 PUSH AX + Come on... Ain't Got All Day!! 135B:0011 1E PUSH DS + 135B:0012 06 PUSH ES + 135B:0013 0E PUSH CS + 135B:0014 1F POP DS ; Set DS to CS + 135B:0015 0E PUSH CS + 135B:0016 07 POP ES ; Set ES to DS + 135B:0017 FC CLD + + 135B:0018 89260B00 MOV [000B],SP + + ; The next instruction sets up a variable that is used in the + ; routine that reads in the sectors from the disk. More on + ; later. + + 135B:001C C70600000102 MOV WORD PTR [0000],0201 + + ; Now, here is the self modifing code. Notice at AL is 13 + ; (INT 13h ... Get it). Look at the first memory location + ; (35h) and remember that DS = CS. With this in mind, when + ; then instuction at 135B:0024 is executed byte at 135B:0035 + ; will be changed to 13h. 
That will in fact change the + ; INT 21h at 135B:0034 to an INT 13h. And so on, and so on. + + 135B:0022 B013 MOV AL,13 ; New value + Come on... Ain't Got All Day!! 135B:0024 A23500 MOV [0035],AL ; Change to INT 13h + 135B:0027 A2FF01 MOV [01FF],AL ; Change to INT 13h + 135B:002A A22F02 MOV [022F],AL ; Change to INT 13h + 135B:002D A23901 MOV [0139],AL ; Change to INT 13h + + ; If you lookup DOS function 08 you will find it's CONSOLE + ; INPUT. Now does that seem out of place to you. + + 135B:0030 B280 MOV DL,80 + 135B:0032 B408 MOV AH,08 + 135B:0034 CD21 INT 21 ; Changed to INT 13h + 135B:0036 7232 JB 006A + + + Whoa, that was tricky. If you execute up to 135B:30 + here is what it should look like.. + + + 135B:0030 B280 MOV DL,80 + 135B:0032 B408 MOV AH,08 + 135B:0034 CD13 INT 13 + 135B:0036 7232 JB 006A + + AHA, now we are getting somewhere. If we lookup what + Come on... Ain't Got All Day!! disk function 08 means, you won't be suprised. Function 08h + is GET DRIVE TYPE. It will tell what type of disk drive we + have. Remember, if you are loading off of a hard disk then + it wants to use a different routine. Since we want it to + think we are loading off of disk, then we want to take this + jump. So for now, force the jmp by setting IP to 6A. + + At 135B:006A you find another jmp instruction + + 135B:006A EB6B JMP 00D7 + + + This jumps to the routine that does the actual disk + check. Here is the outer loop of that code (With my comments + of course). + + ; This first part of this routine simply test to see how many + ; disk drives you have. + + + 135B:00D7 CD11 INT 11 + 135B:00D9 25C000 AND AX,00C0 + 135B:00DC B106 MOV CL,06 + 135B:00DE D3E8 SHR AX,CL + Come on... Ain't Got All Day!! 
135B:00E0 FEC0 INC AL + 135B:00E2 FEC0 INC AL + 135B:00E4 A20200 MOV [0002],AL + + ; Next, so setup for the actual disk check + + + 135B:00E7 C606090000 MOV BYTE PTR [0009],00 + 135B:00EC B9F127 MOV CX,27F1 + 135B:00EF 8BE9 MOV BP,CX + 135B:00F1 B107 MOV CL,07 + 135B:00F3 F8 CLC + + ; This calls the protection routine part 1 + + 135B:00F4 E82F00 CALL 0126 + + 135B:00F7 B9DE27 MOV CX,27DE + 135B:00FA 8BE9 MOV BP,CX + 135B:00FC B108 MOV CL,08 + 135B:00FE F9 STC + + ; This calls the protection routine part 2 + + Come on... Ain't Got All Day!! 135B:00FF E82400 CALL 0126 + + 135B:0102 8D1E5802 LEA BX,[0258] + 135B:0106 8D361C01 LEA SI,[011C] + 135B:010A 8BCD MOV CX,BP + 135B:010C AC LODSB + 135B:010D 8AC8 MOV CL,AL + + ; This calls the protection routine part 3 + + 135B:010F E8E300 CALL 01F5 + + ; Makes the final check + + 135B:0112 7271 JB 0185 + 135B:0114 AC LODSB + 135B:0115 0AC0 OR AL,AL + 135B:0117 75F4 JNZ 010D ; If not correct, try again + 135B:0119 EB77 JMP 0192 ; Correct, continue program + 135B:011B 90 NOP + + + There are calls to 2 different subroutines. The routine + at 126 and the routine at 1F5. If you examine the routine at + Come on... Ain't Got All Day!! 126 you find that it makes several calls to the routine at + 1F5. Then you you examine the routine at 1F5 you see the + actual call to INT 13. Here is the code for both routine + with comments + + + ; First, it sets up the sector, head and drive information. + ; DS:000A holds the sector to read + + 135B:0126 880E0A00 MOV [000A],CL + 135B:012A 8A160900 MOV DL,[0009] + 135B:012E B600 MOV DH,00 + + ; Sets the DTA + + 135B:0130 8D365802 LEA SI,[0258] + 135B:0134 7213 JB 0149 + + ; Resets the disk + + 135B:0136 33C0 XOR AX,AX + 135B:0138 CD13 INT 13 + + ; Calls the the check + Come on... Ain't Got All Day!! 
+ 135B:013A B90114 MOV CX,1401 ; TRACK 14 sector 1 + 135B:013D 8BDE MOV BX,SI + 135B:013F E8B300 CALL 01F5 + + + ; The next track/sector to read in is stored in BP + + 135B:0142 8BCD MOV CX,BP + 135B:0144 E8AE00 CALL 01F5 + 135B:0147 7234 JB 017D ; If an error occured, + ; trap it. + + + 135B:0149 88160900 MOV [0009],DL ; Reset drive + 135B:014D 8A0E0A00 MOV CL,[000A] ; reset sector + 135B:0151 E8A100 CALL 01F5 ; check protection + 135B:0154 722F JB 0185 ; Check for an error + + 135B:0156 8D5C20 LEA BX,[SI+20] + + 135B:0159 8BCD MOV CX,BP ; Get next T/S + 135B:015B B010 MOV AL,10 ; Ignore this + 135B:015D E89500 CALL 01F5 ; Check protection + Come on... Ain't Got All Day!! 135B:0160 7223 JB 0185 ; check for error + + ; The next sector of code checks to see if what was read in + ; is the actual protected tracks + + ; First check + + 135B:0162 8DBCAC00 LEA DI,[SI+00AC] + 135B:0166 B91000 MOV CX,0010 + 135B:0169 F3 REPZ + 135B:016A A7 CMPSW + + ; NOTE: If it was a bad track, it will jmp to 185. A good + ; read should just continue + + 135B:016B 7518 JNZ 0185 + + ; Second check + + 135B:016D 8D365802 LEA SI,[0258] + 135B:0171 8D3E3702 LEA DI,[0237] + 135B:0175 B90400 MOV CX,0004 + 135B:0178 F3 REPZ + 135B:0179 A7 CMPSW + Come on... Ain't Got All Day!! + ; see NOTE above + + 135B:017A 7509 JNZ 0185 + + ; This exit back to the main routine. + + 135B:017C C3 RET + + ; Here is the start of the error trap routines. Basicly what + ; they do is check an error count. If it's not 0 then it + ; retries everything. If it is 0 then it exit back to dos. + + 135B:017D FEC2 INC DL + 135B:017F 3A160200 CMP DL,[0002] + 135B:0183 72B1 JB 0136 + 135B:0185 E85400 CALL 01DC + 135B:0188 8B260B00 MOV SP,[000B] + 135B:018C 2BC9 SUB CX,CX + 135B:018E 58 POP AX + 135B:018F 50 PUSH AX + 135B:0190 EB1F JMP 01B1 + + + Come on... Ain't Got All Day!! 
** Here is the actual code the does the check ** + + ; ES:BX points to the buffer + + 135B:01F5 1E PUSH DS + 135B:01F6 07 POP ES + + ; SI is set to the # of retries + + 135B:01F7 56 PUSH SI + 135B:01F8 BE0600 MOV SI,0006 + + ; Remember how I said we would use what was in DS:0000 later. + ; well, here is where you use it. It loads in the FUNCTION + ; and # of sectors from what is stored in DS:0000. This is + ; just a trick to make the int 13 call more vague. + + 135B:01FB A10000 MOV AX,[0000] + 135B:01FE CD13 INT 13 + + ; If there is no errors, then exit this part of the loop + + 135B:0200 7309 JNB 020B + 135B:0202 F6C480 TEST AH,80 + Come on... Ain't Got All Day!! + ; Check to see if it was a drive TIMEOUT. If so, then set + ; an error flag and exit + + 135B:0205 7503 JNZ 020A + + ; It must have been a load error. Retry 6 times + + 135B:0207 4E DEC SI + 135B:0208 75F1 JNZ 01FB + + ; Set the error flag + + 135B:020A F9 STC + + ; restore SI and return + + 135B:020B 5E POP SI + 135B:020C C3 RET + + + If you follow through all of that. You will see that + the only real way out is the jmp to "135B:0192" at 135B:0119. + So, how do we test it. Simple. Exit back to dos and let's + Come on... Ain't Got All Day!! add a temporary patch. + + Reload ERE.COM under debug. Execute the program setting + a breakpoint at 135B:0022 (if you remember, that is right at + the begining of the self modifing code). When execution + stops, change you IP register to 192. Now execute the code. + + Well shit, we are at the main menu. We just bypassed + the entire protection routine. So, now where to add the + patch. We will be adding the patch at 135B:0022. But what + should the patch be. In this case, simply jumping to + 135B:0192 will do. So, reload ERE.COM under debug. Execute + the code until 135B:0022. Now unassemble it. Here is the + code fragment we need. 
+ + 135B:0022 B013 MOV AL,13 + 135B:0024 A23500 MOV [0035],AL + 135B:0027 A2FF01 MOV [01FF],AL + 135B:002A A22F02 MOV [022F],AL + 135B:002D A23901 MOV [0139],AL + + Here is the code we want to use as the patch + + 135B:0022 E96D01 JMP 192 + Come on... Ain't Got All Day!! + So, to add the patch, we search the file ERE.COM using + PC-TOOLS. For our search string we use + + B0 13 A2 35 00 A2 FF 01 A2 2F 02 A2 39 01 + + PC-TOOLS should find the search string at reletive + sector #13. Edit the sector and change "B0 13 A2" to + "E9 6D 01" (our patch) and save the sector. + + BOOM! your done and CSMP is cracked. Fun huh. You just + kicked 5 seconds off of the load time. Preaty fucken good. + Well, I hope this textfile helped. + + + -Buckaroo Banzai + -Cracking Guru + + CRACKING 101 - 1990 Edition + + Lesson 4 + revision 1 + + ZDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD? + Come on... Ain't Got All Day!! 3 REMOVING THE DOC CHECK FOR STAR CONTROL 3 + @DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDY + + < + + Added for revision 1 - + + First, let me tell you about a major fuckup I made. + When I first wrote this file, I left out a major part of the + patch. For all of the user who got that version, I'm sorry + but even I make mistakes at 3:00 in the morning. Anyway, + just replace the original with this updated version + + - Buckaroo Banzai + + > + + Hey, Buckaroo Banzai .. Cracking Guru back once again to + help you lesser crackist learn. This time, we will be going + over Star Control. This is the last lesson in the original + 4. From here on out, I will simply release lessons as I + write them. + + I want to say a few things about some of the groups out + Come on... Ain't Got All Day!! there right now. Speed isn't everything. I really wish that + for example when you remove a doc check, most of us want it + REMOVED. We don't want to have to enter your group name or + even typing 1 letter is to much. We shouldn't even see the + menu for the doc check. 
Now, I don't direct this to all of + you, but there seems to have been a move from quality to + quickness. Let's go back to the days of SPI (and INC when + they were first getting started) and crack right. If there + is a doc check, remove it, not just fake it. + + Nuff said, on with the tutorial. + + Star Control (SC for here out) is a preaty good game. + The protection on it wasn't too hard, but if you didn't read + enough in to it, you would just kill the title music also. + + So, how do we go about cracking SC. Well for this one I + opted to break out when SC asks for the code from the code + wheel. Originaly I did this just for the hell of it, but it + turned out to be a luck guess and made life a lot easier. + + As usual we will be using periscope to crack SC. I used + PSKEY (using int 3 as the trap interrupt not int 2) to pop in + at the input routine. So lets get started. Load up PS and + Come on... Ain't Got All Day!! PSKEY, then execute Star Control. When you get to the doc + check, break out. + + Now you should be at the usual IRET insturction that's + part of PSKEY. Now comes the tricky part. Since we are + using a key trap to break out during the input sequence, we + could be anywhere inside the entire input routine. So in + cases like this I suggest finding a reference point. + + So how do you pick the reference point. Well, since + this doc check must be entered via the keyboard you can bet + somewhere it will call INT 16h (bios keyboard) (although + there are times when this is not true, it rare). I think we + should go off and find that call to that interrupt. + + So we trace (using the 'T' command) through some code + and finally come apon the follow subroutine .... + + ( NOTE: all comments were added by me ) + + + ; This is the actual routine that is used to get a key + + 2A00:09D4 55 PUSH BP + Come on... Ain't Got All Day!! 
2A00:09D5 8BEC MOV BP,SP + 2A00:09D7 8A6606 MOV AH,[BP+06] + 2A00:09DA 8AD4 MOV DL,AH + 2A00:09DC 80E20F AND DL,0F + 2A00:09DF CD16 INT 16 ; Call to bios. We will + 2A00:09E1 7509 JNZ 09EC ; use this as our + 2A00:09E3 80FA01 CMP DL,01 ; reference point + 2A00:09E6 7504 JNZ 09EC + 2A00:09E8 33C0 XOR AX,AX + 2A00:09EA EB0A JMP 09F6 + 2A00:09EC 80FA02 CMP DL,02 + 2A00:09EF 7405 JZ 09F6 + 2A00:09F1 0BC0 OR AX,AX + 2A00:09F3 7501 JNZ 09F6 + 2A00:09F5 48 DEC AX + 2A00:09F6 5D POP BP + 2A00:09F7 CB RETF + + So we write down the address of our REFERENCE point and + get ready to procede. Now, It's really kinda boring to keep + trying to trace through the entire input routine while trying + to enter the code string, so what we want to do next, is to + figure out the input routine. A quick look at this last + section of code shows that it only reads in a character but + Come on... Ain't Got All Day!! really does not handle it. + + So, we exit via the RETF at 9F7 enter the next level of + the subroutine. Again, if you manual trace through this + routine (as well as the next level up) you see that it simple + exits out rather quickly. This is definitly not the top loop + of the imput routine. + + So, we trace through the next level up, and again exit + quickly to a higher level. But this time, as we trace + through, we find that the it loops back on itself. AHA, the + outer input loop. Here is the code to the entire input loop. + I have marked the place where you should enter from the lower + level. + + ( String input loop -- Outer level ) + + 7C00:0835 FF365220 PUSH [2052] + 7C00:0839 FF365020 PUSH [2050] + 7C00:083D 9A2802FD41 CALL 41FD:0228 ; Entery here + 7C00:0842 888670FE MOV [BP+FE70],AL + 7C00:0946 0AC0 OR AL,AL + 7C00:0848 7503 JNZ 084D + 7C00:084A E99200 JMP 08DF + Come on... Ain't Got All Day!! 
7C00:084D 2AE4 SUB AH,AH + 7C00:084F 2D0800 SUB AX,0008 + 7C00:0852 745A JZ 08AE + 7C00:0854 48 DEC AX + 7C00:0855 48 DEC AX + 7C00:0856 7503 JNZ 085B + 7C00:0858 E90901 JMP 0964 + 7C00:085B 2D0300 SUB AX,0003 + 7C00:085E 7503 JNZ 0863 + 7C00:0860 E90101 JMP 0964 + 7C00:0863 8A9E70FE MOV BL,[BP+FE70] + 7C00:0867 2AFF SUB BH,BH + 7C00:0869 F687790B57 TEST BYTE PTR [BX+0B79],57 + 7C00:086E 746F JZ 08DF + 7C00:0870 F687790B03 TEST BYTE PTR [BX+0B79],03 + 7C00:0875 740C JZ 0883 + 7C00:0877 F687790B02 TEST BYTE PTR [BX+0B79],02 + 7C00:087C 7405 JZ 0883 + 7C00:087E 80AE70FE20 SUB BYTE PTR [BP+FE70],20 + 7C00:0883 8A8670FE MOV AL,[BP+FE70] + 7C00:0887 C49E7EFE LES BX,[BP+FE7E] + 7C00:088B 8BB682FE MOV SI,[BP+FE82] + 7C00:088F 26 ES: + 7C00:0890 8800 MOV [BX+SI],AL + Come on... Ain't Got All Day!! 7C00:0892 FF8682FE INC WORD PTR [BP+FE82] + 7C00:0896 FFB688FE PUSH [BP+FE88] + 7C00:089A 8D8678FE LEA AX,[BP+FE78] + 7C00:089E 50 PUSH AX + 7C00:089F 9A56049324 CALL 2493:0456 + 7C00:08A4 83C404 ADD SP,+04 + 7C00:08A7 0BC0 OR AX,AX + 7C00:08A9 7534 JNZ 08DF + 7C00:08AB EB27 JMP 08D4 + 7C00:08AD 90 NOP + 7C00:08AE 83BE82FE00 CMP WORD PTR [BP+FE82],+00 + 7C00:08B3 7404 JZ 08B9 + 7C00:08B5 FF8E82FE DEC WORD PTR [BP+FE82] + 7C00:08B9 B008 MOV AL,08 + 7C00:08BB 50 PUSH AX + 7C00:08BC 9A1003443D CALL 3D44:0310 + 7C00:08C1 8D8684FE LEA AX,[BP+FE84] + 7C00:08C5 16 PUSH SS + 7C00:08C6 50 PUSH AX + 7C00:08C7 9A6A00843D CALL 3D84:006A + 7C00:08CC B047 MOV AL,47 + 7C00:08CE 50 PUSH AX + 7C00:08CF 9A1003443D CALL 3D44:0310 + 7C00:08D4 8D8678FE LEA AX,[BP+FE78] + Come on... Ain't Got All Day!! 7C00:08D8 16 PUSH SS + 7C00:08D9 50 PUSH AX + 7C00:08DA 9A8202C93C CALL 3CC9:0282 + 7C00:08DF 83BE8CFE00 CMP WORD PTR [BP+FE8C],+00 + 7C00:08E4 7503 JNZ 08E9 + 7C00:08E6 E94CFF JMP 0835 ; , etc.). Now + execute the program. + + SHIT! It worked, we are fucking amazing. Ok, now + adding the patch permenatly. 
Using PCTOOLS (or whatever) + search the file STARCON.EXE for the bytes mention above + (ie: C746F60B00C746F87900C746FA2801) But wait, now + matches...Hmmm strange. It was there just a minute ago...but + Come on... Ain't Got All Day!! wait there... another file STARCON.OVL (as we all know .OVL + mean OVERLAY). Let's try searching this one. + + There we go, that's better (it should should up on the + 13 sector read in). Now to add the patch. Simply find the + search bytes and the go backwards until the first occurance + of the hex byte 9A. Add the patch here. Save it. + + Next, add the patch to 45E2:023F. Search for the bytes + 83C4040BC07465. The should appear on sector 3 (give or take + a few sectors). Now simply change the 2 bytes 74 65 to 90 90 + and save the sector. Now, you are good to go. + + Well shit, this has been some hell of a textfile. 1113 + lines in all. But what detail. Ok I hope you learned + something from all of this. And this end the first part of + CRACKING 101 - the 1990 edition. From here out all lessons ( + lesson 5 and up) will be released on their own. + + I would like the thank Phantom Phlegm for pushing me to + finish this shit. + + Till lesson 5 this is Buckaroo Banzai, signing off. + + Come on... Ain't Got All Day!! + OH... I can be reached for personal help via E-MAIL on LORD + WOLFEN's CASTLE or TOS... + +[2] Tfiles: (1-3,?,Q) : \ No newline at end of file diff --git a/textfiles.com/piracy/CRACKING/crack3.txt b/textfiles.com/piracy/CRACKING/crack3.txt new file mode 100644 index 00000000..9d46f044 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/crack3.txt 
@@ -0,0 +1,596 @@ + + + +[0] Tfiles: (1-3,?,Q) : 3 + + + THE OFFICIAL UNPROTECTION SCHEME LIBRARY + + original document created and compiled by "The PaperBoy" + and the CopyCats, Inc. + 01-21-89, 01-26-89, 01-30-89, 02-04-89, 02-06-89 +----------------------------------------------------------------------------- +The following protection removal schemes took many valuable hours of time to +create. This file contains the procedures for many of the latest software +packages out today. (This document is updated at every new unprotection +scheme or schemes we find.) Please be patient if your program can't be +cracked yet. It will be, pretty soon, we hope. + + ! Please note that these patches are for personal use only ! + + We are THE COPYCATS INCORPORATED: + + Seymore Warez Unprotected (President) + The PaperBoy, MasterByte, The Gigolo, The Ninjutsu, SlimeMan, Shimba, + Grand Central Station, Didley Bop, Dr. Disk, The No Cause People In Florida + + ** Just cracking software, byte by byte. ** + Come on... Ain't Got All Day!! + Use these software unprotection schemes at own risk! (Try with a BACKUP!) +----------------------------------------------------------------------------- +These programs have unprotection patches or fixes in this document: 29 + + Accolade: 4th & Inches, Test Drive, Fast Break, Grand Prix Circuit, + Apollo 18 + Activision: The Last Ninja+fix, Rampage + Sierra: Leisure Suit Larry II, King's Quest IV, Manhunter: NYork + Police Quest II, Gold Rush! + MindScape: Willow, Bop'n Wrestle, Infiltrator, Defender of the Crown, + Perfect College + Epyx: The Games: Summer E, TechnoCop/fix, California Games, The + Games: Winter E. + Simon&Schuster: Star Trek: The Kobayashi Alternative + DataSoft: Bruce Lee/fix + Electronic Arts: Advanced Flight Trainer 1.2 +Spectrum Holobyte: Gato: WW2 Submarine Simulator + Broderbund: The Print Shop, Ancient Art of War + Cignet Tech: Little Black Book + PowerUp!: most software + Infocom: BattleTech! 
+ misc: Trivia Fever + + Come on... Ain't Got All Day!! /fix=fix only, no unprotection patch +fix=fix and unprotection patch +----------------------------------------------------------------------------- +A NOTE ON COPY PROTECTION + +At the CopyCats, we would like to make a statement on copy protection. We see +this concept as unnecessary. Crude disk checking and trudging through the +manuals for "key words," make it very difficult for many of the novice users, +as well as the experienced computer users. Many of our "program hackers" +also feel they do not promote software piracy. They only help the people +who are against the protection schemes and use of software authorization +procedures. And, if it continues, WE will continue. + + "S. W. Unprotected" + President of The CopyCats, Inc +----------------------------------------------------------------------------- +LAST MINUTE HACKER'S NOTES + +The PaperBoy here. You may notice that many of these programs have similar +protection scheme instruction codes. If you have a program that has no +unprotection scheme here, apply it to the program and test it. That's how +we were able to pull most schemes down. Remember, this is for the experienced +user. Don't mess up your originals, either. And, use write-protect tabs for +the scheme checking - last time, it erased itself due to a backfire of +the BIOS interrupt 13hex. Smart program, but WE cracked it. CAREFUL! + Come on... Ain't Got All Day!! ----------------------------------------------------------------------------- + THE UNPROTECTION SCHEMES! +----------------------------------------------------------------------------- +1. 
MOST MAJOR ACCOLADE SOFTWARE, The PaperBoy + +To remove the protection schemes of 4TH & INCHES, TEST DRIVE, FAST BREAK**, & +other ACCOLADE SOFTWARE: + + Search for these bytes: 55 56 57 06 1E (use Norton Utilities, DEBUG + And replace it with: 31 C0 C3 06 1E PC-Tools, or equivalent) + + ** If you wish to patch FAST BREAK, you must modify all main FB-?.EXE files + and the FB.RTL file. +----------------------------------------------------------------------------- +2. GRAND PRIX CIRCUIT BY ACCOLADE, Two Guys + +The previous ACCOLADE unprotection scheme was incompatible with its later +released game, GRAND PRIX CIRCUIT. With an updated protection, you must: + + Search for these bytes ------> And replace it with + 1. BE 06 00 E8 13 00 EB 16 00 EB 13 00 + 2. F6 C4 10 75 0B EB 0E 10 75 0B + 3. 72 5F BB 90 90 BB + 4. 75 47 BE 90 90 BE + Come on... Ain't Got All Day!! 5. B8 09 02 EB 0A 02 + 6. 75 03 E8 03 EB 03 E8 03 (GPEGA.EXE only!) +----------------------------------------------------------------------------- +3. LEISURE SUIT LARRY II BY SIERRA, Pirates-R-Us + +LEISURE SUIT LARRY GOES LOOKING FOR LOVE IN SEVERAL WRONG PLACES by Sierra +On-Line has a seriously annoying protection scheme. The player must trudge +through the manual to look for girl's phone number in order to enter the +game. This patch force the program to accept any input at the prompt in the +initialization of the program. + + 1. Rename SIERRA.EXE to SIERRA.XXX + 2. Enter DEBUG and enter the following lines. + + E 0394 F6 + E 4210 52 5C + E 9E1D B8 08 35 CD 21 89 1E FC 12 8C 06 FE 12 B8 24 35 + E 9E2D CD 21 89 1E 00 13 8C 06 02 13 B8 24 35 CD 21 89 + E 9E3D 1E 04 13 8C 06 06 13 07 1E 0E 1F BA 6B 9C B8 23 + E 9E4D 25 CD 21 BA 6C 9C B8 24 35 CD 21 1F E8 5A 00 C7 + E 9E5D 06 FA 12 01 00 C3 90 57 51 B9 0F 00 BF 86 BA C6 + E 9E6D 05 00 83 C7 09 E2 F8 59 5F 2E C7 06 10 3F 0E 01 + E 9E7D E9 8F A3 90 90 90 90 90 90 90 90 90 90 98 90 83 + E 9E8D 3E FA 12 00 75 01 C3 1E 07 + Come on... Ain't Got All Day!! 
E F676 8E D8 B1 03 + W + Q + + 3. Rename SIERRA.XXX back to SIERRA.EXE +----------------------------------------------------------------------------- +4. STAR TREK: THE KOBAYASHI ALTERNATIVE BY SIMON & SCHUSTER, Dr. Disk + +This simple protection scheme can be bypassed with Central Point Software's +NOKEY (distributed with COPY II-PC), or you can use the removal scheme below. + + Search through ST.EXE for CD 13 and replace it with 90 90. + +You can use this patch with most software that you use with NOKEY to bypass +its protection scheme. +----------------------------------------------------------------------------- +5. RAMPAGE AND THE LAST NINJA BY ACTIVISION, INC., The Ninjutsu + +The above unprotection scheme can be used on these two ACTIVISION programs. +Search the main EXE files for CD 13 and replace it with 90 90. +----------------------------------------------------------------------------- +6. MANHUNTER: NEW YORK BY SIERRA, Bart Montgomery + + Search the file MHVOL.1 for these bytes: 41 06 7A + Come on... Ain't Got All Day!! and replace them with these bytes: 7F C3 00 +----------------------------------------------------------------------------- +7. FIX FOR BRUCE LEE BY DATASOFT, The PaperBoy (FOR DISK VERSION ONLY) + + First, Bruce Lee is an excellent product. It's just that (aaarrrggghhh) +you have no `falls' left, and you feel yourself quite near the finish of the +game. Suddenly, one of those little dots floating on floor taps your foot and +you get zapped. You see the sign "Game Over" and you feel pretty pissed, and +wish you could open the drive and rip the disk to shreds, but that would be +a waste. So, fix it! One thing you could do is play option C, one player vs. +your opponent played by the other player. But this time, play alone, and make +sure the second joystick is calibrated wrong. If the computer sees that the +Yamo isn't moving, it will take over, so a wrong calibration will make it +move always. 
So, you're playing, but that stupid ninja is in your way and it +won't let you win. Alternative? Eliminate him. And this is how you do it. +Get a disk utility, preferably Norton Utilities. Zap the Bruce Lee disk, +with the following information. + + Sector 271 Sector 271 + Offset 139 and Offset 354 + Change 09(hex) to 63(hex) Change 09(hex) to 63(hex) + + That's all there is to it. Now you play, the Green Yamo flying around +crazily, and the ninja... hmm... the ninja seems to appear for a quick second + Come on... Ain't Got All Day!! then disappear. Now, he's never gonna touch you! +----------------------------------------------------------------------------- +8. GATO: WORLD WAR 2-CLASS SUBMARINE SIMULATOR BY SPECTRUM HOLOBYTE, SlimeMan + + To unprotect GATO, use the following table below. + + Sector Offset Contents Change To + + 53 0E 72 11 90 90 + 53 13 72 0C 90 90 + 53 53 72 EB + 53 65 75 EB +----------------------------------------------------------------------------- +9. TRIVIA FEVER, Grand Central Station + +To unprotect TRIVIA FEVER, follow the steps below. + + 1. Rename TF.EXE to TF.XXX + 2. Enter DEBUG and type in the lines below. + -E 257E + -75.90 03.90 + -W + -Q + 3. Rename TF.XXX back to TF.EXE + Come on... Ain't Got All Day!! ----------------------------------------------------------------------------- +10. THE GAMES: SUMMER EDITION BY EPYX, Dr. Disk + +To unprotect THE GAMES, use the following patch below. + + Search for these bytes: E8 87 00 59 C6 + And replace it with: 59 59 5F EB 55 +----------------------------------------------------------------------------- +11. 
LITTLE BLACK BOOK BY CIGNET TECHNOLOGIES, The Gigolo + +To unprotect your LITTLE BLACK BOOK, search the file BOOK.EXE and patch: + + Search for these bytes: ----> and replace it with these bytes: + 3D 00 00 74 07 C6 06 03 01 B8 00 00 74 07 C6 06 03 00 + CD 13 B8 01 02 CD 13 72 0E 90 90 90 90 90 90 90 EB 0E + EB F5 F6 C4 06 75 06 EB F5 F6 C4 06 EB 06 + +Now, search in the file LBB.EXE and patch: + + Search for these bytes: ----> and replace it with these bytes: + 3D 00 00 74 07 C6 06 76 04 01 B8 00 00 74 07 C6 06 76 04 00 + CD 13 B8 01 02 CD 13 72 0E 90 90 90 90 90 90 90 EB 0E + EB F5 F6 C4 06 75 06 EB F5 F6 C4 06 EB 06 +----------------------------------------------------------------------------- + Come on... Ain't Got All Day!! 12. KING'S QUEST IV: THE PERILS OF ROSELLA BY SIERRA ON-LINE, Pirates-R-Us + +To completely bypass the documentational protection on KING'S QUEST IV, use +the procedure below. + + 1. First, search your Quality Assurance file for the correct edition date. + It is found in the ????????.QA file. + 2. If you do not have your version dated 09-19-88 nor 09-24-88, you cannot + proceed with this patch. Sorry! + 3. Rename SIERRA.EXE to SIERRA.XXX. + 4. Enter DEBUG and type the following lines below. + + (if you have the 09-19-88 version, use this patch) + E 0394 82 + E 0CB4 90 E8 38 98 + E A4A9 B8 08 35 CD 21 89 1E 7E 12 8C 06 80 12 B8 24 35 CD 21 89 1E + E A4BD 82 12 8C 06 84 12 B8 24 35 CD 21 89 1E 86 12 8C 06 88 12 07 + E A4D1 1E 0E 1F BA F7 A2 B8 24 35 CD 21 BA F8 A2 B8 24 35 CD 21 1F + E A4E5 E8 5A 00 C7 06 7C 12 01 00 C3 90 80 FB 98 75 16 C7 04 32 95 + E A4F9 C6 44 02 00 2E C7 06 B4 09 FF 97 2E C7 06 B6 09 A0 01 FF A7 + E A50D A0 01 90 90 90 90 90 90 90 90 90 83 3E 7C 12 00 75 01 C3 1E + E A521 07 + W + Q + Come on... Ain't Got All Day!! 
+ (if you have the 09-24-88 version, use this patch) + E 0394 74 + E 0CB4 90 E8 2A 98 + E A49B B8 08 35 CD 21 89 1E 5E 12 8C 06 60 12 B8 23 35 CD 21 89 1E + E A4AF 62 12 8C 06 64 12 B8 24 35 CD 21 89 1E 66 12 8C 06 68 12 07 + E A4C3 1E 0E 1F BA E9 A2 B8 23 25 CD 21 BA EA A2 B8 24 25 CD 21 1F + E A4D7 E8 5A 00 C7 06 5C 12 01 00 C3 90 80 FB 98 75 16 C7 04 32 99 + E A4EB C6 44 02 00 2E C7 06 B4 09 FF 97 2E C7 06 B6 09 0A 05 FF A7 + E A4FF 0A 05 90 90 90 90 90 90 90 90 90 83 3E 5C 12 00 75 01 C3 1E + E A513 07 + W + Q + + 5. Rename SIERRA.XXX back to SIERRA.EXE. +----------------------------------------------------------------------------- +13. CALIFORNIA GAMES BY EPYX, Jonathan Millhouse + +To override the disk protection scheme in CALIFORNIA GAMES, enter Norton +Utilities or your favorite disk/file editor and open CALGAMES.EXE. + + Search for these bytes: FA FC 55 56 57 + And replace it with these bytes: 00 00 31 C0 C3 +----------------------------------------------------------------------------- + Come on... Ain't Got All Day!! 14. CHUCK YEAGER'S ADVANCED FLIGHT TRAINER BY ELECTRONIC ARTS, Tony Elliott + +(Version 1.2 only) + + 1. Rename AFT.EXE to AFT.XXX + 2. Enter DEBUG with AFT.XXX open for editing. + 3. At the DEBUG "-" prompt, type + + U 0DBB + +Several lines with be displayed on screen. You are interested in the first +two. They should look EXACTLY like this: + + xxxx:0DBB E9A3A7 JMP B561 + xxxx:0DBE C3 RET + +The "xxxx" represents any four hexadecimal numbers. If you have a match, +on to the next step. If not, you probably have the wrong version. Sorry! + + 4. At the "-" prompt again, type + + U 0E38 + +Several lines of code will again be displayed on screen. Look at the first + Come on... Ain't Got All Day!! two following the "U 0E38" command. They should also match exactly with the +following: + + xxxx:0E38 880E5005 MOV [0550],CL + xxxx:0Exx 8A0E4D05 MOV CL,[054d] + +If you have a match here, then you should have a compatible version of the +AFS program. 
If not, sorry! + + 5. At the "-" prompt, type the following: + + E 0DBB 90 90 90 + E 0E38 C3 90 90 90 + W + Q + +You should now be back in DOS. Only one more step left. + + 6. Rename AFT.XXX back to AFT.EXE + +That's it! You now have an unprotected copy of AFT. +----------------------------------------------------------------------------- +15. POWER-UP! SOFTWARE, The No Cause People in Florida + + Come on... Ain't Got All Day!! To unprotect most programs from POWER-UP!, load the main EXE file with Norton +Utilities or such. + + Search for the bytes: E8 48 FF + And replace it with: 90 90 90 +----------------------------------------------------------------------------- +16. THE PRINT SHOP BY BR0DERBUND, Swamp Fox + +The Print Shop employs two sections of code to copy protect itself. The first +is embedded in PS.EXE and is exercised when the program is run from a floppy. +The second is embedded in PSINIT.OVR and is employed when the program is run +from a hard or ram disk. Once activated, both seek out a specially formatted +track on the A: drive and terminate the program if not found. + +Both sections of code will be un-hooked here so that the program will run +from either a floppy or a hard disk. + +RENAME PS.EXE PS.ZAP Rename for DEBUG + +DEBUG PS.ZAP Start DEBUG + +S0 9000 CD 13 Search for Disk interrupt 13 + +XXXX:3AC6 You should find these two: + Come on... Ain't Got All Day!! XXXX:3ADF + +U 3AC6 Unassemble code to make sure + you're in the right place : + +XXXX:3AC6 INT 13 A test for any disk in A: +XXXX:3AC8 MOV BYTE PTR [0A91],02 +XXXX:3ACD DEC BYTE PTR [0A91] +XXXX:3AD1 JZ 3AE6 +XXXX:3AD3 MOV DH,00 \ +XXXX:3AD5 MOV DL,00 | This sets up a look for the +XXXX:3AD7 MOV CH,09 | special track +XXXX:3AD9 MOV CL,0A | +XXXX:3ADB MOV AL,01 | +XXXX:3ADD MOV AH,04 | +XXXX:3ADF INT 13 / +XXXX:3AE1 CMP AH,00 If not there ... Loop then +XXXX:3AE4 JNZ 3ACD Zonk! Terminate Program... 
+ + +A 3AC6 Get rid of 1 st diskette look + +XXXX:3AC6 NOP Remove the INT 13 +XXXX:3AC7 NOP + Come on... Ain't Got All Day!! XXXX:3AC8 + +A 3ADD Get rid of the real test: + +XXXX:3ADD MOV AH,00 Give it what it wants in AH +XXXX:3ADF NOP Remove the INT 13 +XXXX:3AE0 NOP +XXXX:3AE1 + +W Write out the changed code + +Q Quit DEBUG + +RENAME PS.ZAP PS.EXE Rename for running program + +(The program will now run from floppy disks without further changes) + +Now for the second portion of the copy protection : + +DEBUG PSINIT.OVR Start DEBUG (using a copy !) + +S0 2000 CD 13 Look for disk interrupt 13 + +XXXX:0479 You should find these three: + Come on... Ain't Got All Day!! XXXX:0492 +XXXX:04BD + +U 0479 + +XXXX:0479 INT 13 A test for any disk in A: +XXXX:047B MOV BYTE PTR [CD57],02 +XXXX:0480 DEC BYTE PTR [CD57] +XXXX:0484 JZ 04DB +XXXX:0486 MOV CL,11 \ +XXXX:0488 MOV AH,04 | +XXXX:048A MOV DH,00 | +XXXX:048C MOV CH,09 | This sets up a look for the +XXXX:048E MOV DL,00 | special track +XXXX:0490 MOV AL,01 | +XXXX:0492 INT 13 / +XXXX:0494 CMP AH,00 If not there ... Loop then +XXXX:0497 JNZ 0480 Zonk ! Terminate Program... + + (Look familiar ?) + +U 04BD + +XXXX:04BD INT 13 This one's a read (same idea) + Come on... Ain't Got All Day!! XXXX:04BF CMP AH,00 +XXXX:04C2 JNZ 04A5 +XXXX:04C4 ADD BX,018B +XXXX:04C8 MOV CL,05 +XXXX:04CA ES: +XXXX:04CB MOV AL,[BX] +XXXX:04CD CMP AL,41 +XXXX:04CF JNZ 04DB +XXXX:04D1 INC BX +XXXX:04D2 DEC CL +XXXX:04D4 JNZ 04CA +XXXX:04D6 MOV AX,0000 This is the success exit ! +XXXX:04D9 JMP 04DE + +A 0479 + +XXXX:0479 NOP Remove INT 13 +XXXX:047A NOP +XXXX:047B + +A 0490 + +XXXX:0490 MOV AH,00 Give it what it wants in AH +XXXX:0492 NOP Remove INT 13 + Come on... Ain't Got All Day!! XXXX:0493 NOP +XXXX:0494 + +A 04BD + +XXXX:04BD JMP 04D6 Jump to success exit code +XXXX:04BF + +W Write out the changed code + +Q Quit DEBUG + + +The program may now be run from a hard disk or floppy as desired. 
The hard +disk set up will ask for the master diskette to be inserted but won't do +any checking or diskette access at all. +----------------------------------------------------------------------------- +17. THE ANCIENT ART OF WAR BY BR0DERBUND, Didley Bop + +Load up Norton Utilities with WAS.EXE and search for these bytes: E8 F8 32. +Replace them with B8 01 00. Now, it's unprotected! +----------------------------------------------------------------------------- +18. FIX FOR BATTLETECH BY INFOCOM, The PaperBoy + + Come on... Ain't Got All Day!! You don't have enough C-Bills? Well, this will help. Save your game and run +Norton Utilities or such with the GAME# (#=number of the save game) ready. +Edit the bytes at offset 05D5hex and 05D6hex and replace it with 00 70. That +should give you about 28672 C-Bills when you return to the game. You may go +as high as FF 7F, which will total 32767, but I wouldn't want to go higher +than that, or there could be a program interpretation screwup. +----------------------------------------------------------------------------- +19. FIX FOR TECHNOCOP BY US GOLD AND EPYX, Shimba + +If you start with only 5 lives and must go through 11 levels of harsh battle, +I don't think you'll make it, unless you are lucky and fast enough to get +extra lives. Save your game, enter NU and change the byte at offset 5hex to +05. This will return you to 5 lives. I tried fixing it with FF, but I found +out that it doesn't work - I lose as if I had no lives left. You can attempt +to screw around with other bytes and hopefully get more lives than five. +----------------------------------------------------------------------------- +20. WILLOW BY MINDSCAPE/CINEMAWARE, Hacker Joe + +Open WILLOW.EXE with your hex file editor and perform these operations: + + Search for these bytes: ----> And replace with: + CD 13 59 90 90 59 + 74 02 EB E6 EB 02 EB E6 + 75 04 3C 00 EB 18 3C 00 + Come on... Ain't Got All Day!! 
3C F8 75 14 3C F8 EB 14 + 73 0C 33 C0 EB 0C 33 C0 +----------------------------------------------------------------------------- +21. BOP 'N WRESTLE BY MINDSCAPE, SlimeMan + +Prepare BOP.EXE for editing with NU or compatible program. Search for these +bytes: B8 00 19 CD and replace them with: 31 C0 EB 2F. +----------------------------------------------------------------------------- +22. FIX FOR THE LAST NINJA BY ACTIVISION, The Ninjutsu + +Not enough lives? Well, save your game and enter your hex-style editor with +that save game file open for editing. Change the byte at offset 59hex to any +hex number from 00 to FF. FF will obviously give you 255 lives, so why want +the 00? Your screen will be lined up with those damn apples on the bottom +status screen, but they won't effect the game. +----------------------------------------------------------------------------- +23. INFILTRATOR BY MINDSCAPE, MasterByte + +This unprotection scheme was very similar to that of BOP 'N WRESTLE. Here's +its own version. ** Make sure you change all EXE files (except INSTALL)! ** + + Search for these bytes: 31 C0 19 CD + And replace it with: EB 33 19 CD +----------------------------------------------------------------------------- + Come on... Ain't Got All Day!! 24. APOLLO 18 BY ACCOLADE, Two Guys + +To unprotect APOLLO 18, use Norton Utilities or PC-Tools and... + + Search for these bytes: 9A 29 00 + And replace it with: EB 1B 00 +----------------------------------------------------------------------------- +25. DEFENDER OF THE CROWN BY MINDSCAPE/CINEMAWARE, The Doctor of MASH + +To unprotect DEFENDER OF THE CROWN, use DEBUG for this one. Rename the file +DOC.EXE to DOC.XXX and follow the instructions below. + +DEBUG DOC.XXX +-S 0 FFFF B8 00 A0 50 FF 36 0A 45 ; search for beginning of routine. 
+xxxx:3BCC ; addresses may be different +xxxx:3BF2 +-A3BCC ; assemble at first address +xxxx:3BCC JMP 3BF2 ; jump to second address +xxxx:3BCE +-W ; write the edited file back to disk +Writing 11600 bytes +-Q ; quit, return to DOS + +Now, rename DOC.XXX back to DOC.EXE. It's unprotected. + Come on... Ain't Got All Day!! ----------------------------------------------------------------------------- +26. PERFECT COLLEGE, Dr. Disk + +This unprotection scheme is very similar to that of unprotection scheme #1, +the ACCOLADE schemes. However, the program places a RETF (far return) +instruction instead of the normal RET. So, ready COLLEGE.EXE for edit, and: + + Search for these bytes: 55 56 57 06 1E + And replace it with: 31 C0 CB 06 1E +----------------------------------------------------------------------------- +27. POLICE QUEST II: THE VENGEANCE BY SIERRA, Pirates-R-Us + +The new line of SIERRA software protected with the documentational check have +almost identical patches to the main EXE file. This one was no sweat. + +Rename SIERRA.EXE to SIERRA.XXX and load DEBUG. Enter these lines: + + E 0394 74 + E 7FDB 05 1F + E 9E9B B8 08 35 CD 21 89 1E 38 13 8C 06 3A 13 B8 24 35 + E 9EAB CD 21 89 1E 3C 13 8C 06 3E 13 B8 24 35 CD 21 89 + E 9EBB 1E 40 13 8C 06 42 13 07 1E 0E 1F BA E9 9C B8 23 + E 9ECB 25 CD 21 BA EA 9C B8 24 35 CD 21 1F E8 5A 00 C7 + E 9EDB 06 36 13 01 00 C3 90 57 51 B9 38 00 BF B8 AB C6 + Come on... Ain't Got All Day!! E 9EEB 05 00 47 E2 FA 2E C7 06 DB 7C 5B 01 59 5F E9 DE + E 9EFB E0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 83 + E 9F0B 3E 36 13 00 75 01 C3 1E 07 + W + Q + +Rename SIERRA.XXX back to SIERRA.EXE and your unprotection is complete. +----------------------------------------------------------------------------- +28. GOLD RUSH! 
BY SIERRA, Sir Graham + +To avoid the 80-page manual for the keywords, prepare the file GRDIR for +DEBUG and enter the following lines: + + E 28C CC + E 28D 7A + W + Q +----------------------------------------------------------------------------- +29. THE GAMES: WINTER EDITION BY EPYX, Super Dave + +To unprotect THE GAMES: WINTER EDITION, follow these steps below: + + 1. Rename GAMES.EXE to GAMES.XXX. + 2. Enter DEBUG with GAMES.XXX ready for modifications. + Come on... Ain't Got All Day!! 3. Type "S 0000 FFFF 0B C0 74 01" to search for the protection pattern. + 4. The computer should respond with only one address. If none or more + than one is given, this unprotection scheme may not work. Sorry! + 5. Take the address given (in the form of XXXX:YYYY) and subract 5 from + the YYYY address. The numbers are in hexidecimal. Do not attempt + this patch if you do not understand hex. + 6. Use the subracted number (ZZZZ) and enter it in DEBUG as follows: + "E ZZZZ EB 03 90 90 90 31 C0" to NOP the protection scheme. + 7. Save the modified file by entering "W", then entering "Q" to exit to + DOS. + 8. Rename the file GAMES.XXX back to GAMES.EXE. +----------------------------------------------------------------------------- + This file is updated every week. Watch out for new unprotection schemes! +Please upload this file archived as "UNP89-#.ARC," where # is the edition +number. For instant cracks on software, call 1-312-ZAP-DISK and ask for Vic! + +[3] Tfiles: (1-3,?,Q) : \ No newline at end of file diff --git a/textfiles.com/piracy/CRACKING/crackam2.txt b/textfiles.com/piracy/CRACKING/crackam2.txt new file mode 100644 index 00000000..21c5ab1c --- /dev/null +++ b/textfiles.com/piracy/CRACKING/crackam2.txt 
@@ -0,0 +1,630 @@ +*********************************************************************** +*********************************************************************** + + (Part II of Hacking Doc) + + MONAM2 HELP FILE + This is a copy of a monam2 help file I wrote ages ago + +*********************************************************************** +*********************************************************************** + + Devpac 2 + +Devpac 2 is the best Monitor program I have ever used. It has some very +nice break points that you can place conditions on. You can do nice things +like tell the monitor to trace the program for 10000 instructions and then +jump back to the monitor. Ok in the list below the Am = the right Amiga +button. + +Window Commands +TAB Mo +ve to the next window +Am A Set address + sets the starting address of a memory or disassembly window +Am B Set Breakpoint + Sets various break point (see later) +Am E Edit Window + On the memory window this lets you edit memory. You can + edit in hex (delfault) or press the TAB key and jump to + the Ascii part of the window and edit in Ascii +Am L Lock Window + With this command you can lock the disassembly window or + memory win +dow to a particular register. The disassembly + window is lock by default to the PC. You can lock the + disassembly window and the memory window together by + locking the memory window to M2. (M2 is a memory registor + see later) +Am O Show Other + This does convertions and mathmatcis for you. It prompts + for a number but you can use symbols from your program + as well as complex maths +Am P Printer Dump + Dumps the current + window to the printer, it can be aborted + by pressing ESC +Am R Register Set + Alter a register. 
You can just feed in a number or define it + by a maths equation ex A3=A2+4 or you can even use the + symbols from the A3=A2+START +Am S Split Windows + Splits window 2 into window 2 and window 4 or window 3 into + window 3 and window 4 +Am T Change Type + This only works on window 4 (created either by splitting + window 2 o +r by loading a source file). It changes the type + of the window between disassembly, memory and source-code + (if a file has been loaded). +Am Z Zoom Window + Zooms the current window to full size or back again. Zooming + the register window shows the values of M0-M9 (Devpac internal + memory registers... see later) + +SCREEN SWITCHING + +Monam uses its own screen display and will always make itself the front +and active window whenever an exception (including + breakpoint) occurs + +V View other Screen + +BREAKPOINTS + +Am B Set Breakpoint + With this command you can set a variaty of kinds of break + points. After pressing B just enter one of the following + + address + will set a simple break point + + address,expression + will set a stop breakpoint at the given address,after + it has executed expression times + + address,= + will set a count breakpoint. The ini +tial value of the + count will be zero + + address,* + will set a permanent breakpoint + + address,? expression + will set a conditional breakpoint, using the given +expression + such as the value of a registor etc + + address,- + will clear any breakpoint at the given address + +You can't set a break point in ROM + +Help Show Help and Breakpoints + This displays the current breakpoints, task status, its + + seqment list (showing where your program is), free memory + and the system memory list. Am commands are available within + this display + +Ctrl B Set Breakpoints + Sets a breakpoint at the start address of the disassembly + window (you have to be in it). 
If there is one already there + it will clear it + +U Go Until + Prompts for an address at which a simple breakpoint will be + placed then program execution resumed + +Ctrl K Ki +ll Breakpoints + Clears all break points + +Ctrl A Set Breakpoint then Execute + A real great command. It places a simple breakpoint at the + instruction after the Program counter and then runs the + program. This is really great for single stepping through + conditional loops, you just single step down to the command + that does the test and loop and press Ctrl A and it places a + breakpoint after the loop and then runs program (goes arou +nd + the loop until it falls through on to your break point). The + only thing to watch is the program exiting at another point + and never getting to your break point + + Ctrl X Stop program executing + Stops your task running. It does this by setting the trace bit + so you will get a trace exception. While this does work, be + careful if you stop it in the middle of some AmigaDOS ROM + routines, particularly signal handling and message pa +ssing + + + OTHER STUFF + + Monam has a history buffer showing the condition of the registors and + program counter. + + H Show History buffer + Shows the history buffer (for the last 5 instructions) + +Ctrl C Terminate + Leave Monam + +Ctrl Q Quit a program + Stops a program running. This can be hazardous to use, and + should only be done as a last resort. If your program is + terminated in this way it will not clean up, and thus not + de-allocate any +memory it was using or close windows etc + +Ctrl L Loading Executable Program + This will prompt for a filename and then a command line + and will attempt to load the file ready for execution. + If MonAm has already loaded a program it is not possible to + load another until the former has terminated + +B Load Binary File + Prompts you for a file name and optional load address +(separated + by a commma) and will then load the file where specified +. 
If + no load address is given then memory will be allocated from the + system. M0 will be set to the start address and M1 to the end + address (see below for a discription of the M registers) + A Load Ascii file + A great command that allows you to load a ascii file (such as +the + sorce coad) into window four of Monam, if window 4 isn't +already + open then it will open it automaticly + + EXECUTING PROGRAMS + + Ctrl R Return to program/Run + + Runs the current program from the PC position at full spead the + history buffer will not be updated while running. + +Ctrl Z Single-Step + This single-steps the instruction at the PC with the current + register values. Single-stepping a trap, Line-A or Line-F +opcode + will, by default, be treated as a single instruction. This can +be + charged using Prefrences (Ctrl P) + +Ctrl Y Single-Step + as above but included for the convenience of German u +sers + +Ctrl T Interpret an Instruction (Trace) + A great command. It is the same as Ctrl Z but skips over BSR's, + JSR's, Traps, Line-A and Line-F calls, re-entering the debugger + on return from them to save stepping all the way through the + routine or trap. It works on instructions in ROM and RAM + +Ctrl S Skip and Instruction + Ctrl S increments the PC register by the size of the current + instruction thus causing it to be skipped. Use this inst +ead + of Ctrl Z when you know this instruction is going to do +something + you dont want + +R Run (various) + Prompts for the style of run you want just press it and you +will + be prompted for + + G Go + Identicial to Ctrl R just runs the program at full speed + + I Instruction + This is a great command that executes the entered number of + enstructions remembering the infomation in the history + +buffer + and then returning to Monam. 
Traps are executed as single + insturctions + +SEARCHING MEMORY +G Search memory (get a sequence) + Will prompt for B/W/L/T standing for Bytes, Words, Longs, Text and + Instructions (Intructions and Texzt are case sensitive). The SP is + not called SP in the searches it is called A7 + +N Find Next + Having found one with the G command (see above) you can find +another + occurence of it by pressing N + +OTHER + STUFF + +Ctrl P Preferences + Alows you to alter various options in Monam by answering Y/N to the + questions + +I Intellegent Copy + Copies a block of memory to another area. The addresses should + be entered in the form + + START,INCLUSIVE_END,DESTINATION + + No checks are made on the validity of the move. It will let you + quite happily crash the system + +L List Lables + Lists all the lables in the program. Lables are displaye +d in + the order they where found on the disk + +W Fill Memory With + START,INCLUSIVE_END,FILLBYTE + +P Disassemble to Printer/Disk + Disassembles Area of memory to printer or disk with lables + the first lines should be entered in the form + + START_ADDRESS,END_ADDRESS + + The next line prompts for an Area of memory to use to build + the cross-reference list, which should be left blank if no + automatic labels are require +d else should be of the form + + BUFFER_START,BUFFER_END + + Next is the prompt for data areas which will be disassembled as + DC instructions, of the form + + DATA_START,DATA_END,SIZE + + The optional size field shoudl be B, W, L, defaulting to L, + determining the size of the data. When all data areas have + been defined, a blank line should be entered + + Finally a filename prompt will appear, if this is blank all + outp +ut will be to the printer, else it will be assumed to be a + disk file + **** Special Note **** I will be stuffed if I can get this to + work... I can get it to just disassemble the code but I can't + get it to put in lables. (it worked on the ST what happend + guy's). 
We hope for a fix in an upgrade. + + +M Modify Address + Same as Am A + +O Show Other Bases + Same as Am O + +D Change Drive and Directory + Change current + Drive and Directory + +THE M REGISTERS (In the bits above where I said see later well here it is) + +The Devpac manual is shy and doesn't blow it's own horn enough about some +of +it's features. The M registers are one of the things, Devpac has internal +registors numberred M0-M9 some of them are used by the program such as +M2 and M3 which control the start of the disembly window and the start of +the +Memory window. You can alter the value of the M registers and the windows +will reflect the change. You can use som +e of the registers for your own use +such as setting M7 to a memory address you want to look back at latter and +the go away and look at another memory address then when you want to go +back +you just go + +M .... for Modify memory + and +M7 + +and you will jump back to the address you stored just by going MM7 + +when you load a binary file M0 and M1 are set to the start and end of +file you loaded. This makes it really easy to load a binary file change +a character and save it back again. You don't even have to en +ter in the +start and end addresses when you save it you just use M0 and M1 in the +save statement + +M2, M3, M4 and M5 are the start addresses of windows 2,3,4,5 + +Another thing Devpac doesn't make to much about it the use of symbols +in your statements such as alterring a register + +A5=A2+A3+START_PRG - SUM_OTHER_NUMBER + +So why work it out let Devpac do it for you + +Fuck that took me a long time to type in and I dearsay there are +heeps of spelling mistacks in it so if you find one all you have to +do is write it o +n a piece of paper and flush it down the loo. Or correct +the file and reload it up to the board. 
+ + Bye Fun_to_hack + + + +*********************************************************************** +*********************************************************************** + + MONAM2 METHODS +This is a copy of a file I wrote ages ago showing you how to get the + most out of monam + +*********************************************************************** +******** +*************************************************************** + +HANDY THINGS TO KNOW ABOUT DEVPAC'S MONAM +I really like using Devpac's machine code monitor (called Monam or Monam2 +from here on). Most people don't really use it to it's potential because +the manual dosn't emphasize some of the better features so I thought I +would write about some of the handy features and methods of using them that +I have found helpful in debugging programs. Everything I mention here is in +the manual but some it is in very o +bscure places or just mentioned in +passing. This is not an Help file of the commands but a help file showing +better ways to use the commands. For a list of the commands see the file +Monam2_help.txt + +Monam2 will debug programs and tell you what the machine code calls are as +it comes to them so instead of looking at code that says JSR -$1E(A6) when +you are single stepping the program you will see JSR Open. This is great +and stops you looking up endless calls in the manual. The way to get it to +do it is to put + the file Libfile.Monam into the libs directory on your +systems disk. You will find the file in the Libs directory on the original +distribution disk. Monam2 will debug programs that have been saved with the +labels in them and display them in the program when you are single stepping + it. Ok that is obvious but what isn't so obvious is you can use the labels +yourself. This is great if you are like me and hate keying in 6 didget Hex +numbers all the time. When ever you have to key in a hex address you can +just + type in the label instead. 
You can set the program counter to point to +a label just by using the Set register command (Right_Amiga_Key R PC=label) +that goes for setting the address of the current window as well (M label) +you can even use the names of the Registers to save you key in the values +in them. For example if A0=$123456 and you think it is pointing to a file +name and want to see what it is you can set the Data window to it by making +it the current window and going M A0 this will set the current win +dow to +the value in AO you can do this for all the Registers A0-A7, D0-D7, PC. All +these labels and short cuts really come into there own when you are doing a +calculation you can use the O command (Other) for doing calculations you +can do things like O A0+D0 and it will work out what the values in A0 plus +D0 equal. You can use all the Registers A0-A7, D0-D7 the PC and even use +the SR register (you can do it with the SR reg I didn't say you could do +anything useful with it). You can even use the operators {} + for the number +at an address instead of the address itself for example if A0 is pointing +at number $12345678 you can go M {A0} and it will set the current window to +address $12345678 this could be useful for looking up a table. If you want +to actually do something with the address A0 or the number A0 then all you +have to do is put a $ in front of it. Apart from using labels and Registers +as short cuts Monam2 has some built in reserve words they are CODE which is +set to the start address of any program you +load up and HUNK1 HUNK2 etc +which are set to the start of the Hunks. CODE is very handy for when you +are single steeping and want to nip back to the start to see what where you +started. Hunk can be handy for jumping around the code. There is no end off +HUNK or ENDOFCODE reserved words. 
The flexibly of the maths bits of Monam2 +is extreamly good and you will find you can use it from any part of the +program so when ever you want to go to an address or set a register to a +value you have to work out you don't ha +ve to work it out and then set the +register or tell Monam2 to go to that address just include the equation in +the command to tell monam to go to the address or set the register to the +value. With out a doubt my feature of Monam2 is it's Memories there are 10 +memories M0 to M9. M0, M1, M2 and M3 are used by Monam itself. M2 is set to +the top of the disassembly window and M3 is set to the top of the Hex +window when ever you move these windows then the values change to the top +of it's window. We can use these +for our own use. If you are in the +Disassembly window and come across a bit of code that looks a bit funny and +could be data so you nip over to the Data window and want to set it to the +same address as the disassemble window. Just go to the Data window (M3) and +press MM2 then hit RETURN (M for memory and M2 for the address of M2 which +is the disassemble window). Although this involves four keystrokes which is +in most cases only going to be a few less than going M and the address you +want to go anyway since +two of them are the same and the other one is +Return and you don't have to hunt and peck around the keyboard to type in a +hex number you get a great increase in speed and you are much more sure of +getting it right than keying in the number. You actually have two more +windows than are not obvious, if you go to the disassembly window and press +Right Amiga button and S at the same time then you split the window into +two windows both which are disassemble windows you can jump over to the +Data window and split i +t in two the same way and you can jump around them +with the TAB key just as you can do with the two normal windows and you can +Zoom each of the windows with Amiga Z. 
I will talk more about windows and +the M variables in the Section on Tracing techniques and Stuff. You can +also lock a window to an window to a Memory variable or a register. By +default the disassembly window is locked to the PC but you can lock any of +the windows to any register or Memory value. To lock the Data window to A0 +you just move to t +he Data window and press the right Amiga key and L +simultaneously and then then type A0 and press return and from then on the +Data window will always be set to the value of A0 and if it should change +then the top of the window will change. You can also lock windows together +for example to lock M3 to M2 you go to the Data window (M3) and go Amiga L +M2 return and everytime the the disassembly window changes the Data window +will change to match. To unlock a window you just lock it to it's Memory +value example +move to the disassembly window and go Right Amiga L M2 and + the window will not change when PC goes off the screen. The values M0 and +M1 are automatically set to the start and end of a file that is loaded in +with the binary function (B) this is very handy when you want to save a +file back again you just use M0 for the start and M1 as the end. + +The values of M are set to +M0 Start of the last binary file loaded +M1 The end of the Last binary file loaded +M2 The start of the Disassembly window +M3 The sta +rt of the Data window +M4 The start of the second disassembly window if it exists otherwise free +M5 The start of the second Data window if it exists otherwise free +M6 A free variable to be used by you +M7 A free variable to be used by you +M8 A free variable to be used by you +M9 A free variable to be used by you + +To get a list of all the M variables as well as the usual A0-A7, D0-D7, PC +and SR just keep pressing TAB key until you get to the register window and +press Right Amiga key and Z (for Zoom) + and you get a dump of all the +Registers. 
While you are in the Zoom mode you can't use the O command for +preforming calculations but you can use right Amiga O to do the same thing. +The O without an Amiga key is supposed to be there only to be compatible +with Monam 1 but I don't know anyone who uses the Amiga O version so you +tend to think Monam2 wont let you do calculations but it will, this is very +handy because so often the thing you want to calculate on is something you +have seen in Zoom mode the same go +es for the screen that displays the hunks +and break points (got to by pressing Help). You can also set Registers in +Zoom mode and in the help key screen just go Right Amiga R and set the +register as per normal. You can get a dump of the current window you are in +by going Right Amiga P this also works in Zoom mode giving you a bigger +dump. The disassemble to printer or drive option of monam2 (version 2.0) +has a floor in it... it won't put labels in even though it ask you for an +area to store the labels in. T +he only way to fix this is to get a latter +version of Monam there is a version of Monam2.05 that has been converted +from German to English (thanks Sigfried) have a look on the disk you got +this with if it is there it will be called Monam2.05 (my name not anyone +elses). The only problem we have found with this version is it wont save +Preferences (hopefully we will fix this). I found the easiest way around +this is to save the preferences from an earlier version of Monam2 (real men +change the file by hand). 
+ +T +racing techniques and stuff +When you are single stepping a program and stop half way through and go +into Zoom mode you are able to jump up and down the program and have a good +look around then when you press Escape to go back you where you where when +you went into Zoom mode this is great if you wanted to go back to there but +if you have just found something interesting and would rather have that at +the top of the window when you got back to the normal screen this is an +absolute pain. The way around this is +to set the window Memory variable +from Zoom mode if you are in the Disassembly window and you go into Zoom +mode then advance four or five pages all you have to do is go Amiga R +M2=address to set the memory variable M2 (top of disassembly window) to the +address that you want to be at and when you press escape the top of the +window will be the address you put into the register M2. When you are +tracing a program and you come to something of interest you can flag it by +setting a memory value to the PC (Amiga R +M3=PC) and if you find another +thing then set M4=Pc and M5 etc up to M9 then if you want to come back you +just go MM3 (Memory M3) and later MM4 etc. I use this quite alot to keep +track of the flow of a program that I am tracing if you get to a suspicious +part that calls a subroutine and you set M3=PC if that subroutine calls +another one you can set M4=PC etc. You can then conveniently jump around +the bits of the program without having to write a single address down. A +thing I use this for alot is working ba +ckwards. You find a bit of code in +the program that look of interest and you Set M9=Address then trace the +program using the Instruction search and when if you find the call to it + you set M8=address then search again for a call to that address and set M7 +to it's address. 
With all these memory variables set to different parts of +the program you can then go MM6 or MM7 or MM8 to jump around the different +parts of the program of course this is very limited in the amount of code +you can do this with and there i +s a good chance that you wont be able to +find the address call you are searching for but anytime you find you are +about to write a Memory address down set a Memory variable to equal it +instead. I find moving the address to the top of the window and using the +Memory variable for that window to define the new variable the best way to +do it.. for example want to set M5 to an address in M2 you just keep +pressing the down arrow until the address lines up with the top of its +window and go Right Amiga R M5=M2. Thi +s sounds very involved but you will +find your self doing it very quickly after a few times and it doesn't +involve keying in a number which is the thing that really slows you down +and is most likely to be got wrong. Saving and loading a binary file can be +very handy for changing a program you don't have the source code for +(Hacking who me?). If you load an executable program with the binary load +function (B) it loads the whole program including the program header and +file relocation table. The program looks +just as it would on the disk not +as it would look in memory if you had loaded it as an executable file +(Control L) because when a program is loaded by the operating system it is +relocated to run at that place in memory. If you load a program with the B +option you can save it with the S option and it will still run in the usual +fashion the trick is to save it with a correct start and end. If you were +to try and find out the start and end by looking in memory you would +without a doubt fail but since the varia +ble M0 and M1 are assigned to the +start and end of the binary file loaded all you have to do is to save it +using M0 for the start and M1 as the end. 
After you have loaded a program +you can then alter bits of it. But you have to be careful what you are +doing, you can't alter anything that has absolute address because this will +be altered by the relocation table when it is loaded but you can alter +things that are PC relative or change commands into Nop's or change a +conditional branch to another condition suc +h as make a BNE to BRA just by +changing one byte. I can not over emphasize the need to make sure you are +not changing something that will be altered by the relocation table when +the program is loaded. When you are looking at a program you have loaded as +a program (the normal way with Control L or when starting monam) have a +look the data window and see if the address that a call is talking about is +there in hex if it is then it was put there by the relocation table and is +to be left alone. The other thing t +o watch out for is making sure you don't +save the program down on top of something else on the disk. Normally the +file system makes sure you don't do that but if it is a protected disk then +they may be loading sectors directly from the disk and not have allocated +them as already used and the operating system will think there fair game +and save your file down over some other code on the disk. The way to be +sure this dosn't happen is to use Newzap or one of the other excellent file +zapers available on the ami +ga and change it directly on the disk. Loading +the file up as binary is still handy in this case as it will show you +exactly what the code looks like on the disk so you will have lots to code +surrounding the code you want to change to confirm you are in fact changing +the right bit of code. + +UPDATE ON MONAM2_METHODS + +SNAP & OSNAP +There are two programs that I have started using in conjunction with Monam2 +and I dont know what I would do without them. They are both the same kind +of program. 
I started using sna +p and have now retired it in favour of OSNAP +but if you cant get OSNAP then snap will do fine. The programs allows you +to click on some text anywhere on the screen and copy it into a buffer and +then paste it somewhere else as if you had keyed it in by hand. The +programs have many uses including using them from inside a modem package to +quote other messages back at people. But from monam I use it for enterring +in hex numbers for me. You will have noticed I have a reel hatrid with hex +numbers and will do anyt +hing to get away from keying them in includeing +using the memories as much as posible to store them. With both SNAP and + OSNAP you can do things like see a BSR $12345 instruction and move the +mouse pointer to the line hold down the Amiga key and drag the pointer +accross the number and copy it into a buffer then you just go M (for change +window address) and press Amiga I to insert it into the line. You can grab +the numbers from anywhere. OSNAP is the same as snap with more features the +main feature I like is + the fact it has a history buffer on the strings it +is grabing. I use this to follow the flow of a program. You come to a BSR +so you grab the whole line with the BSR instruction in it and then single +step to the address it is going to then the next time you get another BSR +you grab it again and you carry on doing this until you decide you went the +wrong way and then you just list the lines you have been grabing and to go +back one call you just change to the address at the start of the line. + + + + FunToHack diff --git a/textfiles.com/piracy/CRACKING/crackist.hac b/textfiles.com/piracy/CRACKING/crackist.hac new file mode 100644 index 00000000..59ca9d22 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/crackist.hac 
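Review bot: a number of the added lines in this Monam file split a word across a line boundary, e.g. `Ctrl K Ki` followed by `ll Breakpoints`, `goes arou` / `nd`, and `message pa` / `ssing`, which reads like a line-wrap or transcription artifact rather than the original file's layout; if the mirror is meant to be byte-faithful, confirm against the source copy, otherwise rejoin those fragments before committing so the command names and sentences are searchable as written.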
@@ -0,0 +1,1697 @@ + + + + + + + + + VOL 1 NUM 1 + + + + + The Amatuer Crackist Tutorial + Version 1.3 + By + Specular Vision + + + + + + Special Thanks to: + Mr. Transistor + Ironman + The Grand Elusion + Banzai Buckaroo + + + + + Another fine PTL Production + Call The Myth Inc. BBS + Table of Contents: + ------------------ (Page Numbers will be aprox. until + final version is finished) + i. Table of Contents 2 + + ii. Introduction 3 + + I. How to Crack 4 + Debugging DOS 4 + Cracking on the IBM PC Part 1 7 + Cracking on the IBM PC Part 2 11 + + II. Example Cracks 14 + Mean-18 by Accolade 14 + Submarine by Eypx 18 + Space Station Oblivion by Eypx 22 + + III. Removing Doc Check Questions 23 + F-15 Strike Eagle by MicroProse 23 + Battlehawks 1945 by Lucasfilms 25 + Yeager's AFT by Electronic Arts 26 + + IV. Cracking Self Booters 27 + Disk Basics + Victory Road by Data East 27 + MS-Flight Simulator (Ver 2.x) 30 + + V. Creating Title Screens 33 + + VI. Appendix 35 + A - Interrupt Tables 36 + (This will be an add-on file) + + + + + + + + + + + + + + + + + + + + + + + + 2 + Introduction: + ------------- + + Due to the current lack of Crackers, and also keeping in mind + the time it took me to learn the basics of cracking, I de- + cided to put this tutorial together. I will include many + files which I have found helpful in my many cracking endeav- + ors. It also has comments that I have included to make it + easier to understand. + + + + Comments Key: + ------------- + + Comments in the following material will be made by one of the + following and the lines that enclose the comments show who + made the comment. + + Specular Vision = ------------- + Mr. Transistor = +++++++++++++ + Ironman = ||||||||||||| + + + Special thanks to Mr. Transistor, for coming out of "Retire- + ment" to help compose this document. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + 3 + Chapter I How to Crack + + + ------------------------------------------------------------- + Let's start with a simple introduction to patching a program + using the DOS DEBUG program. The following article will in- + troduce you to the basic ideas and concepts of looking for a + certain area of a program and making a patch to it. + ------------------------------------------------------------- + + + By: Charles Petzold / Specular Vision + Title: Case Study: A Colorful CLS + + This article originally appeared in the Oct. 14,1986 Issue + of PC Magazine (Vol 15. Num 17.). Written by Charles Petzold. + + The hardest part of patching existing programs is determin- + ing where the patch should go. You really have to make an + intelligent guess about the functioning of the program. + + As an example, let's attempt to modify COMMAND.COM so that + is colors the screen on a CLS command. As with any type of + patch try it out on a copy and NOT the original. + + First, think about what we should look for. CLS is differ- + ent from all the other DOS internal Commands, It is the only + internal command that does something to the screen other than + just write to it with simple teletype output. CLS blanks the + screen and homes the cursor. Since it can't do this through + DOS Calls (unless ANSI.SYS is loaded), it is probably calling + the BIOS Directly. The BIOS Interrupt 10h call controls the + video, and so the CLS command probably uses several INT 10h + instructions. The machine code for INT 10h is CD 10. + + (While this same method will work under any version of + PC-DOS, Version 2.0 and later, the addresses I'll be using + are from PC-DOS 3.1. Other versions of PC-DOS(or MS-DOS) will + have different addresses; you should be absolutely certain + that you're using the correct addresses.) + + Load COMMAND.COM into DEBUG: + + DEBUG COMMAND.COM + + and do an R (Registers) command. 
The size of COMMAND.COM is + in register CX. For DOS 3.1's COMMAND.COM, this value is + 5AAA. + + Now do Search command to look for the CD 10 bytes: + + S 100 L 5AAA CD 10 + + You'll get a list of six addresses, all clustered close to- + + 4 + gether. The first one is 261D. You can now pick an address a + little before that (to see what the first call is doing) and + start disassembling: + + U 261B + + The first INT 10 has AH set to 0F which is a Current Video + State call. The code checks if the returned value of AL + (Which is the video mode) is less than 3 or equal to 7. + These are the text modes. If so, it branches to 262C. If + not, it just resets the video mode with another INT 10 at ad- + dress 2629. + + At 262C, the code first sets the border black (the INT 10 + at 2630), then does another Current Video State call (at + 2634) to get the screen width in register AH. It uses infor- + mation from this call to set DX equal to the bottom right row + and column. It then clears the screen by scrolling the en- + tire screen up with another INT 10 (at 2645), and then sets + the cursor to the zeroth row and zeroth column with the final + INT 10 (at 264D). + + When it scrolls the whole screen, the zero value in AL ac- + tually means blank the screen, the value of BH is the at- + tribute to be used on the blanked area. In an unmodified + COMMAND.COM, BH is set to 7 (Which is white on black) by the + following statement at address 2640: + + MOV BX,0700 + + If you prefer a yellow-on-blue attribute (1E), you can + change this line by going into Assemble mode by entering: + + A + + then entering + + MOV BX,1E00 + + and exiting Assemble mode by entering a blank line. + + Now you can save the modified file: + + W + + and quit DEBUG: + + Q + + When you load the new version of COMMAND.COM (and you can + do so without rebooting by just entering: + + COMMAND + + + 5 + on the DOS command level), a CLS will turn the screen blue + and display characters as yellow. 
+ + If it doesn't or if anything you type shows up as white on + black, that probably means you have ANSI.SYS loaded. If you + use ANSI.SYS, you don't have to make this patch but can in- + stead use the prompt command for coloring the screen. + + END. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 6 + ------------------------------------------------------------- + That was just one section of a very large article that helped + me to get started. Next we'll look at two other articles, + both written by Buckaroo Banzi. These two articles CRACK-1 + and CRACK-2 give you an introduction to the different copy + protection schemes used on IBM PC's, and how to find and by- + pass them. + ------------------------------------------------------------- + + + + By: Buckaroo Banzai + Title: Cracking On the IBM PC Part I + + + Introduction + ------------ + For years, I have seen cracking tutorials for the APPLE + computers, but never have I seen one for the PC. I have de- + cided to try to write this series to help that pirate move up + a level to a crackest. + + In this part, I will cover what happens with INT 13 and how + most copy protection schemes will use it. I strongly suggest + a knowledge of Assembler (M/L) and how to use DEBUG. These + will be an important figure in cracking anything. + + + INT-13 - An overview + -------------------- + + Many copy protection schemes use the disk interrupt + (INT-13). INT-13 is often use to either try to read in a il- + legally formatted track/sector or to write/format a + track/sector that has been damaged in some way. + + INT-13 is called like any normal interrupt with the assem- + bler command INT 13 (CD 13). [AH] is used to select which + command to be used, with most of the other registers used for + data. + + INT-13 Cracking College + ----------------------- + Although, INT-13 is used in almost all protection schemes, + the easiest to crack is the DOS file. 
Now the protected pro- + gram might use INT-13 to load some other data from a normal + track/sector on a disk, so it is important to determine which + tracks/sectors are important to the protection scheme. I + have found the best way to do this is to use LOCKSMITH/pc + (what, you don't have LS. Contact your local pirate for it.) + + Use LS to analyze the diskette. Write down any track/sector + that seems abnormal. These track are must likely are part of + the protection routine. Now, we must enter debug. Load in + + 7 + the file execute a search for CD 13. Record any address + show. + + If no address are picked up, this mean 1 or 2 things, the + program is not copy protected (right...) or that the check is + in an other part of the program not yet loaded. The latter + being a real hassle to find, so I'll cover it in part II. + There is another choice. The CD 13 might be hidden in self + changing code. Here is what a sector of hidden code might + look like + + -U CS:0000 + 1B00:0000 31DB XOR BX,BX + 1B00:0002 8EDB MOV DS,BX + 1B00:0004 BB0D00 MOV BX,000D + 1B00:0007 8A07 MOV AL,[BX] + 1B00:0009 3412 XOR AL,12 + 1B00:000B 8807 MOV [BX],AL + 1B00:000D DF13 FIST WORD... + + In this section of code, [AL] is set to DF at location + 1B00:0007. When you XOR DF and 12, you would get a CD(hex) + for the INT opcode which is placed right next to a 13 ie, + giving you CD13 or INT-13. This type of code can't and will + not be found using debug's [S]earch command. + + + + Finding Hidden INT-13s + ---------------------- + + The way I find best to find hidden INT-13s, is to use a + program called PC-WATCH (TRAP13 works well also). This pro- + gram traps the interrupts and will print where they were + called from. Once running this, you can just disassemble + around the address until you find code that look like it is + setting up the disk interrupt. + + An other way to decode the INT-13 is to use debug's [G]o + command. 
Just set a breakpoint at the address give by + PC-WATCH (both programs give the return address). Ie, -G + CS:000F (see code above). When debug stops, you will have + encoded not only the INT-13 but anything else leading up to + it. + + + What to do once you find INT-13 + ------------------------------- + + Once you find the INT-13, the hard part for the most part + is over. All that is left to do is to fool the computer in + to thinking the protection has been found. To find out what + the computer is looking for, examine the code right after the + INT-13. Look for any branches having to do with the + + 8 + CARRYFLAG or any CMP to the AH register. If a JNE or JC + (etc) occurs, then [U]nassembe the address listed with the + jump. If it is a CMP then just read on. + + Here you must decide if the program was looking for a pro- + tected track or just a normal track. If it has a CMP AH,0 + and it has read in a protected track, it can be assumed that + it was looking to see if the program had successfully com- + plete the READ/FORMAT of that track and that the disk had + been copied thus JMPing back to DOS (usually). If this is + the case, Just NOP the bytes for the CMP and the correspond- + ing JMP. + + If the program just checked for the carry flag to be set, + and it isn't, then the program usually assumes that the disk + has been copied. Examine the following code + + INT 13 <-- Read in the Sector + JC 1B00 <-- Protection found + INT 19 <-- Reboot + 1B00 (rest of program) + + The program carries out the INT and find an error (the il- + legally formatted sector) so the carry flag is set. The com- + puter, at the next instruction, see that the carry flag is + set and know that the protection has not been breached. In + this case, to fool the computer, just change the "JC 1B00" to + a "JMP 1B00" thus defeating the protection scheme. 
+ + NOTE: the PROTECTION ROUTINE might be found in more than just + 1 part of the program + + + Handling EXE files + ------------------ + + As we all know, Debug can read .EXE files but cannot write + them. To get around this, load and go about cracking the + program as usual. When the protection scheme has been found + and tested, record (use the debug [D]ump command) to save + & + - 10 bytes of the code around the INT 13. Exit back to dos + and rename the file to a .ZAP (any extension but .EXE will + do) and reloading with debug. Search the program for the 20+ + bytes surrounding the code and record the address found. + Then just load this section and edit it like normal. Save + the file and exit back to dos. Rename it back to the .EXE + file and it should be cracked. + + ***NOTE: Sometimes you have to play around with it for a + while to make it work. + + + + + + 9 + DISK I/O (INT-13) + ----------------- + This interrupt uses the AH resister to select the function + to be used. Here is a chart describing the interrupt. + + AH=0 Reset Disk + AH=1 Read the Status of the Disk + system in to AL + + AL Error + ---------------------------- + 00 - Successful + 01 - Bad command given to INT + *02 - Address mark not found + 03 - write attempted on write protected disk + *04 - request sector not found + 08 - DMA overrun + 09 - attempt to cross DMA boundary + *10 - bad CRC on disk read + 20 - controller has failed + 40 - seek operation failed + 80 - attachment failed + (* denotes most used in copy protection) + AH=2 Read Sectors + + input + DL = Drive number (0-3) + DH = Head number (0or1) + CH = Track number + CL = Sector number + AL = # of sectors to read + ES:BX = load address + output + AH =error number (see above) + [Carry Flag Set] + AL = # of sectors read + + AH=3 Write (params. as above) + AH=4 Verify (params. as above -ES:BX) + AH=5 Format (params. 
as above -CL,AL + ES:BX points to format + Table) + + ------------------------------------------------------------ + For more information on INT-13 refer to appendix A. + ------------------------------------------------------------ + + END. + + + + + + + + 10 + ------------------------------------------------------------- + In part II, Buck cover's Calls to INT-13 and INT-13 that are + located in different overlays of the program. This is a + method that is used often. + ------------------------------------------------------------- + + + Cracking Tutorial II. + + By: Buckaroo Banzai + Title: Cracking On the IBM PC Part II + + + Introduction + ------------ + + OK guys, you now passed out of Copy Class 101 (dos files) + and have this great new game with overlays. How do I crack + this one. You scanned the entire .EXE file for the CD 13 and + it's nowhere. Where can it be you ask yourself. + + In part II, I'll cover cracking Overlays and the use of + locksmith in cracking. If you haven't read part I, then I + suggest you do so. The 2 files go together. + + + Looking for Overlays + -------------------- + So, you cant find CD 13 in the .EXE file, well, it can mean + 4 things. + + 1: The .EXE (though it is mostly .COM) file is just a + loader for the main file. + + 2: The .EXE file loads in an overlay. + + 3: The CD 13 is encrypted &/or hidden in the .EXE file. + + 4: Your looking at the WRONG file. + + + I won't discuss case 1 (or at least no here) because so + many UNP files are devoted to PROLOCK and SOFTGUARD, if you + can't figure it out with them, your stupid. + + If you have case 3, use the technique in part I and restart + from the beginning. And if you have case 4, shoot your self. + + You know the program uses overlays but don't see and on + disk? Try looking at the disk with good old Norton's. Any + hidden files are probably the overlays. These are the ones + we are after. If you still can't find them, use PC-WATCH + (this program is a must!!! 
For all crackists. Traps ALL in- + terrupts). + + 11 + + Using PC-Watch to Find Overlays + ------------------------------- + Start up PC-Watch and EXCLUDE everything in the left Col.. + Search the right Col. until you find DOS21 - OpnFile and + select it. + + Now run the program to be cracked. + Play the game until the protection is checked. + Examine you PCWatch output to see what file was loaded + right before it. + This probably is the one holding the check. + If not, go through all the files. + + + You Have Found the Overlays + --------------------------- + Great, now just crack the overlay as if it was a DOS file. + You don't need to worry about .EXE file, debug can write an + overlay file. Part I explains the basics of cracking. I + suggest that you keep a backup copy of the overlay so if you + mess up, and you will, you can recover quickly. Ah, and you + thought cracking with overlays was going to be hard. + + + + Locksmith and Cracking + ---------------------- + + The copy/disk utility program Locksmith by AlphaLogic is a + great tool in cracking. It's analyzing ability is great for + determining what and where the protection is. + + I find it useful, before I even start cracking, to analyze + the protected disk to find and id it's protection. This + helps in 2 ways. First, it helps you to know what to do in + order to fake out the protection. Second, it helps you to + find what the program is looking for. + + I suggest that you get locksmith if you don't already have + it. Check your local pirate board for the program. I also + suggest getting PC-Watch and Norton Utilities 3.1.(Now 4.1) + All of these program have many uses in the cracking world. + + END. + + + + + + + + + + + 12 + Chapter II Example Cracks + + + + ------------------------------------------------------------- + OK, now let's put some of this information into practice by + examining a few cracks of some common programs. First we'll + look at a Crack for Mean-18 Golf by Accolade. 
Accolade has + been one of those companies that has a fervent belief in Copy + Protection. + ------------------------------------------------------------- + + + + + Title: MEAN-18 UnProtect For CGA/EGA Version + + + This crack works by eliminating the code that tests for known + bad sectors on the original diskette to see if it is the + genuine article or an illegal copy. The code begins with an + INT 13 (CD 13 HEX), a DOS BIOS disk service routine followed + a few bytes later by another INT 13 instruction. The program + then checks the returned value for the bit configuration that + signifies the bad sectors and, if all is as expected, contin- + ues on with program execution. + + The code that needs to be patched is in the GOLF.EXE file and + in the ARCH.EXE file. It is identical in both files and lies + near the end of each file. + + In the following steps, you'll locate the start of the test + code and patch it by replacing it with NOP instructions (HEX + 90). The method described uses the DOS DEBUG utility but + Norton's Utility (NU) works too. + + Copy all of the files from the MEAN-18 disk onto a fresh + floppy using the DOS COPY command and place your original + diskette out of harm's way. + + Assuming DEBUG is in the A: drive and the floppy containing + the files to be unlocked is in the B: drive , proceed as fol- + lows: + + First REName the GOLF.EXE file so it has a different + EXTension other than .EXE. + + REN GOLF.EXE GOLF.DEB + + + Next load the file GOLF.DEB into DEBUG and displays the "-" + DEBUG prompt. + + A:> DEBUG B:GOLF.EXE + + 13 + Search for the beginning of the code to be patched by typing: + + + - S CS:100 FFFF CD 13 + + Searches the file for the two byte INT 13 instruction. If + all goes well, two addresses should appear on the screen. + + XXXX:019C + XXXX:01A8 + + XXXX indicates that the numbers preceeding the ":" vary from + system to system but the numbers following the ":" are the + same on all systems. 
+ + The next step is to use the "U" command as indicated to + un-assemble a few bytes in order to verify your position in + the file) + + - U CS:019C + + (Un-assembles 32 bytes of code. Verify the following se- + quence of instructions: + + INT 13 + JB 01E9 + MOV AL,[BX+01FF] + PUSH AX + MOV AX,0201 + INT 13 + POP AX + JB 01E9 + CMP AL,F7 + JNZ 01B5 + + These are the instructions you'll be patching out in the fol- + lowing step) + + - A CS:019C + + This command assembles the new instructions you enter at the + keyboard into the addresses shown. Beginning at CS:019C, and + for the next 21 bytes, ending with and including CS:01B0, en- + ter the no op command "NOP" (90h) followed by a or + . Just hit at address XXXX:01B1 to end the + assemble command.) + + XXXX:019C NOP + XXXX:019D NOP + . + . + . + XXXX:01AE NOP + XXXX:01AF NOP + + 14 + XXXX:01B0 NOP + XXXX:01B1 + + This just wipes out the section of code containing the INT 13 + check. + + Now do a HEX dump and verify that bytes 019C through 01B0 + have been set to 90 HEX. + + - D CS:019C + + If they have, write the patched file to the disk as follows) + + - W + + This writes the patched file back to the + disk where it can be run by typing GOLF just as before but + now, it can be run from any drive, including the hard + drive) + + Now just [Q]uit or exit back to DOS. This command can be ex- + ecuted at any "-" DEBUG prompt if you get lost. No modifica- + tion will be made to the file on the disk until you issue the + "W" command. + + - Q + + The process is the same for the ARCH.EXE file but because it + is a different length, the segment address, (XXXX part of the + address), will be different. You should find the first INT + 13 instruction at address XXXX:019C and the second one at + XXXX:01A8 as before. + + You will again be patching 21 bytes and you will start with + 019C and end with 01B0 as before. 
After doing the HEX dump + starting at address 019C, you again write the file back to + the disk with a "W" command then "Q" uit. + + Norton's utilities can also be used to make this patch. Be- + gin by searcing the GOLF.EXE or ARCH.EXE files for the two + byte combination CD 13 (remember to enter these as HEX + bytes). Once located, change the 21 bytes, starting with the + first "CD" byte, to 90 (a NOP instruction). As a check that + you are in the right place, the byte sequence in both files + is CD 13 72 49 8A 87 FF 01 50 B8 01 02 CD 13 58 72 3C 3C F7 + 75 04. After modifying the bytes, write the modified file + back to the disk. It can then be run from any drive. + + END. + + + + + + + 15 + ------------------------------------------------------------ + That was the first the tutorial cracks, here's another crack + based on the same ideas but using Norton's Utilities instead. + The following is an unprotect method for Eypx Submarine. + Eypx is another one of those companies bent on protecting the + world. + ------------------------------------------------------------ + + + By: Assembler Magic + Title: EPYX Submarine Unprotect + + + You will only need to make one modification to the main + executable program of Submarine, SUB.EXE. I will assume that + your computer has a hard disk and that you have a path to + DOS. It's time to fire up DEBUG as follows: + + DEBUG SUB.EXE + + The computer should respond with a "-" prompt. Now look at + the registers, just to make sure everything came up okay. + Type the letter "R" immediately after the prompt. The com- + puter should respond with a few lines of info as follows: + + AX=0000 BX=0001 CX=6103 DX=0000 SP=0080 BP=0000 SI=0000 + DI=0000 DS=12CE ES=12CE SS=37B2 CS=27FC IP=0010 NV UP EI PL + NZ NA PO NC + 27FC:0010 8CC0 MOV AX,ES + - + + Note the value of CS is "27FC". That is the hexadecimal + segment address for the beginning of the program code in your + computer's memory. 
It is highly probable that the value you + see for CS will differ from mine. Whatever it is, write it + down. Also, the values you see for DS, ES and SS will almost + certainly differ from mine and should not cause you concern. + The other registers should show the same values mine do, and + the flags should start with the same values. + + Next, we will do a search for Interrupt 13's. These are + BIOS (not DOS) Interrupts built into the program which are + used to ensure that the original disk is being used to run + the program. The whole key to this unprotect scheme is to by- + pass these Interrupts in the program code. The tricky part + of this unprotect is to find them! They are not in the seg- + ment of program code starting at the value of CS equal to + "27FC". They are closer to the beginning of the program in + memory. Easy enough! Reset the value of CS to equal the + value of DS as follows; type immediately after Debug's "-" + prompt: + + RCS + + + 16 + Debug will prompt you for the new value of CS with: + + CS:27FC: + + You respond by typing the value of DS you saw when you + dumped the registers the first time. For example, I typed + "12CE". The value you type will be different. Debug + will again respond with the "-" prompt which means we are + ready to do our search. Type in the following after the "-" + prompt: + + S CS:0 FFFF CD 13 + + The computer should respond with three lines of information + which are the addresses of the three Interrupt 13 calls built + into the program. The first four digits are the segment ad- + dress and will equal to the value of CS you have just set. + The second four digits following the colon are the offset ad- + dresses which are of primary interest to us. On my machine + they came back as follows: + + 12CE:4307 + 12CE:431F + 12CE:4335 + + The segment addresses will be identical and the three off- + set addresses should all be relatively close together. Now + look at the first offset address. 
(As you can see, mine was + "4307".) Write it down. Now we do a bit of Unassembly. + + Type "U4307" which is the letter "U", followed immedi- + ately (with no blank spaces) by whatever your first offset + address turned out to be, followed by a carriage return. If + you are not familiar with unassembled machine code, it will + look like lines of gibberish as follows: + + 12CE:4307 CD13 INT 13 + 12CE:4309 4F DEC DI + 12CE:430A 744C JZ 4358 + . + . + 12CE:431F CD13 INT 13 + 12CE:4321 4F DEC DI + . + . + 12CE:4324 BF0400 MOV DI,0004 + 12CE:4326 B80102 MOV AX,0201 + + In my computer, Unassemble will automatically output 16 + lines of code to the screen. Yours may differ. Note, in the + abbreviated list I have shown above, the addresses at the be- + ginning of the two lines which contain the Interrupt 13's + (INT 13) correspond to the first two addresses we found in + our search. Now we continue the unassemble, and here comes + + 17 + another tricky part. Just type in "U" after the "-" + prompt. + + You'll get sixteen more lines of code with the third Inter- + rupt 13 on a line which begins with the address (CS):4335 if + you have the same version of Submarine as I do. It's not + terribly important to this exercise, but it will at + least show you that things are proceeding okay. Now type in + "U" again after the prompt. You are now looking for + three key lines of code. On my program they appear as fol- + lows: + + 12CE:4335 07 POP ES + 12CE:4356 5D POP BP + 12CE:4357 CB RETF + + The true key is the instruction "POP ES". This instruction + begins the normal return sequence after the program has ex- + ecuted its Interrupt 13 instructions and accompanying checks. + If Debug on your machine prints fewer than 16 lines of code + at a shot, you may have to type in "U" more than twice at the + "-" to find these instructions. (If you haven't found any of + this stuff, either get help on the use of Debug or go back to + using your diskette version!) 
Write down the offset address + of the "POP ES" instruction; the four digits following the + colon, which in my example is "4354". You're well on your + way now, so please persevere. + + The next step is to modify the program to JUMP around the + code which executes the Interrupt 13's and go immediately to + the instruction which begins the normal return sequence + (again, it's the "POP ES". Type in the following instruc- + tions carefully: + + A4307 + + This first bit tells Debug that new Assembler code will be + inserted at the address of the first Interrupt 13. If your + first Interrupt 13 is at an address other that "4307", use + the correct address, not mine. The computer will prompt you + with the address: + + 12CE:4307 + + After which you will immediately type: + + JMP 4354 + + This instruction jumps the program immediately to the normal + return code instructions. Again, at the risk of being redun- + dant, if your "POP ES" instruction is at a different address, + use that address, not "4354"! + + The computer will prompt you with the address of the next in- + + 18 + struction if all went well. MAKE SURE you just hit the + carriage return at this point. Debug will then return the + familiar "-" prompt. + + Now it's time to examine your handiwork. Let's do the + unassemble again starting at the address of what had been the + first Interrupt 13 instruction, but which is now the Jump in- + struction. Type in "U4307" or "U" followed by the appro- + priate address and a carriage return. The first line begin- + ning with the address should appear as follows: + + 12CE:4307 EB4B JMP 4354 + + The key here is the four bytes immediately following the ad- + dress. In my example they are "EB4B". Yours may not be. + But, they are VERY IMPORTANT because they represent the ac- + tual machine code which is the Jump instruction. WRITE THESE + FOUR BYTES DOWN AND MAKE SURE THEY ARE CORRECT. 
+ + Now if you want to have some fun before we go on, reset + register CS to its original value by first typing "RCS" + at the "-" prompt. Then type in the original value of CS + that I asked you to write down. Using my example, I typed + "27FC". Next, you will type "G" after the "-" prompt + which means GO! If all went well, SUB should run at this + point. At least it will if you put all of the Submarine + files onto the diskette or into the hard disk subdirectory + where youre working. If it didn't run, you may have made an + error. Check through what you have done. + + Don't give up at this point if it does not run. Your version + of Debug may simply have not tolerated our shenanigans. When + you are done playing, quit Submarine ("Alt-Q") and type a + "Q" after the Debug prompt "-" appears. + + Now comes the tough part. I can't walk you through this + phase in complete detail, because you may be using one of + several programs available to modify the contents of SUB.EXE. + Debug is not the way to go, because it can't write out .EXE + files, only .COM files. + + ------------------------------------------------------------- + Note: Another method of doing this is to REName the SUB.EXE + file so it has a different extension other than .EXE before + you enter DEBUG. That way after you've made the change you + can then [W]rite then changes out to the file right in DEBUG. + Then one drawback is that you can't run the program in DEBUG + once you've changed the name. + ------------------------------------------------------------- + + You have to get into your sector modification package (NORTON + works good) and work on the SUB.EXE file on your new diskette + or your hard disk. Remember, I warned you that doing this on + your hard disk is dangerous if you are not fully aware of + + 19 + what you are doing. So, IF YOU MESS UP, it's YOUR OWN FAULT! + + You are looking for the first occurrence of an Interrupt 13 + (the "CD 13") using the search facility in your program. 
If + you don't have the ability to search for the two-byte hexa- + decimal code "CD 13" directly, then you will have to manually + search. + + ------------------------------------------------------------- + Note: Norton 4.x now has a search utility. When you get to + the point of typing in the search text, just press the TAB + key, and you can type in the actual hexadecimal code "CD 13". + ------------------------------------------------------------- + + Start at the beginning of SUB.EXE and proceed. Again, you + want to find the first of the three (first from the beginning + of the program). + + I will give you a hint. I found it in NORTON at location + 4407 hexadecimal which is location 17,415 decimal in the + SUB.EXE program file. DOS standard sectors are 512 decimal + bytes. Replace the two bytes "CD 13" with the "EB 4B" or + whatever your Jump instruction turned out to be. Write or + save the modified file. + + That's ALL there is to modifying SUB.EXE. You can go ahead + and execute your program. If you have followed my instruc- + tions, it should run fine. Get help if it doesn't. Now, you + should be all set. You can load onto your hard disk, if you + haven't already. You can run it from a RAM disk using a BAT + file if you really want it to hum. Or, if you have the fa- + cilities, you can copy it from 5-1/4" floppy to 3-1/2" dis- + kette and run it on machines which accept that medium if you + upgrade to a new computer. + + END. + + + + + + + + + + + + + + + + + + + + 20 + ------------------------------------------------------------- + Now let's take a look at a newer crack on the program, Space + Station Oblivion by Eypx. At a first [S]earch with Debug and + Norton's Utility no CD 13's could be found, and yet it was + using them... So a different approach had to be taken... 
+ ------------------------------------------------------------- + + + By: PTL + Title: Space Station Oblivion Crack + + + First of all, you must determine which file the INT 13's are + in, in this case it had to be the file OBLIVION.EXE since it + was the main program and probably contained the INT 13's. So + then rename it to a different EXTension and load it into De- + bug. + + Then do a [S]earch for INT 13's. + + -S 100 FFFF CD 13 + + Which will promptly turned up nothing. Hmmm... + + Next you might decide that, maybe, the code was modifying it- + self. So quit from Debug and load up PC-Watch, include all + the INT 13 Calls. For those of you not familiar with + PC-Watch, it is a memory resident program that can be set to + look for any type of BIOS call. When that call is made + PC-Watch prints to the screen the contents of all the regis- + ters and the current memory location that the call was made + from. + + After PC-Watch is initialized, then run the OBLIVION.EXE file + from the hard disk, leaving the floppy drive door open, and + sure enough, when the red light comes on in the diskette + drive, PC-Watch will report the address's of some INT 13 + calls. Which you should then write down. + + From there, quit the game, reboot, (To dump PC-Watch from + memory) and load the OBLIVION.EXE into Debug and issue a [G]o + command with a breakpoint. What address should you use for a + breakpoint? You guessed it, the same address PC-Watch gives + you. + + Well, it locked up did'nt it? Which is quite common in this + line of work so don't let that discourage you. So next re- + loaded it into debug and this time [U]nassemble the address + that you got from PC-Watch. But instead of finding the INT + 13's you'll find harmless INT 21's. + + Hmm... could it be that the program was converting the CD + 21's to CD 13's during the run? Well, to test the idea as- + semble an INT 20 (Program Terminate) right after the first + + 21 + INT 21. 
Then I run the program, and yes immediately after the + red light comes on the drive, the program will terminate nor- + mally. + + Then [U]nassemble that same area of memory, and low and be- + hold, some of the INT 21's have magically turned into INT + 13's. How clever... + + So, then it is just a matter of locating the address of the + routine that it jumped (JMP) to if the correct disk was found + in drive A:. Once you have that address, just go to the + start of all this nonsense and [A]ssemble a JMP XXXX command. + Where XXXX was the address to jump to if the original disk + was in drive A:. + + Then just [W]rite the file back out to the disk and [Q]uit + debug, and then REName the file back to OBLIVION.EXE + afterwhich it should work fine. + + + END. + + 22 + Chapter III Removing Doc Check Questions + + + ------------------------------------------------------------- + A new fad has recently started up with software vendors, it + involves the use of "Passwords" which are either stored in + the documentation or are actually the documentation itself. + Then when you reach a certain part of the program (Usually + the beginning) the program will ask for the password and you + have to look it up in the Docs before being allowed to con- + tinue. If the wrong password is entered, it will usually + drop you to DOS or take you to a Demo version of the program. + + This new form of copy protection is very annoying, but can + usually be cracked without too much effort, and the files + and the disk are usually in the standard DOS format. So now + we'll take a look at cracking the Doc check questions. + + First of all we'll crack the startup questions in F-15 + Strike Eagle by MicroProse. + ------------------------------------------------------------- + + + By: JP ASP + Title: F-15 Unprotect + + + + Make a copy of the original disk using the DOS DISKCOPY pro- + gram. + + >DISKCOPY A: B: + + Then insert the copy disk in the A drive and invoke DOS DE- + BUG. 
+ + >DEBUG + + Now we'll [F]ill an area of memory with nothing (00). + + -F CS:100 L FEFF 0 + + Next we will [L]oad into address CS:0100 the data that is on + the A: disk (0) from sector 0 to sector 80. + + -l cs:100 0 0 80 + + Now lets [S]earch the data we loaded for the area where the + copy protection routine is. + + -s cs:100 l feff FA EB FD + + Then for each of the occurences listed, use the address DEBUG + returned in the [E]nter command below. + + 23 + + -e xxxx 90 90 90 + + ------------------------------------------------------------- + Here's the part we are interested in, it's where you change + all the autorization codes to a space. Notice how you can + use the [S]earch command to look for ASCII text. + ------------------------------------------------------------- + + -s cs:100 l feff "CHIP" + + Then for each occurance of "CHIP" use the address DEBUG re- + turned in the [F]ill command below. + + -F XXXX L F 20 + + Write out the modified data + + -W CS:100 1 0 80 + + Quit DEBUG + + -Q + + + You should now be able to DISKCOPY and boot from all copies + also just press the space bar when it ask for ANY authority + code and then press "ENTER". Now there is no need to remember + (or look up) any codes that are so finely tucked away in the + manual! + + END. + + + + + + + + + + + + + + + + + + + + + + + + 24 + ------------------------------------------------------------- + Here is a similar method that was used break the passwords in + the program BATTLEHAWKS 1945 by Lucasfilms. However Norton + Utilities is used to search for the passwords and change + them. + ------------------------------------------------------------- + + By: PTL + Title: BATTLEHAWKS-1945 Doc Check Crack + + + In keeping in line with their previous programs, Lucasfilms + has released yet another program which uses Doc Checks for + its means of copy protection, Battlehawks 1942. 
+ + When you run this program, it first goes through a series of + graphic displays, then it goes through a series of questions, + asking what type of mission you want to fly, such as Train- + ing, Active Duty, or which side of the war you want to be on. + + Then right before the simulation begins, it shows you a pic- + ture of a Japanese Zero and ask you for a password which you + + are then supposed to get by looking up the picture of the + Zero in the User Manual and typing the corresponding password + in. After which it enters the simulation, in the event you + enter the wrong password, it puts you into a training mis- + sion. + + Removing the Doc Check in a program like this is usually + pretty easy. The ideal way to do it is to remove the Doc + Check routine itself, but if you don't have all day to debug + and trace around the code this might not be the best way. + For instance if you only have your lunch hour to work on it + (Like I did), then you need to use the standard Q.D.C.R.S. + (Quick Doc Check Removal System). + + How do you do a QDCRS? Well first of all, play around with + the program, find out what it will and will NOT accept as a + password. Most programs will accept anything, but a few + (Like Battlehawks) will only accept Alpha characters. + + Once you've learned what it likes, make an educated guess as + to what program the Doc Check routine is in. Then load that + program into Norton's Utility (NU). + + At this point, take a look at the passwords, and write down + the most unusual one that you can find (I'll explain later). + Now type that password in as the search string, and let NU + search through the file until it finds the password. Now a + couple of things can happen. + + 1. It only finds one occurrence + 2. It finds more than one occurrence + 3. It doesn't find any occurrence + + In the event of case 2 then YOU have to determine where the + passwords are stored, you can do this by opening your eyes + and looking. 
+ + In the event of case 3, go to the kitchen and start a pot of + coffee, then tell you wife to go to bed without you, because + you have a "Special Project" that you have to finish tonight. + And by the way, Good Luck. You'll need it. + + Hopefully case 1 will occur, now you have to take a look at + the data and ask yourself 2 questions: + + 1. Are all the passwords the same length? + 2. Is there a set number of spaces between each pass- + word? + 3. Does the next password always start a certain number + of characters from the first character of the previ- + ous password? + + If you can answer yes to any of the above questions, you in + luck. All you have to do is change the passwords to spaces + + (If the program allows that, Battlehawks doesn't) or change + them to you favorite character. The letter X works good, it's + easy to type and easy to remember. + + If you can't answer yes to any of the questions then you ei- + ther need to bypass the Doc Check routine itself or you need + to be adventurous and experiment. Battlehawks will not follow + any of the above patterns, and your quickly running out of + time, so you'll have to try something, fast... + + So just wiped out all of the data area with X's, all the + passwords and associated "garbage" between them. Then saved + the changes and drop out of NU and into BH. Then when it ask + for the password, just filed the area with X's. Next thing + you know, you'll be escorting a bombing run on a Japanese + carrier. + + So, this one turned out to be fairly simple. Where you may + run into trouble is on Doc Checks that use a graphic system, + such as Gunship by MicroProse. When it comes to this type of + Doc Check, you almost have to bypass the routine itself. And + again, a good way to do this is with setting break points and + using the trace option in Debug. + + END. 
+ + + + + + + + 25 + + ------------------------------------------------------------- + That was the easy version Doc Check crack, however there a + "Better" way to crack Doc Checks, is to bypass the routine + completely so the user can just press enter and not worry + about spaces. Let's take a lot at this method by looking at + a crack for the program, Yeager's Advanced Flight Trainer, by + Electronic Arts. + ------------------------------------------------------------- + + + By: PTL + Title: Yeager's Advanced Flight Trainer + + + + + + + + + + + + + + + + + 26 + Chapter 5 Cracking Self Booters + + + + ------------------------------------------------------------- + Now we'll take a look at cracking self booters. A few compa- + nies have found this to be the best copy protection scheme + for them, one of which is DataEast, makers of Ikari Warriors, + Victory Road, Lock-On, Karnov, etc... This posses a special + problem to the Amateur Cracker, since they seldom use stan- + dard DOS formats. So let's jump right in! + ------------------------------------------------------------- + + + This is the area where a "Higher than Normal" knowledge of + Assembly Language and DOS Diskette structures, so first of + all, the Basic's. + + + The Disk's Physical Structure + + Data is recorded on a disk in a series of concentric circles, + called Tracks. Each track if further divided into segments, + called Sectors. The standard double-density drives can + record 40 tracks of data, while the new quad-density drives + can record 80 tracks. + + However, the location, size, and number of the sectors within + a track are under software control. This is why the PC's + diskettes are known as soft-sectored. The characteristics of + a diskette's sectors (Their size, and the number per track) + are set when each track is formatted. Disk Formatting can be + done either by the operating system or by the ROM-BIOS format + service. 
A lot of self booters and almost all forms of copy + protection create unusual formats via the ROM-BIOS diskette + services. + + The 5 1/4-inch diskettes supported by the standard PC BIOS + may have sectors that are 128,256,512, or 1,024 bytes in + size. DOS, from versions 1.00 through 4.01 has consistently + used sectors of 512 bytes, and it is quite possible that this + will continue. + + Here is a table displaying 6 of the most common disk formats: + _____________________________________________________________ + + Type Sides Sectors Tracks Size(bytes) + _____________________________________________________________ + + S-8 1 8 40 160K + D-8 2 8 40 320K + S-9 1 9 40 180K + D-9 2 9 40 360K + QD-9 2 9 80 720K + QD-15 2 15 80 1,200K + _____________________________________________________________ + + + + S - Single Density + D - Double Density + QD - Quad Density + + Of all these basic formats, only two are in widespread use: + S-8 and D-9. The newer Quad Density formats are for the 3 + 1/2" and 5 1/4" high density diskettes. + + + The Disk's Logical Structure + + So, as we have already mentioned, the 5 1/4-inch diskette + formats have 40 tracks, numbered from 0 (the outside track) + through 39 (the inside track, closest to the center). On a + double sided diskette, the two sides are numbered 0 and 1 + (the two recording heads of a double-sided disk drive are + also numbered 0 and 1). + + The BIOS locates the sectors on a disk by a three-dimensional + coordinate composed of a track number (also referred to as + the cylinder number), a side number (also called the head + number), and a sector number. DOS, on the other hand, lo- + cates information by sector number, and numbers the sectors + sequentially from the outside to inside. + + We can refer to particular sectors either by their + three-dimensional coordinates or by their sequential order. + All ROM-BIOS operations use the three-dimensional coordinates + to locate a sector. 
All DOS operations and tools such as DE- + BUG use the DOS sequential notation. + + The BASIC formula that converts the three-dimensional coordi- + nates used by the ROM-BIOS to the sequential sector numbers + used by DOS is as follows: + + DOS.SECTOR.NUMBER = (BIOS.SECTOR - 1) + DIOS.SIDE + * SECTORS.PER.SIDE + BIOS.TRACK * SECTORS.PER.SIDE + * SIDES.PER.DISK + + And here are the formulas for converting sequential sector + numbers to three-dimensional coordinates: + + BIOS.SECTOR = 1 + DOS.SECTOR.NUMBER MOD SECTORS.PER.SIDE + BIOS.SIDE = (DOS.SECTOR.NUMBER \ SECTORS.PER.SIDE) + MOD SIDE.PER.DISK + BIOS.TRACK = DOS.SECTOR.NUMBER \ (SECTORS.PER.SIDE + * SIDES.PER.DISK) + + (Note: For double-sided nine-sector diskettes, the PC's + most common disk format, the value of SECTORS.PER.SIDE + is 9 and the value of SIDES.PER.DISK is 2. Also note + that sides and tracks are numbered differently in the + ROM-BIOS numbering system: The sides and tracks are num- + bered from 0, but the sectors are numbered from 1.) + + Diskette Space Allocation + + The formatting process divides the sectors on a disk into + four sections, for four different uses. The sections, in the + order they are stored, are the boot record, the file alloca- + tion table (FAT), the directory, and the data space. The + size of each section varies between formats, but the struc- + ture and the order of the sections don't vary. + + The Boot Record: + + This section is always a single sector located at sector + 1 of track 0, side 0. The boot record contains, among other + things, a short program to start the process of loading the + operating system on it. All diskettes have the boot record + on them even if they don't have the operating system. Asisde + from the start-up program, the exact contents of the boot + record vary from format to format. + + The File Allocation Table: + + The FAT follows the boot record, usually starting at + sector 2 of track 0, side 0. 
The FAT contains the official + record of the disk's format and maps out the location of the + sectors used by the disk files. DOS uses the FAT to keep a + record of the data-space usage. Each entry in the table con- + tains a specific code to indicate what space is being used, + what space is available, and what space is unusable (Due to + defects on the disk). + + The File Directory: + + The file directory is the next item on the disk. It is + used as a table of contents, identifying each file on the + disk with a directory entry that contains several pieces of + information, including the file's name and size. One part of + the entry is a number that points to the first group of sec- + tors used by the file (this number is also the first entry + for this file in the FAT). + + The Data Space: + + Occupies the bulk of the diskette (from the directory + through the last sector), is used to store data, while the + other three sections are used to support the data space. + Sectors in the data space are allocated to files on an + as-needed basis, in units known as clusters. The clusters + are one sector long and on double-sided diskettes, they are a + pair of adjacent sectors. + + + + (From here on I'll continue to describe the basics of DOS + disk structures, and assembly language addressing technics. + + + ------------------------------------------------------------- + Here is a simple routine to just make a backup copy of the + Flight Simulator Version 1.0 by Microsoft. I know the latest + version is 3.x but this version will serve the purpose of + demonstrating how to access the data and program files of a + selfbooter. + ------------------------------------------------------------- + + + By: PTL + Title: Microsoft Flight Simulator 1.00 Unprotect + + + This procedure will NOT convert the Flight Simulator disk to + files that can be loaded on a hard drive. But... it will + read off the data from the original and put it onto another + floppy. 
And this should give you an idea of how to read data + directly from a disk and write it back out to another disk. + + First of all take UNFORMATTED disk and place it in drive B:. + This will be the target disk. + + Now place your DOS disk (which has Debug) into drive A:, or + just load Debug off you hard disk. + + A>DEBUG + + Then we are going to enter (manually) a little program to + load the FS files off the disk. + + -E CS:0000 B9 01 00 BA 01 00 BB 00 + 01 0E 07 06 1F 88 E8 53 + 5F AA 83 C7 03 81 FF 1C + 01 76 F6 B8 08 05 CD 13 + 73 01 90 FE C5 80 FD 0C + 76 E1 90 CD 20 + + -E CS:0100 00 00 01 02 00 00 02 02 00 00 03 02 + 00 00 04 02 00 00 05 02 00 00 06 02 + 00 00 07 02 00 00 08 02 + + Next we'll [R]eset the IP Register by typing. + + -R IP + + And then typing four zeros after the address prefix. + + xxxx:0000 + + Next insert the original Flight Simulator disk into drive A: + and we'll run our little loader. + + -G =CS:0000 CS:22 CS:2A + + Now enter a new address to load from. + + -E CS:02 0E + -E CS:27 19 + + And run the Loader again. + + -G =CS:0000 CS:22 CS:2A + + New address + + -E CS:02 27 + -E CS:27 27 + + Run Loader + + -G =CS:0000 CS:22 CS:2A + + Here we'll do some [L]oading directly from the disk our- + selves. + + -L DS:0000 0 0 40 + + And the in turn, write it back out to the B: (1) drive + + -W DS:0000 1 0 40 + + Etc... + + -L DS:0000 0 40 28 + -W DS:0000 1 70 30 + -L DS:0000 0 A0 30 + -W DS:0000 1 A0 30 + -L DS:0000 0 138 8 + -W DS:0000 1 138 8 + + When we are all through, [Q]uit from debug and you should + have a backup copy of the Flight Simulator. + + -Q + + And that's all there is to it. + + END. + diff --git a/textfiles.com/piracy/CRACKING/cracklog.txt b/textfiles.com/piracy/CRACKING/cracklog.txt new file mode 100644 index 00000000..bec9302e --- /dev/null +++ b/textfiles.com/piracy/CRACKING/cracklog.txt 
@@ -0,0 +1,136 @@ +PROG: InfoSpy v2.61 +TYPE: 16-bit +PROT: Name/Reg +CHECK: 240F:06EC JZ +HEX: + +1. Let's find the protection + a. BPX GetDlgItemText ; set our breakpoint in SoftICE + b. Run InfoSpy ; and enter some registration info + 1) help, use registration key + 2) enter your first name, last name, and any reg number + 3) click ok + c. ICE pops + 1) F11 ; step out of the function + 2) F10, F10, F10,... ; walk thru the code + d. Gets first string, runs thru loop to calculate reg code + e. Gets second string, runs thru loop to calculate reg code + f. After stepping thru the loops I found the final compare at 240F:06EC + (your memory segment may be differnt; it's the JZ 06F1) + g. Keep stepping thru and it'll beep and display invalid reg code +2. Since we now know the final compare (JZ) is at 240F:06EC + a. BC 0 ; clear the original breakpoint + b. BPX 240F:06EC ; set a new breakpoint before the compare + c. Run InfoSpy, enter your first name, last name, and any reg number, ok + d. ICE pops + e. R FL Z ; toggle zero flag + f. F10, F10, F10,... ; continue running + g. Or just Ctrl-D a few times to get back to the program +3. Thank you for registering! +4. Key is written to \windir\infospy.ini + [InfoSpy] + RegStat=DLBGJ4320 +5. Happy cracking! + +PROG: Win-eXpose Registry v1.0 +TYPE: 32-bit +PROT: Name/Reg +CHECK: 0137:004024F9 JZ +HEX: 0F84CF, replace with E9D000 + +1. Use same approach as InfoSpy... +2. Final compare is at 0137:004024F9 +3. BPX 0137:004024F9 +4. R FL Z ; toggle zero flag +5. Thank you for registering! +6. Stepping thru the program, found real password: + First, Lst name: dr + Company name: LAN + Address line #1: 1 + Address line #2: 1 + Serial Number: 1 + Password: f422c070 + +PROG: Win-eXpose I/O v2.0 +TYPE: 32-bit +PROT: Name/Reg +CHECK: 0137:004061D9 JZ +HEX: 0F84CF, replace with E9D000 + +1. Use same approach as Win-eXpose Registry... +2. Final compare is at 0137:004061D9 +3. BPX 0137:004061D9 +4. R FL Z ; toggle zero flag +5. 
Thank you for registering! +6. Stepping thru the program, found real password: + First, Last name: dr + Company name: LAN + Address line #1: 1 + Address line #2: 1 + Serial Number: 1 + Password: f422c070 + +PROG: StartClean v1.2 +TYPE: 32-bit +PROT: Name/Reg +CHECK: BPX lstrcmpA +HEX: + +From Qapla's Cracking Tutorial... + +BPX lstrcmpA ; in sICE + +Enter name and a bogus registration number and click ok. +I entered drLAN, 12345. + +. +. +. +PUSH EAX ; push your code on the stack +PUSH 406030 ; push the right code on the stack +CALL [KERNEL32!lstrcmp] ; compare them +TEST EAX,EAX ; test results of string compare and set Zero flag +JNZ 00401271 ; 1 = bad boy; not reg'd, 0 = good boy; reg'd +. +. +. + +d 406030 ; here's the right code + +972-8766-1717-341 + +PROG: WizCat Pro v4.2 +TYPE: +PROT: Name/Reg +CHECK: 2F97:CED9 JZ +HEX: + +2F97:CED9 3C01 CMP AL,01 ; holy flag +2F97:CEDB 7403 JZ CEE0 ; 0=good guy; reg'd +2F97:CEDD E9DD00 JMP CDBD ; <>0=bad guy; beggar off + +A good, clean crack would be: + +MOV AL,01 +JMP CEE0 + +However, the program does some internal checking and won't run if modified. +So, all we can do is find the correct reg code and then use it. + +I entered drLAN, 006969. Then searched for my reg code and set BPR's on +the ranges. + +s 0 l ffffffff '006969'. Should find the entered code in memory. +BPR ssss:oooo SSSS:OOOO RW. Where ssss:oooo is segment:offset of starting +address where string resides. SSSS:OOOO is ending address (last byte of the +string). + +I eventually found my reg code somewhere that BX pointed to. It showed up +as one big ugly number, and then a little earlier in memory in the correct +format: 42041-7420. + +So to register, use: + +drLAN +42041-7420 + diff --git a/textfiles.com/piracy/CRACKING/crackman.txt b/textfiles.com/piracy/CRACKING/crackman.txt new file mode 100644 index 00000000..a07ea819 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/crackman.txt 
@@ -0,0 +1,2266 @@ + + The Cracking Manual + + Written By The Cyborg - April 3, 1992 + + + + + + + + Disclaimer + The author of this text shall hold no liability for special, + incidental, or consequential damages arising out of or + resulting from the use/misuse of the information in this + file. + + + + + + + + + The Cracking Manual + + + + INTRODUCTION + + Introduction + ------------ + Welcome to the wonderful world of cracking. What is + cracking? If you don't know and you're reading this, ask + yourself why? Anyway, cracking is the art of removing copy + protected coding from programs. Why do this? In recent + years, software companies have been fighting to keep copy + protection in their software to avoid their work to be + illegally copied. Users feel that such copy protection is + ridiculous in that it violate their own rights to make + backups of their sometimes expensive investments. + Whichever side you may favor, this manual will go into + some detail on removing copy protection from programs. If + you feel offended by this, then I would suggest you stop + here. Please note, I do not endorse cracking for the illegal + copying of software. Please take into consideration the hard + work and effort of many programmers to make the software. + Illegal copying would only increase prices on software for + all people. Use this manual with discretion as I place into + your trust and judgement with the following knowledge. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 1 + + + + + + The Cracking Manual + + + + WHAT YOU WILL NEED + + What You Will Need + ------------------ + Like all programming, cracking is the debugging stage of + software development. It is the most tedious and hectic part + of programming as you shall see. However, unlike software + development, you are given no source code, only the machine + level code commonly called machine language. Cracking + demands patience. No patience, no cracking. 
+ Before we begin, you will need certain tools. These + include: + + - A decent computer. By this, I mean at minimum a 286 + computer with 2 or more megs of RAM. A 386 is the + ideal since it can load a debugger into usable memory. + - A source level debugger (eg. Turbo Debugger) + - A low level debugger (eg. DEBUG) + - An assembler system (eg. MASM, LINK, EXE2BIN) + - A hex dumping program (eg. Norton Utilities) + + The source level debugger is what you will try to be using + most of the time. It provides many features that are a + convenience to the cracker, such as interrupt redirection. + Become comfortable with its features. However, in some + instances, the source level debugger may not be suitable for + cracking huge games since the debugger itself may take up too + much memory. In such a case, a low level debugger must be + used since their memory usage may be considered negligible. + This manual will focus on its use. + The assembler package will be used in the creation of + the famed loaders, which provide the cracker with dynamic + memory alterations without changing the original program. + + + + + + + + + + + + + + + + + + + + + + + + Page 2 + + + + + + The Cracking Manual + + + + CRASH COURSE IN ASSEMBLY LANGUAGE + + Crash Course in Assembly Language + --------------------------------- + If you are already well familiar with the assembly + language, you may wish to skip this section. Cracking + demands the knowledge of assembly language. If you wish to + become a "serious" cracker, you might like to read up more + about this fascinating language. This section will only give + you enough info for intermediate level cracking. + At this point, you should familiarize yourself with + DEBUG and its commands as we will be using them shortly. + + Registers + --------- + One of the neato things that you will be fooling around + most often with are called the registers. Registers are like + variables (such as in BASIC) that are located within the CPU + itself. 
These registers may hold a positive integer from 0 + to 255 or from 0 to 65535. They can also hold negative + integers from -128 to 127 or from -32768 to 32767. The + registers are given names as follows: + + AX => accumulator - this register is most commonly used + for mathematical or I/O operations + BX => base - this register is used commonly as a base or + a pointer register (we'll talk more about this + later) + CX => count - used commonly for counting instructions + such as loops + DX => displacement - much like the base register + + The registers stated above are considered general purpose + registers, since they can basically be used to store whatever + the user wants. Let's try putting some number in these + registers. Type in "R {enter}". You should see a bunch of + info, of which are four of the above mentioned registers. + Now, type in "RAX {enter}". Then type in a number like + 8FABh. Type in "R" again and noticed how the accumulator + (AX) has change its number. + These general purpose registers can also be "split" in + half into its higher and lower order components. Instead of + having one register AX, you can have two registers, AH and + AL. Note however that while you have a range of 0 to FFFFh + for AX, you will now have a range of 0 to FF for AH and AL. + You cannot change these directly in debug, but be aware that + programs will use it. If AX contains 0A4Ch, then AH will + contain 0Ah and AL will contain 4Ch. + The following are called the segment registers: + + CS => code segment - the block of memory where the code + (instructions are located) + DS => data segment - the block of memory where data can + be accessed. In block move operations in which + + + Page 3 + + + + + + The Cracking Manual + + + + huge blocks of memory are moved, this is commonly + the segment in which the CPU reads from. + ES => extra segment - also another data segment. 
In + block move operations in which huge blocks of + memory are moved, this is commonly the segment in + which the CPU writes to. + SS => stack segment - this is the block of memory in + which the CPU uses to store return addresses from + subroutines. (more on this later) + + In introductory level of cracking, we don't mess around with + these registers. Later, we will see how we can use these to + trick a program into thinking other things, but that's later. + You can also change these registers in debug. Type in "RCS + {enter}". Then enter "0 {enter}" and notice how the CS + register changed. + There are other registers that we use to see what the + program is doing. These registers can also be change in + debug. Included are the following: + + SI => source index - this register is used in + conjunction with block move instructions. This is + a pointer within a segment (usually DS) that is + read from by the CPU. + DI => destination index - this register is also used in + conjunction with block move instructions. This is + a pointer within a segment (usually ES) that is + written to by the CPU. + BP => base pointer - a pointer used commonly with the + stack segment + SP => stack pointer - another pointer used commonly with + the stack segment (this one, you don't touch) + + By now, you may probably be confused about this + segment/pointer bit. Here is an analogy that my straighten + things out. + Pretend you are in kindergarden learning to read. There + are four black boards surrounding the room. These black + boards are like SEGMENTS. Let's pretend the front blackboard + is the code segment (CS). The teacher has written some + instructions on pronunciation rules. This is what the + students refer to when they try to pronounce words. In a + program, this is what the CPU refers to when it follows + directions. + Okay, now the teacher has gone to the blackboard on the + left of the classroom. We will call this board the data + segment (DS). 
The teacher has also written a set of words on + the board. Then she uses a wooden stick or a POINTER to + point to a word. Let's pretend this stick is the source + index (SI). She points to the word "their". Now, the + students look at the front blackboard (CS) to see how to + pronounce the word and they say "their". + Now, the instructor wants the students to learn how to + write. She points the stick to the word "apple". The + + + Page 4 + + + + + + The Cracking Manual + + + + students pronounce the word. Then she goes to the blackboard + on the right. We shall call this one the extra segment (ES). + She then uses her finger as a different POINTER and points to + a location on the board where Mary Jane will write "apple". + That's basically what segments and pointers are. + Segments are the blackboards and pointers are the teacher's + stick (we're not talking sexually here) or finger. + One last important register is the flags register. + These registers control how certain instruction work, such as + the conditional jumps (in BASIC, they are like IF-THEN's). + They are stored as bits (0's or 1's) in the flags register. + We will most often use: + + zero => ZR/NZ (zero/not zero) - tells you whether an + instruction (such as subtraction) yielded a zero + as an answer + sign => NG/PL (negative/positive) - tells you whether an + instruction yielded a positive or negative + number + carry => CY/NC (carry/no carry) - tells you whether an + instruction needed to carry a bit (like in + addition, you carry a number over to the next + digit). Various system (BIOS) functions use + this flag to denote an error. + direction => DN/UP (decrement/increment) - tells a block + instruction to either move forward or backwards + in reads and writes + + Try changing some of these bits. Type in "RF {enter}". Then + type in "DN {enter}" to change the direction flag to its + decrement position. 
+ + The Instructions + ---------------- + + MOV - move + ---------- + Now we get to the actual instructions or commands that + the CPU will use. The first instruction you will see most + often is the move instruction. Its form is + MOV {destination},{source}. Let's try programming now. Exit + (q) and reenter debug again. Now, type in "A {enter}". You + will see a bunch of number to the left. You can think of + these as line numbers. Now type in "MOV AX,7A7A {enter}". + Then type "MOV DX,AX" and so on until your program looks + similar to the one below: (type "U 100" to see) + + xxxx:0100 B8A77A MOV AX,7AA7 + xxxx:0103 89C2 MOV DX,AX + xxxx:0105 B90000 MOV CX,0000 + xxxx:0108 88D1 MOV CL,DL + xxxx:010A 890E0005 MOV [0500],CX + xxxx:010E 8B160005 MOV DX,[0500] + xxxx:0112 BB0200 MOV BX,0002 + + + Page 5 + + + + + + The Cracking Manual + + + + xxxx:0115 26A30005 MOV ES:[0500],AX + + Press enter again until you see the "-" prompt again. You + are ready to run your first program. Type "R {enter}" and + note the values of the general purpose registers. Then type + in "T {enter}". Debug will automatically display the + registers after the execution of the instruction. What is in + the AX register? It should be 7AA7h. Now, "T" again. What + is in the DX register? It should also be 7AA7h. Trace again + using "T" and note that CX should be 0 if it was not already. + Trace again and note what is in the CX register. It should + be 00A7h. Now trace another step. What is this instruction + doing? It is now moving the contents of CX into memory + location 500h in the data segment (DS). Dump the memory by + typing in "D 500". The first two two-digit numbers should be + the same as in the CX register. But wait a minute you say. + They are not the same. They are backwards. Instead of + 00A7h, it is A700h. This is important. The CPU stores 16 + bit numbers in memory backwards to allow for faster access. + For 8 bit numbers, it is the same. Now, continue tracing. 
+ This instruction is moving the memory contents of address + 500h into the DX register. DX should be 00A7h, the same as + CX regardless of how it looked in memory. The next trace + should be nothing new. The next trace again moves the + contents of a register into memory. But notice it is using + the BX register as a displacement. That means it adds the + contents of BX and 500h to get the address, which turns out + to be 502h. But also not the "ES:" in front of the address. + This additional statement tells the CPU to use the extra + segment (ES) rather than the data segment (DS which is the + default). Now dump address 502h by entering "D ES:502" and + you should see A77Ah, which is backwards from 7AA7h. + + CMP/J? - compare/conditional jump + --------------------------------- + Another instruction you will see quite often is the CMP + or compare instruction. This instruction compares the two + "variables" and changes the flags register accordingly. The + source and destination operands are the same as those for the + move instruction. + Let's consider an example in which the AX register holds + 21 and the BX register holds 22. Then "CMP AX,BX" is + performed. The compare instruction is like a subtraction + instruction, but it doesn't change the contents of the AX + register. So, when 22 is subtracted from 21, the answer will + be -1, but we will never see the answer, only the flags which + have resulted from the operation. Number 21 is less than 22, + so the carry flag and the sign flag should be set. Just + remember that when the carry flag is set, the first number is + less than the second number. The same is true for the sign + flag. Why have two flags if they tell us the same thing? + This is more complicated and you should not concern yourself + with it. It requires knowledge of hexadecimal arithmetic, + the denotation of signed and unsigned integers. 
+ + + Page 6 + + + + + + The Cracking Manual + + + + So, now that we have done the compare instruction, there + will most likely be a conditional jump instruction after. If + we wanted to jump if AX is less than BX (which it is), then + there would be an instruction like "JB 200". This + instruction says Jump if Below to instruction 200h. What + about if we wanted to jump if AX is greater than BX. Then we + might have "JA 200". This is read Jump if Above to + instruction 200. What about AX equal to BX. We would then + have "JZ 200" or "JE 200". (Please note that the previous + instructions are synonymous.) This is read Jump if Equal to + instruction 200h. Here are the jumps you will most likely + encounter: + + Mnemonic Flag(s) Checked Description + ------------------------------------------------------------- + JB/JNAE CF=1 Jump if below/not above or + equal (unsigned) + JAE/JNB CF=0 Jump if above or equal/not + above (unsigned) + JBE/JNA CF=1 or ZF=1 Jump if below or equal/not + above (unsigned) + JE/JZ ZF=1 Jump if equal/zero + JNE/JNZ ZF=0 Jump if not equal/not zero + JL/JNGE SF not equal Jump if less/not greater or + to OF equal (signed) + JGE/JNL SF=OF Jump if greater or equal/not + less (signed) + JLE/JNG ZF=1 or SF Jump is less or equal/not + not equal OF greater (signed) + JG/JNLE ZF=0 or SF=OF Jump if greater/not less or + equal (signed) + JS SF=1 Jump if sign + JNS SF=0 Jump if no sign + JC CF=1 Jump if carry + JNC CF=0 Jump if no carry + JO OF=1 Jump if overflow + JNO OF=0 Jump if not overflow + JP/JPE PF=1 Jump if parity/parity even + JNP/JPO PF=0 Jump if no parity/parity odd + + There are all the possible combinations of conditional jumps + that you will encounter. I realize that we have not + discussed some of the flags such as overflow or parity, but + be aware that they exist and programs sometimes use them. + + JMP - jump + ---------- + This instruction does what it suggests. It jumps too + different sections of code. 
Several forms of the jump + instruction include: + + 2E0B:0208 EBF6 JMP 0200 + 2E0B:020A 3EFF24 JMP DWORD PTR DS:[SI] + + + + Page 7 + + + + + + The Cracking Manual + + + + The first instruction jumps to an address within the segment. + The latter instruction jumps to an address pointed to by ds: + si. The DWORD says that this will be a far jump, a jump to a + different segment (a different blackboard). So, if the + double word that is pointed to by ds:si contains 1000:0040h, + then, the instruction will jump to 1000:0040h whereas the + previous jump instruction will jump within the current + segment (or blackboard). + + CALL - procedural transfer + -------------------------- + This instruction is the baby that you will be carefully + watching out for most often. This instruction calls another + procedure and upon it's completion, will return to calling + address. For example, consider the following block of code: + + 2E0B:1002 E8BB46 CALL 56C0 + 2E0B:1005 7209 JB 1010 + 2E0B:1007 0C00 OR AL,00 + + The first line calls another procedure at "line number" + 56C0h. Upon its completion, the instruction pointer will + point to the second line. Note that there is a "JC" + instruction. Remember that programs often use the carry flag + to signal errors. If the call instruction called a copy + protection instruction and you entered a wrong code or + something, it may return with the carry flag set. The next + instruction would then jump if there was an error to an + exiting procedure. + Note, this is a near call. A program can also have far + calls just like jumps. + + INT - generate an interrupt + --------------------------- + This instruction is much like the call instruction. It + also transfers control to another procedure. However, the + number after the INT instruction does not point to an + address. Instead, it is a number pointing to an address that + is located in something called an interrupt vector. You will + commonly see "INT 10", "INT 21", "INT 13". 
Just know (for + now) that they are like calls to procedures. + + LODSB/LODSW/STOSB/STOSW - load/store a byte/word + ------------------------------------------------ + These instructions either load in or store a byte or a + word to or from memory. The DS:SI register pair points to + the source data. These are the registers the CPU will use + when reading from memory using the LODS instruction. The + AX/AL register will hold the number to either read from or + write to the memory. So, if DS:SI points to a byte which is + maybe 60, then a "LODSB" instruction will load in the number + 60 into the AL register. A LODSB or STOSB will use the AL + register while the LODSW or STOSW will use the AX register. + The STOS writes whatever is in the AX/AL register to the + + + Page 8 + + + + + + The Cracking Manual + + + + memory pointed to by ES:DI. So, if ES:DI points to 100:102h + and if AL held 50, then the byte at 100:102h will hold 50. + After the instruction is finished, the CPU will either + increment or decrement SI or DI according to the status of + the direction flag. So, if SI was 100h and a "LODSW" + instruction was performed with a cleared direction flag + (forward), the SI will now point to 102h. + + MOVSB/MOVSW - copies a byte/word from source to destination + ----------------------------------------------------------- + This instruction gets a byte or a word from the data + pointed to by DS:SI and copies it to the data pointed to by + the ES:DI address. When the instruction is finished, SI and + DI will be incremented or decremented accordingly with the + status of the direction flag. So, if DS:SI pointed to a byte + with the number 30, a "MOVSB" instruction would copy into the + byte pointed to by ES:DI the number 30. + + REP - repeat + ------------ + The REP instruction in front of a MOVS/LODS/STOS would + cause the MOVS/LODS/STOS instruction to be repeated for a + number of times specified in the CX register. 
So, if CX + contained 5, then "REP STOSB" would store whatever was in the + AL register into the byte pointed to by ES:DI five times, + increasing DI each time. + + LOOP - looping + -------------- + The LOOP instruction repeats a block of instructions for + a certain number of times. This number will be held in the + CX register. Each time we reach this instruction, the CPU + will decrement the CX register and jump to a specified + instruction until CX becomes zero. This instruction looks + like "LOOP 1A00" where the number indicates the instruction + address to loop to. + + Arithmetic Operators + -------------------- + Arithmetic instructions allow you to perform various + arithmetic function of data. "ADD" and "SUB" work the same + way as "MOV" instructions do in that it subtracts whatever is + in the source register from the destination register and + stores it in the destination register. + The "MUL" and "DIV" instructions are a bit more + complicated and they are not used as intensively as the "ADD" + or "SUB" since they are slow, so we will not talk about them. + There are also a multitude of other instructions that + you should familiarize yourself with if you are thinking of + becoming a serious cracker. The instructions given above are + only the BARE minimum that you need. There is no way around + learning assembly for better cracking. + + + + + Page 9 + + + + + + The Cracking Manual + + + + THE CRACKING + + The Cracking + ------------ + Now the fun stuff begins. First, we must discuss the + different forms of copy protection schemes. They are + basically divided into the disk based and manual based copy + protection schemes. + With disk based schemes, the software often reads from + specific sectors on a disk to determine the disk's validity. + How can this be done? When you perform a disk format, the + disk is formatted with specific sector sizes. Once the + sector size changes, DOS cannot recognize it, thinking that + it is a bad sector. 
Since this looks like a bad sector, a + simple DISKCOPY will not work in copying such disks. + Interrupt 13h (the assembly mnemonic is INT 13) was commonly + used to handle such copy protections. It is now very rare to + encounter the once famed INT 13h copy protection method + nowadays since it was quite easy to defeat. Any professional + commercial software will often use their own custom based + disk I/O routines. This involves intimate access to I/O + ports using IN and OUT instructions. This is beyond the + scope of the first release of this manual. However, if you + are lucky, the I/O functions might be called from a "CALL" + instruction in which case you may defeat the protection + without much difficulty. Another disk based scheme used to + denote legality of software is used during the installation + process of the software. With certain programs, when you + install it, it copies the files into the hard drive. But it + also sets a specific sector in the hard drive so that the + program can recognize it. This is also similar to diskette + copy protections, but can be defeated in much the same way. + Thank goodness that disk based copy protections are + almost completely out of the software industry. However, a + sometimes more difficult copy protection scheme has arisen + that may sometimes prove to be even more difficult to crack. + These schemes are commonly known as the doc checks in which + the user must have a copy of the manual to bypass the + protection. With programs compiled as true assembly (you can + call then "normal" programs), these protections are not too + bad to trace through and crack. With programs that run + scripts (such as Sierra games), this can he a real chore + however. Why? It is because it is like running a program + within a program. You just have to be very very patient in + this case, carefully tracing through the instructions. 
+ As if these copy protection schemes weren't enough, + software companies have also added trace inhibition schemes + to their code. What does this mean? This means that you + will have a hell of a time trying to trace through code. + However, if you know how these things work, it should not be + too much of a problem. + Run-time compression/decompression and + encryption/decryption of files also make changes to the + program difficult. In this case, the loader sure comes in + + + Page 10 + + + + + + The Cracking Manual + + + + handy. Also, when the data within the file changes due to + overlays, loaders are also good to use. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 11 + + + + + + The Cracking Manual + + + + DISK BASED COPY PROTECTIONS + + Disk Based Copy Protection + -------------------------- + Since disk based copy protection schemes are rarely + used, we will not go into great depth in its discussion. + + INT 13h + ------- + I have previously mentioned that INT 13h copy protection + schemes are hardly ever used anymore. Nevertheless, it would + be good practice for the beginner to learn how to defeat the + code. You will most likely see INT 13h used with function 2, + read sector. This means that: + + AH => will contain the number 2 (function 2) + AL => the number of sectors to read in. This is + commonly only 1 since you just want to check a few + sectors for disk validity. + CH => will contain the cylinder number + CL => will contain the sector number + DH => will contain the head number + DL => will contain the drive number + 00h - 7Fh for floppies + 80h - FFh for fixed disks + ES:BX => will point to the address into which the data + read from the disk will be written to + + Upon the return for this interrupt, if the carry flag is + set, that means that the program could not read the sector, + and therefore the disk is valid. 
If the carry flag is clear, + that meant that INT 13h could read the sector properly and so + the disk would be bad in the eyes of the program, thinking it + was a copied disk. + Okay, now that we know to look for INT 13h in the + program code, we can begin tracing. First, we must know the + difference between debug's "T" and "P". "T" is the trace + instruction, which tells it to follow instructions step by + step. That also means that in LOOP or REP instruction, the + trace will patiently go through the loop until finished. + Also, during CALL instructions, trace will go into the call + and execute the instructions pointed to by the call + instruction. The "P" command is similar to the "T" but with + the difference in that it traces over instructions. That + means that if it encounter a LOOP or REP, it will quickly + finish up the loop and point to the next instruction. With a + CALL, the "P" (proceed) will not go into the subroutine. + Instead, it will just execute the procedure, then point to + the next instruction. + Okay, before you start tracing for hours through a + program, you must first notice when and where the copy + protection appears. Run the program in DOS first and make + careful note of when things happen. You might see an intro + screen, then the music pops up, then the menu comes out. + + + Page 12 + + + + + + The Cracking Manual + + + + Notice this so you will know where you are in the program. + Once you have done that, you can begin debugging the + program. Whenever you start out with a program, you use "P" + to trace through the program. Be patient as this might take + a while. While you are tracing, watch out for CALLs and + INTerrupts. When you are just about to execute the step, try + to remember the segment and offset of the instruction. The + segment is the number to the left of the colon while the + offset is the number to the right. 
As you continue tracing + through the program, you will find that the screen might + blank and display the intro screen or something like that. + This is a good sign and it tells you that you are headed in + the right direction. Start slowing down when you feel that + you are near to the copy protection. + + Situation 1 - Exit from copy protected CALL + ------------------------------------------- + Oops, you have traced over a call that accessed drive A. + Unfortunately, you also exited the program. That's good. + You have just narrowed down the location of the copy + protection code. Now I hope you remembered the address of + that CALL. If not, you gotta start all over to find it. + Anyway, restart the program now. Now Go to that instruction + by "G {segment:address}". + Did something go wrong? Did the computer freeze or + something? It is most likely that this is an overlay or + encrypted code or something that caused the code at that + location to change. In this case, you will have to remember + the addresses of various instructions along the way. + Instructions that you want to take note of are far calls (if + you remember, calls with a segment:offset address as their + operand). You don't have to do this for every call. As you + crack more and more, you will get the hang of which + instructions to keep track of. + Okay, let's assume you have gotten back into the + location of the code again. It is a CALL instruction that + will access the disk drive. At this point, try skipping the + CALL instruction. To do this, type in "RIP {enter}". Then + type in the address of the next instruction. Then execute + the do or die instruction, "G". If the program runs fine + without asking for the copy protection, congratulations! You + have cracked the program. + If the program freezes or does something weird, restart + the program and trace back to the suspected copy protected + location. Now use the "T" command once and start using "P" + again. 
Remember to write down the address of that CALL + instruction you just traced into so you can come back to it + quickly. As you keep tracing, using the above procedures, + pretend you eventually come up to an INT 13h instruction. + See what it does by tracing over it. Make sure you have a + disk in drive A too. If there was no error, force an error + by turning on the carry flag and proceeding. With INT 13h + copy protections, this should be sufficient to crack the + program. + + + Page 13 + + + + + + The Cracking Manual + + + + Situation 2 - Return from copy protected CALL + --------------------------------------------- + Okay, the CALL that you just traced over accessed the + disk drive, but it didn't kick you out. Keep on proceeding + and this point. If there is an instruction that causes you + to jump because of a carry flag, try fooling around with this + carry flag and see how the program reacts. INT 13h copy + protections are usually simple enough for you to just change + the carry flag to allow the program to bypass the copy + protection. + + Access to the Hard Drive + ------------------------ + The cracking for installation software is also the same + as cracking for the INT 13h. You just keep tracing until you + see some disk activity. At that point, you try messing + around with some of the conditional jumps to see what + happens. If you have the original program, you should run it + also to see the differences between the valid and invalid + copies. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 14 + + + + + + The Cracking Manual + + + + DOC CHECK COPY PROTECTIONS + + Doc Check Copy Protections + -------------------------- + Okay, we have just quickly scanned over disk based copy + protections because they are rarely used nowadays. Doc + checks will be discussed in greater detail for the rest of + this manual. 
+ Unlike the disk based protections, which are based on + hardware identification, doc checks are based on software + identification. Therefore, the only information that will + indicate that a copy protection is happening is the screen, + unlike the whirr of the disk drive. The moral, watch the + screen. Because this copy protection is software based, it + will be more of a challenge to trace, but of course, that is + the "fun" part of cracking. + + The Basics + ---------- + Make sure you have the COMPLETE version of the program + you are about to crack. When you do, run the program in DOS. + While the program is loading, take note of exactly what goes + on with the screens, sounds, etc. Here is what you might + want to note: + + 1) What comes up first? Is it a standard text output + that asks you for the type of graphics adaptor you + have, the number of joysticks, the sound card? + 2) When does the intro screen come up? Is it after the + music starts? After the copyright notice? After + the text prompt for the graphics mode you will be + operating in? + 3) What happens now? An animated sequence that brings + you through the beginning plot of a game? If so, + can you press a key and escape from it? + 4) Now what? Is there a main menu? When you start the + game by selecting the "START GAME" option from the + menu, does the copy protection come up immediately? + 5) If it doesn't come up immediately, when does it come + up? + 6) Does the copy protection only appear when you are + playing the game, or does it come up also when you + select "CHANGE OPTIONS" from the main menu? + + Obviously, these questions are merely prompts for you to + follow. Use your own mind in discovering what to take note + of. There are no set rules for cracking. It is a puzzle + that you must use your mind on. + Okay, once you have run the program, go into your + debugger (in our case, DEBUG) and load up the program. 
One + tip to use when you first start out programming is to use the + "P" command to trace through code. As you become a more + advanced cracker, you might start seeing patterns in coding. + These patterns are characteristic of high level programming + + + Page 15 + + + + + + The Cracking Manual + + + + languages (Pascal, C, etc.) and are usually the + initialization code for the rest of the program. Use "P" for + each instruction, one at a time. Be patient as this might + take a while. + Okay, you have been tracing for some time now and + finally, you notice something happen. The screen might have + blanked or maybe a message prompting you to enter the + graphics mode may have popped up. Was this what you have + noted before? It should be and you can assure yourself that + you are headed in the right direction. As you keep tracing + programs, you notice that CALLs usually do something + significant. A CALL might clear the screen or sound some + music. When it does something rad like this, write down its + address as the segment:offset pair. The segment is the + number to the left of the colon while the offset is the + number to the right of the colon. Don't be a dork and set a + breakpoint there. Write it down on paper or something. We + will see later on why breakpoints fail miserably in the cool + wares. + Why take note of these instructions? As you trace + deeper and deeper into programs, the coding often loads up + overlays or maybe decompresses code to the memory location + that you have just traced over. Therefore, if you set a + breakpoint there, or execute a "G" instruction to that + address, you will fuck up the program and cause your computer + to freeze. We will see why when we examine how breakpoints + and single stepping works. + Also, while you are tracing using "P", mentally remember + the addresses of the CALLs. That way, if you trace over a + call that brought you immediately to the copy protection, you + won't have to retrace the code again. 
You don't have to + write down all of the addresses, of course, just remember one + at a time and write them down if they do anything + significant. + + Code Guards Through Keyword Entry + --------------------------------- + Okay, you know that the copy protection is one in which + the program waits for you to type in a keyword that you have + to look up in the manual or something. Here are then + following steps you should take. + + Situation 1 - Return from a copy protected CALL + ----------------------------------------------- + When a copy protection coding reveals itself on the + screen, you can have a situation in which you are returned to + the debugger, waiting for the next instruction to be + executed. Now, suppose that the CALL asked you to enter a + code. You entered an incorrect code and were returned to the + debugger, but you have not exited the program. Make sure + that you have previously recorded the address of this CALL. + Now, you can do two things, (1) you can try skipping over the + CALL, (2) you can trace on further. As you become more + experienced, you will be able to better decide. As one with + + + Page 16 + + + + + + The Cracking Manual + + + + experience, however, I can say that 90% of the time, you will + have to trace further on, but hey, you might get lucky. + For now, let's say you are lazy and decide that you want + to skip over the call to see what happens. To do this, you + must restart the program. Then trace your way back to the + CALL where the copy protection was located. Use "G + {segment:offset}" to do this. If, for some reason, the + computer freezes when you do this, you will have to use "G" + followed by the addresses of the CALLs that you have noted + down to be significant. If that doesn't work, resort to + retracing the code over again. As you become more + experienced, you will find that you rarely have to retrace + the entire code since you can "feel" what is going on. 
Okay, + now that you are at the location of the CALL, this is the + time to skip over the instruction. To do this, enter "RIP" + and then the address of the next instruction's address. Now + enter the "G" command and see what happens. If the program + runs just fine, you've cracked the program. If the program + kicks you out or crashes, you have to do some more tracing. + Okay, so you've decided to continue tracing from the + point of the copy protection. There are usually a bunch of + CMP and J? CMPS? instructions after the call. This point on + is the difficulty of cracking for a beginner since you don't + know what the fuck is going on. All those compares and jumps + don't mean shit to you are you are about to pass out in + frustration. Don't distress, here are a few tips I can give + you. If these don't work, you gotta find out your own + solutions to the problem. + Okay, in all probability, the CALL that you just traced + over was acting as a read string procedure (like BASIC's + INPUT). That means somewhere in the computer's memory, there + lies the code that you typed in and the code that you were + supposed to have typed in. What this would mean is that the + code after the CALL will do some sort of string comparison. + Look out for these. It might be hidden inside another CALL + if you're lucky. In such a case, does the program kick you + out? If it does, you have to trace into the call using "T" + to see what is going on. Okay, the string comparison will + most likely take the form of some kind of loop. Maybe "REP + CMPSB" or "LOOP". In the case of the REP CMPSB, there might + be a JZ/JNZ or JCXZ/JECXZ that follows it. When strings + match, the CX register will be zero. If CX is not zero, the + strings are not the same and the conditional jump will + probably jump to an exit routine. All you have to do is to + change the status of the zero flag. Then, try out the "G" + instruction. If it still didn't work, start over and do some + more tracing. 
If the string compare is not of the REP form, + there will be some kind of loop that will check between two + memory locations. In such a case, you will just have to + become accustomed to realizing that the code is a string + compare. There is no standard code for this. If you know + you have entered a wrong code, trace through the loop and see + where in the loop you are thrown out of the loop. At this + point, you can go back to it, change some flags to make sure + + + Page 17 + + + + + + The Cracking Manual + + + + you stay in the loop. When you exit through a different + location, you have probably bypassed the code and now, you + can enter "G" to see what happens. + + Situation 2 - Exit from a copy protected CALL + --------------------------------------------- + When a copy protection coding reveals itself on the + screen, you can have a situation in which you are not + returned to the debugger, instead, causing you to exit the + program. In this case, you have to restart the program and + trace into the CALL using "T". After that, you can start + using "P" again to uncover the location of the code. You + will most likely encounter a condition that will resemble + situation 1. Follow its instructions. + + Shortcuts For Keyword Entry Protections + --------------------------------------- + With keyword entry systems, you might be lucky to have + the codes stuck somewhere into file in its + uncompressed/unencrypted form. This means that you can "see" + the keywords in its ASCII format. This case is cool because + you won't have to do any tracing to crack the program. All + you have to do is to dump the contents of the files to find + something that looks like a keyword. (Always backup the file + that you are about to alter.) When you have found such a + file and the location of the codes, all you have to do now is + to change the codes to values that you know. For example, + one code might call for you to enter "PIRATE". 
It's a bitch + if you don't know the code. But if you change the code to + your name or something else you will never forget ("CYBORG"), + then you'd be set. + However, in most instances, you can't simple just type + over the old code with your new code. In high level + languages, these codes are stored as strings. In 'C', + strings are stored in their ASCII equivalent. They are then + terminated with a NULL character (this is a 0). In Pascal, + the lengths of the strings are first stored in the first + position. Then, the ASCII is stored. + + NULL Terminated Strings + ----------------------- + So, if you see zeros after the codes, this is a NULL + terminated string. Now, start at the beginning of the string + and enter your code. Then, enter the '0'. Make sure your + string is less than the original string since 'C' refers to + these strings also with pointers. + + Pre-Length Indentifier + ---------------------- + If you see numbers before strings, enter your own code. + Then change the length of the code appropriately. Make sure + you do not exceed the length of the original string. + + + + + Page 18 + + + + + + The Cracking Manual + + + + Code Guards Through Pointed Icons + --------------------------------- + We have a case where we do not type in keywords. + Rather, we must use a pointer device such as the cursor keys + on the keyboard, the mouse, or joystick. These protections + are a bit more complicated since there are no strings to + compare against. Rather, the input will be a number stored + in memory or a register. This is what makes this copy + protection more difficult to crack. We have to hunt through + code to find out which compare instruction is the key. + What you have to do is to find the general location of + the copy protection code as before. Then, instead of typing + in the keyword, you select the icon. Like before, you must + step slowly through the code and go until the program JUST + STOPS asking you for the code. 
For example: + + 2E0B:0000 E8740E CALL 0E77 + 2E0B:0003 38D0 CMP AL,DL + 2E0B:0005 7569 JNZ 0070 + 2E0B:0007 CB RETF + + You might decide to trace over the call at address xxxx:0000. + But then, you see that the screen displayed the icons and you + got to select the code. Then, the procedure does some disk + activity and you return to address xxxx:0003. If you see + something happen after you have just finished entering the + code or if it is slow in returning you to debug, then, + some code must have been performed before you returned. In + this case, you must trace into the CALL to see what has + happened. If not, there is still a small probability that + there were some instructions that formatted the code you + entered and saved it to a memory location. (We'll talk about + multiple doc checks later.) + Realize that most of the programs that you will be + cracking have been programed by C or some other high level + language. These languages often use the stack (SS:SP) to + pass parameters (variables) or to create local variables for + a procedure's use. Most likely, you will see compares to + data contained within the stack such as "CMP AX,WORD PTR + [BP+10]" or "MOV DX,WORD PTR [BP+10]". This is what you hope + to find, although not always the case. If you do see some + access via the stack using the BP register as a pointer, you + may have something there. Then, all you would have to do is + to mess around the flags register (most likely, JZ/JE will be + used) at the compare instruction. + + Multiple Doc Checks + ------------------- + There are some wares that invoke multiple doc checks, + doc checks that pop up either systematically or randomly. In + addition, there could also be two types of this protection. + The doc check could be a similar type (eg. typing the code + found on page...) or they could be different (eg. typing in + the code on page... 
then select the correct icon), although + + + Page 19 + + + + + + The Cracking Manual + + + + the latter is more rarely used due to its extensive memory + usage. + + Situation 1 - Similar doc checks + -------------------------------- + Cracking multiple doc checks that are similar is just + like cracking with just one doc check. The procedure to + trace is still the same. Keep Proceeding until you come up + to the CALL that contains the copy protection. Just use the + sequences mentioned above. When you are absolutely positive + that the call contains the copy protection (skip the CALL and + see what happens; if the protection has been bypassed but + appears at other times, you got something), here is what you + do. + + 1) Note what type of CALL it was. Near if the operand + (number after the CALL) was a four digit number or + far if the operand contained the segment:offset + pair. + 2) Trace INTO the call. + 3) At the first instruction, note the address inside + the CALL. + 4) Then, type in "A" then the address of that very + first instruction. + 5) If there was a near call performed, now type in + "RETN", otherwise, type in "RETF". + 6) Now run the program ("G") and see what happens. + + If this call was definitely the copy protection, you should + have bypassed the copy protection completely. Otherwise, you + might have a case like situation 2. + + Situation 2 - Different doc check types + --------------------------------------- + Again, cracking multiple doc checks are like cracking + single doc checks. You follow the same procedures until you + come up to a copy protected location. Then, you would trace + into the code as explained in situation 1 just to make sure + that the code is not called up again. Different doc checks + are a bitch to do because you have to manually keep tracing + until you find each one to effectively rid yourself of the + copy protection. There is not sure way of getting rid of all + the doc checks any other way. 
But luckily, there are very + few wares out there like this. Remember, the more the + company shoves into the program's memory, the more money it's + gonna cost them. + + Of course, I cannot cover every single type of doc check + since there are too many of them. You'd just have to use + your own imagination to solve some of them. + + + + + + + Page 20 + + + + + + The Cracking Manual + + + + SPECIAL SITUATIONS + + Special Situations + ------------------ + What all crackers are faced with at one time or another + are situations that call for intuitive thinking to overcome + the barrier. Remember, there is no one sure way of cracking. + + INT 3 - Problems During Tracing + ------------------------------- + Sometimes, when you start cracking, you just find your + instruction pointer messing up. You keep tracing and + tracing, then your computer freezes. But then, when you type + "G" at the beginning of the program, it works just fine. + What is happening here? There are several things that the + program could do to impede tracing. Unless you have a + hardware debugger, you have to settle in for more primitive, + intuitive methods. First, we have to find out how a software + debugger works. + I now introduce you to INT 3 and INT 1. They are the + breakpoint and single stepping interrupts respectively. We + will be looking at INT 3 the most. + What happens when you set breakpoints? Well, here is + what the debugger does. At the address you have specified, + the debugger will read in the byte at that address and store + it somewhere else in its own memory. This byte is part of + the whole instruction located at that address. For example, + if there was an "INT 13" at that location, the machine + language equivalent will be CD13h. Debug will read in the + first byte, CDh, and save it in memory. The CDh will then be + replaced by INT 3 (CCh). So, the code will now look like + CC13h in machine language. 
When you unassemble this at the + address, you will see "INT 3" (the instruction only takes up + one byte) and some gibberish after that. So, when the CPU + comes up to this address, it will encounter INT 3 and will + return control to the debugger. The debugger then replaces + the INT 3 with the CDh byte used before. + With single stepping, the same thing occurs. Debug will + also insert the INT 3 instruction at the instruction after + the one you are about to execute. Then, internally, a "G" + instruction is performed until it reaches the INT 3, at which + point, the byte will be replaced and everything will be cool. + + Use of INT 3 to Call Up Other Interrupts + ---------------------------------------- + This INT 3 deal seems to be cool, working in many + situations. But what if the software vendor reprograms INT 3 + to point to an INT 21? Many programs use INT 21 to access + DOS functions like reading a file, etc. There would be a + conflict now as the program uses INT 3 to call up DOS while + debug wants to use INT 3 for its breakpoints. There is also + another problem. INT 21 uses two bytes (CD21h) while INT 3 + uses only one byte (CCh). Therefore, you cannot replace INT + 3 with the INT 21. + + + Page 21 + + + + + + The Cracking Manual + + + + Also, INT 3 could be reprogrammed so that everytime it + is used, the program will just exit to its higher process. + So everytime you single step, you will be kicked out of the + program. + + Parity Errors with INT 3 + ------------------------ + The tough copy protections use the change of memory to + obstruct tracing. 
Examine the code below: + + 2E0B:0500 FC CLD + 2E0B:0501 B80000 MOV AX,0000 + 2E0B:0504 BB0000 MOV BX,0000 + 2E0B:0507 BE0005 MOV SI,0500 + 2E0B:050A BF0010 MOV DI,1000 + 2E0B:050D B90005 MOV CX,0500 + 2E0B:0510 AC LODSB + 2E0B:0511 345A XOR AL,5A ;'Z' + 2E0B:0513 01C3 ADD BX,AX + 2E0B:0515 AA STOSB + 2E0B:0516 E2F8 LOOP 0510 + 2E0B:0518 3B1E0043 CMP BX,[4300] + 2E0B:051C 7403 JZ 0521 + 2E0B:051E E9EF2A JMP 3010 + 2E0B:0521 D1E0 SHL AX,1 + + Notice what the program is doing. It is performing a simple + decryption of a block of code from address 500h and putting + it in address 1000h. In addition, there is a checksum being + performed at address . The program is adding all those bytes + up, then comparing the number with some other number (a + checksum value) in memory at address 4300h. So what you may + say. When the program is run without any set breakpoints, + the program will run fine. But when you start tracing + through the code, or putting a breakpoint somewhere after the + loop, the program will cause you to exit. If you decide to + change the program so that it will let you pass regardless of + the checksum value, somewhere along the line, the program + will fuck up. + This goes back to the idea of INT 3. Right before debug + executes an instruction, it places an INT 3 at the next + instruction. In this program, when debug places this + interrupt and executes an instruction, the program is reading + in this INT 3 at the address and copies it to a different + address. INT 3 is obviously a different number than the + other instructions, so the checksum value will be different. + So, now that INT 3 is copied to another location in memory, + debug also cannot replace that with it's original byte value. + Therefore, if you try to force the checksum to match and + continue running the program, the program will crash because + the INT 3 is causing the instructions after itself to be + interpreted incorrectly by the CPU. 
+ To bypass this, you have to make sure not to get your + INT 3 placed in the wrong place at the wrong time. Looking + + + Page 22 + + + + + + The Cracking Manual + + + + at the program, you can keep tracing normally until the SI + register points to any byte past the CMP instruction at + address 519h. Then, you can do a "G 518" to finish off the + loop quicker. Debug will place a temporary INT 3 at address + 518h, but it doesn't matter now since SI will be past 518h. + This is obviously a simple example, but it gets the point + across that you have to watch where you trace. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 23 + + + + + + The Cracking Manual + + + + OVERLAYS/LOADERS + + Overlays/Loaders + ---------------- + Sometimes, programs will have an initialization code and + upon its completion, call up another program or overlay. + These programs present unique situations in which it is + sometimes difficult, after finding the copy protection code, + to write the changes to disk. Let's see what these programs + do before we go on to the next topic of making changes + permanent. + Loaders are usually small programs that might first ask + you for the graphics mode or what sound card you have. When + finished, it will load up another program. Sometimes, this + is done with DOS' interrupt 21h, function 4B00h (load and + execute). This is the same interrupt DOS uses to load up + programs when you type them in at the DOS prompt. You can + tell what file is going to be executed by tracing up to the + INT 21 instruction and dumping the address pointed to by + DS:DX (type in "D DS:DX"). Also, internal procedures could + be used to call up the program. Use what you've learned to + trace through them. + Code decryptions or dynamic heap allocation where data + is to be loaded presents problems as well. Code that changes + as the program progresses makes code changes difficult in the + file itself. 
And when you want to alter sometime in the data + area, something called a heap is often used to store the + data. The thing with the heap is that it can be allocated at + anytime and depending on what is currently in memory, you + can't tell where the memory is going to be located. In these + cases, you might choose to go with run-time memory overlays + (discussed later). + + Writing the Changes Out to the File + ----------------------------------- + Okay, so you've found the copy protection. You also + know how to bypass it. Now, the next problem you will most + likely encounter is writing it out to a file. But first, + let's assume a simple case. + + Using a Hex Dump Program + ------------------------ + Included is this package is one of the files from Norton + Utilities which does a decent job of finding and changing the + contents of files. Before we exit that debugger, we must + know what to look for. + + 1) At the location of the instruction, copy down the + machine language equivalent of the instruction. At + instructions after that, also take down their + machine level equivalents. This is what you will + use to search for the code in the file. + a) If there is a near call or a near jump or a near + memory access, you can just write down all the + + + Page 24 + + + + + + The Cracking Manual + + + + hex numbers. + b) If there is a far call (CALL DS:[5C10+BX]) or a + far jump (JMP DWORD PTR ES:[5080+BX]) or a far + memory access (MOV AX,WORD PTR ES:[10+SI]), then + do not write these instructions down. In .EXE + files, anything that is located in different + segments will have different displacement + values. This is a value in the file. At the + beginning of the file is a table that tells DOS + where these instructions are located. When the + program is loaded into memory, the pointers are + changed appropriately to match the memory + location. So, write down other near + instructions like CLD, JZ 100, INC AX, etc. 
+ 2) After you know what to search for, you must now know + what you will have to be changing. Very often, + NOP's are used to "delete" code. For example, if + there is a CALL 3140 and we want to skip this call, + we can NOP it out. The near call takes up three + bytes. The NOP takes up one byte. So, type in "A" + at the address of the call and enter "NOP" three + times. Then unassemble the code to make sure that + the code still looks okay. Take down the machine + level equivalents of the NOP's (90h). Same thing + with conditional jumps. Suppose you have a JZ 90 + and you want it to jump to address 90 everytime, + then type in "A" at the jump instruction and enter + "JMP 90". Then, just write down the machine code as + before. One thing, however. You cannot do what I + have just said above with far calls. Remember, the + numbers will be different in the file as compared to + memory. So what do you do? No problemo. At the + call instruction, trace into the call and place a + "RETF" instruction at the address of the callee. + This will be the location that you will search for + (write down the bytes here) and where you will be + writing to (RETF is CBh in machine language). + 3) Finally, after all this is through, you can enter + your file editor and search for the numbers you + wrote down. Then, you can change the numbers. Now + run the program and it should be cracked. But + remember, always backup the file you are about to + change. + + Using a Memory Overlay + ---------------------- + When do you use these things? You would use memory + overlays when step 3 (stated above) has failed in some way. + Maybe you couldn't find the code, or when you change it, the + program freezes up. Don't fret, the memory overlay is here. + What is a memory overlay? It is an external program (TSR) + that when it reaches a certain point during program + execution, it will change the location in memory you have + specified. It overlays the code during run time. 
+ + + Page 25 + + + + + + The Cracking Manual + + + + Here is what you will need to do to make the overlay + work. First, you must find some way for the program to call + up the overlay code. This can most easily be done by + reprogramming interrupts. So, the first thing you have to do + is look for an interrupt usage near the copy protection code + (usually an INT 21h or INT 10h). When you find this + interrupt (it must be fairly close to the code), write down + the address of the NEXT instruction. You must get down the + segment and the offset. Also, get down the current status of + the registers. For interrupts like INT 21h and INT 10h, + write down the functions numbers (eg. AX,AL,BX,DX,etc.). + Then, keep tracing until the copy protection code. Get the + address of the instruction that you want to change (the + segment and the offset). Also get down the machine language + equivalent of the changed code. This should be all you need + for the overlay program. Here is the overlay program: + +INT_SEG equ 1DA5h ;SEG:OFF of instruction after the +INT_OFF equ 05D1h ; calling interrupt +CHANGE_SEG equ 2DA5h ;SEG:OFF of instruction to change +CHANGE_OFF equ 0432h + +OVERLAY segment para 'code' + + assume cs:OVERLAY,ds:OVERLAY + + org 100h ;This will be a .COM program + +START: jmp INITCODE ;Initialization code + +;************************************************************************** + +OLDINT dw 0,0 ;Storage for old interrupt address + +ADDR_OFF equ +ADDR_SEG equ + +CR equ 0Dh ;Carriage return +LF equ 0Ah ;Line feed +BEEP equ 07h ;Beep +EOS equ '$' ;End of DOS string + +DISPLACEMENT equ CHANGE_SEG - INTSEG + +;************************************************************************** + +NEWINT proc far + + push bp ;Establish stack frame + mov bp,sp + push ax ;Save necessary registers + push bx + push cx + push dx + + + Page 26 + + + + + + The Cracking Manual + + + + push si + push di + push ds + push es + + mov bx,ADDR_OFF ;Get offset + cmp bx,INT_OFF + jnz EXIT + 
+ cmp ax,0201h ;Check for AX=0201h <=(1) + jnz EXIT + cmp bx,0001h ;Check for BX=0001h <=(2) + jnz EXIT + + mov bx,ADDR_SEG ;Get segment + add bx,DISPLACEMENT + mov ds,bx ;This will be the segment of change + + ;change the number at the next line to point to the offset of + ; the address to be changed + mov bx,1C12h ;This is the offset of the change + mov al,0EBh ;This is the byte to be changed + mov [bx],al + + ;change the number at the next line to point to the offset of + ; the address to be changed + mov bx,1C20h ;This is the new offset of the change + mov ax,0B8h ;This is the byte to be changed + mov [bx],ax + mov al,0 ;This is the next byte to be changed + mov [bx+2],al + + pop es ;Restore necessary registers + pop ds + pop di + pop si + pop dx + pop cx + pop bx + pop ax + pop bp + iret ;Interrupt return + +EXIT: pop es ;Restore necessary registers + pop ds + pop di + pop si + pop dx + pop cx + pop bx + pop ax + pop bp + jmp dword ptr cs:OLDINT ;Jump to old interrupt + + + + Page 27 + + + + + + The Cracking Manual + + + +NEWINT endp + +;************************************************************************** + +FINISH equ $ + +MESSAGE db "This is an overlay loader.",CR,LF + db "Written by The Cyborg.",CR,LF,BEEP,EOS + +INITCODE: + mov ax,cs + mov ds,ax ;DS point to CS + + mov ah,9 ;Print string + mov dx,offset MESSAGE ;The address of the message + int 21h + + mov ax,3510h ;Get old interrupt address + int 21h + mov OLDINT[0],bx ;Save in memory for later use + mov OLDINT[2],es + + mov ax,2510h ;Set new interrupt address + mov dx,offset NEWINT ;Point to new procedure + int 21h + + lea dx,FINISH ;CS:DX of last byte of code to remain + int 27h ; in memory. Terminate and stay + ; resident. + +OVERLAY ends + + end START + + All you have to do is set the first four values in the first + four lines of the file. They are the segment:offset pairs of the + interrupt address and the address of the bytes to be changed. 
+ Also, change the functions to check for at (1) and (2) to + appropriately check for proper code entry. Then, specify which + bytes you will be changing at the specified lines. Then compile + this crack ("ASM OVL {enter}"). + The next program demonstrates a simple loader. It also + demonstrates what you can do if you have a program that utilizes + scripts or dynamically allocated data areas in heap spaces. This + program scans for a known segment in memory for a "keyword". When + it finds this, it can then begin writing new code to overlay the + old data. Note, KEYWORD specifies the keyword to look for. Then, + CRK (0's) is the list of bytes to replace the data areas pointed + to by addresses listed in LIST. The addresses in LIST are + displacement addresses. This means that at the address the + keyword was found in, the appropriate number listed in LIST is + added to that address. There are thirteen addresses whose data + are to be changed in this case. + Also interesting to note is that this program is using two + + + Page 28 + + + + + + The Cracking Manual + + + + interrupt vectors, INT F1h and INT 21h. INT 21h is used in the + same way as the above overlay program uses it. It replaces two + bytes at offset 1FE5h with CDF1h. This is the machine language + equivalent of INT F1h. Now, let's examine what INT F1h actually + does. First, it changes the return address in the stack so that + instead of returning to the address right after the INT F1h + instruction, it will return to another instruction, located at + offset 1FE5. This is the location of the INT F1h instruction. + This interrupt, upon its completion, will replace the INT F1h + instruction with the original instruction and run the program + normally. + The loader itself is simple. It reallocates the memory + located to itself to accommodate a "daughter" program, the program + that it is going to load. 
If it can't find the program or if an + error has occurred trying to execute the program, the loader will + load itself up as a TSR. Then, you can run the program via DOS. + This loader also checks if INT F1h has been occupied and returns + an error if it is. + +LOADER segment para 'code' + + assume cs:LOADER,ss:LOADER + + org 100h + +BEGIN: jmp INIT + +CR equ 0Dh +LF equ 0Ah +BEEP equ 07h +EOLN equ '$' + +OPTION db 1 ;Options +CRC dw 0 ;Cyclic Redundency Checking data + +START equ $ + +OLDINT1 dw 0,0 +OLDINT2 dw 0,0 +KEYWORD db "weat" +CRK db 0,0,0,0 +LIST dw 0h,014h,019h,02Dh,041h,046h,05Ah,05Fh,073h,087h,08Ch,0A0h,0B4h + + ;********** New Interrupt 1 **********; + +NEWINT1 proc far + + push bp ;Establish stack frame + mov bp,sp + push ax ;Save registers + push bx + push cx + push dx + push di + + + Page 29 + + + + + + The Cracking Manual + + + + push si + push ds + + mov ax,cs + mov ds,ax + + mov ax,word ptr [bp+2] ;Get offset + cmp ax,1FE7h + jnz EXIT1 + +NEXT1: mov ax,1FE5h ;Where to return next + mov word ptr [bp+2],ax + + mov ax,word ptr [bp+4] ;Get segment + mov ds,ax ;Put in data segment + mov bx,1FE5h ;Offset to change + mov ax,0D803h ;The new code to put in + mov [bx],ax ;Store changes + + mov ax,cs ;Get current data segment + mov ds,ax + + mov di,0 ;Where to start search + mov dx,0FF00h ;Search the entire segment + mov bx,0 +COMP: mov di,bx ;Where to begin + mov si,offset KEYWORD ;Get keyword + mov cx,4 ;Lenght of keyword + repe cmpsb ;Compare until done + jz MATCH + inc bx + dec dx ;Done? 
+ jz EXIT1 ;If no match, exit + jmp COMP + +MATCH: mov dx,bx + mov ax,0E07h + int 10h + mov bx,offset LIST ;Get list of codes to change + mov cx,13 ;Number of locations to change +NEXT2: push cx + mov cx,4 ;Lenght of string + mov di,[bx] ;Get destination + add di,dx + mov si,offset CRK ;Get string to copy from + rep movsb ;Copy String + inc bx ;Next location + inc bx + pop cx + loop NEXT2 + +EXIT1: pop ds ;Restore registers + pop si + pop di + + + Page 30 + + + + + + The Cracking Manual + + + + pop dx + pop cx + pop bx + pop ax + pop bp + iret ;Interrupt return + +NEWINT1 endp + + ;********** New Interrupt 2 **********; + +NEWINT2 proc far + + push bp ;Establish stack frame + mov bp,sp + push ax ;Save registers + push bx + push ds + + mov bx,word ptr [bp+2] ;Get offset + cmp bx,0Ch ;See if called from the proper offset + jnz EXIT2 ;If not, exit + + cmp ah,30h ;See if want this function call + jnz EXIT2 ;If not, exit + + mov bx,word ptr [bp+4] ;Get segment + add bx,0F8Dh ;New segment + mov ds,bx + mov bx,1FE5h ;New offset + mov ax,0F1CDh ;The new instruction + mov [bx],ax ;Save changes in memory + +EXIT2: pop ds ;Restore registers + pop bx + pop ax + mov sp,bp + pop bp + jmp dword ptr cs:OLDINT2 ;Call old interrupt + +NEWINT2 endp + +FINISH equ $ + + ;********** Initialization Code **********; + +PARAM dw 0 + db 80h,0 +PARAM1 dw 5 dup(0) +PROG db 8 dup('1234567890') + +MESS db 'Savage Empire eta Crack v1.0 July 15,1991',CR,LF + db 'Loader needed only after creating a character.',CR,LF + db "Press {ENTER} at the copy protection.",CR,LF,BEEP,EOLN + + + Page 31 + + + + + + The Cracking Manual + + + +ERR1 db 'ERROR: Not enough memory. ' + db 'Activating TSR sequence.',CR,LF,BEEP,EOLN +ERR2 db 'ERROR: Could not load program. 
' + db 'Activating TSR sequence.',CR,LF,BEEP,EOLN +ERR3 db 'ERROR: Interrupt vector (0xF1) already occupied.',CR,LF + db ' Release memory before restarting.',CR,LF,LF,BEEP,EOLN + +INIT: mov ah,9 ;Print string + mov dx,offset MESS + int 21h + + mov ax,35F1h ;Get interrupt vector + int 21h + mov OLDINT1[0],bx ;Save in memory + mov OLDINT1[2],es + + cmp word ptr es:[bx],8B55h ;Check for vector occupation + jnz CONT1 + + mov ah,9 ;Write string + mov dx,offset ERR3 + int 21h + mov ax,4C03h ;Exit with error 3 + int 21h + +CONT1: mov ax,25F1h ;Set interrupt vector + mov dx,offset NEWINT1 + int 21h + + mov ax,3521h ;Get interrupt vector + int 21h + mov OLDINT2[0],bx ;Save in memory + mov OLDINT2[2],es + + mov ax,2521h ;Change interrupt vector + mov dx,offset NEWINT2 + int 21h + + cmp OPTION,0 ;See if wants to run program + jz EXIT3 + + mov ax,cs + mov ds,ax + mov es,ax + mov bx,offset ENDCODE ;Get end of memory + shr bx,1 ;Convert to paragraphs + shr bx,1 + shr bx,1 + shr bx,1 + inc bx + mov ah,4Ah ;Reallocate memory + int 21h + jnc OKAY1 ;If no error, continue + + + + Page 32 + + + + + + The Cracking Manual + + + + mov ah,9h ;Write string + mov dx,offset ERR1 + int 21h + jmp EXIT3 + +OKAY1: mov ax,cs + mov PARAM,ax + mov PARAM1,ax + mov bx,offset PARAM + mov dx,offset PROG + mov ax,4B00h ;Load and execute child + int 21h + jnc OKAY2 ;If no error, continue + + mov ah,9h ;Write string + mov dx,offset ERR2 + int 21h + jmp EXIT3 + +OKAY2: mov ax,25F1h ;Restore interrupt vector + lds dx,dword ptr OLDINT1 + int 21h + + mov ax,2521h ;Restore interrupt vector + lds dx,dword ptr OLDINT2 + int 21h + + mov ax,4C00h ;Exit with error code 0 + int 21h + +EXIT3: lea dx,FINISH ;Offset of booster + int 27h ;Exit with ejection of booster + +LOADER ends + + end BEGIN + + + + + + + + + + + + + + + + + + + + + Page 33 + + + + + + The Cracking Manual + + + + CONCLUSION + + Conclusion + ---------- + Okay, so we've seen the processes of cracking. 
If you are + just a beginner and don't know much about programming, you + probably got lost somewhere right after the introduction. I would + suggest that you spend some time learning assembly before doing + anything else. Actually, you don't have to start out with + assembly. I started programming using BASIC. When I got really + good at it, I jumped into Assembly, regardless of how difficult + people said it was. Assembly is not at all difficult if you have + had some previous knowledge of another language. It is only + difficult if you make it hard. And after you've learned assembly, + you get a "feel" for the other languages and can learn them in a + matter of days. Pascal, Modula-2, C, C++, ..., they're are based + on assembly language programming. + Cracking is like the debugging process of programming. To + become experienced with debugging is to become adept at cracking. + You just need lots o' practice as practice makes perfect. + One final note. I got this manual out kinda quickly so there + are bound to be errors, inconsistencies in what I've said, unclear + passages, etc. Well, too bad. If you really want a good manual, + tell me or something and I'll consider it. I got really bored + towards the last parts of the manual so it went pretty fast, + skipping over some stuff. If a lot (and I mean A LOT) of people + want a better manual, tell me and give me suggestions. I'll find + the time to do it somehow. + Anyways, have fun! + - The Cyborg + + + + + + + + + + + + + + + + + + + + + + + + + + + Page 34 + + + diff --git a/textfiles.com/piracy/CRACKING/crak1.txt b/textfiles.com/piracy/CRACKING/crak1.txt new file mode 100644 index 00000000..b2220cce --- /dev/null +++ b/textfiles.com/piracy/CRACKING/crak1.txt 
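Review bot: the overlay listing in this hunk cannot be assembled as archived, and the import should say so rather than leave a reader to discover it: `ADDR_OFF equ` and `ADDR_SEG equ` are declared with no value, `DISPLACEMENT equ CHANGE_SEG - INTSEG` refers to `INTSEG` while the constant is declared as `INT_SEG`, and the prose above it has a gap where an address was lost ("there is a checksum being performed at address ."). Since this is a verbatim import of a historical text file, keep the bytes exactly as found, but record in the commit message or an accompanying README that the listings are reproduced as archived and are not known to assemble; the running "Page NN / The Cracking Manual" headers that interleave the code are likewise part of the original file and should not be cleaned up in the import.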
@@ -0,0 +1,436 @@ + Chapter I How to Crack + + + ------------------------------------------------------------- + Let's start with a simple introduction to patching a program + using the DOS DEBUG program. The following article will in- + troduce you to the basic ideas and concepts of looking for a + certain area of a program and making a patch to it. + ------------------------------------------------------------- + + + By: Charles Petzold / Specular Vision + Title: Case Study: A Colorful CLS + + This article originally appeared in the Oct. 14,1986 Issue + of PC Magazine (Vol 15. Num 17.). Written by Charles Petzold. + + The hardest part of patching existing programs is determin- + ing where the patch should go. You really have to make an + intelligent guess about the functioning of the program. + + As an example, let's attempt to modify COMMAND.COM so that + is colors the screen on a CLS command. As with any type of + patch try it out on a copy and NOT the original. + + First, think about what we should look for. CLS is differ- + ent from all the other DOS internal Commands, It is the only + internal command that does something to the screen other than + just write to it with simple teletype output. CLS blanks the + screen and homes the cursor. Since it can't do this through + DOS Calls (unless ANSI.SYS is loaded), it is probably calling + the BIOS Directly. The BIOS Interrupt 10h call controls the + video, and so the CLS command probably uses several INT 10h + instructions. The machine code for INT 10h is CD 10. + + (While this same method will work under any version of + PC-DOS, Version 2.0 and later, the addresses I'll be using + are from PC-DOS 3.1. Other versions of PC-DOS(or MS-DOS) will + have different addresses; you should be absolutely certain + that you're using the correct addresses.) + + Load COMMAND.COM into DEBUG: + + DEBUG COMMAND.COM + + and do an R (Registers) command. The size of COMMAND.COM is + in register CX. 
For DOS 3.1's COMMAND.COM, this value is + 5AAA. + + Now do Search command to look for the CD 10 bytes: + + S 100 L 5AAA CD 10 + + You'll get a list of six addresses, all clustered close to- + + 4 + gether. The first one is 261D. You can now pick an address a + little before that (to see what the first call is doing) and + start disassembling: + + U 261B + + The first INT 10 has AH set to 0F which is a Current Video + State call. The code checks if the returned value of AL + (Which is the video mode) is less than 3 or equal to 7. + These are the text modes. If so, it branches to 262C. If + not, it just resets the video mode with another INT 10 at ad- + dress 2629. + + At 262C, the code first sets the border black (the INT 10 + at 2630), then does another Current Video State call (at + 2634) to get the screen width in register AH. It uses infor- + mation from this call to set DX equal to the bottom right row + and column. It then clears the screen by scrolling the en- + tire screen up with another INT 10 (at 2645), and then sets + the cursor to the zeroth row and zeroth column with the final + INT 10 (at 264D). + + When it scrolls the whole screen, the zero value in AL ac- + tually means blank the screen, the value of BH is the at- + tribute to be used on the blanked area. In an unmodified + COMMAND.COM, BH is set to 7 (Which is white on black) by the + following statement at address 2640: + + MOV BX,0700 + + If you prefer a yellow-on-blue attribute (1E), you can + change this line by going into Assemble mode by entering: + + A + + then entering + + MOV BX,1E00 + + and exiting Assemble mode by entering a blank line. + + Now you can save the modified file: + + W + + and quit DEBUG: + + Q + + When you load the new version of COMMAND.COM (and you can + do so without rebooting by just entering: + + COMMAND + + + 5 + on the DOS command level), a CLS will turn the screen blue + and display characters as yellow. 
+ + If it doesn't or if anything you type shows up as white on + black, that probably means you have ANSI.SYS loaded. If you + use ANSI.SYS, you don't have to make this patch but can in- + stead use the prompt command for coloring the screen. + + END. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 6 + ------------------------------------------------------------- + That was just one section of a very large article that helped + me to get started. Next we'll look at two other articles, + both written by Buckaroo Banzi. These two articles CRACK-1 + and CRACK-2 give you an introduction to the different copy + protection schemes used on IBM PC's, and how to find and by- + pass them. + ------------------------------------------------------------- + + + + By: Buckaroo Banzai + Title: Cracking On the IBM PC Part I + + + Introduction + ------------ + For years, I have seen cracking tutorials for the APPLE + computers, but never have I seen one for the PC. I have de- + cided to try to write this series to help that pirate move up + a level to a crackest. + + In this part, I will cover what happens with INT 13 and how + most copy protection schemes will use it. I strongly suggest + a knowledge of Assembler (M/L) and how to use DEBUG. These + will be an important figure in cracking anything. + + + INT-13 - An overview + -------------------- + + Many copy protection schemes use the disk interrupt + (INT-13). INT-13 is often use to either try to read in a il- + legally formatted track/sector or to write/format a + track/sector that has been damaged in some way. + + INT-13 is called like any normal interrupt with the assem- + bler command INT 13 (CD 13). [AH] is used to select which + command to be used, with most of the other registers used for + data. + + INT-13 Cracking College + ----------------------- + Although, INT-13 is used in almost all protection schemes, + the easiest to crack is the DOS file. 
Now the protected pro- + gram might use INT-13 to load some other data from a normal + track/sector on a disk, so it is important to determine which + tracks/sectors are important to the protection scheme. I + have found the best way to do this is to use LOCKSMITH/pc + (what, you don't have LS. Contact your local pirate for it.) + + Use LS to analyze the diskette. Write down any track/sector + that seems abnormal. These track are must likely are part of + the protection routine. Now, we must enter debug. Load in + + 7 + the file execute a search for CD 13. Record any address + show. + + If no address are picked up, this mean 1 or 2 things, the + program is not copy protected (right...) or that the check is + in an other part of the program not yet loaded. The latter + being a real hassle to find, so I'll cover it in part II. + There is another choice. The CD 13 might be hidden in self + changing code. Here is what a sector of hidden code might + look like + + -U CS:0000 + 1B00:0000 31DB XOR BX,BX + 1B00:0002 8EDB MOV DS,BX + 1B00:0004 BB0D00 MOV BX,000D + 1B00:0007 8A07 MOV AL,[BX] + 1B00:0009 3412 XOR AL,12 + 1B00:000B 8807 MOV [BX],AL + 1B00:000D DF13 FIST WORD... + + In this section of code, [AL] is set to DF at location + 1B00:0007. When you XOR DF and 12, you would get a CD(hex) + for the INT opcode which is placed right next to a 13 ie, + giving you CD13 or INT-13. This type of code can't and will + not be found using debug's [S]earch command. + + + + Finding Hidden INT-13s + ---------------------- + + The way I find best to find hidden INT-13s, is to use a + program called PC-WATCH (TRAP13 works well also). This pro- + gram traps the interrupts and will print where they were + called from. Once running this, you can just disassemble + around the address until you find code that look like it is + setting up the disk interrupt. + + An other way to decode the INT-13 is to use debug's [G]o + command. 
Just set a breakpoint at the address give by + PC-WATCH (both programs give the return address). Ie, -G + CS:000F (see code above). When debug stops, you will have + encoded not only the INT-13 but anything else leading up to + it. + + + What to do once you find INT-13 + ------------------------------- + + Once you find the INT-13, the hard part for the most part + is over. All that is left to do is to fool the computer in + to thinking the protection has been found. To find out what + the computer is looking for, examine the code right after the + INT-13. Look for any branches having to do with the + + 8 + CARRYFLAG or any CMP to the AH register. If a JNE or JC + (etc) occurs, then [U]nassembe the address listed with the + jump. If it is a CMP then just read on. + + Here you must decide if the program was looking for a pro- + tected track or just a normal track. If it has a CMP AH,0 + and it has read in a protected track, it can be assumed that + it was looking to see if the program had successfully com- + plete the READ/FORMAT of that track and that the disk had + been copied thus JMPing back to DOS (usually). If this is + the case, Just NOP the bytes for the CMP and the correspond- + ing JMP. + + If the program just checked for the carry flag to be set, + and it isn't, then the program usually assumes that the disk + has been copied. Examine the following code + + INT 13 <-- Read in the Sector + JC 1B00 <-- Protection found + INT 19 <-- Reboot + 1B00 (rest of program) + + The program carries out the INT and find an error (the il- + legally formatted sector) so the carry flag is set. The com- + puter, at the next instruction, see that the carry flag is + set and know that the protection has not been breached. In + this case, to fool the computer, just change the "JC 1B00" to + a "JMP 1B00" thus defeating the protection scheme. 
+ + NOTE: the PROTECTION ROUTINE might be found in more than just + 1 part of the program + + + Handling EXE files + ------------------ + + As we all know, Debug can read .EXE files but cannot write + them. To get around this, load and go about cracking the + program as usual. When the protection scheme has been found + and tested, record (use the debug [D]ump command) to save + & + - 10 bytes of the code around the INT 13. Exit back to dos + and rename the file to a .ZAP (any extension but .EXE will + do) and reloading with debug. Search the program for the 20+ + bytes surrounding the code and record the address found. + Then just load this section and edit it like normal. Save + the file and exit back to dos. Rename it back to the .EXE + file and it should be cracked. + + ***NOTE: Sometimes you have to play around with it for a + while to make it work. + + + + + + 9 + DISK I/O (INT-13) + ----------------- + This interrupt uses the AH resister to select the function + to be used. Here is a chart describing the interrupt. + + AH=0 Reset Disk + AH=1 Read the Status of the Disk + system in to AL + + AL Error + ---------------------------- + 00 - Successful + 01 - Bad command given to INT + *02 - Address mark not found + 03 - write attempted on write protected disk + *04 - request sector not found + 08 - DMA overrun + 09 - attempt to cross DMA boundary + *10 - bad CRC on disk read + 20 - controller has failed + 40 - seek operation failed + 80 - attachment failed + (* denotes most used in copy protection) + AH=2 Read Sectors + + input + DL = Drive number (0-3) + DH = Head number (0or1) + CH = Track number + CL = Sector number + AL = # of sectors to read + ES:BX = load address + output + AH =error number (see above) + [Carry Flag Set] + AL = # of sectors read + + AH=3 Write (params. as above) + AH=4 Verify (params. as above -ES:BX) + AH=5 Format (params. 
as above -CL,AL + ES:BX points to format + Table) + + ------------------------------------------------------------ + For more information on INT-13 refer to appendix A. + ------------------------------------------------------------ + + END. + + + + + + + + 10 + ------------------------------------------------------------- + In part II, Buck cover's Calls to INT-13 and INT-13 that are + located in different overlays of the program. This is a + method that is used often. + ------------------------------------------------------------- + + + Cracking Tutorial II. + + By: Buckaroo Banzai + Title: Cracking On the IBM PC Part II + + + Introduction + ------------ + + OK guys, you now passed out of Copy Class 101 (dos files) + and have this great new game with overlays. How do I crack + this one. You scanned the entire .EXE file for the CD 13 and + it's nowhere. Where can it be you ask yourself. + + In part II, I'll cover cracking Overlays and the use of + locksmith in cracking. If you haven't read part I, then I + suggest you do so. The 2 files go together. + + + Looking for Overlays + -------------------- + So, you cant find CD 13 in the .EXE file, well, it can mean + 4 things. + + 1: The .EXE (though it is mostly .COM) file is just a + loader for the main file. + + 2: The .EXE file loads in an overlay. + + 3: The CD 13 is encrypted &/or hidden in the .EXE file. + + 4: Your looking at the WRONG file. + + + I won't discuss case 1 (or at least no here) because so + many UNP files are devoted to PROLOCK a + diff --git a/textfiles.com/piracy/CRACKING/crak2.txt b/textfiles.com/piracy/CRACKING/crak2.txt new file mode 100644 index 00000000..69db8ac0 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/crak2.txt 
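Review bot: this file ends mid-sentence ("many UNP files are devoted to PROLOCK a") even though the hunk header declares the whole 436-line file, so the truncation is in the archived source rather than in this import; please state that in the commit message so a later contributor does not try to "complete" it from memory. A smaller archival point in the same hunk: the bare page-number lines ("4", "5", "6", ...) that sit between paragraphs are print-layout residue from the original text, not diff noise, and belong in the file as found.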
@@ -0,0 +1,510 @@ + Example Cracks + + + + ------------------------------------------------------------- + OK, now let's put some of this information into practice by + examining a few cracks of some common programs. First we'll + look at a Crack for Mean-18 Golf by Accolade. Accolade has + been one of those companies that has a fervent belief in Copy + Protection. + ------------------------------------------------------------- + + + + + Title: MEAN-18 UnProtect For CGA/EGA Version + + + This crack works by eliminating the code that tests for known + bad sectors on the original diskette to see if it is the + genuine article or an illegal copy. The code begins with an + INT 13 (CD 13 HEX), a DOS BIOS disk service routine followed + a few bytes later by another INT 13 instruction. The program + then checks the returned value for the bit configuration that + signifies the bad sectors and, if all is as expected, contin- + ues on with program execution. + + The code that needs to be patched is in the GOLF.EXE file and + in the ARCH.EXE file. It is identical in both files and lies + near the end of each file. + + In the following steps, you'll locate the start of the test + code and patch it by replacing it with NOP instructions (HEX + 90). The method described uses the DOS DEBUG utility but + Norton's Utility (NU) works too. + + Copy all of the files from the MEAN-18 disk onto a fresh + floppy using the DOS COPY command and place your original + diskette out of harm's way. + + Assuming DEBUG is in the A: drive and the floppy containing + the files to be unlocked is in the B: drive , proceed as fol- + lows: + + First REName the GOLF.EXE file so it has a different + EXTension other than .EXE. + + REN GOLF.EXE GOLF.DEB + + + Next load the file GOLF.DEB into DEBUG and displays the "-" + DEBUG prompt. 
+ + A:> DEBUG B:GOLF.EXE + + 13 + Search for the beginning of the code to be patched by typing: + + + - S CS:100 FFFF CD 13 + + Searches the file for the two byte INT 13 instruction. If + all goes well, two addresses should appear on the screen. + + XXXX:019C + XXXX:01A8 + + XXXX indicates that the numbers preceeding the ":" vary from + system to system but the numbers following the ":" are the + same on all systems. + + The next step is to use the "U" command as indicated to + un-assemble a few bytes in order to verify your position in + the file) + + - U CS:019C + + (Un-assembles 32 bytes of code. Verify the following se- + quence of instructions: + + INT 13 + JB 01E9 + MOV AL,[BX+01FF] + PUSH AX + MOV AX,0201 + INT 13 + POP AX + JB 01E9 + CMP AL,F7 + JNZ 01B5 + + These are the instructions you'll be patching out in the fol- + lowing step) + + - A CS:019C + + This command assembles the new instructions you enter at the + keyboard into the addresses shown. Beginning at CS:019C, and + for the next 21 bytes, ending with and including CS:01B0, en- + ter the no op command "NOP" (90h) followed by a or + . Just hit at address XXXX:01B1 to end the + assemble command.) + + XXXX:019C NOP + XXXX:019D NOP + . + . + . + XXXX:01AE NOP + XXXX:01AF NOP + + 14 + XXXX:01B0 NOP + XXXX:01B1 + + This just wipes out the section of code containing the INT 13 + check. + + Now do a HEX dump and verify that bytes 019C through 01B0 + have been set to 90 HEX. + + - D CS:019C + + If they have, write the patched file to the disk as follows) + + - W + + This writes the patched file back to the + + disk where it can be run by typing GOLF just as before but + now, it can be run from any drive, including the hard + drive) + + Now just [Q]uit or exit back to DOS. This command can be ex- + ecuted at any "-" DEBUG prompt if you get lost. No modifica- + tion will be made to the file on the disk until you issue the + "W" command. 
+ + - Q + + The process is the same for the ARCH.EXE file but because it + is a different length, the segment address, (XXXX part of the + address), will be different. You should find the first INT + 13 instruction at address XXXX:019C and the second one at + XXXX:01A8 as before. + + You will again be patching 21 bytes and you will start with + 019C and end with 01B0 as before. After doing the HEX dump + starting at address 019C, you again write the file back to + the disk with a "W" command then "Q" uit. + + Norton's utilities can also be used to make this patch. Be- + gin by searcing the GOLF.EXE or ARCH.EXE files for the two + byte combination CD 13 (remember to enter these as HEX + bytes). Once located, change the 21 bytes, starting with the + first "CD" byte, to 90 (a NOP instruction). As a check that + you are in the right place, the byte sequence in both files + is CD 13 72 49 8A 87 FF 01 50 B8 01 02 CD 13 58 72 3C 3C F7 + 75 04. After modifying the bytes, write the modified file + back to the disk. It can then be run from any drive. + + END. + + + + + + + 15 + ------------------------------------------------------------ + That was the first the tutorial cracks, here's another crack + based on the same ideas but using Norton's Utilities instead. + The following is an unprotect method for Eypx Submarine. + Eypx is another one of those companies bent on protecting the + world. + ------------------------------------------------------------ + + + By: Assembler Magic + Title: EPYX Submarine Unprotect + + + You will only need to make one modification to the main + executable program of Submarine, SUB.EXE. I will assume that + your computer has a hard disk and that you have a path to + DOS. It's time to fire up DEBUG as follows: + + DEBUG SUB.EXE + + The computer should respond with a "-" prompt. Now look at + the registers, just to make sure everything came up okay. + Type the letter "R" immediately after the prompt. 
The com- + puter should respond with a few lines of info as follows: + + AX=0000 BX=0001 CX=6103 DX=0000 SP=0080 BP=0000 SI=0000 + DI=0000 DS=12CE ES=12CE SS=37B2 CS=27FC IP=0010 NV UP EI PL + NZ NA PO NC + 27FC:0010 8CC0 MOV AX,ES + - + + Note the value of CS is "27FC". That is the hexadecimal + segment address for the beginning of the program code in your + computer's memory. It is highly probable that the value you + see for CS will differ from mine. Whatever it is, write it + down. Also, the values you see for DS, ES and SS will almost + certainly differ from mine and should not cause you concern. + The other registers should show the same values mine do, and + the flags should start with the same values. + + Next, we will do a search for Interrupt 13's. These are + BIOS (not DOS) Interrupts built into the program which are + used to ensure that the original disk is being used to run + the program. The whole key to this unprotect scheme is to by- + pass these Interrupts in the program code. The tricky part + of this unprotect is to find them! They are not in the seg- + ment of program code starting at the value of CS equal to + "27FC". They are closer to the beginning of the program in + memory. Easy enough! Reset the value of CS to equal the + value of DS as follows; type immediately after Debug's "-" + prompt: + + RCS + + + 16 + Debug will prompt you for the new value of CS with: + + CS:27FC: + + You respond by typing the value of DS you saw when you + dumped the registers the first time. For example, I typed + "12CE". The value you type will be different. Debug + will again respond with the "-" prompt which means we are + ready to do our search. Type in the following after the "-" + prompt: + + S CS:0 FFFF CD 13 + + The computer should respond with three lines of information + which are the addresses of the three Interrupt 13 calls built + into the program. The first four digits are the segment ad- + dress and will equal to the value of CS you have just set. 
+ The second four digits following the colon are the offset ad- + dresses which are of primary interest to us. On my machine + they came back as follows: + + 12CE:4307 + 12CE:431F + 12CE:4335 + + The segment addresses will be identical and the three off- + set addresses should all be relatively close together. Now + look at the first offset address. (As you can see, mine was + "4307".) Write it down. Now we do a bit of Unassembly. + + Type "U4307" which is the letter "U", followed immedi- + ately (with no blank spaces) by whatever your first offset + address turned out to be, followed by a carriage return. If + you are not familiar with unassembled machine code, it will + look like lines of gibberish as follows: + + 12CE:4307 CD13 INT 13 + 12CE:4309 4F DEC DI + 12CE:430A 744C JZ 4358 + . + . + 12CE:431F CD13 INT 13 + 12CE:4321 4F DEC DI + . + . + 12CE:4324 BF0400 MOV DI,0004 + 12CE:4326 B80102 MOV AX,0201 + + In my computer, Unassemble will automatically output 16 + lines of code to the screen. Yours may differ. Note, in the + abbreviated list I have shown above, the addresses at the be- + ginning of the two lines which contain the Interrupt 13's + (INT 13) correspond to the first two addresses we found in + our search. Now we continue the unassemble, and here comes + + 17 + another tricky part. Just type in "U" after the "-" + prompt. + + You'll get sixteen more lines of code with the third Inter- + rupt 13 on a line which begins with the address (CS):4335 if + you have the same version of Submarine as I do. It's not + terribly important to this exercise, but it will at + least show you that things are proceeding okay. Now type in + "U" again after the prompt. You are now looking for + three key lines of code. On my program they appear as fol- + lows: + + 12CE:4335 07 POP ES + 12CE:4356 5D POP BP + 12CE:4357 CB RETF + + The true key is the instruction "POP ES". 
This instruction + begins the normal return sequence after the program has ex- + ecuted its Interrupt 13 instructions and accompanying checks. + If Debug on your machine prints fewer than 16 lines of code + at a shot, you may have to type in "U" more than twice at the + "-" to find these instructions. (If you haven't found any of + this stuff, either get help on the use of Debug or go back to + using your diskette version!) Write down the offset address + of the "POP ES" instruction; the four digits following the + colon, which in my example is "4354". You're well on your + way now, so please persevere. + + The next step is to modify the program to JUMP around the + code which executes the Interrupt 13's and go immediately to + the instruction which begins the normal return sequence + (again, it's the "POP ES". Type in the following instruc- + tions carefully: + + A4307 + + This first bit tells Debug that new Assembler code will be + inserted at the address of the first Interrupt 13. If your + first Interrupt 13 is at an address other that "4307", use + the correct address, not mine. The computer will prompt you + + with the address: + + 12CE:4307 + + After which you will immediately type: + + JMP 4354 + + This instruction jumps the program immediately to the normal + return code instructions. Again, at the risk of being redun- + dant, if your "POP ES" instruction is at a different address, + use that address, not "4354"! + + The computer will prompt you with the address of the next in- + + 18 + struction if all went well. MAKE SURE you just hit the + carriage return at this point. Debug will then return the + familiar "-" prompt. + + Now it's time to examine your handiwork. Let's do the + unassemble again starting at the address of what had been the + first Interrupt 13 instruction, but which is now the Jump in- + struction. Type in "U4307" or "U" followed by the appro- + priate address and a carriage return. 
The first line begin- + ning with the address should appear as follows: + + 12CE:4307 EB4B JMP 4354 + + The key here is the four bytes immediately following the ad- + dress. In my example they are "EB4B". Yours may not be. + But, they are VERY IMPORTANT because they represent the ac- + tual machine code which is the Jump instruction. WRITE THESE + FOUR BYTES DOWN AND MAKE SURE THEY ARE CORRECT. + + Now if you want to have some fun before we go on, reset + register CS to its original value by first typing "RCS" + at the "-" prompt. Then type in the original value of CS + that I asked you to write down. Using my example, I typed + "27FC". Next, you will type "G" after the "-" prompt + which means GO! If all went well, SUB should run at this + point. At least it will if you put all of the Submarine + files onto the diskette or into the hard disk subdirectory + where youre working. If it didn't run, you may have made an + error. Check through what you have done. + + Don't give up at this point if it does not run. Your version + of Debug may simply have not tolerated our shenanigans. When + you are done playing, quit Submarine ("Alt-Q") and type a + "Q" after the Debug prompt "-" appears. + + Now comes the tough part. I can't walk you through this + phase in complete detail, because you may be using one of + several programs available to modify the contents of SUB.EXE. + Debug is not the way to go, because it can't write out .EXE + files, only .COM files. + + ------------------------------------------------------------- + Note: Another method of doing this is to REName the SUB.EXE + file so it has a different extension other than .EXE before + you enter DEBUG. That way after you've made the change you + can then [W]rite then changes out to the file right in DEBUG. + Then one drawback is that you can't run the program in DEBUG + once you've changed the name. 
+ ------------------------------------------------------------- + + You have to get into your sector modification package (NORTON + works good) and work on the SUB.EXE file on your new diskette + or your hard disk. Remember, I warned you that doing this on + your hard disk is dangerous if you are not fully aware of + + 19 + what you are doing. So, IF YOU MESS UP, it's YOUR OWN FAULT! + + You are looking for the first occurrence of an Interrupt 13 + (the "CD 13") using the search facility in your program. If + you don't have the ability to search for the two-byte hexa- + decimal code "CD 13" directly, then you will have to manually + search. + + ------------------------------------------------------------- + Note: Norton 4.x now has a search utility. When you get to + the point of typing in the search text, just press the TAB + key, and you can type in the actual hexadecimal code "CD 13". + ------------------------------------------------------------- + + Start at the beginning of SUB.EXE and proceed. Again, you + want to find the first of the three (first from the beginning + of the program). + + I will give you a hint. I found it in NORTON at location + 4407 hexadecimal which is location 17,415 decimal in the + SUB.EXE program file. DOS standard sectors are 512 decimal + bytes. Replace the two bytes "CD 13" with the "EB 4B" or + whatever your Jump instruction turned out to be. Write or + save the modified file. + + That's ALL there is to modifying SUB.EXE. You can go ahead + and execute your program. If you have followed my instruc- + tions, it should run fine. Get help if it doesn't. Now, you + should be all set. You can load onto your hard disk, if you + haven't already. You can run it from a RAM disk using a BAT + file if you really want it to hum. Or, if you have the fa- + cilities, you can copy it from 5-1/4" floppy to 3-1/2" dis- + kette and run it on machines which accept that medium if you + upgrade to a new computer. + + END. 
+ 20 + ------------------------------------------------------------- + Now let's take a look at a newer crack on the program, Space + Station Oblivion by Eypx. At a first [S]earch with Debug and + Norton's Utility no CD 13's could be found, and yet it was + using them... So a different approach had to be taken... + ------------------------------------------------------------- + + + By: PTL + Title: Space Station Oblivion Crack + + + First of all, you must determine which file the INT 13's are + in, in this case it had to be the file OBLIVION.EXE since it + was the main program and probably contained the INT 13's. So + then rename it to a different EXTension and load it into De- + bug. + + Then do a [S]earch for INT 13's. + + -S 100 FFFF CD 13 + + Which will promptly turned up nothing. Hmmm... + + Next you might decide that, maybe, the code was modifying it- + self. So quit from Debug and load up PC-Watch, include all + the INT 13 Calls. For those of you not familiar with + PC-Watch, it is a memory resident program that can be set to + look for any type of BIOS call. When that call is made + PC-Watch prints to the screen the contents of all the regis- + ters and the current memory location that the call was made + from. + + After PC-Watch is initialized, then run the OBLIVION.EXE file + from the hard disk, leaving the floppy drive door open, and + sure enough, when the red light comes on in the diskette + drive, PC-Watch will report the address's of some INT 13 + calls. Which you should then write down. + + From there, quit the game, reboot, (To dump PC-Watch from + memory) and load the OBLIVION.EXE into Debug and issue a [G]o + command with a breakpoint. What address should you use for a + breakpoint? You guessed it, the same address PC-Watch gives + you. + + Well, it locked up did'nt it? Which is quite common in this + line of work so don't let that discourage you. 
So next re- + loaded it into debug and this time [U]nassemble the address + that you got from PC-Watch. But instead of finding the INT + 13's you'll find harmless INT 21's. + + Hmm... could it be that the program was converting the CD + 21's to CD 13's during the run? Well, to test the idea as- + semble an INT 20 (Program Terminate) right after the first + + 21 + INT 21. Then I run the program, and yes immediately after the + red light comes on the drive, the program will terminate nor- + mally. + + Then [U]nassemble that same area of memory, and low and be- + hold, some of the INT 21's have magically turned into INT + 13's. How clever... + + So, then it is just a matter of locating the address of the + routine that it jumped (JMP) to if the correct disk was found + in drive A:. Once you have that address, just go to the + start of all this nonsense and [A]ssemble a JMP XXXX command. + Where XXXX was the address to jump to if the original disk + was in drive A:. + + Then just [W]rite the file back out to the disk and [Q]uit + debug, and then REName the file back to OBLIVION.EXE + afterwhich it should work fine. + + + END. + + diff --git a/textfiles.com/piracy/CRACKING/crak4.txt b/textfiles.com/piracy/CRACKING/crak4.txt new file mode 100644 index 00000000..5b74c242 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/crak4.txt 
@@ -0,0 +1,287 @@ + +Chapter 4 Cracking Self Booters + + + + ------------------------------------------------------------- + Now we'll take a look at cracking self booters. A few compa- + nies have found this to be the best copy protection scheme + for them, one of which is DataEast, makers of Ikari Warriors, + Victory Road, Lock-On, Karnov, etc... This posses a special + problem to the Amateur Cracker, since they seldom use stan- + dard DOS formats. So let's jump right in! + ------------------------------------------------------------- + + + This is the area where a "Higher than Normal" knowledge of + Assembly Language and DOS Diskette structures, so first of + all, the Basic's. + + + The Disk's Physical Structure + + Data is recorded on a disk in a series of concentric circles, + called Tracks. Each track if further divided into segments, + called Sectors. The standard double-density drives can + record 40 tracks of data, while the new quad-density drives + can record 80 tracks. + + However, the location, size, and number of the sectors within + a track are under software control. This is why the PC's + diskettes are known as soft-sectored. The characteristics of + a diskette's sectors (Their size, and the number per track) + are set when each track is formatted. Disk Formatting can be + done either by the operating system or by the ROM-BIOS format + service. A lot of self booters and almost all forms of copy + protection create unusual formats via the ROM-BIOS diskette + services. + + The 5 1/4-inch diskettes supported by the standard PC BIOS + may have sectors that are 128,256,512, or 1,024 bytes in + size. DOS, from versions 1.00 through 4.01 has consistently + used sectors of 512 bytes, and it is quite possible that this + will continue. 
+ + Here is a table displaying 6 of the most common disk formats: + _____________________________________________________________ + + Type Sides Sectors Tracks Size(bytes) + _____________________________________________________________ + + S-8 1 8 40 160K + D-8 2 8 40 320K + S-9 1 9 40 180K + D-9 2 9 40 360K + QD-9 2 9 80 720K + QD-15 2 15 80 1,200K + _____________________________________________________________ + + + + S - Single Density + D - Double Density + QD - Quad Density + + Of all these basic formats, only two are in widespread use: + S-8 and D-9. The newer Quad Density formats are for the 3 + 1/2" and 5 1/4" high density diskettes. + + + The Disk's Logical Structure + + So, as we have already mentioned, the 5 1/4-inch diskette + formats have 40 tracks, numbered from 0 (the outside track) + through 39 (the inside track, closest to the center). On a + double sided diskette, the two sides are numbered 0 and 1 + (the two recording heads of a double-sided disk drive are + also numbered 0 and 1). + + The BIOS locates the sectors on a disk by a three-dimensional + coordinate composed of a track number (also referred to as + the cylinder number), a side number (also called the head + number), and a sector number. DOS, on the other hand, lo- + cates information by sector number, and numbers the sectors + sequentially from the outside to inside. + + We can refer to particular sectors either by their + three-dimensional coordinates or by their sequential order. + All ROM-BIOS operations use the three-dimensional coordinates + to locate a sector. All DOS operations and tools such as DE- + BUG use the DOS sequential notation. 
+ + The BASIC formula that converts the three-dimensional coordi- + nates used by the ROM-BIOS to the sequential sector numbers + used by DOS is as follows: + + DOS.SECTOR.NUMBER = (BIOS.SECTOR - 1) + DIOS.SIDE + * SECTORS.PER.SIDE + BIOS.TRACK * SECTORS.PER.SIDE + * SIDES.PER.DISK + + And here are the formulas for converting sequential sector + numbers to three-dimensional coordinates: + + BIOS.SECTOR = 1 + DOS.SECTOR.NUMBER MOD SECTORS.PER.SIDE + BIOS.SIDE = (DOS.SECTOR.NUMBER \ SECTORS.PER.SIDE) + MOD SIDE.PER.DISK + BIOS.TRACK = DOS.SECTOR.NUMBER \ (SECTORS.PER.SIDE + * SIDES.PER.DISK) + + (Note: For double-sided nine-sector diskettes, the PC's + most common disk format, the value of SECTORS.PER.SIDE + is 9 and the value of SIDES.PER.DISK is 2. Also note + that sides and tracks are numbered differently in the + ROM-BIOS numbering system: The sides and tracks are num- + bered from 0, but the sectors are numbered from 1.) + + Diskette Space Allocation + + The formatting process divides the sectors on a disk into + four sections, for four different uses. The sections, in the + order they are stored, are the boot record, the file alloca- + tion table (FAT), the directory, and the data space. The + size of each section varies between formats, but the struc- + ture and the order of the sections don't vary. + + The Boot Record: + + This section is always a single sector located at sector + 1 of track 0, side 0. The boot record contains, among other + things, a short program to start the process of loading the + operating system on it. All diskettes have the boot record + on them even if they don't have the operating system. Asisde + from the start-up program, the exact contents of the boot + record vary from format to format. + + The File Allocation Table: + + The FAT follows the boot record, usually starting at + sector 2 of track 0, side 0. The FAT contains the official + record of the disk's format and maps out the location of the + sectors used by the disk files. 
DOS uses the FAT to keep a + record of the data-space usage. Each entry in the table con- + tains a specific code to indicate what space is being used, + what space is available, and what space is unusable (Due to + defects on the disk). + + The File Directory: + + The file directory is the next item on the disk. It is + used as a table of contents, identifying each file on the + disk with a directory entry that contains several pieces of + information, including the file's name and size. One part of + the entry is a number that points to the first group of sec- + tors used by the file (this number is also the first entry + for this file in the FAT). + + The Data Space: + + Occupies the bulk of the diskette (from the directory + through the last sector), is used to store data, while the + other three sections are used to support the data space. + Sectors in the data space are allocated to files on an + as-needed basis, in units known as clusters. The clusters + are one sector long and on double-sided diskettes, they are a + pair of adjacent sectors. + + + + (From here on I'll continue to describe the basics of DOS + disk structures, and assembly language addressing technics. + + + ------------------------------------------------------------- + Here is a simple routine to just make a backup copy of the + Flight Simulator Version 1.0 by Microsoft. I know the latest + version is 3.x but this version will serve the purpose of + demonstrating how to access the data and program files of a + selfbooter. + ------------------------------------------------------------- + + + By: PTL + Title: Microsoft Flight Simulator 1.00 Unprotect + + + This procedure will NOT convert the Flight Simulator disk to + files that can be loaded on a hard drive. But... it will + read off the data from the original and put it onto another + floppy. And this should give you an idea of how to read data + directly from a disk and write it back out to another disk. 
+ + First of all take UNFORMATTED disk and place it in drive B:. + This will be the target disk. + + Now place your DOS disk (which has Debug) into drive A:, or + just load Debug off you hard disk. + + A>DEBUG + + Then we are going to enter (manually) a little program to + load the FS files off the disk. + + -E CS:0000 B9 01 00 BA 01 00 BB 00 + 01 0E 07 06 1F 88 E8 53 + 5F AA 83 C7 03 81 FF 1C + 01 76 F6 B8 08 05 CD 13 + 73 01 90 FE C5 80 FD 0C + 76 E1 90 CD 20 + + -E CS:0100 00 00 01 02 00 00 02 02 00 00 03 02 + 00 00 04 02 00 00 05 02 00 00 06 02 + 00 00 07 02 00 00 08 02 + + Next we'll [R]eset the IP Register by typing. + + -R IP + + And then typing four zeros after the address prefix. + + xxxx:0000 + + Next insert the original Flight Simulator disk into drive A: + and we'll run our little loader. + + -G =CS:0000 CS:22 CS:2A + + Now enter a new address to load from. + + -E CS:02 0E + -E CS:27 19 + + And run the Loader again. + + -G =CS:0000 CS:22 CS:2A + + New address + + -E CS:02 27 + -E CS:27 27 + + Run Loader + + -G =CS:0000 CS:22 CS:2A + + Here we'll do some [L]oading directly from the disk our- + selves. + + -L DS:0000 0 0 40 + + And the in turn, write it back out to the B: (1) drive + + -W DS:0000 1 0 40 + + Etc... + + -L DS:0000 0 40 28 + -W DS:0000 1 70 30 + -L DS:0000 0 A0 30 + -W DS:0000 1 A0 30 + -L DS:0000 0 138 8 + -W DS:0000 1 138 8 + + When we are all through, [Q]uit from debug and you should + have a backup copy of the Flight Simulator. + + -Q + + And that's all there is to it. + + END. + + + + + + /////////////////////////////////////////////////////// + // The PIRATES' HOLLOW // + // 415-236-2371 // + // over 12 Megs of Elite Text Files // + // ROR-ALUCARD // + // Sysop: Doctor Murdock // + // C0-Sysops: That One, Sir Death, Sid Gnarly & Finn // + // // + // "The Gates of Hell are open night and day; // + // Smooth is the Descent, and Easy is the way.." // + /////////////////////////////////////////////////////// + + 
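Review bot: The sector-mapping formulas in the crak4.txt hunk contain naming errors that make them read as unrelated variables: "DIOS.SIDE" should match the "BIOS.SIDE" used in the inverse formula, and "SIDE.PER.DISK" should match "SIDES.PER.DISK" used two lines later; the BASIC precedence (multiplication before addition) is also the only thing keeping the first formula correct, which is worth stating since the layout breaks it across three lines. The diskette-structure prose has the same kind of slip ("Asisde", "technics", "searcing"), and the section ends with an open parenthesis "(From here on I'll continue to describe ..." that is never closed. The closing BBS banner with a phone number and sysop handles is part of the original file, but if this import is meant to be indexed, the commit message should identify the source collection and note that the formulas are reproduced with their original typos.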
diff --git a/textfiles.com/piracy/CRACKING/crakhand.txt b/textfiles.com/piracy/CRACKING/crakhand.txt new file mode 100644 index 00000000..f7efff57 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/crakhand.txt 
@@ -0,0 +1,635 @@ +r57 + + + +1 + + + +R13 + +************************ + * The Cracker Handbook * + ************************ + + by DARTH WADER + Lord of the SITH + +--------------------------------------- +This Handbook will permit you to crack +a game in a few "easy" steps. + +The protection that I am going to deal +with are from the most trivial to the +most complicated mind-boggling ... + + ok, fasten you seat belts + and let's go ... + +--------------------------------------- + +Basic material to have : + +*2 monitors: 1 loading at $c000:49152 + 1 loading at lower in ram + (so you have virtually a monitor to + disassemble everything in mem : if + you have a machine language +(m.l.)prg + that loads at $c000 then you could + use the monitor that is loaded + between the adress $0801 and $a000 + and not be bothered to load and + relocate it somewhere else where it + will not damage the functionning of + the monitor.). +-The ultimate monitor is the one furni + shed with the Final Cartridge, you +can + disassemble from $0000 to $ffff + without any fears and tears.(the moni + tor resides outside the normal cbm + rom/ram system ) +- The monitors on other cartridges are + are using memory and will overwrite + any program placed at the same +adress + than them ... so : no good .... + +*Programming the Commodore 64: it has + an expanded Kernal routines list with + a complete list of how to use it. + and a list of Unlisted M.L. opcodes. + (the title of the book sounds +childish + ,not the contents...) +*Mapping the c-64: may be a plus but +is + optional. + +the 2 previous books are important +sincethey not only list all the INFOS +(zero +page adresses,what they are, all the +stuff used by the internal system AND +they give an explication of their use +: not a 1 line explication, but a very +precise explication from 3 lines to 5 +pages .... definitely an asset to +have. + +--------------------------------------- +let's go cracking !!! 
+--------------------------------------- + +1) the easiest : + +The companies that are using these +protection schemes must have been cut +from the world. such schemes are used +by SSI (yes IT) and few other but not +worth mentioning (the one that +produced +the shit game HUEY ...)(and I mean it) + +the protection are in Basic and hidden + +a)hidden directory: (SSI) + they play with the filenames:you do + a disk directory and suddenly +nothing + appear on the screen, no cursor,no + "ready"... and you say: My computer + is dead !!! naaahh, + just change the background color +with + poke 53281,1 and you will see the + + :what happened ? : they put in the + disk name some characters that will + change the character color of what + will be printed on the screen. + (like the trick with the REM +statement) -another trick is when you +do a list + and see only one file and ended by + some weird characters ::: + take a monitor, load it,run it and + look at the memory from $0800 + you will then see the COMPLETE dir. + what happened ? : when you do a disk + dir. you do a list to see it. the + list of the directory is treated +like + a basic program, it list whatever is + in memory until it sees 3 following + $00 bytes. The publisher have hidden + somewhere in one filename of the dir + 3 $00 bytes and so like in basic, it + will stop showiing what is after 'em + The monitor bypasses the Basic LIST + routine. You can have 100 following + $00 bytes, you still can look at +the + memory... + -the disk protection: in basic:it is + often a "block-read" and check for a + byte. if not corresponding then: bad + copy ... the basic program is really + easy to understand to crack so i +will + no explain it. ( you can bypass it + by putting a GOTO ... + + i.e: start of program + check disk + if bad disk then crash + else continue + let the game begin + + can be unlocked to be: + + start of prg. 
+ goto "continue" <-- + disk Protection + "continue" <-- + let the game begin + + -why not simply remove the disk prot. + instead of putting the goto ? + -The main program may later check if + the protection program is still +there + +- some of these protection reset the + disk loading vectors: preventing the + use of a fast loader ... + +practical example: Computer ambush: + :hidden directory and instaspeed +basic disk protection ..(a compiled +basic) + -copy all the files using "fast file + copY" (you get rid of the hidden +dir + protection). + - you can see 3 !!! boots : the +first + calls the second,the 2nd calls the + 3rd.... + all of them in basic or instaspeed + the protection is in the second +one + ok ... that's it, all one have to + do is to load the 3rd boot and +that + will do the trick ...(delete boot1 + and boot 2) rename boot 3 as boot + - to run the prg. load "boot",8:run + +--------------------------------------- +enough easy stuff !!! +--------------------------------------- + +2) the regular stuff : + +here are the few rules: +a) have an overview of the protection. +b) all the error checking are made by + way of kernal subroutine callings + so they are easy to recognise +c) THE MOST IMPORTANT: + Do not try to UNDERSTANT everything + you are disassembling. You WILL +lose + a lot of time understanding a prog. + subroutine that does NOT have + anything to do with the protection. + Or if you have found the protection + subroutine, FIND what the results +of + the subr. ARE. (in cracking ELITE, + what made me lose a LOTSA time was + that I was trying to understand how + LENSLOCK (you put a crystal on the + screen to find a code: no crystal + no code and then crash ....) + was working ... my mistake !!!! + +ok ,let's start ... + +first: always try to get the starting + loading adress and ending +adress + of everyfile on the disk. and + write them down... + use a monitor to do so or one +of + your utilities. 
+ ie: on ZOOM you do a + <-#filename and you get these + 2 adresses. + the most important adresses are the + one for the boot. get them ... + +there are 2 possible cases: + load and run automatically + load and you have to type run + +first case: + now lets say the starting address +is + $033c (use of hexadecimal is +easier) + ok, load your monitor: +try to load the boot while in monitor +the format is often: + .L "boot",08,starting adress found +in the example: + .L "boot",08,033c + now, after the loading of the boot, + the disk should stop and the +blinking cursor appear. + now dissassemble from the starting + address you found to the ending a + address you found. + you will see some garbage code,but + after a while,you can see coherent + code: have a kernal table near you + the format of a boot is like : + + load the first file + load the second file + ..... + load the last file + jump (goto) an adress... + + write down the adress where the + program booter goes to. + now you can modify the boot: + by putting a rts instead of the + jump address ... + in the following form : + load first + .... + load last + rts (is equivalent to END in +basic or STOP.) + +how? ok, here is a simulated monitor: + + .D 033c + ., 033c lda #$00 + ., ... (other +commands) + ., 0349 jmp $6000 + ., 034c + . + .A 0349 rts (same adress as the + jump) + +the Rts will overwrite the JMP $6000 + + if you want you can save the new +boot from the starting adress you +got + earlier to the ending ad. + .S "boot 2 ",08,start,ending +(the format may vary from mon to mon + +Why a RTS ? +so we still have the computer under +our +control, and we can disassemble after +all the important files having a role +in the protection have been loaded. +(you see the load have been +successfull +when the read light of the drive is +off +) sometimes a run/stop + restore is +required (these boots often switch off +basic...) (the final cartridge is +reallyhandy...) 
+ + +--------------------------------------- +Relocated coding technique +--------------------------------------- +If for any reason you want to load and +modify a program such a boot somewhere +safe like in the ram ($0800 to $a000), +then you have to do a transposition +table. +let say you have a boot that loads at +$033c , it is a good idea to load it +at $ 133c (in ram area) so if in the +boot there is a reference to : JSR +0339 +you could assume that it is equivalent +to JSR 1339 for your relocated prg. +do you see my point ? +the $133c area is your working area so +keep in mind that it will be loaded at +$033c , not $133c when you will really +load and play the super game you are +cracking (drug dealers give it such + a bad meaning ) ... +now save the new version of the prg +under a dif. name +(ex:test,booty,alpha..) +now get a disk editor:run it,look for +track 18 sector1 : the dir is saved + there. look for the file name you +just +saved if not found then look at the +first 2 bytes of the sector: they +represent the next sector of the disk +where the disk dir is stored .do that +until you +find something that looks like your +filename. +when you have found it:look at the 2 +bytes preceeding the filename: they +represent the track§or where the +frist block of hte file are stored on +the +disk. go to the track & sector. and +look at the 3rd and fourth byte: they +represent the loading adress of the +fileall you need to do is to change +them to +their original value: Lobyte/hibyte +in my exaple : I will see 3c 13 + I will change it to 3c 03 +easy .... now the program will load to +033c ... +that is it ... +this technique is used when some +protection programs are laoded in the +ram under the basic rom . + +That is it ... (lot of words but done +in a few sec.) +--------------------------------------- +Hexadecimal is easier to work with. +can you see the difference between +$033c and $133c AND 828 and 4924 ??? 
+828 is decimal for $033c +4924 is decimal for 133c +That eases the relocated coding. +--------------------------------------- + +now the cracking itself. +you have created a new boot, loaded +all,kept the adress where the boot +should have jumped to after all the +LOADs. +ok,from that adress, disassemble: +and look for what might look like a +Kernal routine call. (ie: jsr $FFd5) +look for jsr $FFBD, and kernal +routines +that input/output bytes on the +data/seril port... +The first hint is the JSR $FFBD +in the format + lda #$04 + ldx #$00 + ldy #$09 + JSR $ffbd + look at the x and Y register: they +represent the names of the opened file + xy = address of the name + a= its lenght +so if you look at the adress 0900 (my + example) you should see a filename of +4 characters: +This filename is used to send commands +to the disk drive and load: +multipurposetask routine. +if you find at 0900 names like game or +part1, then +that is ok, but if it looks like +b-r 8 0 10 10 then you have found the +bugger ... +The key to success is to have a Kernal +table handy and not to be afraid to + read it as a reference.(you dont read +it as a novel ...). +(the one like b-r , m-e ,etc.. are +buggers ). +now look at the result of the +protectionchecking : +1) jump directly to the game start. + no problem: you can jump pass it + ie: + start + check disk + if ok + begin game + + will be: + + start + jmp (goto) "now" + check disk + if ok + "now" + begin games + + where do I have the place to put + the jump ? + jump uses 3 bytes: you can +overwrite the 3 first bytes of the +disk + protection checking. + "now" is the adress of begin games + : an invisible label. + Why not NOP ? + some games have use the + area where the protections are as + a constant area. :: Each op-codes + of a M.L. prg. has a between 0 and + 255 value. a jmp has a value, a jsr + another one. A nop has a value of + $ae. (double use of code: as +constant and as commands..) 
+ +2) now lets look at the other aspect: + the result of the disk checking +are stored somewhere in memory. + find the adress of the memory +where + they are stored. + + format : + start + check disk + get 10 byte + store them somwhere + go game: + + these values are used as constant +for the game: constant that will +serve + as parameters in the game: number + of enemy space ships, color of the + ships, value of the sprites, + now after you have found the adress + where all the bytes will be loaded: + +chnage the protection check: + + start + check disk + get 10 bytes + store them somewhere (u +know) RTS + go game + + you have to put the rts after all the + disk access have been done.(you can +ove rwrite over the "go game part" +now (you are still in the monitor +arent + you ?) + (you know the adress where the +protect ion starts): + lets call it startad. + . + .G startad + . + you will see the drive blinking.a +few noise,spin,and then stop: cursor +blink ing: ready. now you must save +the part + where the values read by the disk +are + stored in for constant purpose. + (it is often no more than 100 bytes + for the games of broderbund). + save it !!!!! + did you keep the important adresses +? + -where the disk read values are +stored (lets call it alpha) + -where the protections are .. + ok, now on the list with all the +file + with their starting/ending adress, +find the main files wich adresses are +including the one of the alpha +file.(in general, the file including +the alpha file +is the one with the protections.) +ok, load the main file, with the + load"main",08,01 +now load the alpha + load"alpha",08,01 +the alpha must have overwritten a +small +part of the "main" file.now all you +have to do is to bypass the disk +checking +routine (discussed earlier) and save +the new version of the "main" file. +that is it... + +what have you done ?: you have created +a main file as it should be after a + check, all the right datas at the + right place. 
+ +After you have experienced a few +cracking, you will pass all the +unimportant stuff, and get right to +the protection: +The first cracking witout doc took me + 3 days (I disassembled everything) + Lode runner championship: 10 mins. + (I dont count the time spent to +load + type,and save) + you have seen one, you have seen +them all.... + +--------------------------------------- +get a breathe and here comes the + HEAVY LOADS !!!! +--------------------------------------- + +1)RAPID LOCK: they play with the track + and the sectors: + Wherever you load the boot, it + will start automatically... + psi 5 trade co + +2)Pirate Buster: used in bard's tale. + it plays with the internal + stack.(not the public domain + stuff). some few messages +are + worth mentioning in the boot + it was programmed with TSDS + and "lick my userport" +3)Custom DOS: the data are stored on + disk in a very unusual + way, only a different + disk read can load the + data (half track,fat +track ... The WORKS) + + if the game has a lot of disk +access, + the the cracker should REWRITE all +the routines dealing with the drive. + lotsa work .... + +one Very very fast loading game is +Koronis rift:200 blocks in 10 sec. +from 0800 to d000 = hell ... +to crack that you must have an above +average knowledge on the technical +side +of the drive. + +the way of dealing with these games is +like I said earlier: modified boot, +--------------------------------------- +how to deal with the isepic ... +--------------------------------------- +isepic is not perfect a way to prevent +isepic copying is to store data in the +disk drive ram ... (the isepic doesnt +save them ..) +so in the middle of the game the +computer can look for a variable in +the mem. +of the drive. if nothing is found then +crash...I havent found this yet... 
+---------------------------------------- + + + if you have any question then + send me mail, I am on many boards + + * DARTH WADER * +Lord of the SITH + 8-# + + +UD 7: + + +[ 64 Min. Left. ] + + Credit Pts: 1094 Protocol-Punter 10 + + + +Text-Files 1: + + +8: Text Philez A-O +[UD:Punter][23 Min.][40]: \ No newline at end of file diff --git a/textfiles.com/piracy/CRACKING/crkibms2.hac b/textfiles.com/piracy/CRACKING/crkibms2.hac new file mode 100644 index 00000000..5b6c3a6d --- /dev/null +++ b/textfiles.com/piracy/CRACKING/crkibms2.hac 
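Review bot: the 6502 opcode value stated in this hunk ("A nop has a value of $ae") does not match the processor's opcode table, where NOP is $EA and $AE is LDX absolute; since the archive keeps files as received, this belongs in an accompanying errata or index note rather than an edit to the text. Two conversion artifacts are also visible and worth recording the same way: "track§or" in the relocated-coding section reads like "track&sector" run through an HTML unescape that turned "&sect" into "§" (the same passage says "track & sector" a few lines later), and the tail from "UD 7:" through "[UD:Punter][23 Min.][40]:" is BBS session capture (time left, credit points, menu prompt), not article text. Readers should be able to tell that both are capture and decoding residue rather than part of the original.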
@@ -0,0 +1,67 @@ + *************************************************************************** + * * + * Cracking On the IBMpc * + * Part II * + * * + *************************************************************************** + +Introduction +------------ + + Ok guys, you now passed out of Kopy Klass 101 (dos files) and have this great +new game with overlays. How the phuck do I crack this bitch. You scanned the +entire .EXE file for the CD 13 and it's nowhere. Where can it be you ask +yourself. + In part II, I'll cover cracking Overlays and the use of locksmith in +cracking. If you haven't read part I, then I suggest you do so. The 2 files +go together. + + +Looking for Overlays +-------------------- + So, you cant find CD 13 in the .EXE file, well, it can mean 4 things. 1, the +.EXE (though it is mostly .COM) file is just a loader for the main file. 2, the +.EXE file loads in an overlay. 3, the CD 13 is encrypted &/or hidden in the +.EXE file. 4, + your looking at the WRONG PHUCKEN PHILE. + I won't discuss case 1 (or at least no here) because so many UNP files are +devoted to PROLOCK and SOFTGUARD, if you can't figure it out with them, your +PHUCKEN stupid. + If you have case 3, use the technique in part I and restart from the beg. And +if you have case 4, shoot your self. + You know the program uses overlays but don't see and on disk? Try looking at +the disk with good old nortons. Any hidden files are probably the overlays. +These are the ones we are after. If you still can't find them, use PC-WATCH +(this program is a must!!! for all crackists. Traps ALL interrupts). + + +Using PC-Watch to Find Overlays +------------------------------- + Start up PC-Watch and EXCLUDE everything in the left col. Search the right +col. until you find DOS21 - OpnFile and select it. Now run the program to be +cracked. Play the game until the protection is checked. Examine you pcwatch +output to see what file was loaded right before it. This probably is the one +holding the check. 
If not, shit go through all the files. + + +You Have Found the Overlays +--------------------------- + Great, now just crack the overlay as if it was a DOS file. You don't need to +worry about .EXE file, debug can write an overlay file. Part I explains the +basics of cracking. I suggest that you keep a backup copy of the overlay so if +you phuck up, and you will, you can recover quickly. Ah, and you thought +cracking with overlays was going to be hard. + + +Locksmith and Cracking +---------------------- + The copy/disk utility program Locksmith by AlphaLogic is a great tool in +cracking. It's analyzing ability is great for determining what and where the +protection is. + I find it useful, before I even start cracking, to analyze the protected disk +to find and id it's protection. This helps in 2 ways. First, it helps you to +know what to do in order to fake out the protection. Second, it helps you to +find what the program is looking for. + I suggest that you get locksmith if you don't already have it. Check your +local pirate board for the program. I also suggest getting PC-Watch and Norton +Utilities 3.1. All of these program have many uses in the cracking world. \ No newline at end of file diff --git a/textfiles.com/piracy/CRACKING/crkibmsw.hac b/textfiles.com/piracy/CRACKING/crkibmsw.hac new file mode 100644 index 00000000..4ebc3ba5 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/crkibmsw.hac 
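Review bot: this file is the second half of a two-part text ("If you haven't read part I ... The 2 files go together"), but its pairing with crkibmsw.hac, added in the same commit as Part I, is not visible from the names (crkibms2 / crkibmsw) or from anything else in the directory; a short index entry mapping the two files to Part I and Part II would save readers from guessing. The file also ends without a trailing newline (\ No newline at end of file), as do the neighbouring files; that is fine if the archive preserves bytes as received, but the commit message should say so.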
@@ -0,0 +1,164 @@ + **************************************** + * * + * Cracking On the IBMpc * + * Part I * + * * + **************************************** + +Introduction +------------ + For years, I have seen cracking tutorials for the APPLE computers, but never +have I seen one for the PC. I have decided to try to write this series to help +that pirate move up a level to a crackest. + + In this part, I will cover what happens with INT 13 and how most copy +protection schemes will use it. I strongly suggest a knowledge of Assembly +(M/L) and how to use DEBUG. These will be an important figure in cracking +anything. + +INT-13 - An overview +-------------------- + Many copy protection schemes use the disk interrupt (INT-13). INT-13 is +often use to either try to read in a illegaly formatted track/sector or to +write/format a track/sector that has been damaged in some way. INT-13 is +called like any normal interrupt with the assembler command INT 13 (CD 13). +[AH] is used to select which command to be used, with most of the other +registers used for data. + +INT-13 Cracking Collage +----------------------- + Although, INT-13 is used in almost all protection schemes, the easiest to +crack is the DOS file. Now the protected program might use INT-13 to load some +other data from a normal track/sector on a disk, so it is important to +determine which tracks/sectors are important to the protection scheme. I have +found the best way to do this is to use LOCKSMITH/pc (what, you don't have LS. +Contact your local pirate for it.) Use LS to analyze the diskette. Write down +any track/sector that seems abnormal. These track are must likely are part of +the protection routine. Now, we must enter debug. Load in the file execute a +search for CD 13. Record any address show. If no address are picked up, this +mean 1 or 2 things, the program is not copy protected (bullshit) or that the +check is in an other part of the program not yet loaded. 
The latter +being a real bitch to find, so I'll cover it in part II. There is another +choice. The CD 13 might be hidden in self changing code. Here is what a +sector of hidden code might look like + +-U CS:0000 +1B00:0000 31DB XOR BX,BX +1B00:0002 8EDB MOV DS,BX +1B00:0004 BB0D00 MOV BX,000D +1B00:0007 8A07 MOV AL,[BX] +1B00:0009 3412 XOR AL,12 +1B00:000B 8807 MOV [BX],AL +1B00:000D DF13 FIST WORD... + + In this section of code, [AL] is set to DF at location 1B00:0007. When you +XOR DF and 12, you would get a CD(hex) for the INT opcode which is placed right +next to a 13 ie, giving you CD13 or INT- 13. This type of code can't and will +not be found using debug's [S]earch command. + +Finding Hidden INT-13s +---------------------- + The way I find best to find hidden INT-13s, is to use a program called PC- +WATCH (TRAP13 works well also). This program traps the interrupts and will +print where they were called from. Once running this, you can just disassemble +around the address until you find code that look like it is setting up the disk +interrupt. + An other way to decode the INT-13 is to use debug's [G]o command. Just set a +breakdown at the address give by PC-WATCH (both programs give the return +address). Ie, -G CS:000F (see code above). When debug stops, you will have +encoded not only the INT-13 but anything else leading up to it. + +What to do once you find INT-13 +------------------------------- + Once you find the INT-13, the hard part for the most part is over. All that +is left to do is to fool the computer in to thinking the protection has been +found. To find out what the computer is looking for, examine the code right +after the INT-13. Look for any branches having to do with the CARRY FLAG or +any CMP to the AH register. If a JNE or JC (etc) occurs, then [U]nassembe the +address listed with the jump. If it is a CMP then just read on. Here you must +decide if the program was looking for a protected track or just a normal track. 
+If it has a CMP AH,0 and it has read in a protected track, it can be assumed +that it was looking to see if the program had successfully complete the +READ/FORMAT of that track and that the disk had been copied thus JMPing back to +DOS (usually). If this is the case, Just NOP the bytes for the CMP and the +corresponding JMP. If the program just checked for the carry flag to be set, +and it isn't, then the program usually assumes that the disk has been copied. +Examine the following code + + INT 13 <-- Read in the Sector + JC 1B00 <-- Protection found + INT 19 <-- Reboot +1B00 (rest of program) + + The program carries out the INT and find an error (the illegaly formatted +sector) so the carry flag is set. The computer, at the next instruction, see +that the carry flag is set and know that the protection has not been breached. +In this case, to fool the computer, just change the "JC 1B00" to a "JMP 1B00" +thus defeating the protection scheme. + + +NOTE: the PROTECTION ROUTINE might be found in more than just 1 part of the + program + +Handling EXE files +------------------ + As we all know, Debug can read .EXE files but cannot write them. To get +around this, load and go about cracking the program as usual. When the +protection scheme has been found and tested, record (use the debug [D]ump +command) to save + & - 10 bytes of the code around the INT 13. Exit back to +dos and rename the file to a .ZAP (any extension but .EXE will do) and +reloading with debug. Search the program for the 20+ bytes surrounding the +code and record the address found. Then just load this section and edit it +like normal. Save the file and exit back to dos. Rename it back to the .EXE +file and it should be cracked. ***NOTE: Sometimes you have to fuck around for +a while to make it work. + +DISK I/O (INT-13) +----------------- + This interrupt uses the AH resister to select the function to be used. Here +is a chart describing the interrupt. 
+ +AH=0 Reset Disk +AH=1 Read the Status of the Disk + system in to AL + + AL Error + ---------------------------- + 00 - Successful + 01 - Bad command given to INT + *02 - Address mark not found + 03 - write attempted on write prot + *04 - request sector not found + 08 - DMA overrun + 09 - attempt to cross DMA boundary + *10 - bad CRC on disk read + 20 - controller has failed + 40 - seek operation failed + 80 - attachment failed +(* denotes most used in copy protection) +AH=2 Read Sectors + + input + DL = Drive number (0-3) + DH = Head number (0or1) + CH = Track number + CL = Sector number + AL = # of sectors to read + ES:BX = load address + output + AH =error number (see above) + [Carry Flag Set] + AL = # of sectors read + +AH=3 Write (params. as above) +AH=4 Verify (params. as above -ES:BX) +AH=5 Format (params. as above -CL,AL + ES:BX points to format + Table) + + For more information on INT-13 see the IBM Technical Reference Manuals. + +Coming Soon +------------ + In part II, I will cover CALLs to INT-13 and INT-13 that is located in +different overlays of the program \ No newline at end of file diff --git a/textfiles.com/piracy/CRACKING/diswin.txt b/textfiles.com/piracy/CRACKING/diswin.txt new file mode 100644 index 00000000..d6845ec1 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/diswin.txt 
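Review bot: in the INT-13 status table at the end of this hunk, the AL values (00 through 80, including 10, 20 and 40) are hexadecimal, as the two-digit zero-padded form and the "(* denotes most used ...)" codes indicate, but the table never states the radix, so a reader using the archive as a BIOS reference could take "10 - bad CRC on disk read" as decimal. The archived text should stay as received, so an errata or index note stating that the codes are hex is the right place for the clarification. The "Coming Soon" footer refers to part II, which is the crkibms2.hac file in this same commit; the index note could carry that mapping too.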
@@ -0,0 +1,648 @@ +How To Disassemble A Windows Program + + I think this small exercise (shamelessly abducted from Schulman's book + -> see here) could be very helpful for all the future crackers trying + to get some bearings during their difficult disassembly of Windows + programs. + + One of the problems in reverse engineering, is that nobody teaches you + how to do it, and you have mostly to learn alone the relevant + techniques, loosing an enormous amount of time. + + Disassembling Windows with a reverse engineering approach is *very* + useful for actual cracking purposes, and it's time to form a new + generation of Windows crackers, since the ghastly Microsoft domination + will not easily be crushed without many more good crackers to help us. + What +ORC writes and teaches in his lessons is fundamental, but + unfortunately he does not teach the "elementary" side of cracking + Windows (for DOS cracking, on the contrary, the Crackbook of Uncle Joe + is a good primer for beginners and intermediate alike), so I'll try to + help here to form a strong generation of little strong crackers... as + +ORC wrote to me: "we are all throwing seeds in the air, some of them + will land astray, but some of them will grow". + + Remember that cracking Windows is *very* different, in approach and in + techniques, from cracking DOS. The older ones (that I unconditionally + respect) do not seem to grab it totally... they are probably so + experienced that they can use more or less the same techniques in + cracking all OSs... but in my (humble) opinion, that's not necessarily + the best approach... you see, cracking Windows is "puzzle solving", + cracking DOS is "playing chess"... you'll understand what I mean if + you read what follows. + + Please do excuse my shortcomings both in the techniques I teach (I am + an autodidact) and in the language I use. + + If at any time you feel you should need more references, check the + Windows 3.1. 
SDK Programmer's Reference, Volume 1: Overview, Chapter + 22, Windows Application Startup. + + A little knowledge of the C language is required in order to + understand a part of the following (you better understand it right + now: the only existing programming language is C, most applications + are written in C, "real" programmers use C... you may dislike it, but + that's the reality, so you better get a little knowledge of C + programming as soon as you can, if you want to crack more + effectively... you'll find enough C tutorials on the net). This said, + most of the following can be used even if you do not know C. + +Disassembling Taskman + + As example for this introduction, I have chosen Taskman.exe, the small + program you'll find inside your C:\WINDOWS directory... you can invoke + it anytime typing CTRL+ESC in Windows 3.1. + + I have done it because Schulman has already (very well) worked on it, + and therefore he spares me a lot of work, and also because I agree + totally with him in his choice: Taskman it's a very good example for + all newbys to Windows cracking. Actually it's a pity that you cannot + (yet) find Schulman's books on the net... I believe they should be + indisputably there! (Anybody with a good scanner reading this?). + + Let's start from the beginning... by looking at TASKMAN's startup + code. Taskman is a very small win 3.1 program, but it's rich in + surprises, as you'll see. After you disassembly taskman.exe with WCB + (see below) and *after* you have printed the listing, you may use the + "Loader" utility to pop out inside winice at the beginning of Taskman: + + start: + 1FBF:4B9 33ED XOR BP,BP ;begins + 1FBF:4BB 55 PUSH BP ;save BP + 1FBF:4BC 9A8D262701 CALL KERNEL!INITTASK + ... + + So we are set for snooping around "live", but first (and that's very + important for Windows programs) we have to prepare a good disassembled + listing of our target. 
You see, in DOS such a work does not make much + sense, because the disassembled listing would not differ much from + what you get on screen through softice, but in Windows, on the + contrary, we can get quite a lot more out of all the information that + is already present inside our target. The following explains this + point: + + You can use any good disassembler (like Winsourcer, from V + communication, a good version, cracked by the ubiquitous Marquis de + Soiree, is available on the web) but i'll use the disassembled listing + of WCB (Windows CodeBack -> download version 1.5. from my "tools" + page: here). + + WCB is a very good Win 3.1. disassembler, created by the ungarian + codemaster Leslie Pusztai (pusztail@tigris.klte.hu), and, in my modest + opinion, it's far better than sourcer. If you use it, remember that it + works from DOS: the main rule is to create first of all the *.EXL + files for the necessary "mysterious" *.dll with the command: + + wcb -x [mysterious.dll]and you'll be able, afterwards, to disassemble + the *.exe that called them. 
+ + But all this is not necessary for humble Taskman.exe, where we get + following header information: Filename: TASKMAN.EXE Type: Segmented + executable Module description: Windows Task Manager 3.1 Module name: + TASKMAN Imported modules: + + Filename: TASKMAN.EXE + Type: Segmented executable + Module description: Windows Task Manager 3.1 + Module name: TASKMAN + + Imported modules: + 1: KERNEL + 2: USER + + Exported names by location: + 1:007B 1 TASKMANDLGPROC + + Program entry point: 1:04B9 + WinMain: 1:03AE + + and we can get straight the entry point code: + 1.04B9 ; Program_entry_point + 1.04B9 >33ED xor bp, bp + 1.04BB 55 push bp + 1.04BC 9AFFFF0000 call KERNEL.INITTASK + 1.04C1 0BC0 or ax, ax + 1.04C3 744E je 0513 + 1.04C5 81C10001 add cx, 0100 + 1.04C9 7248 jb 0513 + 1.04CB 890E3000 mov [0030], cx + 1.04CF 89363200 mov [0032], si + 1.04D3 893E3400 mov [0034], di + 1.04D7 891E3600 mov [0036], bx + 1.04DB 8C063800 mov [0038], es + 1.04DF 89163A00 mov [003A], dx + 1.04E3 33C0 xor ax, ax + 1.04E5 50 push ax + 1.04E6 9AFFFF0000 call KERNEL.WAITEVENT + 1.04EB FF363400 push word ptr [0034] + 1.04EF 9AFFFF0000 call USER.INITAPP + 1.04F4 0BC0 or ax, ax + 1.04F6 741B je 0513 + 1.04F8 FF363400 push word ptr [0034] + 1.04FC FF363200 push word ptr [0032] + 1.0500 FF363800 push word ptr [0038] + 1.0504 FF363600 push word ptr [0036] + 1.0508 FF363A00 push word ptr [003A] + 1.050C E89FFE call WinMain + 1.050F 50 push ax + 1.0510 E890FF call 04A3 + + This is similar to the standard startup code that you'll find in + nearly *every* Windows program. It calls three functions: InitTask(), + WaitEvent(), and InitApp(). + + We know jolly well about InitTask(), but let's imagine that we would + have here a more mysterious routine than these, and that we would like + to know what for items are hold in the CX, SI etc. register on return + from InitTask() without disassembling everything everywhere... how + should we proceed? 
+ + First of all let's see if the locations [0030] - [003A] are used + elsewhere in our program... this is typical when you work with + disassembled listings: to find out what one block of code means, you + need most of the time to look first at some other block of code. Let's + see.. well, yes! Most of the locations are used again a few lines down + (1.04F8 to 1.0508). + + Five words are being pushed on the stack as parameters to WinMain(). + If only we knew what those enigmatic parameter were... but wait: we do + actually know what those parameters are! WinMain(), the function being + called from this code, always looks like: + + int PASCAL WinMain(WORD hInstance, WORD hPrevInstance, + LPSTR lpCmdLine, int nCmdShow); + + And we (should) know that in the Pascal calling convention, which is + used extensively in Windows because it produces smaller code than the + cdecl calling convention, arguments are pushed on the stack in the + same order as they appear inside the function declaration. That's a + good news for all little crackers! + + Thus, in our example, [0034] must be hInstance, [0032] must be + hPrevinstance, [0038]:[0036] are segment and offset of lpcmdline and + [003A] must be nCmdshow. + + What makes this important is that we can now go and replace *every* + occurrence of [0034] by a more useful name such as hInstance, every + occurrence of [0032] by hPrevInstance and so on. This clarify not just + this section of the listing, but every section of the listing that + refers to these variables. Such global substitutions of useful names + for placeholder names or addresses is indispensable when working with + a disassembled listing. 
After applying these changes to the fragment + shown earlier, we end up with something more understandable: + + 1.04CB 890E3000 mov [0030], cx + 1.04CF 89363200 mov hPrevInstance, si + 1.04D3 893E3400 mov hInstance, di + 1.04D7 891E3600 mov lpCmdLine+2, bx + 1.04DB 8C063800 mov lpCmdLine, es + 1.04DF 89163A00 mov nCmdShow, dx + 1.04E3 33C0 xor ax, ax + + 1.04E5 50 push ax + 1.04E6 9AFFFF0000 call KERNEL.WAITEVENT + 1.04EB FF363400 push word ptr hInstance + 1.04EF 9AFFFF0000 call USER.INITAPP + 1.04F4 0BC0 or ax, ax + 1.04F6 741B je 0513 + 1.04F8 FF363400 push word ptr hInstance + 1.04FC FF363200 push word ptr hPrevInstance + 1.0500 FF363800 push word ptr lpCmdLine + 1.0504 FF363600 push word ptr lpCmdLine+2 + 1.0508 FF363A00 push word ptr nCmdShow + 1.050C E89FFE call WinMain + + Thus if we didn't already know what InitTask() returns in various + register (our Taskman here is only an example for your later work on + much more mysterious target programs), we could find it out right now, + by working backwards from the parameters to WinMain(). Windows + disassembling (and cracking) is like puzzle solving: the more little + pieces fall into place, the more you get the global picture. Trying to + disassemble Windows programs without this aid would be unhealthy: you + would soon delve inside *hundreds* of irrelevant calls, only because + you did not do your disassemble homework in the first place. + + It was useful to look at the startup code because it illustrated the + general principle of trying to substitute useful names such as + hPrevInstance for useless labels such as [0034]. But, generally, the + first place we'll look examining a Windows program is WinMain(). 
Here + the code from WCB: + + 1.03AE ; WinMain + 1.03AE >55 push bp + 1.03AF 8BEC mov bp, sp + 1.03B1 83EC12 sub sp, 0012 + 1.03B4 57 push di + 1.03B5 56 push si + 1.03B6 2BFF sub di, di + 1.03B8 397E0A cmp [bp+0A], di + 1.03BB 7405 je 03C2 + 1.03BD 2BC0 sub ax, ax + 1.03BF E9CC00 jmp 048E + + 1.03C2 >C47606 les si, [bp+06] + 1.03C5 26803C00 cmp byte ptr es:[si], 00 + 1.03C9 7453 je 041E + 1.03CB 897EF2 mov [bp-0E], di + 1.03CE EB1E jmp 03EE + + 1.03D0 >26803C20 cmp byte ptr es:[si], 20 + 1.03D4 741E je 03F4 + 1.03D6 B80A00 mov ax, 000A + 1.03D9 F72E1000 imul word ptr [0010] + 1.03DD A31000 mov [0010], ax + 1.03E0 8BDE mov bx, si + 1.03E2 46 inc si + 1.03E3 268A07 mov al, byte ptr es:[bx] + 1.03E6 98 cbw + 1.03E7 2D3000 sub ax, 0030 + 1.03EA 01061000 add [0010], ax + + 1.03EE >26803C00 cmp byte ptr es:[si], 00 + 1.03F2 75DC jne 03D0 + + 1.03F4 >26803C00 cmp byte ptr es:[si], 00 + 1.03F8 741B je 0415 + 1.03FA 46 inc si + 1.03FB EB18 jmp 0415 + + 1.03FD >B80A00 mov ax, 000A + 1.0400 F72E1200 imul word ptr [0012] + 1.0404 A31200 mov [0012], ax + 1.0407 8BDE mov bx, si + 1.0409 46 inc si + 1.040A 268A07 mov al, byte ptr es:[bx] + 1.040D 98 cbw + 1.040E 2D3000 sub ax, 0030 + 1.0411 01061200 add [0012], ax + + 1.0415 >26803C00 cmp byte ptr es:[si], 00 + 1.0419 75E2 jne 03FD + 1.041B 8B7EF2 mov di, [bp-0E] + + 1.041E >6A29 push 0029 + + 1.0420 9AF9000000 call USER.GETSYSTEMMETRICS + 1.0425 50 push ax + 1.0426 1E push ds + 1.0427 681600 push 0016 + 1.042A 9AFFFF0000 call KERNEL.GETPROCADDRESS + 1.042F 8946F4 mov [bp-0C], ax + 1.0432 8956F6 mov [bp-0A], dx + 1.0435 0BD0 or dx, ax + 1.0437 7407 je 0440 + 1.0439 6A01 push 0001 + 1.043B 6A01 push 0001 + 1.043D FF5EF4 call far ptr [bp-0C] + + 1.0440 >68FFFF push selector 1:0000 + 1.0443 687B00 push 007B + 1.0446 FF760C push word ptr [bp+0C] + 1.0449 9AFFFF0000 call KERNEL.MAKEPROCINSTANCE + 1.044E 8BF0 mov si, ax + 1.0450 8956FA mov [bp-06], dx + 1.0453 0BD0 or dx, ax + 1.0455 7426 je 047D + 1.0457 FF760C push word ptr [bp+0C] 
+ 1.045A 6A00 push 0000 + 1.045C 6A0A push 000A + 1.045E 6A00 push 0000 + 1.0460 8B46FA mov ax, [bp-06] + 1.0463 50 push ax + 1.0464 56 push si + 1.0465 8976EE mov [bp-12], si + 1.0468 8946F0 mov [bp-10], ax + 1.046B 9AFFFF0000 call USER.DIALOGBOX + 1.0470 8BF8 mov di, ax + 1.0472 FF76F0 push word ptr [bp-10] + 1.0475 FF76EE push word ptr [bp-12] + 1.0478 9AFFFF0000 call KERNEL.FREEPROCINSTANCE + + 1.047D >8B46F6 mov ax, [bp-0A] + 1.0480 0B46F4 or ax, [bp-0C] + 1.0483 7407 je 048C + 1.0485 6A01 push 0001 + 1.0487 6A00 push 0000 + 1.0489 FF5EF4 call far ptr [bp-0C] + + 1.048C >8BC7 mov ax, di + + 1.048E >5E pop si + 1.048F 5F pop di + 1.0490 8BE5 mov sp, bp + 1.0492 5D pop bp + 1.0493 C20A00 ret 000A + + Let's begin from the last line: ret 000A. In the Pascal calling + convention, the callee is responsible for clearing its arguments off + the stack; this explains the RET A return. In this particular case, + WinMain() is being invoked with a NEAR call. As we saw in the startup + code, with the Pascal calling convention, arguments are pushed in + "forward" order. Thus, from the prospective of the called function, + the last argument always has the *lowest* positive offset from BP + (BP+6 in a FAR call and BP+4 in a NEAR call, assuming the standard + PUSH BP -> MOV BP,SP function prologue, like at the beginning of this + WinMain(). + + Now write the following in your cracking notes (the ones you really + keep on your desk when you work... close to your cocktail glass): + function parameters have *positive* offsets from BP, local variables + have *negative* offsets from BP. + + What does all this mean... I hear some among you screaming... 
well, in + the case of WinMain(), and in a small-model program like Taskman, + which starts from BP+4, you'll have: + + int PASCAL WinMain(HANDLE hInstance, HANDLE hPrevInstance, + LPSTR lpCmdLine, int nCmdShow); + nCmdShow = word ptr [bp+4] + lpCmdLine = dword ptr [bp+6] + hPrevInstance = word ptr [bp+0Ah] + hInstance = word ptr [bp+0Ch] + + Yeah... let's rewrite it: + + 1.03B6 2BFF sub di, di + 1.03B8 397E0A cmp hPrevInstance, di + 1.03BB 7405 je 03C2 + 1.03BD 2BC0 sub ax, ax + 1.03BF E9CC00 jmp 048E + + 1.03C2 >C47606 les si, dword ptr lpCmdLine + 1.03C5 26803C00 cmp byte ptr es:[si], 00 + + We can now see, for example, that WinMain() checks if hPrevInstance is + zero (sub di,di); if it isn't, it immediately jump to the pops and + exits (jmp 048E). + + Look at the code of WinMain() once more... notice that our good + Taskman appears to be inspecting its command line... funny: the + Windows documentation says nothing about command line arguments to + Taskman... Look around location 1.03D0 above, you'll see that Taskman + appears to be looking for a space (20h), getting a character from the + command line, multiplying it by 10 (0Ah), subtracting the character + zero (30h) and doing other things that seem to indicate that it's + looking for one or more *numbers*. The code line 1.03E7 SUB ax,30h + it's a typical code line inside many routines checking for numbers. + The hex ascii code for numbers is 30 for 0 to 39 for 9, therefore the + transmutation of an ascii code in hex *number* is pretty easy: mov al, + your_number and sub ax,30... you'll find it very often. + + Rather than delve further into the code, it next makes sense to *run* + taskman, feeding it different numbers on the command line, and seeing + what it does (it's surprising how few crackers think of actually going + in and *running* a program before spending much time looking at its + code). 
+ + Normally Taskman runs when you type CTRL+ESC in Windows, but its just + a regular program, that can be run with a command line, like any other + program. + + Indeed, running "TASKMAN 1" behaves differently from just running + "TASKMAN": it positions the Task List in the upper-left corner of the + screen, instead of in the middle. "TASKMAN 666 666" (the number of the + beast?) seems to position it in the lower right corner. + + Basically, the command line numeric arguments seem to represent an + (x,y) position for our target, to override its default position in the + middle of the screen. + + So you see, there are hidden 'goodies' and hidden 'secrets' even + behind really trivial little programs like Taskman (and believe me: + being able to identify this command line checking will be very useful + ;-) when you'll crack applications and/or games that *always* have + backdoors and hidden goodies). + + Back to the code (sip your favourite cocktail during your + scrutinies... may I suggest a Traitor? -> see the legendary FraVia's + cocktail page here) you can see that the variables [0010] and [0012] + are being manipulated. What are these for? + + The answer is *not* to stare good and hard at this code until it makes + sense, but to leave this area and see how the variables are used + elsewhere in the program... maybe the code elsewhere will be easier to + understand (for bigger applications you could in this case use a + Winice breakpoint on memory range, but we'll remain with our WCB + disassembly listing). + + In fact, if we search for data [0010] and [0012] we find them used as + arguments to a Windows API function: + + 1.018B >A31200 mov [0012], ax + 1.018E FF760E push word ptr [bp+0E] + 1.0191 FF361000 push word ptr [0010] + 1.0195 50 push ax + 1.0196 56 push si + 1.0197 57 push di + 1.0198 6A00 push 0000 + 1.019A 9AFFFF0000 call USER.MOVEWINDOW + + This shows us *immediately* what [0010] and [0012] are. 
MoveWindows() + is a documented function, whose prototype is: + + void FAR PASCAL MoveWindow(HWND hwnd, int nLeft, int nTop, + int nWidth, int nHeight, BOOL fRepaint); + + 1.018B >A31200 mov [0012], ax + 1.018E FF760E push word ptr [bp+0E] ;hwnd + 1.0191 FF361000 push word ptr [0010] ;nLeft + 1.0195 50 push ax ;nTop + 1.0196 56 push si ;nWidth + 1.0197 57 push di ;nHeight + 1.0198 6A00 push 0000 ;fRepaint + 1.019A 9AFFFF0000 call USER.MOVEWINDOW + + In other words, [0010] has to be nLeft and [0012] (whose contents have + been set from AX) has to be nTop. + + Now you'll do another global "search and replace" on your WCB + disassembly, changing every [0010] in the program (not just the one + here) to nLeft, and every [0012] to nTop. + + A lot of Windows cracking is this easy: all Windows programs seem to + do is call API functions, most of these functions are documented and + you can use the documentation to label all arguments to the function. + You then transfer these labels upward to other, possibly quite distant + parts of the program. + + In the case of nLeft [0010] and nTop [0012], suddenly the code in + WinMain() makes much more sense: + + 1.03C2 >C47606 les si, dword ptr lpCmdLine + 1.03C5 26803C00 cmp byte ptr es:[si], 00 ; no cmd line? + 1.03C9 7453 je 041E ; go elsewhere + 1.03CB 897EF2 mov [bp-0E], di + 1.03CE EB1E jmp 03EE + + 1.03D0 >26803C20 cmp byte ptr es:[si], 20 ; if space + 1.03D4 741E je 03F4 ; go elsewhere + + 1.03D6 B80A00 mov ax, 000A + 1.03D9 F72E1000 imul nLeft ; nleft *= 10 + 1.03DD A31000 mov nLeft, ax + 1.03E0 8BDE mov bx, si + 1.03E2 46 inc si + 1.03E3 268A07 mov al, es:[bx] + 1.03E6 98 cbw ; ax = char + 1.03E7 2D3000 sub ax, 0030 ; ax='0' (char-> number) + 1.03EA 01061000 add nLeft, ax ; nleft += number + + 1.03EE >26803C00 cmp byte ptr es:[si], 00 ; NotEndOfString + 1.03F2 75DC jne 03D0 ; next char + ... + + In essence, Taskman is performing the following operation here: + + static int nLeft, nTop; + //... 
+ if (*lpCmdLine !=0) + sscanf(lpCmdLine, "%u %u, &nLeft, &nTop); + + Should you want 3.1. Taskman to appear in the upper left of your + screen, you could place the following line in the [boot] section of + SYSTEM.INI: + + taskman.exe=taskman.exe 1 1 + + In addition, doubleclicking anywhere on the Windows desktop will bring + up Taskman with the (x,y) coordinates for the double click passed to + Taskman on its command line. + + The USER!WM_SYSCOMMAND handler is responsible for invoking Taskman, + via WinExec() whenever you press CTRL+ESC or double click the desktop. + + What else is going on in WinMain()? Let's look at the following block + of code: + + 1.041E >6A29 push 0029 + 1.0420 9AF9000000 call USER.GETSYSTEMMETRICS + 1.0425 50 push ax + 1.0426 1E push ds + 1.0427 681600 push 0016 + 1.042A 9AFFFF0000 call KERNEL.GETPROCADDRESS + 1.042F 8946F4 mov [bp-0C], ax + 1.0432 8956F6 mov [bp-0A], dx + 1.0435 0BD0 or dx, ax + 1.0437 7407 je 0440 + 1.0439 6A01 push 0001 + 1.043B 6A01 push 0001 + 1.043D FF5EF4 call far ptr [bp-0C] ; *1 entry + + The lines push 29h & CALL GETSYSTEMMETRICS are simply the assembly + language form of GetSystemMetrics(0x29). 0x29 turns out to be + SM_PENWINDOWS (look in WINDOWS.H for SM_). + + Thus, we now have GetSystemMetrics(SM_PENWINDOWS). If we read the + documentation, it says that this returns a handle to the Pen Windows + DLL if Pen Windows is installed. Remember that 16-bit return values + *always* appear in the AX register. + + Next we can see that AX, which must be either 0 or a Pen Window module + handle, is pushed on the stack, along with ds:16h. + + Let's immediately look at the data segment, offset 16h: + + 2.0010 0000000000005265 db 00,00,00,00,00,00,52,65 ; ......Re + 2.0018 6769737465725065 db 67,69,73,74,65,72,50,65 ; gisterPe + 2.0020 6E41707000000000 db 6E,41,70,70,00,00,00,00 ; nApp.... 
+ + Therefore: + + 2.0016 db 'RegisterPenApp',0 + + Thus, here is what we have so far: + + GetProcAddress( + GetSystemMetrics(SM_PENWINDOWS), + "RegisterPenApp") + + GetProcAddress() returns a 4 bytes far function pointer (or NULL) in + DX:AX. In the code from WinMain() we can see this being moved into the + DWORD at [bp+0Ch] (this is 16-bit code, so moving a 32-bit value + requires two operations). + + It would be nice to know what the DWORD at [bp-0Ch] is. But, hey! We + *do* know it already: it's a copy of the return value from + GetProcAddress(GetSystemMetrics(SM_PENWINDOWS), "RegisterPenApp)! In + other words, is a far pointer to the RegisterPenApp() function, or + NULL if Pen Windows is not installed. We can now replace all + references to [bp-0Ch] with references to something like + fpRegisterPenApp. + + Remember another advantage of this "dead" Windows disassembling + vis-a-vis of the Winice approach "on live": here you can choose, + picking *meaningful* references for your search and replace + operations, like "mingling_bastard_value" or "hidden_and_- + forbidden_door". The final disassembled code may become a work of art + and inspiration if the cracker is good! (My disassemblies are + beautiful works of poetry and irony). Besides, *written* + investigations will remain documented for your next cracking session, + whereby with winice, if you do not write everything down immediately, + you loose lots of your past work (it's incredible how much place and + importance retains paper in our informatic lives). + + After our search and replaces, this is what we get for this last block + of code: + + FARPROC fpRegisterPenAPP; + fpRegisterPenApp = GetProcAddress( + GetSystemMetrics(SM_PENWINDOWS), + "RegisterPenApp"); + + Next we see [or dx, ax] being used to test the GetProcAddress() return + value for NULL. If non-NULL, the code twice pushes 1 on the stack + (note the PUSH IMMEDIATE here... Windows applications only run on + 80386 or higher processors... 
there is no need to place the value in a + register first and then push that register) and then calls through the + fpRegisterPenApp function pointer: 1.0435 0BD0 or dx, ax 1.0437 7407 + je 0440 1.0439 6A01 push 0001 1.043B 6A01 push 0001 1.043D FF5EF4 call + dword ptr fpRegisterPenApp + + 1.0435 0BD0 or dx, ax + 1.0437 7407 je 0440 + 1.0439 6A01 push 0001 + 1.043B 6A01 push 0001 + 1.043D FF5EF4 call dword ptr fpRegisterPenApp + + Let's have a look at the Pen Windows SDK doucmentation (and PENWIN.H): + + #define RPA_DEFAULT + void FAR PASCAL RegisterPenApp(UINT wFlags, BOOL fRegister); + + We can continue in this way with all of WinMain(). When we are done, + the 100 lines of assembly language for WinMain() boild own to the + following 35 lines of C code: + + // nLeft, nTop used in calls to MoveWindow() in TaskManDlgProc() + static WORD nLeft=0, nTop=0; + BOOL FAR PASCAL TaskManDlgProc(HWND hWndDlg, UINT msg, WPARAM + wParam, LPARAM lParam); + int PASCAL WinMain(HANDLE hInstance, HANDLE hPrevInstance, + LPSTR lpCmdLine, int nCmdShow) + { + void (FAR PASCAL *RegisterPenApp) (UINT,BOOL); + FARPROC fpDlgProc; + if (hPrevhInstance != 0) + return 0; + if (*lpCmdLine !=0 ) + _fsscanf(lpCmdLine, "%u %u, &nLeft, &nTop); // pseudocode + RegisterPenApp = GetProcAddress(GetSystemMetrics(SM_PENWINDOWS), + "RegisterPenApp"); + if (RegisterPenApp != 0) + (*RegisterPenApp) (RPA_DEFAULT, TRUE); + if (fpDlgProc = MakeProchInstance(TaskManDlgProc, hInstance)) + { + DialogBox(hInstance, MAKEINTRESOURCE(10), 0, fpDlgProc); + FreeProcHInstance(fpDlgProc); + } + if (RegisterPenApp != 0) + (*RegisterPenApp) (RPA_DEFAULT, FALSE); + return 0; + } + + In this lesson we had a look at WinMain()... pretty interesting, isn't + it? We are not done with TASKMAN yet, though... we'll see in the next + lesson wich windows and dialog procedures TASKMAN calls. (-> lesson 2) + + FraVia + + 
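Review bot: the prose in this hunk says the GetProcAddress() result is "moved into the DWORD at [bp+0Ch]", but the listing it is describing writes `mov [bp-0C], ax` / `mov [bp-0A], dx`, the next paragraph correctly speaks of [bp-0Ch], and the lesson's own rule a few paragraphs earlier is that locals have negative BP offsets; the `+` is a sign slip that will confuse a reader who is being taught exactly that rule, so it should read `[bp-0Ch]`. The closing C reconstruction also disagrees with the listing and with itself in ways worth fixing or flagging in an errata line if the archive keeps the original text verbatim: the format string in `sscanf(lpCmdLine, "%u %u, &nLeft, &nTop);` (and again in the `_fsscanf` line) has no closing quote, `hPrevhInstance` is tested where the parameter is declared `hPrevInstance`, `MakeProchInstance` / `FreeProcHInstance` do not match the `KERNEL.MAKEPROCINSTANCE` / `KERNEL.FREEPROCINSTANCE` imports shown in the disassembly, and `#define RPA_DEFAULT` is given no value while the code below passes it as `wFlags`. Minor style point: the five-line `or dx, ax ... call dword ptr fpRegisterPenApp` block appears twice, once run together inside the paragraph ending "fpRegisterPenApp function pointer:" and once as the indented listing that follows; the inline copy should be dropped.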
diff --git a/textfiles.com/piracy/CRACKING/diswin2.txt b/textfiles.com/piracy/CRACKING/diswin2.txt new file mode 100644 index 00000000..9881916b --- /dev/null +++ b/textfiles.com/piracy/CRACKING/diswin2.txt 
@@ -0,0 +1,723 @@ +How To Disassemble A Windows Program + + After we've found and analyzed WinMain() (-> lesson 1), the next + places to inspect when you crack a program are the windows procedures + and dialog procedures (this is true only for Windows *programs*; for + DLL, on the countrary, the cracking procedures are different and the + relvant techniques will be discussed in another lesson). + + These WndProcs and DialogProcs are "callback" procedures: they are + *exported* from Windows executables, almost as the program were a DLL, + so that Windows can call them. + + And -hear, hear!- beacuse they are exported these crucial procedures + have *names* (almost always useful) that are accessible to any decent + Windows disassembler. In Taskman.lst, for example, WCB clearly + identifies TASKMANDLGPROC: + + Exported names by location: + 1:007B 1 TASKMANDLGPROC <- It's a DialogProc ! + + It works out well that the WndProcs and DialogProcs show up so nicely + in the disassembled listings, because, as we know from Windows + programming, these subroutines are "where the action is" in event + driven Windows applications... or at least where the action begins. + + Furthermore we know that these subroutines will be most likely little + more than (possibly very large) message handling switch/case + statements. These usually look something like this: long FAR PASCAL + _export WndProc(HWND hWnd, WORD message, WORD wParam, LONG lPAram) + + long FAR PASCAL _export WndProc(HWND hWnd, WORD message, WORD + wParam, LONG lPAram) + { ... + switch (message) + { + case WM_CREATE: + //... handle WM_CREATE message + break; + + case WM_COMMAND: + //... handle WM_COMMAND message + break; + default: + return DefWindowProc(hwnd, message, wParam, lParam); + } + } + + Wow! Yes! As you already guessed this means that... that we get + immediately 4 parameters for EACH exported WndProc or DlgProc! 
+ + Actually there's no rule that states that a Windows WndProc or DlgProc + has to look like this... it's just that they almost always do! + + Here is how the parameters to the WndProc or DialogProc will appear in + the assembly language listing (after the function prologue): + + long FAR PASCAL _export WndOrDialogProc(HWND hwnd, WORD + message, WORD wParam, LONG lParam); + + lParam = dword ptr [bp+6] + wParam = word ptr [bp+0Ah] + message = word ptr [bp+0Ch] + hWnd or hWndDlg = word ptr [bp+0Eh] + + With this knowledge, we can replace an otherwise meaningless [bp+0Ch] + with a label such as "message", a [bp+0Eh] with a "hwnd" or "hwndDlg", + and so on in *ANY* DialogProc and WndProc in *ANY* Windows program. + + The boilerplate nature of Windows programming greatly simplifies + cracking. For example, here is part of our Taskman exported: + + The problem here, of course, is what to make of all these magic + numbers: 0064, OO1C, 00F4 and so on... how are we going to figure out + what these mean? + + DialogProc: TASKMANDLGPROC: + + 1.007B ; TASKMANDLGPROC + ... (function prologue) + 1.008A 8B760E mov si, hWndDlg ;[bp+0E] + 1.008D 56 push si + 1.008E 6A64 push 0064 + + 1.0090 9AFFFF0000 call USER.GETDLGITEM + 1.0095 8BF8 mov di, ax + 1.0097 8B460C mov ax, message ;[bp+0C] + 1.009A 2D1C00 sub ax, 001C + 1.009D 7416 je 00B5 + 1.009F 2DF400 sub ax, 00F4 + 1.00A2 7436 je 00DA + 1.00A4 48 dec ax + 1.00A5 7503 jne 00AA + 1.00A7 E98301 jmp 022D + + 1.00AA >2D5303 sub ax, 0353 + 1.00AD 7503 jne 00B2 + 1.00AF E9D602 jmp 0388 + + 1.00B2 >E9C801 jmp 027D + + 1.00B5 >837E0A00 cmp word ptr wParam, 0 ;[bp+0A] + 1.00B9 7403 je 00BE + 1.00BB E9BF01 jmp 027D + ... + + When examined via disassembled listings, Windows programs tend to + contain a lot of "magic numbers". Of course the actual source code + would be : + + * #include '<'windows.h'>' and + * #define numeric constants for the various resources (menus, + strings, dialog controls, etc.) that it uses. 
+ + Given a disassembled listing, it should be possible to turn a lot of + these seemingly senseless numbers back into something understandable. + + Let's start with the number 001C in TaskManDlgProc(): + + 1.0097 8B460C mov ax, message ;[bp+0C] + 1.009A 2D1C00 sub ax, 001C + 1.009D 7416 je 00B5 + + If AX holds the *message* parameter to TaskManDlgProc() (line + 1.0097)... then the value 001C must be a Windows WM_ message number + (one of those you can breakpoint to with WINICE's BMSG command, by the + way). Looking in WINDOWS.H, we find that 0x1C is WM_ACTIVATEAPP. + + TaskManDlgProc() is subtracting this value from AX and then jumping + somewhere (let's call it ON_ACTIVATEAPP) if the result is zero... i.e. + if it is WM_ACTIVATEAPP. + + This is an odd way to test whether (message == WM_ACTIVATEAPP): if the + test fails, and we do not take the jump to ON_ACTIVATEAPP, the message + number has 1C subtracted from it... and this value must be taken + account of by the next switch statement: + + 1.009F 2DF400 sub ax, 00F4 ; (+1C=110=WM_INITDIALOG) + 1.00A2 7436 je 00DA ; jump to ON_INITDIALOG + 1.00A4 48 dec ax ; (110+1=111=WM_COMMAND) + 1.00A5 7503 jne 00AA ; no, go elsewhere + 1.00A7 E98301 jmp 022D ; yes, jump to ON_COMMAND + + Other WndProcs & DialogProcs will contain straightforward tests, + rather than testing via subtraction... is a matter of compiler choice. + In any case, a WndProc or DialogProc generally contains a collection + of handlers for different messages. + + In the case of TaskManDlgProc(), we can see that's handling + WM_ACTIVATEAPP, WM_INITDIALOG and WM_COMMAND. By itself, this + information is rather boring... however, it tells us what is happening + *elsewhere* in the function: 1.00B5 must be handling WM_ACTIVATEAPP + messages (therefore let's call it ON_ACTIVATEAPP), 1.00DA must be + handling WM_INITDIALOG, and 1.022D must be handling WM_COMMAND + messages. + + Write it down! 
This same basic technique -find where the [bp+0Ch] + "message" parameter to the WndProc or DialogProc is being rested, and + from that identify the locations that handle various messages- can be + used in *ANY* Windows program. + + Because handling messages is mostly what Windows applications do, once + we know where the message handling is, we pretty much can have our way + with the disassembled listing. + + Let's look now at TaskManDlgProc(): + + TASKMANDLGPROC proc far + ... + DISPATCH_ON_MSG: + 1.0097 8B460C mov ax, message ;[bp+0C] + 1.009A 2D1C00 sub ax, WM_ACTIVATEAPP ;001C + 1.009D 7416 je ON_ACTIVATEAPP + 1.009F 2DF400 sub ax, 00F4 ; (+1C=110=WM_INITDIALOG) + 1.00A2 7436 je ON_INITDIALOG + 1.00A4 48 dec ax ;(110+1=111=WM_COMMAND) + 1.00A5 7503 jne DEFAULT + 1.00A7 E98301 jmp ON_COMMAND + DEFAULT: + 1.00AA >2D5303 sub ax, 0353 ;(111+353=464=WM_USER+64 + 1.00AD 7503 jne ON_PRIVATEMSG ;00B2= some private msg + 1.00AF E9D602 jmp 0388 + ON_PRIVATEMSG: + 1.00B2 >E9C801 jmp 027D + ON_ACTIVATEAPP: + 1.00B5 >837E0A00 cmp word ptr wParam, 0 ;[bp+0A] + ... ; code to handle WM_ACTIVATEAPP + ON_INITDIALOG: + ... ; code to handle WM_INITDIALOG + ON_COMMAND: + ... ; code to handle WM_COMMAND + 1.022D >8B460A mov ax, wParam ;[bp+0A] + 1.0230 3D6800 cmp ax, 0068 ; ? What's this ? + 1.0233 7503 jne 0238 + 1.0235 E93301 jmp 036B + ... + + This is starting to look pretty reasonable. In particular, once we + know where WM_COMMAND is being handled, we are well on the way to + understand what the application does. + + WM_COMMAND is *very* important for understanding an application + behavior because the handler for WM_COMMAND is where it deals with + user commands such as Menu selections and dialog push button clicks... + a lot of what makes an application unique. + + If you click on "Cascade" in Task manager, for instance, it comes as a + WM_COMMAND, the same occurs if you click on "Tile" or "Switch To" or + "End Task". 
+ + An application can tell which command a user has given it by looking + in the wParam parameter to the WM_COMMAND message. + + This is what we started to see at the ned of the TaskManDlgProc() + exerpt: + + ; We are handling WM_COMMAND, therefore wParam is here idItem, + ; i.e. a control or menu item identifier + 1.022D >8B460A mov ax, wParam ;[bp+0A] + 1.0230 3D6800 cmp ax, 0068 ;ID number for a dialog control + 1.0233 7503 jne 0238 + 1.0235 E93301 jmp 036B + + 1.0238 >7603 jbe 023D + 1.023A E96001 jmp 039D + + 1.023D >FEC8 dec al ;1 + 1.023F 7420 je 0261 ;if wParam==1 goto 1.0261 + 1.0241 FEC8 dec al ;1+1=2 + 1.0243 7503 jne 0248 + 1.0245 E94701 jmp 038F ;if wParam==2 goto 1.038F + + 1.0248 >2C62 sub al, 62 ;2+62=64 + 1.024A 742A je 0276 + 1.024C FEC8 dec al ;64+1=65 + 1.024E 7432 je 0282 + 1.0250 2C01 sub al, 01 ;65+1=66 + 1.0252 7303 jnb 0257 + 1.0254 E94601 jmp 039D + + 1.0257 >2C01 sub al, 01 ;66+1=67 + 1.0259 7703 ja 025E + 1.025B E9D200 jmp 0330 + + It's clear that wParam is being compared (in an odd subtraction way) + to valus 1,2,65,66 and 67. What's going on? + + The values 1 and 2 are standard dialog button IDs: + + #define IDOK 1 + #define IDCANCEL 2 + + Therefore we have here the two "classical" push buttons: + + 1.023D >FEC8 dec al ; 1 = OK + 1.023F 7420 je ON_OK ; If 1 goto 1.0261= ON_OK + 1.0241 FEC8 dec al ; 1+1=2= CANCEL + 1.0243 7503 jne NOPE ; goto neither OK nor CANCEL + 1.0245 E94701 jmp ON_CANCEL ; if 2 goto 1.038F= ON_CANCEL + + The numbers 65, 66 etc are specific to TaskManager however, we will + not find them inside WINDOWS.H... so there is no home to find the + names of the commands to which these magic number correspond, unless + we happen to have a debug version of the program true? NO! FALSE! + + One of the notable things about Windows is that remarkably little + information is lost or thrown away compiling the source code. These + magic numbers seem to correspond in some way to the different Task + Manager push buttons... 
it's pretty obvious that there must be a way + of having applications tell Windows what wParam they want sent when + one of their buttons is clicked or when one of their menu items is + selected. + + Applications almost always provide Windows with this information in + their resources (they could actually define menus and controls + dynamycally, on the fly, but few applications take advantage of this). + These resources are part of the NE executable and are available for + our merry snooping around. + + This inspections of the resources in an EXE file is carried out by + means of special utilities, like RESDUMP, included with Windows source + (-> in my tool page). For example (I am using "-verbose" mode): + + DIALOG 10 (0Ah), "Task List" [ 30, 22,160,107] + FONT "Helv" + LISTBOX 100 (64h), "" [ 3, 3,154, 63] + DEFPUSHBUTTON 1 (01h), "&Switch To" [ 1, 70, 45, 14] + PUSHBUTTON 101 (65h), "&End Task" [ 52, 70, 45, 14] + PUSHBUTTON 2 (02h), "Cancel" [103, 70, 55, 14] + STATIC 99 (63h), "" [ 0, 87,160, 1] + PUSHBUTTON 102 (66h), "&Cascade" [ 1, 90, 45, 14] + PUSHBUTTON 103 (67h), "&Tile" [ 52, 90, 45, 14] + PUSHBUTTON 104 (68h), "&Arrange Icons" [103, 90, 55, 14] + + YEAH! It's now apparent what the numbers 64h, 65h etc. mean. Imagine + you would write Taskmanager yourself... you would write something on + these lines: + + #define IDD_SWITCHTO IDOK + #define IDD_TASKLIST 0x64 + #define IDD_ENDTASK 0x65 + #define IDD_CASCADE 0x66 + #define IDD_TILE 0x67 + #define IDD_ARRANGEICONS 0x68 + + Let's look back at the last block of code... it makes now a lot more + sense: + + ON_COMMAND: + ; We are handling WM_COMMAND, therefore wParam is here idItem, + ; i.e. a control or menu item identifier + 1.022D >8B460A mov ax, wParam ;[bp+0A] + 1.0230 3D6800 cmp ax, 0068 ;is it the ID 68h? + ... 
+ 1.023D >FEC8 dec al ;1=IDOK=IDD_SWITCHTO + 1.023F 7420 je ON_SWITCHTO ;0261 + 1.0241 FEC8 dec al ;1+1=2=ID_CANCEL + 1.0243 7503 jne neither_OK_nor_CANCEL ;0248 + 1.0245 E94701 jmp ON_CANCEL ;038F + neither_OK_nor_CANCEL: + 1.0248 >2C62 sub al, 62 ;2+62=64= IDD_TASKLIST + 1.024A 742A je ON_TASKLIST ;0276 + 1.024C FEC8 dec al ;64+1=65= IDD_ENDTASK + 1.024E 7432 je ON_ENDTASK ;0282 + 1.0250 2C01 sub al, 01 ;65+1=66= IDD_CASCADE + 1.0252 7303 jnb check_for_TILE ;0257 + 1.0254 E94601 jmp 039D ;something different + check_for_TILE: + 1.0257 >2C01 sub al, 01 ;66+1=67= IDD_TILE + 1.0259 7703 ja 025E ;it's something else + 1.025B E9D200 jmp ON_TILE_or_CASCADE ;0330 + + In this way we have identified location 0330 as the place where + Taskman's "Cascade" and "Tile" buttons are handled... we have renaimed + it ON_TILE_or_CASCADE... let's examine its code and ensure it makes + sense: + + ON_TILE_or_CASCADE: + 1.0330 >56 push hwndDlg ;si + 1.0331 6A00 push 0000 + 1.0333 9A6F030000 call USER.SHOWWINDOW + + 1.0338 9A74030000 call USER.GETDESKTOPWINDOW + 1.033D 8BF8 mov di, ax ;hDesktopWnd + 1.033F 837E0A66 cmp word ptr wParam, 0066 ;IDD_CASCADE + 1.0343 750A jne ON_TILE ;034F + 1.0345 57 push di ;hDesktopWnd + 1.0346 6A00 push 0000 + 1.0348 9AFFFF0000 call USER.CASCADECHILDWINDOWS + 1.034D EB2F jmp 037E + ON_TILE: + 1.034F >57 push di + 1.0350 6A10 push 0010 + 1.0352 9AFFFF0000 call USER.GETKEYSTATE + 1.0357 3D0080 cmp ax, 8000 + 1.035A 7205 jb 0361 + 1.035C B80100 mov ax, 0001 ;1= MDITILE_HORIZONTAL + 1.035F EB02 jmp 0363 + + 1.0361 >2BC0 sub ax, ax ;0= MDITILE_VERTICAL + + 1.0363 >50 push ax + 1.0364 9AFFFF0000 call USER.TILECHILDWINDOWS + 1.0369 EB13 jmp 037E + + Yes, it makes a lot of sense: We have found that the "Cascade" option + in Tile manager, after switching through the usual bunch of + switch/case loops, finally ends up calling an undocumented Windows API + function: CascadeChildWindows()... similarly, the "Tile" routine ends + up calling TileChildWindow(). 
+ + One thing screams for attention in the disassembled listing of + ON_TILE: the call to GetKeyState(). + + As an example of the kind of information you should be able to gather + for each of these functions, if you are serious about cracking, I'll + give you now here, in extenso, the definition from H. Schildt's + "General purpose API functions", Osborne's Windows Programming Series, + Vol. 2, 1994 edition (I found both this valuable book and its + companion: volume 3: "Special purpose API functions", in a second hand + shop, in february 1996, costing the equivalent of a pizza and a + beer!). Besides this function is also at times important for our + cracking purposes, and represents therefore a good choice. Here the + description from pag.385: + + void GetKeyState(int iVirKey) + + Use GetKeyState() to determine the up, down or toggled status of + the specified virtual key. iVirKey identifies the virtual key. To + return the status of a standard alphanumeric character in the + range A-Z, a-z or 0-9, iVirKey must be set equal to its ANSI + ASCII value. All other key must use their related virtual key + codes. The function returns a value indicating the status of the + selected key. If the high-order bit of the byte entry is 1, the + virtual key is pressed (down); otherwise it is up. If you examine + a byte emlement's low-order bit and find it to be 1, the virtual + key has been toggled. A low-order bit of 0 indicates that the key + is untoggled. + + Under Windows NT/Win32, this function returns type SHORT. + + Usage: + + If your application needs to distinguish wich ALT, CTRL, or SHIFT + key (left or right) has been pressed, iVirKey can be set equal to + one of the following: + + VK_LMENU VK_RMENU + VK_LCONTROL VK_RCONTROL + VK_LSHIFT VK_RSHIFT + + Setting iVirKey equal to VK_MENU, VK_CONTROL or VK_SHIFT + instructs GetKeyState() to ignore left and right, and only to + report back the status of teh virtual key category. 
This ability + to distinguish among virtual-key states is only available with + GetKeyState() and the related functions listed below. + + The following fragment obtains the state of the SHIFT key: + + if(GetKeyState(VK_SHIFT) { + ... + } + + Related Functions: + + GetAsyncKeyState(), GetKeyboardState(), MapVirtualKey(), + SetKeyboardState() + + Ok, let's go on... so we have in our code a "funny" call to + GetKeyState(). Because the Windows USer's Guide says nothing about + holding down a "state" (shift/ctrl/alt) key while selecting a button, + this sounds like another undocumented "goodie" hidden inside TASKMAN. + + Indeed, if you try it out on the 3.1 Taskman, you'll see that clicking + on the Tile button arranges all the windows on the desktop side by + side, but if you hold down the SHIFT key while clicking on the Tile + button, the windows are arranged in a stacked formation. + + To summarize, when the 3.1. Taskman Tile button is selected, the code + that runs in response looks like this: + + Tile: + ShowWindow(hWndDlg, SW_HIDE); // hide TASKMAN + hDesktopWnd = GetDesktopWindow(); + if (GetKeyState(VK_SHIFT) == 0x8000) + TileChildWindows(hDesktopWnd, MDITILE_HORIZONTAL); + else + TileChildWindows(hDesktopWnd, MDITILE_VERTICAL); + + Similarly, the CASCADE option in 3.1. TASKMAN runs the following code: + + Cascade: + ShowWindow(hWndDlg, SW_HIDE); // hide TASKMAN + CAscadeChildWindows(GetDesktopWindow(), 0); + + We can then proceed through each TASKMAN option like this, rendering + the assembly language listing into more concise C. + + The first field to examine in TASKMAN is the Task List itself: how is + the "Task List" Listbox filled with the names of each running + application? + + What the List box clearly shows is a title bar for each visible top + level window, and the title bar is undoubtedly supplied with a call to + GetWindowText()... a function that obtains a copy of the specified + window handle's title. 
+ + But how does TASKMAN enumerate all the top-level Windows? Taskman + exports TASKMANDLGPROC, but does not export any enumeration procedure. + + Most of the time Windows programs iterate through all existing windows + by calling EnumWindows(). Usually they pass to this function a pointer + to an application-supplied enumeration function, which therefore MUST + be exported. This callback function must have following prototype: + + BOOL CALLBACK EnumThreadCB(HWND hWnd, LPARAM lParam) + + Of course, the name a programmer chooses for such an exported function + is arbitrary. hWnd will receive the handle of each thread-associated + window.lParam receives lAppData, a 32-bit user- defined value. This + exported function must return non-zero to receive the next enumerated + thread-based window, or zero to stop the process. + + But here we DO NOT have something like TASKMANENUMPROC in the list of + exported functions... what's going on? Well... for a start TASKMAN IS + NOT calling EnumWindows()... Taskman uses a GetWindow() loop to fill + the "Task List" list box, study following C muster, sipping a good + cocktail and comparing it with the disassembled code you have printed: + + Task List: + listbox = GetDlgItem(hWndDlg, IDD_TASKLIST); + hwnd = GetWindow(hwndDlg, GW_HWNDFIRST); + while (hwnd) + { if ((hwnd != hwndDlg) && //excludes self from list + IsWindowVisible(hwnd) && + + GetWindow(hwnd, GW_OWNER)) + { char buf[0x50]; + GetWindowText(hwnd, buf, 0x50); // get titlebar + SendMessage(listbox, LB_SETITEMDATA, + SendMessage(listbox, LB_ADDSTRING, 0, buf), + hwnd); // store hwnd as data to go + } // with the titlebar string + hwnd = GetWindow(hwnd, GW_HWNDNEXT); + } + SendMessage(lb, LB_SETCURSEL, 0, 0); // select first item + + The "End Task" opton in Taskman just sends a WM_CLOSE message to the + selected window, but only if it's not a DOS box. 
TASKMAN uses the + undocumented IsWinOldApTask() function, in combination with the + documented GetWindowTask() function, to determine if a given HWND + corresponds to a DOS box: + + End Task: + ... // boring details omitted + if(IsWinOldApTask(GetWindowTask(hwndTarget))) + MaybeSwitchToSelecetedWindow(hwndTarget); + + if(IsWindow(hwndTarget) && + (! (GetWindowLong(hwndTarget, GWL 5STYLE) & WS_DISABLED)) + { + PostMessage(hwndTarget, WM_CLOSE, 0, 0); + } + + The "Arrange Icons" option simply runs the documented + ARrangeIconicWindows() function: + + Arrange Icons: + Showwindow(hWndDlg, SW_HIDE); + ArrangeIconiCWindows(GetDesktopWindow()); + + The "Switch To" option in TASKMAN is also interesting. Like "Tile" and + "Cascade", this too it's just a user-interface covering an + undocupented Windows API function, in this case SwitchToThisWindow(). + + Let's walk through the process of deciphering a COMPLETELY unlabelled + Windows disassembly listing, that will be most of the time your + starting situation when you crack, and let's turn it into a labelled C + code. + + By the way, there does exist an interesting school of research, that + attempts to produce an "EXE_TO_C" automatical converter. The only + cracked version of this program I am aware of is called E2C.EXE, is + 198500 bytes long, has been developed in 1991 by "The Austin Code + Works and Polyglot International" in Jerusalem (Scott Guthery: + guthery@acw.com), and has been boldly brought to the cracking world by + Mithrandir/AlPhA/MeRCeNarY. Try to get a copy of this tool... 
it can + be rather interesting for our purposes ;-) + + Here is the raw WCB disassembled code for a subroutine within TASKMAN, + called from the IDD_SWITCHTO handling code in TaskManDlgProc(): + + 1.0010 >55 push bp + 1.0011 8BEC mov bp, sp + 1.0013 57 push di + 1.0014 56 push si + 1.0015 FF7604 push word ptr [bp+04] + 1.0018 681A04 push 041A + 1.001B FF7604 push word ptr [bp+04] + 1.001E 680904 push 0409 + 1.0021 6A00 push 0000 + 1.0023 6A00 push 0000 + 1.0025 6A00 push 0000 + 1.0027 9A32000000 call USER.SENDMESSAGE + 1.002C 50 push ax + 1.002D 6A00 push 0000 + 1.002F 6A00 push 0000 + 1.0031 9AEF010000 call USER.SENDMESSAGE + 1.0036 8BF8 mov di, ax + 1.0038 57 push di + 1.0039 9A4C000000 call USER.ISWINDOW + 1.003E 0BC0 or ax, ax + 1.0040 742A je 006C + 1.0042 57 push di + 1.0043 9AFFFF0000 call USER.GETLASTACTIVEPOPUP + 1.0048 8BF0 mov si, ax + 1.004A 56 push si + 1.004B 9AA4020000 call USER.ISWINDOW + 1.0050 0BC0 or ax, ax + 1.0052 7418 je 006C + 1.0054 56 push si + 1.0055 6AF0 push FFF0 + 1.0057 9ACD020000 call USER.GETWINDOWLONG + 1.005C F7C20008 test dx, 0800 + 1.0060 750A jne 006C + 1.0062 56 push si + 1.0063 6A01 push 0001 + 1.0065 9AFFFF0000 call USER.SWITCHTOTHISWINDOW + 1.006A EB07 jmp 0073 + + 1.006C >6A00 push 0000 + 1.006E 9ABC020000 call USER.MESSAGEBEEP + + 1.0073 >5E pop si + 1.0074 5F pop di + 1.0075 8BE5 mov sp, bp + 1.0077 5D pop bp + 1.0078 C20200 ret 0002 + + The RET 0002 at the end tells us that this is a near Pascal function + that expects one WORD parameter, which appears as [bp+4] at the top of + the code. + + Because [bp+4] is being used as the first parameter to SendMessage(), + it must be an HWND of some sort. + + Here is the muster for SendMessage(): LRESULT SendMessage(HWND hWnd, + UINT uMsg, WPARAM wMsgParam1, LPARAM lMsgParam2), where hWnd + identifies the Window receiving the message, uMsg identifies the + message being sent, wMsgParam1 & lMsgParam2 contain 16 bits and 32 + bits of message-specific information. 
+ + Finally, we don't see anything being moved into AX or DX near the end + of the function, so it looks as if this function has no return value: + + void near pascal some_func(HWND hwnd) + + Let's look once more at it... the function starts off with two nested + calls to SendMessage (using the message numbers 41Ah and 409h). These + numbers are greater than 400h, they must therefore be WM_USER+XX + values. Windows controls such as edit, list and combo boxes all use + WM_USER+XX notification codes. + + The only appropriate control in TASKMAN is the list box, so we can + just look at the list of LB_XXX codes in WINDOWS.H. 1Ah is 26 decimal, + therefore 41Ah is WM_USER+26, or LB_GETITEMDATA. Let's see what + Osborne's "Special Purpose API functions" says about it (pag.752): + + LB_GETITEMDATA + When sent: To return the value associated with a list-box item. + wParam: Contains the index to the item in question + lParam: Not used, must be 0 + Returns: The 32-bit value associated with the item + + Similarly, 409h is WM_USER+9, which in the case of a list box means + LB_GETCURSEL. We saw earlier that TASKMAN uses LB_SETITEMDATA to store + each window title's associated HWND. LB_GETITEMDATA will now retrive + this hwnd: + + hwnd = SendMessage(listbox, LB_GETITEMDATA, + SendMessage(listbox, LB_GETCURSEL, 0, 0), 0); + + Notice that now we are caling the parameter to some_func() a listbox, + and that the return value from LB_GETITEMDATA is an HWND. + + How would we know it's an hwnd without our references? We can see the + LB_GETITEMDATA return value (in DI) immediatly being passed to + IsWindow() at line 1.0039: + + ; IsWindow(hwnd = SendMessage(...)); + 1.0031 9AEF010000 call far ptr SENDMESSAGE + 1.0036 8BF8 mov di, ax + 1.0038 57 push di + 1.0039 9A4C000000 call far ptr ISWINDOW + + Next, the hwnd is passed to GetLastActivePopup(), and the HWND that + GetLastActivePopup() returns is then checked with IsWindow()... 
+ IsWindow() returns non-zero if the specified hWnd is valid, and zero + if it is invalid: + + ; IsWindow(hwndPopup = GetLastActivePopup(hwnd)); + 1.0042 57 push di + 1.0043 9AFFFF0000 call USER.GETLASTACTIVEPOPUP + 1.0048 8BF0 mov si, ax ; save hwndPopup in SI + 1.004A 56 push si + 1.004B 9AA4020000 call USER.ISWINDOW + + Next, hwndPopup (in SI) is passed to GetWindowLong(), to get + informations about this window. Here is time to look at WINDOWS.H to + figure out what 0FFF0h at line 1.055 and 800h at line 1.005C are + supposed to mean: + + ; GetWindowLong(hwndPopup, GWL_STYLE) & WS_DISABLED + 1.0054 56 push si ;hwndPopup + 1.0055 6AF0 push GWL 5STYLE ;0FFF0h = -16 + 1.0057 9ACD020000 call USER.GETWINDOWLONG + 1.005C F7C20008 test dx, 0800 ;DX:AX= 800:0= WS_DISABLED + + Finally, as the whole point of this exercise, assuming this checked + window passes all its tests, its last active popup is switched to: + + ; SwitchToRhisWindow(hwndPopup, TRUE) + 1.0062 56 push si ;hwndPopup + + 1.0063 6A01 push 0001 + 1.0065 9AFFFF0000 call USER.SWITCHTOTHISWINDOW + + It's here that all possible questions START: SwitchToThisWindow is not + documented... therefore we do not know the purpose of its second + parameter, apparently a BOOL. We cannot even tell why + SwitchToThisWindow() is being used... when SetActiveWindow(), + SetFocus() or BringWindowToTop() might do the trick. And why is the + last active popup and not the window switched to? + + But let's resume for now our unearthed mysterious function, that will + switch to the window selected in the Task List if the window meets all + the function's many preconditions: + + void MaybeSwitchToSelectedWindow(HWND listbox) + { + HWND hwnd, hwndPopup; + // first figure out wich window was selected in the Task List + if (IsWindow(hwnd = SendMessage(listbox, LB_GETITEMDATA, + SendMessage(listbox, LB_GETCURSEL, 0, 0), 0))) + { + if (IsWindow(hwndPopup = GetLastActivePopup(hwnd))) + { + if (! 
(GetWindowLong(hwndPopup, GWL_STYLE) & WS_DISABLED)) + { + SwitchToThisWindow(hwndPopup, TRUE); + return; + } + } + MessageBeep(0); //Still here... error! + } + + Now we have a good idea of what TASKMAN does (it sure took a long time + to understand those 3K bytes of code!). In the next lessons we'll use + what we have learned to crack together some common Windows programs. + (->lesson 3) + + FraVia + + diff --git a/textfiles.com/piracy/CRACKING/drlan.txt b/textfiles.com/piracy/CRACKING/drlan.txt new file mode 100644 index 00000000..ce4c9ea5 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/drlan.txt 
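Review bot: the reconstructed MaybeSwitchToSelectedWindow() at the end of this hunk does not match the disassembly it was derived from, and its braces do not balance. In the listing every failed test (IsWindow at 1.0039, IsWindow at 1.004B, the WS_DISABLED test at 1.005C) jumps to 1.006C, which calls MessageBeep, so the beep is reached on all three failure paths; in the C version `MessageBeep(0); //Still here... error!` sits inside the first `if (IsWindow(hwnd = SendMessage(...)))` block, so an invalid list-box entry is ignored silently, and the function's closing brace is missing. Move the MessageBeep call after the outer if and close the function. Smaller points in the same file: the End Task snippet calls `MaybeSwitchToSelecetedWindow(hwndTarget)` (misspelled, and passing an HWND) while the reconstruction takes the list-box handle as its parameter; `GWL 5STYLE` appears twice where GWL_STYLE is meant; and in the Task List loop the condition GetWindow(hwnd, GW_OWNER) keeps only windows that have an owner, the opposite of a task list of top-level windows (a blank line sits where a dropped `!` would be), while the final LB_SETCURSEL line uses `lb` where the variable is named listbox.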
@@ -0,0 +1,107 @@ +Text: tickle.dr +Purpose: Tutorial on cracking Tickle.exe using hmemcpy and memory breakpoints +Program: Tickle.exe - Keeps your ISP connection alive +By: drLAN, mexelite + + +Let's get started cracking this baby... + +Run the program and select: + - Tickle + - Register + +Now type in any name and code, but don't press enter yet. First pop over +in to SoftICE by pressing Ctrl-D. Let's set a breakpoint on hmemcpy. This +routine is often used to manipulate strings in memory. To set the breakpoint +type: bpx hmemcpy. Make sure you get your name and code typed in before you +set the hmemcpy breakpoint, or sICE will break for each character you type. + +Now toggle back to the program with Ctrl-D and press Enter or click OK. As +soon as you hit Enter, sICE pops, at your hmemcpy breakpoint. + +Now let's scan memory for the reg code we entered. I entered the following: + +Name: drLAN +Code: 006969 + +So my search looks like: s 0 l ffffffff '006969' + +sICE should find an echo of this string setting in memory. It found mine +at 013F:0076177C. Your actual segment:offset will probably vary. Ok, so +now we found a copy of our string in memory, now what. Well, let's set a +breakpoint on this memory location. There are many ways to do this and you +may need to use differemt approaches depending on the program you are working +on. Some common approaches are to breakpoint on a memory location (BPM). +Any reads/writes at that location will trigger the breakpoint. Another +approach is to set the breakpoint on a memory range, from the first char of +your reg code to the last. Or, if you know a little about the proggie you +might want to break on a single byte (BPMB), a word (BPMW), or a double word +(BPMD). Each of these approaches has its merrits depending on what you're +looking for. I commonly use BPM and BPMB. + +So based on where it found my string, here are the BPM and BPR approaches. +NOTE: Only use one of the two. I used approach #1. 
+ +#1: Breakpoint on memory location: +bpm 013f:0076177c <== this is the one I set + +#2: Breakpoint on memory range: +bpr 013f:0076177c 013f:00761781 RW + +Note the last two digits changed on the ending range. That's because it is +pointing to the memory location containing the last character of our string. +First character is at 013f:0076177c. String length is 6. So the last char +is at 013f:0076177c+(6-1), or 013f:00761781. + +Usually the program will create another copy of the string in memory before +doing its final comparison(s). So, it's often this second copy we need to +scan for. We could single step through the program for a while, using F10. +After each CALL, do the scan again to see if it has made a second copy. If +so, set a memory breakpoint at that address, too. Don't clear the first one +unless that memory segment is completely overwritten with something different +that the code you typed. + +If you don't feel like stepping through the code for the rest of your life, +you can press Ctrl-D a second time from within sICE and you'll break at +another hmemcpy. If you break on the first memory address, just press Ctrl-D +again until you hit the second hmemcpy. Now scan again and see if there is a +second copy of the string in memory. If so, set your memory breakpoint here. +If not, F10 a few times to step through some code. Do your scan after any +CALL routine. Do the scan periodically anyway. If you type S, then up arrow +it should fill out the rest of your scan command from the buffer, so you don't +have to retype the whole thing each time. + +Eventually you will find the second copy of the string in memory. This will +turn out to be the copy we're interested in. Set your memory breakpoint (BPM) +here. + +Then press Ctrl-D again. Now you should be sitting one instruction before +the good-guy/bad-guy compare routine. 
The code should look something like +this: + +MOV CL,DL +CMP DL,BL +JNZ 78005DAC ; bad-guy, jump to sorry sucker +TEST CL,CL +JZ 78005DB6 ; good-guy, jump to thanks for registering + +Now, if you scroll up through your data window using your mouse, or change +focus to that window and use Ctrl-Up Arrow, you will see the code that points +these registers at memory locations for the compare routine. You should +see DL being pointed to [EAX] (the good code) and BL being pointed to [ESI] +(our code/the bad guy code). You can verify this with D EAX, and D ESI. If +you scrool up the code you find should look like this: + +MOV ESI,[ESP+18] +MOV EAX,[ESP+14] +MOV DL,[EAX] ; points DL to the memory location of good-guy code +MOV BL,[ESI] ; points BL to the memory location of bad-guy code + +Then we hit the code above... + +D ESI ; bad-guy code (the one we entered) +D EAX ; good-guy code (you know what to do with this one) + +Beautiful, there's your good-guy code. Clear your breakpoints and register +this baby! + diff --git a/textfiles.com/piracy/CRACKING/dumpexe.txt b/textfiles.com/piracy/CRACKING/dumpexe.txt new file mode 100644 index 00000000..45ba2594 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/dumpexe.txt 
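Review bot: in the compare-routine walkthrough near the end of this hunk, the comments describe `MOV DL,[EAX]` and `MOV BL,[ESI]` as pointing DL and BL at memory locations, but these instructions load single bytes; EAX and ESI are the pointers, which is why `D EAX` and `D ESI` dump the two strings. Which of the two buffers holds the entered code is only established by finding the typed value (006969) in one of the dumps, so state that rather than asserting up front that [EAX] is the good code and [ESI] the bad one. Also, the instruction to scroll up with Ctrl-Up Arrow to see the preceding MOVs refers to the data window; it is the code window. Minor spelling: differemt, merrits, scrool, and "something different that the code you typed" should read "different from".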
@@ -0,0 +1,665 @@ + + + <*> EXE-dumper version 2.2 <*> + + by + + + 1997 + + + Handle Real name Age Profession Group activity + + Bugsy Benjamin Petersen 23 Programmer Coder, organizer(?) + Spawn Michael Skovslund 22 Programmer Coder, gfx + UniSon Henrik Eiriksson 23 Study IFA Music, art + + PLEASE CHECKOUT OUR INTERNET HOMEPAGE AT : WWW.CYBERNET.DK/USERS/BUGSY + + + +INDEX + History + Introduction + Disclaimer + Keyboard layout + Program documentation + Soft-Ice user notice (New information, please take a look) + GameTools user notice (New information, please take a look) + EatMem utility (New information, please take a look) + How to unpack an exefile + How to get in touch with us + Greetings (New information, please take a look) + + + History + + Version Release Note + + 1.0 Never released to the public, only for our beta-testers + + 1.1 First public release + + 1.2 Now with Soft-Ice debugger support. Activate with INT FCh + + 2.0 Autodump from TD, S-ICE and GAMETOOLS. Detects a lot of things. + Uses UMB. Added Total Memory Dump feature, Show User Screen. Now it + swaps dos-stack so DUMPEXE can be activated at any time (reentrance) + + 2.1 Fixed a bug in dos version check. (Damn) + + 2.2 Added support for overlay as requested by Jos Navarro Martnez + Fixed minor bugs in DUMPEXE. Added mail registration form + Added a utility called EATMEM that allocates 4 KB from within DOS. + Removed the WORD version of this doc file (Did anybody use it ?). + + Introduction + + This program is able to unpack ANY exe-packed file. Many other programs, + such as cup, up, tron, unp and vgacbust give you the same ability. But those + programs can only expand/unpack files packed with known exepackers. By + using the OBSESSiON DUMPEXE toolpack, you can unpack any of those exe-files + that the above utilitys gave up on. Of course this can't be done by inserting + a quarter (kr.) into the crypt-o-mate. We have to do a little more than this. 
+ This is where you, the OBSESSiON DUMPEXE toolpack, and your debugger gets + into the picture. + + All you have to do is this : + Load the exeprogram into your favourite debugger (eg. TD, S-ice, GameTools) + Debug the program until first original (unpacked) instruction + Dump the code/data, using the DUMPEXE program, via the FILE 1 option + Terminate the loaded program + Allocate a 4 Kb memory block via the DUMPEXE program (or use EATMEM.EXE) + Reload the program, and ensure that the entry point is different + Debug the program until first original (unpacked) instruction + Dump the code/data, using the DUMPEXE program, via the FILE 2 option + Terminate the loaded program + Deallocate the 4 Kb memory block via the DUMPEXE program (or use EATMEM.EXE) + Run MAKEEXE with the needed parameters. + Example : MAKEEXE.EXE ORIGINAL.EXE NEWFILE.EXE + + And 'puf', your done. + + To technically understand how this can be done, please refer to selection : + "How to unpack an exefile". + + If this sounds easy, exit your doc reader now, if not, keep on reading. 8-) + + Disclaimer + + This software has been tested and found to work properly. OBSESSiON have no + responsbility whatsoever for any damages caused by use, or misuse of this + software. + + IF YOU DISAGREE WITH ANY OF THOSE TERMS, PLEASE REMOVE THIS SOFTWARE NOW. + + If after a 24 hour test period, you still wish to continue using this + software, you NEED to send us a postcard with your name and address or + register at our homepage at HTTP://WWW.CYBERNET.DK/USERS/BUGSY. The reason is + that it's the ONLY way I can explain to my wife why I have invested MORE than + 200 hours developing this software. This is the only way I can see that + someone really is using this software. If I don't receive anything by mail, + I won't update the program any more. 
+ + This means : + IF NOT (ReceivedAnyPostCardOrEMail) THEN + HALT (Programmer) + ELSE + ReleaseNextVersion + + Keyboard layout + + Left shift + right shift : Activate the resident part of DUMPEXE + TAB : Jump to next menu block + Shift TAB : Jump to previous menu block + Arrow up/down : Next/previous menu selection/block + Arrow left/right : Next/previous digit or menu block + ESC : Terminate DUMPEXE or return to previous state + Enter : Confirm selection/input + + Program documentation + + Install DUMPEXE into memory by starting the file DUMPEXE.EXE. The program + will now go resident (TSR) in memory. This means that it can be envoked at + any time and within any program (such as a debugger). If UMB is available, + the 'DOS stack' and 'Screen swap data' will be placed here. To activate + DUMPEXE, please press and at the same time (also + called the hotkey). A menu like the one shown below, should appear. To return + to interrupted program, press . + + NOTICE : In previous versions you couldn't start DUMPEXE by pressing the + hotkey within the dos command line (InDOS). This has now been + fixed by using the technique called 'DOS stack switching'. + + FIG 1. The main picture of DUMPEXE + + DumpExe v2.2 CARDWARE 1997 by BUGSY/OBSESSiON [1]Ŀ + Dos, 80386, V86 mode, Turbo Debugger [2] + First file [3] Second file [4]ij + CS : 0000 CS : 0000 + IP : 0000 IP : 0000 + SS : 0000 SS : 0000 + SP : 0000 SP : 0000 + PSP : 0000 PSP : 0000 + Size : 00000 (0) Size : 00000 (0) + Name : #NoName#.1 Name : #NoName#.2 + [5][6]ij + Dump exe-code Dump exe-code + Autodetect name Autodetect name + Autodetect size Autodetect size + [7][8]ij + Raster Bar User screen + Memory snapshot Allocate 4Kb + Reset menu Auto config file 2 + Uninstall Fill from debugger + Free 99 kb, Slack 0 kb [9]ij + [10] + Hotkey : (U)ser screen + + Overview + [1] Copyright text. + [2] Information on the operating system and found debuggers. + [3] Data for first memory dump, set by the user. 
+ [4] -"- for second memory dump. + [5] Menu concerning first memory dump. + [6] -"- for second memory dump. + [7] General purpose menu, concerning global use of DUMPEXE. + [8] Utility menu with functions, helps you get the job done faster. + [9] Information about the current memory status. + [10] Shows status messages from DUMPEXE and serves as an input prompt. + + Explenation + [1] Copyright text. + Tells who made this brilliant program. + + [2] Information on the operating system and found debuggers. + Shows if current session is a DOS, WINDOWS or OS/2 session. + Also shows which debuggers have been found active at the present + moment. + + Can show a mixture of the following text strings : + [8086, 80286, 80386], + [Real mode, V86 mode], + [Dos, Win Std, Win Enh, OS/2], + [No debugger, Turbo Debugger, Soft-Ice, GameTools] + + Example : Dos, 80386, Real mode, Soft-Ice, GameTools + + As you can see, it is possible to have more than one debugger loaded + at the same time. This can be usefull when combining Turbo Debugger + and GameTools. + + [3] Data for first memory dump, set by the user. + This subwindow is used to enter information about the program you + want to unpack. You have to fill out ALL fields to get a working + copy of the unpacked program. + + CS : Current code segment + IP : Current instruction pointer + SS : Current stack segment + SP : Current stack pointer + PSP : Current program prefix segment, usually the same as ES + Size : Size of program in bytes + Name : Name of dump file + + To change a value, move the selector to the decided item and press + . Enter the new value and press again. + REMARK : All numbers are shown and entered in heximal values. + The filename can not be entered manuelly. + + [4] -"- for second memory dump. ([3]) + + [5] Menu concerning first memory dump. + It is used for dumping the code/data block entered in [3] or [4]. + + Menu items available are : + + Dump exe-code : Select this one to dump selected code/data block. 
+ + Autodetect name : Let DUMPEXE autodetect the name of the program + its processing, and use it as the dump filename. + + Autodetect size : Let DUMPEXE autodetect the size of the code/data + block. There are two ways to autodetect this + size. It can be done by Stack or by PSP. The + most common way is 'By Stack', because this + usually gives a smaller, and more acurrent image + of the original unpacked exefile. + + [6] -"- for second memory dump. ([5]) + + [7] General purpose menu, concerning the global use of DUMPEXE. + + Menu items available are : + + Raster Bar : Switch between Raster Bar and Textmode Bar. + It's a good idea to choose Textmode Bar if you + are running under other systems than DOS such as + Windows or OS/2. + + Memory snapshot : Takes a snapshot of the first megabyte of memory, + and puts it in a file in the current directory, + called SNAPSHOT.MEM. Use it for whatever you may + like. + + Reset menu : Sets all items to their initial value. Use it if + something, somehow goes bananas. + + Uninstall : Removes the DUMPEXE software from the memory. + Use it if you want to remove the DUMPEXE from + memory. + + [8] Utility menu with functions that helps you get the job done faster. + + Menu items available are : + + User screen : Shows the screen as it was before DUMPEXE was + started. Use this function instead of pressing + and then the hotkey. This function can + also be called by pressing while in view + mode. + + (De)Allocate 4Kb : Used to allocate/deallocate a block of 0100h + paragraphs (4 Kb). This should be done after + the first dump and termination, and before you + reload the program. Please take a look at the + tutorial later in this document. + + NOTICE : This function can ONLY be used within + Turbo Debugger and GameTools. So if + you are using Soft-Ice, please use + the utility called EATMEM.EXE insted. + + Auto-Config : Adds 0101h to all segment registers in [2] and + store them in [3]. It is useful after + preparing for second dump. 
This works only on + 9 out 10 packed files. Please notice that CS + in [3] matches the one shown by the debugger. + If not, enter all values manually. You only + have to use this function if + "Fill from debugger" fails. + + Fill from debugger : Read the register shown by the debugger and + automatically place the values into first or + second dumpfile. This is a VERVY useful + function, since it gives you the ability to + unpack the exefile FAST. + + [9] Information about the current memory status. + + Free : Amount of free basememory, in Kb. + Slack : Number of memory fragments in Kb, after allocating 4 Kb. + + [10] Status messages from DUMPEXE and input prompt. + This line serves as an error message and input scratch. + + Here are some of the error messages that can appear : + + No size given. + You have to enter how much memory the program needs to dump. + + No memory allocated. + You are trying to auto-config file 2, and you haven't used + "allocate 4KB". You must manually enter the data required to dump + + Can't auto-config file 2, sorry. + You have to manuelly, enter the data required to dump a program. + Or you could use the function : "Fill from debugger" + + The PSP-segment is not valid. + You are using a function that requires a valid PSP segment, + entered in [3] or [4]. + + The PSP-segment for file 1 is not valid. + See the above. + + Can't find name. + DUMPEXE is not able to find the name of the program you want + to dump. The program is using a standard name instead. + + Can't uninstall, vector hooked by another program. + You have loaded another program after DUMPEXE. Unfortunately the + two programs have both hooked onto the same interrupt. Unload the + other program first and try again. + + Can't allocate necessary memory. + Boot your machine with fewer drivers, and try again. If this + does'nt help, you are f..... + + Out of stack. + Your memory is fragmented to much. The DUMPEXE has a 4 Kb stack and + in this case it doesn't seem to be enough. 
Contact us and ask for + a version with a larger stack, or modify the exeheader yourself. :) + + Can't release memory. + This error is most likely caused by the program you are about to + dump, or the stack of this program has been destroyed. Dump the + code and boot your PC. (the dumpfile should be okay, I hope...) + + Can't make file. + Oops, a disk error. Check your harddisk with "chkdsk /f" or + "scandisk" + + Can't write file, disk full ?. + Free some disk space, and try again. + + Can't deallocate memory. + The MCB (memory control block) has been destroyed. Dump the code + and boot your PC. (again, the dumpfile should be okay, I hope...) + + Soft-Ice user notice + + If you are using Soft-Ice, the hotkey is disabled. This is because Soft-Ice + runs in protected mode and uses its own interrupt vector table. To activate + DUMPEXE, enter the following sequence at the Soft-Ice command line prompt : + + BPX CS:IP : So we can return after Int 0FCh has terminated + GENINT FC : Start the exe-dumper + GENINT FC : Start the exe-dumper again (if you need it) + BC 0 : Clear the breakpoint set by BPX. The number (in this case + 0) is the name of the breakpoint label. + + Don't start DUMPEXE unless you are are at the very first instruction of + the unpacked exefile because your current location might be in the keyboard + handler or equal. + + NOTICE : You cannot use the DUMPEXE menu called 'Allocate 4Kb' within + soft-ice. This function can ONLY be used within Turbo Debugger + and GameTools. Please use the utility called EATMEM.EXE insted. + (Look at selection 'EatMem utility' later) + + GameTools user notice + + If you are using GameTools, be SURE to load DUMPEXE BEFORE you load + GameTools. If you don't, you can't activate DUMPEXE within GameTools. + + EatMem utility + + EatMem is a program that from within dos allows you to allocates + a 4 KB memory block. + + When you start EATMEM.EXE the first time it starts DUMPEXE (if resident) and + allocates a 4 KB memory block. 
The next time you start EATMEM.EXE it frees + the 4 KB memory block. + + Use this utility if you can't allocate a 4 KB memory block within DUMPEXE. + So insted of using the menu (in DUMPEXE) 'Allocate 4 KB', just return to dos, + and run EATMEM.EXE. When you are finished with the second dump, just run + EATMEM.EXE again, or release the 4 KB memory block via DUMPEXE. + + How to unpack an exefile + + The file named TESTEXE.EXE is a packed exe-file. It is used to illustrate + how to use this tool, and nothing more. The file is packed with pklite + version 2.01 using normal compression. + + I will use Turbo Debugger for this example, because if you know how to use + the ultimate debugger Soft-Ice, you probably don't need this introduction + anyway. + + If you don't know anything about using a debugger, I advise you to consult + your debuggers manual. + + Try to execute the tutorial program TESTEXE.EXE and take look at the text + it displays. The program will tell you if it's packed or not. + + REMEMBER : Start DUMPEXE.EXE before proceeding with the next step. 
+ + Start debugging TESTEXE.EXE by writing : TD.EXE TESTEXE.EXE + + The picture shown, by TD (Turbo Debugger), should look something like + this : + + []CPU 804861[][]ͻ + cs:010050 push ax  ax 0000 c=0 + cs:0101 B82D06 mov ax,062D bx 0000 z=0 + cs:0104 BA8201 mov dx,0182 cx 0000 s=0 + cs:0107 050B63 add ax,630B dx 0000 o=0 + cs:010A 3B060200 cmp ax,[0002] si 0000 p=0 + cs:010E 722A jb 013A di 0000 a=0 + cs:0110 B409 mov ah,09 bp 0000 i=1 + cs:0112 BA1C01 mov dx,011C sp 0200 d=0 + cs:0115 CD21 int 21 ds 62FB + cs:0117 B8014C mov ax,4C01 es 62FB + cs:011A CD21 int 21 ss 64B3 + cs:011C 4E dec si cs 62FB + cs:011D 6F outsw ip 0100 + cs:011E 7420 je 0140 + cs:0120 656E outsb gs:  + Ķ + ds:0000 CD 20 67 69 00 9A C0 00 gi ss:0208 0A76 + ds:0008 00 00 E4 01 D3 29 AE 01 ) ss:0206 8BCB + ds:0010 D3 29 80 02 2E 24 9C 15 ).$ ss:0204 8BF8 + ds:0018 01 01 01 00 02 FF FF FF   ss:0202 8B0E + ds:0020 FF FF FF FF FF FF FF FF ss:020074A6 + + NOTICE : Due to the nature of the PC-memory, the segment registers + (CS, DS, ES, SS) might show different values than the one + shown. + + Start executing the code until cs:0153, by pressing at location cs:0153, + shown below. 
(Press 2 or 3 times) + + []CPU 804861[][]ͻ + cs:0146 50 push ax  ax 68FF c=0 + cs:0147 B9C500 mov cx,00C5 bx 0000 z=1 + cs:014A 33FF xor di,di cx 0000 s=0 + cs:014C 57 push di dx 0182 o=0 + cs:014D BE5401 mov si,0154 si 02DE p=1 + cs:0150 FC cld di 018A a=0 + cs:0151 F3A5 rep movsw bp 0000 i=1 + cs:0153CB retf sp 01FA d=0 + cs:0154 FD std ds 62FB + cs:0155 8CDB mov bx,ds es 68FF + cs:0157 53 push bx ss 6918 + cs:0158 83C32E add bx,002E cs 62FB + cs:015B 90 nop ip 0153 + cs:015C 03DA add bx,dx + cs:015E 8CCD mov bp,cs  + Ķ + ds:0000 CD 20 67 69 00 9A C0 00 gi ss:0202 0005 + ds:0008 00 00 E4 01 D3 29 AE 01 ) ss:0200 73A0 + ds:0010 D3 29 80 02 2E 24 9C 15 ).$ ss:01FE 0000 + ds:0018 01 01 01 00 02 FF FF FF   ss:01FC 68FF + ds:0020 FF FF FF FF FF FF FF FF ss:01FA0000 + + + The unpacker has copied itself to a location, which is just after the + (not yet) unpacked code location. Singlestep one instruction (), and + you'll hopefully see this : + + []CPU 804861[][]ͻ + cs:0000FD std  ax 68FF c=0 + cs:0001 8CDB mov bx,ds bx 0000 z=1 + cs:0003 53 push bx cx 0000 s=0 + cs:0004 83C32E add bx,002E dx 0182 o=0 + cs:0007 90 nop si 02DE p=1 + cs:0008 03DA add bx,dx di 018A a=0 + cs:000A 8CCD mov bp,cs bp 0000 i=1 + cs:000C 8BC2 mov ax,dx sp 01FE d=0 + cs:000E 80E40F and ah,0F ds 62FB + cs:0011 B104 mov cl,04 es 68FF + cs:0013 8BF2 mov si,dx ss 6918 + cs:0015 D3E6 shl si,cl cs 68FF + cs:0017 8BCE mov cx,si ip 0000 + cs:0019 D1E9 shr cx,1 + cs:001B 4E dec si  + Ķ + ds:0000 CD 20 67 69 00 9A C0 00 gi ss:0206 0000 + ds:0008 00 00 E4 01 D3 29 AE 01 ) ss:0204 0000 + ds:0010 D3 29 80 02 2E 24 9C 15 ).$ ss:0202 0005 + ds:0018 01 01 01 00 02 FF FF FF   ss:0200 73A0 + ds:0020 FF FF FF FF FF FF FF FF ss:01FE0000 + + + Press at location cs:0161 (the retf instruction), found by pressing + 13 - 14 times; and then . That's it. You have now unpacked + the TESTEXE program. 
If you have done it right, TD shows something like this : + + []CPU 804861[][]ͻ + cs:010F9A00001464 call 6414:0000  ax 0000 c=0 + cs:0114 9A0D00B263 call 63B2:000D bx 0000 z=1 + cs:0119 9A60073A63 call 633A:0760 cx 0000 s=0 + cs:011E 55 push bp dx 0000 o=0 + cs:011F 89E5 mov bp,sp si 0000 p=1 + cs:0121 B80001 mov ax,0100 di 0000 a=0 + cs:0124 9ACD021464 call 6414:02CD bp 0000 i=1 + cs:0129 81EC0001 sub sp,0100 sp 4000 d=0 + cs:012D 9ACC01B263 call 63B2:01CC ds 62FB + cs:0132 BFB400 mov di,00B4 es 62FB + cs:0135 1E push ds ss 6548 + cs:0136 57 push di cs 630B + cs:0137 8DBE00FF lea di,[bp-0100] ip 010F + cs:013B 16 push ss + cs:013C 57 push di  + Ķ + ds:0000 CD 20 67 69 00 9A C0 00 gi ss:4008 0000 + ds:0008 00 00 E4 01 D3 29 AE 01 ) ss:4006 0000 + ds:0010 D3 29 80 02 2E 24 9C 15 ).$ ss:4004 0000 + ds:0018 01 01 01 00 02 FF FF FF   ss:4002 0005 + ds:0020 FF FF FF FF FF FF FF FF ss:400074A0 + + + As you can see there are three far calls. These are direct calls. This means + that it will make a call to a certain location in memory. If we dump the + memory used by TESTEXEE, we'll have an image of the program. But this is not + enough to make a new exefile. This is because an exefile is not just an image + of the memory, like a COM file is. We need a second dump from a different + memory location. This is because of the direct calls. By comparing the two + dumps, we can find the relocations (direct calls) needed to build a new + exefile. Information like min/max memory usage is taken from the original + exefiles header, but let's get on with the tutorial. + + There are serval ways to enter the values of SP, DS, ES, SS, CS and IP into + DUMPEXE. Since we are using one of the supported debuggers, we can use + the "Fill from debugger" function. This function takes register values, shown + by the debugger, and automatically puts them into DUMPEXE. Start DUMPEXE + by pressing the hotkey, and then at the "Fill from debugger" + function. 
Answer <1> to whatever the values should be places in first or + second dump file. Another way is to remember the values of SP, DS, ES, SS, + CS and IP before pressing the hotkey, and enter the values at their + corresponding locations in [2]. If you decide to do so, you will probably + notice that there is no field for ES. This is because the initial value of + ES, points to the PSP, so write the value of ES in the PSP field instead. + + It's now time to tell DUMPEXE the size of the memory block we want to dump. + Use TAB until you get to [4]. Press at "Autodetect size". There are + two ways of getting the size of the program. One is by using the stack, the + other is by using PSP. 99 % of all cases, you should use "by stack". Press + , and the size will be put into size field. If DUMPEXE somehow fails to + calculate the right value, you have the option of entering a size that you + decide. Press at "Autodetect name", and the name of the executeable + file will be put into the name field. The last thing we have to do is to + dump the program to a file. This is done by pressing at + "Dump exe-code". DUMPEXE will probably do it so fast that you won't notice + the "process message" that appears. + + Below is a picture of DUMPEXE after the first dump. Again, remember that + values varie from dump to dump. + + DumpExe v2.2 CARDWARE 1997 by BUGSY/OBSESSiON Ŀ + Dos, 80386, V86 mode, Turbo Debugger + First file Second file ij + CS : 630B CS : 0000 + IP : 010F IP : 0000 + SS : 6548 SS : 0000 + SP : 4000 SP : 0000 + PSP : 62FB PSP : 0000 + Size : 023D0 (9168) Size : 00000 (0) + Name : TESTEXE.1 Name : #NoName#.2 + ij + Dump exe-code Dump exe-code + Autodetect name Autodetect name + Autodetect size Autodetect size + ij + Raster Bar User screen + Memory snapshot Allocate 4Kb + Reset menu Auto config file 2 + Uninstall Fill from debugger + Free 218 kb, Slack 0 kb ij + + Hotkey : (U)ser screen + + Press (in DUMPEXE) and then in TD. 
The program has now terminated, + and it's time to allocate a 4KB memory block. + + Start DUMPEXE again, and press enter at "Allocate 4Kb". The menu item will + change to "Deallocate 4Kb". Press , and reload the program by pressing + . Start debugging like you did the first time. When you have reached + the first instruction of the original code, enter all the information, like CS, + SS.... in [3]. Autodetect size and name. Dump the code, and we are almost + done. Again terminate your program, by pressing in TD. Start DUMPEXE + again, and press at 'Deallocate 4Kb'. Exit your debugger. + + Run the MAKEEXE program with parameters : TESTEXE.EXE UNPACKED.EXE + + or like this : MAKEEXE.EXE TEXTEXE.EXE UNPACKED.EXE + + The MAKEEXE program compares the two memory dump and builds a new exefile + out of the information found there and in the original exefiles header. + + After MAKEEXE has built the new exefile, the screen should look like this : + + Ŀ + MakeExe v2.2 CARDWARE 1997 by BUGSY/OBSESSiON + + + Unpacking TESTEXE.EXE into UNPACKED.EXE + + Read dump info + Read exe info + Create new file + Create tempfile + Write relocations + Write zero data + Write code + Write new header + Number of relocations 00BEh + + All done! + + + + Try to execute UNPACKED.EXE (it is now unpacked) and see how it reacts. + + I think this would be enough for you to continue on your own. + + How to get in touch with us + + If you have any questions about the use of these programs, feel free to + contact us. 
+ + You can get in touch with us by : + + Writing a letter to : Benjamin Petersen + Joergen Jensensvej 16B + DK-4700 Naestved + Denmark + + After 1997-04-15 (Y-M-D) : + + Benjamin Petersen + Skovburren 271 + 4700 Naestved + Denmark + + E-Mail us at : bugsy@cybernet.dk + + World Wide Web (WWW) : http://www.cybernet.dk/users/bugsy/default.htm + + Call us at : +45 53 725-610 or +45 40 204-347 + + Greetings + + Our greetings goes to (no order) : + + Darkman/VLAD, Ping (pingelingelater), HiTech, Bionic, Jazz/PM, + --=DaRk sTAlKeR 97=--, JauMing Tseng, Kevin Tseng, Philippe Ahles, + Hades Wu, Jean-Stephane PERRI, Michael Pedersen, tHEpHARAo^mSH + Daniel Fazekas, Jung-ho Ryu, Mariusz Kowalczyk aka -KoVi-, + Jos Navarro Martnez, TBD/FeR, LiBaTiOn, MaNaGeR + +Have fun, and remember there are still some people who DON'T take money +for making ?good? programs. + +[BUGSY/OBSESSiON] \ No newline at end of file diff --git a/textfiles.com/piracy/CRACKING/exact-in.txt b/textfiles.com/piracy/CRACKING/exact-in.txt new file mode 100644 index 00000000..7016bbaa --- /dev/null +++ b/textfiles.com/piracy/CRACKING/exact-in.txt 
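Review bot: The screen captures in this file (the TD register/code window and the DumpExe v2.2 and MakeExe v2.2 panels) have lost their CP437 frame glyphs, which come through as stray characters such as "ͻ", "Ŀ" and "ij", so the file has been decoded with the wrong code page; store the original bytes and declare the encoding (or convert the box-drawing characters consistently) so the layouts survive in the archive. Two smaller points in the same hunk: the second MAKEEXE command line reads "MAKEEXE.EXE TEXTEXE.EXE UNPACKED.EXE" while every other reference (the "Name : TESTEXE.1" field, the "Unpacking TESTEXE.EXE into UNPACKED.EXE" output) uses TESTEXE.EXE, which is worth an errata line next to the archive copy rather than an edit to it; and the file is committed without a trailing newline ("\ No newline at end of file"). The "How to get in touch with us" block also carries the author's full name, two postal addresses and two phone numbers; confirm that republishing that personal data is within the archive's policy before merging.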
@@ -0,0 +1,672 @@ + + Introduction To Win95 Cracking + +Introduction to Win95 Cracking + + A few words before beginning + + Giving credits, where credit is due ! So, i'd like to give a really BIG + thanks to ED!SON of United Cracking Force for his tutorial about + Windows 95 cracking, without it i won't be here telling you how to + crack a program under win 95. + Giving ALL the credits... all i learned about cracking is with the help + of great tutorials : 5 Minutes 4 a Crack /NeverOne, Amateur Crackist + Tutorial /Specular Vision, Cracking for Masses /FraVia, Old Red Cracker + Tutorials /+ORC (A Must), The Ancient Art Of Cracking & Cracking 101 + /Buckaroo Banzai, The Cracking Manual /Cyborg, The Uncle Joe CrackBook + /Uncle Joe (heh, what did you expect ?). But also with 40 Hex + Magazines, The Crypt Newsletters, Virus Laboratories And Distribution. + Note : a lot of the explaination i'll give you in Introduction parts + are ripped from some tutorials upper, it's because i wanted to have + something complete you can start with. Tnx again to those who wrot'em. + + For this tutorial you'll need : + ACDSee32 V2.0 Beta + Soft-Ice 3.00 + HexWorkShop + + Introduction to Cracking + + You might be wondering what type of programming skills you need to + become a cracker. Knowing a higher level language such as Basic, + Pascal, or C++ will help you somewhat in that you will have an + understanding of what's involved in the process of writing a program + and how certain aspects of a program function. If you don't have any + programming skills, you have a long road ahead of you. But even if you + can program in a high level language, in order to crack you have to + know assembly... It really doesn't matter what language a program was + written in in order to crack it, because all programs do the same + thing. And that is issue commands to the microprocessor. 
And all + programs when broken down to their simplest form are nothing more than + a collection of 80XXX instructions and program specific data. This is + the level of assembly language. In assembly you have total control of + the system. This is also the level that the debugger operates at. + + You don't have to become a master at assembly to crack a program, but + it helps. You do need to learn some rudimentary principles, and you + absolutely have to become familiar with the registers of the cpu and + how the 8088 instruction set uses them. There is no way around this. + How proficient you are at assembly will determine how good of a cracker + you become. You can get by on learning a few basic instructions, how to + use a debugger, and one or two simple techniques. This will allow you + to remove a few shareware nag screens, and maybe you'll luck out and + remove the copy protection from a game or two, but that's it. + + You can then dynamically interact with the program and run it one line + of code at a time, and see exactly what the program is doing in real + time as each line of code is executed. You will also be able to + re-assemble instructions (in memory only), edit the contents of memory + locations, manipulate the cpu's registers, and see the effects your + modifications have on the program as it's running. This is also where + all your system crashes will occur... There is a lot of trial and error + involved in cracking. + + As you get better, you'll have to write programs that will implement + your patches if you decide to distribute them. The patches themselves + don't have to be written in assembly. + + The sources code I included in this manual are extremely simple. + They're written in assembly because that's the only language I know how + to program in, but if you are already proficient in a higher level + language, it should be trivial for you to duplicate it's methods in + your preferred language. 
+ + Quick Introduction To Soft-Ice 3.0 + + Okay, okay, i already heard you : Hey exact, you've ripped the ED!SON + introduction. Yes, i've taken it ;) Why should i do something if + someone already did ? So for all of you that didn't have the chance to + have that intro, i've a little remixed it, and here it is... + + Cracking a Windows program is most often more simple than a program + running in Dos. In Windows, it's hard to hide anything from anyone who + really looks for information, as long as Windows own functions are + used. The first (and often only) tool you need is Soft-Ice, a powerfull + debugger from NuMega (http://www.numega.com). Some people find it hard + to use, but i will tell you how to do efficient debugging with it. + + To use Sice, you must load it before windows, to do that, just add the + "Drive:\Path\WINICE.EXE" at the end of your "AUTOEXEC.BAT". Normally, + the Sice Setup should have already done it. I advise you to make a + multi-config in that way, you can load Sice only when you need it. + + Example of multi-config : + ;--- Config.sys + [menu] + menuitem SICE,Load Soft-Ice Debugger Behind Windows + menuitem NORM,Normal Mode + menudefault NORM,5 + [SICE] + [NORM] + [common] + DEVICE=C:\WIN96\HIMEM.SYS + DOS=HIGH + DEVICE=C:\cd\drivers\MTMCDAI.SYS /D:MTMIDE01 + FILES=40 + ;--- EOF Config.sys + + ;--- Autoexec.bat + @ECHO OFF + SET BLASTER=A220 I5 D1 H5 P330 T6 + SET MIDI=SYNTH:1 MAP:E + SET PATH=C:\WIN96;C:\WIN96\COMMAND;C:\DOS;D:\NC + SET TEMP=C:\TEMP + SET SOUND=C:\VIBRA16 + C:\VIBRA16\DIAGNOSE /S + C:\VIBRA16\MIXERSET /P /Q + PROMPT $p$g + goto %config% + :SICE + C:\Progra~1\SoftIc~1\WINICE.EXE + goto common + :NORM + goto common + :common + ;--- EOF Autoexec.bat + + In the config.sys the [menu] indicates that's a multiconfig, it will + display the two menuitem and wait for the user to select. When + selected, the part of the config file refering to it is runned and + followed by the [common] one. 
In the autoexec.bat there's a %config% + variable set to the user'selection and is used to select witch part of + your bat you will execute. + + So, udpate your system files if they need so, and reboot your machine. + If you don't understand why these config files look like this, refer to + the MS-DOS Help (Type HELP at the dos prompt). + + Now that Sice is loaded into memory, press "CTRL-D" to to pop it up. + Here is a little description of the windows you can see on Sice screen + : + + +----------------------+-------------------------------------------+ + | CPU Registers Window | "WR" En/Disable, "R", "Alt-R" Edit. | + +----------------------+-------------------------------------------+ + | FPU Registers Window | "WF" En/Disable. | + +----------------------+-------------------------------------------+ + | Locals Windows | "WL" En/Disable, "Alt-L" Focus. | + +----------------------+-------------------------------------------+ + | Watch Window | "WW" En/Disable, "Alt-W" Focus. | + +----------------------+-------------------------------------------+ + | Data Window | "WD" En/Disable, "E", "Alt-D" to Edit. | + +----------------------+-------------------------------------------+ + | Code Window | "WC" En/Disable, "A" Edit, "Alt-C" Focus. | + +----------------------+-------------------------------------------+ + | Command Window | Type Commands and read output here. | + +----------------------+-------------------------------------------+ + | Help Line | Get summary help on what you are typing. | + +----------------------+-------------------------------------------+ + + The register window contains the general purpose and flags registers of + the cpu. You will notice that the general purpose registers contain + hexadecimal values. These values are just what happened to be in there + when you brought up the debugger. You will also notice that some of the + flags are highlighted while some are not. The highlighted flags are the + ones that are SET. 
While the ones that are not highlighted are CLEARED. + Generally, the register are also highlighted when they change value. + From this window you will be able to manipulate the contents of the + cpu's registers. You will change the values of the registers while + debugging a program in order to change the behavior of the running + program. Say you come across a JNZ instruction (jump if not zero), that + instruction makes the decision on whether or not to make the jump based + on the state of the (Z)ero flag. You can modify the condition of the + (Z)ero flag in order to alter the flow of the programs code. By the + same token, you can modify the general purpose registers in the same + manner. Say the AX register contains 0000, and the program bases it's + actions on that value, modifying the AX register to contain a new value + will also have the effect of modifing the flow of the code. After you + become comfortable with using Sice you'll begin to appreciate just how + powerful this window is, and you'll aslo discover soon enough just how + totally it can screw your system if you fuck up. + + The data window will display data as it exists in memory. From this + window you can usually display, search, edit, fill, and clear entire + ranges of memory. The two most common commands for this window are + display and edit. The search command is also useful in cracking. Sice + offers you 4 data windows, you can toggle from one to another using the + "data" command. You can also change the type of data this window is + displaying using the "format" command. You can scroll into the data + window using ALT and arrows or PgUp/PgDn keys. + + The code window is the window in which you will interact with the + running program. This is the most complex window, and it is where the + bulk of debugging occurs. 
The layout of the window is pretty simple, + the group of 12 numbers with the colon in the middle of them to the far + left of the window is the address:offset of that line of code. Each + line of code in this window is an instruction that the program will + issue to the microprocessor, and the parameters for that instruction. + The registers that contain the address for the current instruction + waiting to be executed are the CS:EIP registers (code segment and + instruction pointer). This line is highlighted, if you havent it in the + code window use the "." command to retrieve it. You will also notice a + group of hex numbers to the right of the addresses, this group of + numbers is the hexadecimal equivalent of the mnemonic instructions. The + next group of words and numbers to the right of the hex numbers are the + mnemonic instructions themselves. You can scroll into the code window + using ALT and arrows or PgUp/PgDn keys. + + For most examples, we'll only need to have the CPU Registers Window, + the Data and the code one. Disable others. I'm in 60 lines mode. 
So if + all windows are disabled to have the same screen as me do (comment are + preceded by a semi-colon) : + + +--------------------+-------------------------------------+ + | :lines 60 | ; Set 60 lines mode | + +--------------------+-------------------------------------+ + | :color f a 4f 1f e | ; Set psychedelic colors (Optional) | + +--------------------+-------------------------------------+ + | :wd 22 | ; Enable Data Window 22 lines long | + +--------------------+-------------------------------------+ + | :wc 25 | ; Enable Code Window 25 lines long | + +--------------------+-------------------------------------+ + | :wr | ; Enable Register Window | + +--------------------+-------------------------------------+ + | :code on | ; Display instruction bytes | + +--------------------+-------------------------------------+ + + This can seems you strange to have to type all these commands each time + you'll start Sice. In fact, all these command can be done in the + winice.dat file (in your sice directory). 
Let'see what is in mine : + + +-----------------------------------------------+--------------------------+ + | ;--- Example of Winice.dat | | + +-----------------------------------------------+--------------------------+ + | ; General Variables | | + +-----------------------------------------------+--------------------------+ + | NMI=ON | | + +-----------------------------------------------+--------------------------+ + | SIWVIDRANGE=ON | | + +-----------------------------------------------+--------------------------+ + | LOWERCASE=OFF | ; Disable lowercase | + | | assembly | + +-----------------------------------------------+--------------------------+ + | MOUSE=ON | ; Enable mouse | + +-----------------------------------------------+--------------------------+ + | NOLEDS=OFF | ; Disable led switching | + +-----------------------------------------------+--------------------------+ + | NOPAGE=OFF | | + +-----------------------------------------------+--------------------------+ + | PENTIUM=ON | ; Pentium Op-Codes | + +-----------------------------------------------+--------------------------+ + | THREADP=ON | ; Following Thread | + | | Process | + +-----------------------------------------------+--------------------------+ + | VERBOSE=ON | | + +-----------------------------------------------+--------------------------+ + | PHYSMB=16 | ; Exact Memory Size | + +-----------------------------------------------+--------------------------+ + | SYM=256 | ; Memoy allocated to | + | | symbols | + +-----------------------------------------------+--------------------------+ + | HST=16 | ; Memory allocated to | + | | history | + +-----------------------------------------------+--------------------------+ + | TRA=92 | ; Memory allocated to | + | | back trace buffer | + +-----------------------------------------------+--------------------------+ + | ; Startup sequence | | + +-----------------------------------------------+--------------------------+ + | INIT="lines 60;color f a 
4f 1f e;wd 22;wc | | + | 22;wr;code on;x;" | | + +-----------------------------------------------+--------------------------+ + | ; Function Keys | | + +-----------------------------------------------+--------------------------+ + | F5="^G;" | ; Run (CTRL-D) | + +-----------------------------------------------+--------------------------+ + | F8="^T;" | ; Step into functions | + | | (Trace) | + +-----------------------------------------------+--------------------------+ + | F10="^P;" | ; Step Over functions | + | | (Procedure) | + +-----------------------------------------------+--------------------------+ + | F11="^G @SS:ESP;" | ; Step out of function | + +-----------------------------------------------+--------------------------+ + | ; Export Symbols | | + +-----------------------------------------------+--------------------------+ + | EXP=c:\win96\system\kernel32.dll | | + +-----------------------------------------------+--------------------------+ + | EXP=c:\win96\system\user32.dll | | + +-----------------------------------------------+--------------------------+ + | EXP=c:\win96\system\gdi32.dll | | + +-----------------------------------------------+--------------------------+ + | ;--- EOF Winice.dat | | + +-----------------------------------------------+--------------------------+ + + Okay, i think, it speaks by itself. Just a little note for defining + function keys, all commands preceded by ^ are invisible, and all those + followed by a ; are executed (the ; indicates an ENTER). Dont forget to + load the Export Symbols ! + + Cracking ACDSee 32 V2.0 Beta + + Loading ACDSee32.exe into Soft-Ice And Breaking At The Right Point. + Run the Symbol Loader, do "File/Open Module" or you can also click on + the first button on the left of the tool bar and browse until you can + select the file ACDSee32.exe. Now, to start debugging you must to do + "Module/Loads..." or click the "Load button" (next to the "Open" one). 
+ Perhaps Sice poped-up, saying Break Due To Load Module, or something + like that, leave it by pressing "CTRL-D" or typing "X" followed by + "ENTER". You should disable the "Break At WinMain Option" to dont + pop-up Sice each time you load a module (the little lamp button). + + OK, let's go. In ACDSee, click on "Tools/Register..." Fill up the boxes + with what you want. (I've filled them with Name:"Out Rage Pirates" and + Registration:"112233445566"). Generally programs must read the content + of the boxes with one of these functions : + + +----------------+----------------------------------+ + | 16-bit | 32-bit | + +----------------+----------------------------------+ + | GetWindowText | GetWindowTextA, GetWindowTextW | + +----------------+----------------------------------+ + | GetDlgItemText | GetDlgItemTextA, GetDlgItemTextW | + +----------------+----------------------------------+ + + The last letter of the 32 functions tells if the function uses one-byte + or double-byte strings. Double-byte code is RARE. So, now we gonna + enter Sice pressing CTRL-D and set breakpoints on the getting content + of edit boxes : + +:bpx GetWindowText +:bpx GetWindowTexta +:bpx GetWindowTextw +:bpx GetDlgItemText +:bpx GetDlgItemTexta +:bpx GetDlgItemTextw + + Oki, there's no need to set BPs (BreakPointS) 0 and 3 since we know it + is a 32-bit application, but i've put them here to be exhaustive. If + you encounter problems settings these breakpoints, make sure that the + export symbols are loaded in Soft-Ice : edit the file winice.dat and + check if the semi-colons are removed from the exp= that follows the + "Example of export symbols that can be included for chicago" near the + end of file. Generally, you only need to keep kernel32.dll, user32.dll, + gdi32.dll. If you get an error message "No LDT", make sure you dont run + any other DOS application in the background, + + It's not sure that Sice will pop-up, and not all program are calling + these Windows functions. 
+ Continue the program ("CTRL-D"), and click the OK button. It worked, + we're back to Sice ! press "CTRL-D" to continue the process, back to + Sice again ! re-re-press "CTRL-D", no more Sice pop-up. Normal, there's + only two textboxes... Click OK to get back to the registration window. + And now, let's throw an eye into Sice, CTRL-D. There's comments for the + two break points : + +Break due to BPX USER32!GetDlgItemTextA (ET=4.70 seconds) +Break due to BPX USER32!GetDlgItemTextA (ET=269.77 microseconds) + + It's BP 04 let's delete other BPs : + +:bl ; BPs list +00) BPX USER!GetWindowText +01) BPX USER32!GetWindowTexta +02) BPX USER32!CharNextExW +03) BPX USER!GetDlgItemText +04) BPX USER32!GetDlgItemTextA +05) BPX USER32!AppendMenuW +:bc 0 1 2 3 5 ; Clear BPs #0, 1, 2, 3 and 5. + + We'll do it again. Press "CTRL-D" to leave Soft-Ice, and click the OK + button. Magic, we're back in it... Let's do a little focus : where are + we, and what's the hell now ? We are at the start of the "Get Dialog + Item Text A" function, and we are going to find where it is called. + Since we know that when we do a far call to something the next logical + instruction address is stored on the stack, we gonna set a BP on that + address and execute the program until we reach it. G command will + continue the program at the current CS:EIP, and set a temporary BP to + the address indexed (@) in SS:ESP. There's a function key that + automatically do it, normally, it's F11. + +:G @SS:ESP + + Finding Where The Registation Code Is Checked + + Ok, we are back into Sice at the instruction following the call to + DlgItemTextA. We gonna take a look on what's happenning before and + after. Use CTRL-UP and CTRL-DOWN to move into the code window. If you + dont have the code window on your screen you can make it appears by + typing WC (WC 20 will set the code windows to be 20 lines long). 
You + should see something like following (i've added blank lines and + comments for clarity and future explainations) : + +; Get The Name Into Buffer (ESP+8) + 0040367B 8D442418 LEA EAX, [ESP + 18] ; Buffer(For Name) Address + 0040367F 6A1E PUSH 0000001E ; Max String Size + 00403681 8BB42408010000 MOV ESI, [ESP + 00000108] + 00403688 50 PUSH EAX ; Buffer Address + 00403689 6A6B PUSH 0000006B ; Control ID + 0040368B 8B3D94DA4900 MOV EDI,[USER32!GetDlgItemTextA] + 00403691 56 PUSH ESI ; Dialog Handle + 00403692 FFD7 CALL EDI ; Call GetDlgItemTextA + +; Get The Registration Code Into Buffer (ESP+38) +>00403694 8D442438 LEA EAX, [ESP + 38] ; Buffer(Registration) Addy + 00403698 68C8000000 PUSH 000000C8 ; Max String Size + 0040369D 50 PUSH EAX ; Buffer Address + 0040369E 6882000000 PUSH 00000082 ; Control ID + 004036A3 56 PUSH ESI ; Dialog Handle + 004036A4 FFD7 CALL EDI ; Call GetDlgItemTextA + +; Registration Checking +>004036A6 8D442438 LEA EAX, [ESP + 38] ; Registration Buffer + 004036AA 8D4C2418 LEA ECX, [ESP + 18] ; Name Buffer + 004036AE 50 PUSH EAX ; Save Datas + 004036AF 51 PUSH ECX +!004036B0 E80BF9FFFF CALL 00402FC0 ; Registration Check + 004036B5 83C408 ADD ESP, 00000008 ; Free Stack + 004036B8 85C0 TEST EAX, EAX + 004036BA 7E6E JLE 0040372A ; EAX=0 Means Bad Reg... + +; Do Something, sure... 
;) + 004036BC 8D442438 LEA EAX, [ESP + 38] + 004036C0 8D4C2418 LEA ECX, [ESP + 18] + 004036C4 50 PUSH EAX + 004036C5 51 PUSH ECX + 004036C6 E895FAFFFF CALL 00403160 + 004036CB 83C408 ADD ESP, 00000008 + 004036CE 833D44F0480000 CMP DWORD PTR [0048F044], 00000000 + 004036D5 740B JE 004036E2 + 004036D7 A144F04800 MOV EAX, [0048F044] + 004036DC 8BC8 MOV ECX, EAX + 004036DE 8B18 MOV EBX, [EAX] + 004036E0 FF13 CALL DWORD PTR [EBX] + 004036E2 833D40F0480000 CMP DWORD PTR [0048F040], 00000000 + 004036E9 740C JE 004036F7 + 004036EB A140F04800 MOV EAX, [0048F040] + 004036F0 8BC8 MOV ECX, EAX + 004036F2 8B18 MOV EBX, [EAX] + 004036F4 FF5314 CALL [EBX+14] + +; Close Registration Windows, And pops : "Thanks Registering" + 004036F7 6A01 PUSH 00000001 + 004036F9 56 PUSH ESI + 004036FA FF15F4DA4900 CALL [USER32!EndDialog] + 00403700 6A00 PUSH 00000000 + 00403702 6820324000 PUSH 00403220 + 00403707 56 PUSH ESI + 00403708 FF15F8DA4900 CALL [USER32!GetParent] + 0040370E 50 PUSH EAX + 0040370F 68E4000000 PUSH 000000E4 + 00403714 A148F04800 MOV EAX, [0048F048] + 00403719 50 PUSH EAX + 0040371A FF1544DB4900 CALL [USER32!DialogBoxParamA] + 00403720 B801000000 MOV EAX, 00000001 + 00403725 E92EFFFFFF JMP 00403658 + +; Pops up a window saying : "Your name and registration code do not match." + 0040372A 6A00 PUSH 00000000 + 0040372C A104F34800 MOV EAX, [0048F304] + 00403731 50 PUSH EAX + 00403732 68ACF34800 PUSH 0048F3AC + 00403737 56 PUSH ESI + 00403738 FF15E4DA4900 CALL [USER32!MessageBoxA] + 0040373E 6882000000 PUSH 00000082 + 00403743 56 PUSH ESI + 00403744 FF15F0DA4900 CALL [USER32!GetDlgItem] + 0040374A 50 PUSH EAX + 0040374B FF1548DB4900 CALL [USER32!SetFocus] + 00403751 B801000000 MOV EAX, 00000001 + 00403756 E9FDFEFFFF JMP 00403658 + + Let's do a some analysis on what we are seeing. We are at 0157:00403694 + (Your segment address may be different, it depends on what you load, + update my values with yours). The previous instruction is the call to + the GetDlgItmeTextA. 
Again, you can scroll in the code windows with + "CTRL-UP", "CTRL-PGUP", "CTRL-DOWN" and "CTRL-PGDOWN". You can also + make the Focus to the code window by pressing "Alt-C" and use the UP, + DOWN, PGUP, PGDOWN to scroll it. + + In C, the call to the GetDlgItemTextA should look like this : + +int GetWindowText (int windowhandle, char *buffer, int maxlen); + So the push eax is the buffer address, let's have a look : + +:d esp+18 ; You can also use "db esp+18" for byte display + We've got it, it's our name ! We saw that in few intructions, there + will be second call to the GetDlgItemTextA, the CALL EDI at + 0157:004036A4. We dont want Sice to break, so we will disable it : + +:bd 4 ; Disable BP 4 + After that second call, there's another one followed by a test on the + eax value... humm suspicious, is there any check inside that routine ? + That's what we gonna determine fastly. We gonna trace the code stepping + over function calls. Press P (Procedure trace) then ENTER (normally + it's F10 key). Press it several times. + + After you've reached 0157:004036A6 (the second call) our registration + code appears in the data window (if it is big enought, else you can + scroll it down using Alt-DOWN) our predictions were right ;). You are + now reaching the TEST AX,AX intruction (0157:004036BA), then there's a + branch to another routine (0157:0040372A), the program will follow it + and soon you will get a message saying that your registration code is + wrong... (0157:00403738). + + So now we are sure that the call before the test was done to check the + data we've enterred, and that the branch choose the direction to the + Registration Not Match message. What if we change the direction the + program took? + + Let's go, enable BP 4. + +:be 4 ; Enable BP 4 + + Leave Sice (CTRL-D), click on OK to get back to the registration + window, and click on OK again to pop-up into Sice. 
Press CTRL-D another + time to go to the second GetDlgItemTextA call and press F11 to go out + of that function call. Now step to the branch (F10 until you reach + 0157:004036BA). And change the zero flag value to disable it: + +:r fl z ; Toggle Zero Register FLag + Then leave the proggy to himself (CTRL-D). We've done it ! The + beautifull message appears : thanks for supporting our products, etc, + etc... + + Hu Oh, Hey, what's that stupid program ? If i click on the little eye + (the about button in the toolbar), it's telling me it is not registered + !!!? Fucking damn thing, we gonna gotcha ! + + Oki, let's think two seconds... what's the matter ? Well everything + seems like if ACDSee checks the name and the registration at every + times it shows them. So, to avoid this problem, we've got to give him + the answer he wait each times he call the registration checker. + First of all, we must verify our affirmations, we must know if the + routine wich is called by the about button is effectively the piece of + code into this call. Go into Soft-Ice using the BP we've set on the + GetDlgItemTexta (go to the registration window and press enter), and + press F11. Now, we're going to put another BP into the call. + +:bpx 0157:00402FC0 ; Change the address in regard to yours + Now we gonna try, leave Soft-Ice (it will pop-up two times because BP 4 + is still enabled, we're not interrested into these breaks), close the + registration window by clicking cancel and finally click on the about + button... Yep! back in Sice, we were right !!! So everything we've got + to do now is to send back a satisfying answer to the calling code... + + Patching ACDSee + + Actually in your code window, you should have something like the + following piece of code. All we've got to do is to leave this routine + with EAX different from 0... 
+ +; Check Name Lenght +>00402FC0 56 PUSH ESI + 00402FC1 8B742408 MOV ESI, [ESP + 08] + 00402FC5 56 PUSH ESI + 00402FC6 E835000000 CALL 00403000 ; check name length (1st) + 00402FCB 83C404 ADD ESP, 00000004 +!00402FCE 85C0 TEST EAX, EAX +!00402FD0 7504 JNE 00402FD6 ; branch is followed +!00402FD2 33C0 XOR EAX, EAX ; Set EAX to 0 (BAD!) + 00402FD4 5E POP ESI + 00402FD5 C3 RET ; Exit 1 + +; Check Registration Code +:00402FD6 8B44240C MOV EAX, [ESP + 0C] +:00402FDA 50 PUSH EAX +:00402FDB 56 PUSH ESI +:00402FDC 6848F34800 PUSH 0048F348 ; "-294378973" +:00402FE1 E86AE70100 CALL 00421750 ; The key is herein (2nd) +:00402FE6 83C40C ADD ESP, 0000000C +:00402FE9 83F801 CMP EAX, 00000001 +:00402FEC 1BC0 SBB EAX, EAX +:00402FEE 5E POP ESI +:00402FEF 40 INC EAX +:00402FF0 C3 RET ; Exit 2 + + So what we gonna do is erase the three instructions that works on EAX + with our own code. Dont forget to change the address in regard to your. + Erasing the branch will assure us that only our code will be followed. + There's thousand of way to modify this code, i choosed the following : + +:a 0157:00402FCE ; Assemble +0157:00402FCE mov eax,1 +0157:00402FD3 nop +0157:00402FD3 ; Press escape to stop assembling +:bc 0 ; Clear BP on 0157:00402FC0 + + And now let's check our work ! Press CTRL-D, welldone, the thanks for + registering message appears... Okay, now click on the about button... + (suspens) !!!YES!!! we've registered it. + + Oki let's do our work, now we've only got to make the patch... + What we need to know is where are these instructions in the + ACDSee32.exe file. I've use HexWorkShop for win95 and found them making + a search for 85C0750433C0 (the instructions Opcodes, if Sice doesnt + show the type "CODE ON") the one interesting us are at offset 23CE. Now + we must make a little proggy to replace these bytes with our code. 
Here + it is : + +;--- ORP-A32B.ASM + Title Patch For ACDSee 32 2.0 Beta + .Model Huge + .386 + .Stack 100h + + .Code + mov ax,cs + mov ds,ax + mov es,ax + + mov ax,3d02h + mov dx,offset cs:fname ; DX=*FileName + int 21h ; DOS/FileOpen + jc errorlbl ; Jump On Errors + + mov word ptr [offset cs:fname],ax ; BX=Handle + mov bx,ax + + mov ax,4200h + xor cx,cx ; Segment + mov dx,23ceh ; Offset + int 21h ; DOS/FileSeekSet + jc errorlbl ; Error ! + + mov ax,4000h + mov bx,word ptr [offset fname] ; BX=Handle + mov cx,6 ; Lenght + mov dx,offset patch ; Buffer + int 21h ; DOS/WriteFile + jc errorlbl + + mov ax,3e00h + mov bx,word ptr [offset fname] ; BX=Handle + int 21h ; DOS/CloseFile + jc errorlbl + + mov dx,offset cs:text2 + jmp getout + +errorlbl: + mov dx,offset cs:text1 ; Print +getout: mov ah,9 + int 21h + + mov ah,4ch ; Get Out Of Here ! + int 21h + +patch db 0B8H,001H,000H,000H,000H,090H ; MOV EAX,00000001 - NOP +fname db 'ACDSEE32.EXE',0 +text1 db 0ah,0dh,'Error Handling File' +text2 db 0ah,0dh,'Patch By Exact /oRP',0ah,0dh,'$' +end;--- EOF ORP-A32B.ASM + + You can compile it with tasm 3.1 and tlink 5.1 (they can be found on my + home page) in that manner : + +TASM /m9 /n /q orp-a32b +TLINK /3 /x orp-a32b + + I think there is not so much comment to add at the source, anyway if + you have any problems understanding what happening in there, you must + find a book about programming (you can also try to get Helppc). + + Final Note + + Ok, this is the End... + A really BIG thanks is going to ACP of UCF for sending me W32DASM ! + + Have Fun With This Stuff ! + eXact /oRP + aka sice_boy + diff --git a/textfiles.com/piracy/CRACKING/firstwin.txt b/textfiles.com/piracy/CRACKING/firstwin.txt new file mode 100644 index 00000000..8a389faa --- /dev/null +++ b/textfiles.com/piracy/CRACKING/firstwin.txt 
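Review bot: The ORP-A32B.ASM listing at the end of this file has a defect in its error path: text1 ("Error Handling File") has no '$' terminator, and DOS INT 21h function 09h prints until it meets one, so on any error the output runs on into text2 and prints "Patch By Exact /oRP" after the error text; text1 should end with 0ah,0dh,'$' like text2 does. In the same routine the open-file handle is stored over the first two bytes of fname ("mov word ptr [offset cs:fname],ax") and read back from there for the seek, write and close calls, which only works because fname is never used again; a dedicated handle word would be clearer, and the "; BX=Handle" comment on that line is wrong at that point since the handle is still in AX. In the prose, the C prototype offered for GetDlgItemTextA ("int GetWindowText (int windowhandle, char *buffer, int maxlen);") names the wrong function and has three parameters, while the listing above it pushes four values (max size, buffer address, control ID, dialog handle) before each CALL EDI; the text also refers to "TEST AX,AX" at 0157:004036BA where the listing shows TEST EAX,EAX at 004036B8 followed by JLE at 004036BA, and the comment "EAX=0 Means Bad Reg" on that JLE omits that a negative result is treated the same way. The "bl" output likewise shows breakpoints 02 and 05 resolved to USER32!CharNextExW and USER32!AppendMenuW rather than the GetWindowTextW and GetDlgItemTextW that were typed, and the text never explains that mismatch. As these are archive copies, an errata note alongside the file is the appropriate fix rather than edits to the hunk.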
@@ -0,0 +1,31 @@ + MEXELITE '97 PRESENTS + + "Your first Windoze crack" + by + YOSHi + +Introduction. +------------- +There is one reocurring thing I see in all cracking tutorials; they are not suitable for the absolute beginner. Either they dont explain what the debugger is doing or they go too fast and skip over sections. With this, I hope to set some people straight on the fundamental issues of cracking Windoze95 programs. By the way if you are somewhat experienced please leave now; you will not learn anything you dont already know. + +Beginning. +---------- +Ok, the first thing you need to do is download the "target", we will use a horribly limited program called "Hot Chilli 2.0". It is a decent program for creating Java applets with a major restriction: you can only use this program 4 times in 9 days and you can't use your applets unless you register the program. So download this, it is on all Tucows sites under "HTML Special Effects". The only other thing you need is Softice. Here I'm using version 3.0, but it makes no difference what version your using. Now load up Softice in your config.sys (by the way, for anyone who cares, "ice" means "in-circut emulator") and run HotChilli. Notice the nag at the beginning? Its hard to miss and very annoying. But look, there is the option to register! So click on that, and enter a name and a code. Now enter Softice (probably control-d) and type "bpx hmemcpy" (What is bpx? Bpx makes Softice break on a call to a Windoze function, such as hmemcpy, messagebox, etc. What is hmemcpy? Hmemcpy means "high memory copy"; it copies data from one place to another, like when it reads your bogus info, so the program can access it there). Now return to HotChilli and press enter, and Softice will pop up. Now type 's 0 l ffffffff "yourregcode"' (What is this "s 0 l ffffffff" garbage? This will make Softice look through the memory to find the string specified in the quotes). 
Softice will give you an address, and the offset s probably above 8000000, because thats where Windoze keeps its temporary data. So anyway, type "bpm theaddresssofticegivesyou" (What is bpm? Bpm is a breakpoint on a memory range, and Softice will break on all read or writes to or from that address). Now press control-d again to leave Softice (Why???? Because we want to see where our string checked. When we enter, be broke due to hmemcpy. Since that's not what we want, we press control-d again. Now we are in the code of hmemcpy, but we see in our code window at the top: "REP MOVSD". So its moving our string! Press F10 a few times to get past the "REP MOVSB". Now we want to look for our string again, becaude it just got moved. So instead of typing 's 0 l ffffffff "yourregcode"' we can just type "s" and it will repeat the search for you. Softice will give you a new address but this time instead of typing "bpm theaddress" we want to change the first bpm, because Windoze is bound to so something else with that space sometime or another, either during this cracking session or the next, causing unnecessary breaks. So type "bpe 01" (What is Bpe? Bpe edits a previously added breakpoint. Why 01? You could type "bl" (lists all your breakpoints) but we know we've only entered 2 breakpoints, and the first one is numbered "00". Anyway, Softice should show something like "BPMB 0030:80126431 RW". Just change the address to the new one, and press enter. Now press control-d to leave softice, and you break in at the comparison routine. You will see something that looks like this: +Mov cx, yourcode +Mov dx, goodcode +Cmp cx, dx +All you have to do now is type one of the following: +ed dx +d dx +? dx +The first will let you modify the value while showing it to you, +The second will show you the value, +And so will the third. +Now type "bd *" (What? Bd * disables all breakpoints) and go back to the program and put in the correct code. +MAKING A KEY GENERATOR. 
+----------------------- +Instead of searching for your code, look for your name (and bpm on it). Write down -Everything- that is done to the name to make the code. Now write a program in C that will get a name (name = gets();), build the code from it and then show the user the valid code. + +Contacting the Author. +---------------------- +Look for YOSHi or _YOSHi on EfNet, and while your at it stop by #cracking4newbies, we love to help people out. \ No newline at end of file diff --git a/textfiles.com/piracy/CRACKING/hotchil2.txt b/textfiles.com/piracy/CRACKING/hotchil2.txt new file mode 100644 index 00000000..edb34c73 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/hotchil2.txt 
@@ -0,0 +1,51 @@ +How to crack Hot Chilli V2.0??? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Hot Chilli V2.0 +comment - Hot Chilli is a very nice Java proggie (very user friendly) + that I cracked cuz some dude in #cracking4newbies (Efnet) + Asked acrack for it... + It's kinda old, and I`m sure some1 else cracked it already and + released it... but, no1 ever wrote a tut on it! (That's for sure) + and I decided to write tut on this VERY simple crack for all + u newbies out there............;) + +URL :Http://www.webcreations.com.au/Hotchilli/download.htm +Username:^pain^ '97 +Key :1765-7654-8765 + +After entering the key, just restart the program, and it's regged! ;) + +Now, How did I do it??? ;) (Sorry if its not clear enough...) +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +u do as following: +1.Bpx Hmemcpy (in softice ofcourse!); +2.press OK on the reg dialog box.... +3.Press F12 untill u get to the Hotchilli code (until u`re no longer in the + user32 code...) +4.when u're in the hotchilli code, press F10 until u get to this instruction: + mov (Register),(something) + mov (register),(something) + Call (some address here...) + JNZ (Some address here...) +5.Now before the call is committed, just look at the registers Values... + (with D (REGISTER)) then, u`ll see the code waiting for ya! :) + + Welpy , Have phun with this shit! ;) + +And - I'd like to hear from u guys out there! +email me commento's to: pain-less@usa.net + +Have phun...... + +Greets goes to the following: +ACP(what's bout da job man? ;}),Niabi,|Lasher| (long time no see man..), +JosephCo,Sice_Boy,Volcanic (If u`ll see this tut!),Robbin,ACiDScOrP,drlan, +razzi,Deadlist,|Caligo| +And all the rest of the dudes that I've forgotten in #cracking and #cracking4newbies... + + ^pain^ '97 /mEXELiTE! + + + diff --git a/textfiles.com/piracy/CRACKING/howto1.txt b/textfiles.com/piracy/CRACKING/howto1.txt new file mode 100644 index 00000000..46958093 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/howto1.txt 
@@ -0,0 +1,306 @@ + + HOW TO CRACK, A TUTORIAL - LESSON 1 + by +ORC (the old red cracker) + +-> How to crack, an approach LESSON 1 +How to crack, tools and tricks of the trade LESSON 2 +How to crack, hands on, paper protections LESSON 3 (1-2) +How to crack, hands on, time limits LESSON 4 +How to crack, hands on, disk-CDrom access LESSON 5 +How to crack, funny tricks LESSON 6 (1-2) +How to crack, intuition and luck LESSON 7 +How to crack windows, an approach LESSON 8 +How to crack windows, tools of the trade LESSON 9 +How to crack, advanced cracking LESSON A (1-2) +How to crack, zen-cracking LESSON B +How to crack, cracking as an art LESSON C +How to crack INDEX + +LESSON 1 - HOW TO CRACK, AN APPROACH + + The best way to learn cracking (i.e. understanding, broadly +individuating, locating exactly and eliminating or suspending or +deferring one or more protection schemes inside a software +application you do not possess the source code of) is to begin +your tampering experiments using OLDER applications which have +OLDER protection schemes. + In this way you 'll quickly grasp the base techniques of the +trade. Do not forget that the evolution of the protection schemes +has not been a one way road... strictly speaking it's not even +an evolution: you'll eventually find some very clever new tricks, +but most of the time you 'll unearth only various trite +repetitions of past (and well known) tricks. This is no wonder: +the REAL knowledge of the "commercial" programmers themselves +(the "protectionists") is often very limited indeed: they are +inclined to use the old methods (albeit somehow changed, +sometimes even improved) instead of conceiving new methods. This +typical "commercial" degeneration happens every time people act +for money instead of doing things for the sake of it or for +pleasure. This "commercial" trend is blindly encouraged by the +stupid, money-oriented society we are coerced to live in. 
+ So I'll begin the "hands on" part (-> starting from lesson +3), using as examples, some "old" applications and some "old" +tricks. We'll be able to come later over to the newest protection +schemes in order to understand them, and you 'll learn how to +defeat this kind of junk too. I'll also explain WHERE you can +find a lot of programs to crack for next to no money at all, and +HOW 'grossomodo', you should proceed in your work. + +The applications you'll use to learn with can be divided into: +1 - Password crippled applications (the easiest to crack) +2 - applications crippled on how many times, or how many + days, you use them (fairly easy to crack) +3 - applications crippled on which date you use them before + (easy to crack) +4 - applications that have some functions present but + disabled (sometimes easy, sometimes difficoult) +5 - applications crippled on Disk access (protections schemes + that are now defined as "obsolete") and apps crippled on + CD-ROM presence (more or less the same methodes, but - + somehow- not defined as "obsolete") (vey easy to crack) +6 - CRYPTOGRAFED ADDS ON (i.e. one of the previous protection + schemes, but with some scrambled or self modifying code + (XORring and SHRLing codes) (fairly easy to crack) +7 - None of the above (sometimes difficoult to crack) + +WHERE TO GET THE STUFF + The recent widespread appearance of "Demo"-CDROM on magazine +covers is a treasure for all crackers! Obviously even if they are +cheap, you should never buy such magazines immediately on their +release, coz after a short time you 'll get all the copies that +remain unsold for next to free. The demos on CD-ROMs will permit +you to gather quickly a lot of applications -old and new- that +have somehow been crippled (at times with interesting schemes). +Truly a wonderful world of cracking possibilities! Gee! 
For next +to no money you can secure on one CDROM the whole of LOTUS +applications (or Microsoft or Wordperfect, or you name them) on +"trial for 30 days" or "try it 20 times" editions. You'll really +enjoy to crack them and to use them subsequently for ever and +ever (and/or graciously donate them on the Web to the poor lamers +that have no money and no brain). + GAMES are definitely not to be frowned upon! They are +extraordinarily interesting from a cracker prospective coz they +are often "overprotected". With this I mean that they possess +protection schemes of a relatively HIGH level hidden inside files +that are not very large. Now, see, it is much more easy, and +simple to track down and eliminate protection schemes inside a +single 35.000 bytes long executable file than to locate them +inside a collection of many lengthy DLLs and overlaids that could +have swollen as long as 2.000.000 bytes each. The lazy bunch of +"modern" programmers relies systematically for protection schemes +on this "hide the sting in the wide desert" logic. As a matter +of fact they are no longer able to program in assembler: they +bank more and more on overbloated "fatty" monstrosities like +Visual Basic, Delphy or Visual C++. (But do not worry... I'll +nevertheless teach you how to crack -and quickly- those huge apps +too). + There is another reason for employing games instead of +applications as study material: often EXACTLY THE SAME protection +schemes that you find in a simple (and short) shareware game will +be used -without much improving- a little later in order to +"protect" some huge and extremely expensive graphic application. + For this reason in my tutorial we'll often crack games +protection schemes, even if we'll later apply what we learn +mainly in order to crack the protection schemes of commercial +applications, or to crack the access protection routines to +remote servers, or BBS, or even ATM (cash dispensers). 
+ Here follows an example cracking session, that will show you +-I hope- the dos and donts of our art: let's crack together as +introductory example a time crippled application. We'll learn +later (-> LESSON 4) that all applications that are crippled on +time (i.e. "how many times" you use them or "how long" you use +them) rely on analogous protection schemes (albeit with a huge +palette of small variations): +1- they may have a counter which "clicks" every so often: FIND + IT AND DISABLE IT! +2- they may fetch the time_clock interrupts in your machine: + INTERCEPT THEM YOURSELF! +3- they may compare a random_seed with a variable: NOOP IT! +4- they may check randomly the date of your other, unrelated, + files on the hard disk: find this verification routine and + INVERT the JUMPS! +I wanted to start with a modern example of this "counter clicks" +protection type, just to give you a feeling for cracking, and I +have chosen a widely published demo: you should be able to find +it pretty easily. In order to show you some of the problems you +may encounter we'll crack this example "wrongly" (you'll learn +how to crack effectively in the "HANDS ON" lessons). + EXAMPLE: ARCADE POOL, Demonstration version, PC Conversion +by East Point Software Ltd, (c) Team 17 Software Ltd 1994. This +demo has been published by many magazines on their CDRom covers +throughout 1995. + What follows will be useful even if you do not have our +example; nevertheless you should get a copy of this widespread +demo in order to better grasp some of the points that follow. + This nice demo of a billiard game is time-crippled. It is +crippled on how long you use it: i.e., you can only play 2 +minutes, afterwards a "nag" reminder of where and how you can buy +the real version snaps: protectionist squalor at its best. + So, how do you proceed? Where does the beginning begin? +Here is what you could (but not necessarily should) do: + + Get [Soft-ice] and load it in your config.sys. 
See the TOOLS +OF THE TRADE lesson (-> LESSON 2) about this debugger. Version +2.6 of [Soft-Ice] has been cracked by MARQUIS DE SOIREE and can +be found on the Web for free. +- vecs s (save all the vectors before loading the babe) +- start [pooldemo.exe] +- vecs c (vector compare, save a printing of all hooked + vectors) +- enter and leave Soft-ice a few times to understand what's + going on and where in [pooldemo.exe] are we roaming around + (you should always check MORE THAN ONCE your findings when + you snoop around: nothing moves and confuses pointers in a + more frenzied way than good old "inactive" DOS). +- have a good look at the map of memory usage ("map") +- now "snap_save" the main memory regions where + [pooldemo.exe] dwells... snapping saves "photographyes" of + memory areas. +- do not do anything, let just the seconds go by. +- "snap_compare" every two or three seconds without moving + anything at all on the game board (no mouse_clicking, + NOTHING), so that the only changes are (hopefully) the + changes caused by the time counters. +- snap_compare twice in a second. +- snap_compare at second 00:59 and at second 1:01. +- snap_compare just before and just after the time limit and + the snapping of the nag screen. +- Now collect carefully your printed "snaps" data: write + clearly on the various sheets the occurrences of the snaps. +- now comes the graceful "zen-cracking" moment: Sit down with + a dry Martini and Wodka (obviously only russian Wodka will + do) and contemplate the printing of the various mutant + locations. Feel, perceive, empathize! Look closely at the + locations that have changed in the snap compares. Analyse, + interpretate, evaluate. +- Mmm! Hey! Something fishy is changing there, and there, and + there! (you are lucky, few do actually change in this case: + only two dozen) +- breakpoint on execute at the location that you believe act + as a "continuous" counter, i.e. 
the location that triggers + the "a second went by" event when it zeroes. +- Now set the occurrence counter of BPX in order to break at + the moment where the location "refills" and restarts from + the beginning (the equivalent of "one second" went by, + let's start anew). Use the occurrence counter in order not + to single-step through the program your life long! +- IN THIS CASE you 'll quickly locate the refill at location + 3DD0. Here follows the "refill" line: + xxxx:3DCC C706F1013C00 MOV WORD PTR [01F1], 003C +The "3C" byte at xxxx:3DD0 represents a counter_byte... i.e. the +program "charges" 3C in this location and then DECs it step by +step to 3B, 3A, 39, 38 etc... till 0. When it reaches 0: bingo! +Sucker user has lost one second more of his precious two minutes. + Now, you would get a first wizard level if you searched +further on for the exact point where you get the "nag screen" in +order to eliminate the whole witless protection, but you may +think you got it already and you remember anyway that the first +principle in cracking is the following: "once you can eliminate +the effects of a protection, do not look further!" + Most of the time this is true: you do not always need to +eliminate a "whole" protection scheme (unless you are just +studying it for the joy of it). It's normally easier (and +quicker) to eliminate the "effects" of a given protection scheme. +Unfortunately this is not true in this case. + Here you believe that you have already found the way: you +got the counter that charges the reverse clock that triggers the +particular protection scheme of [pooldemo.exe]. Now you may think +that if you could modify the refill_value... say changing "3C" +to "EE" (Yeah, the maximum would be FF... but it's always good +practice to avoid such extreme values when cracking) you should +get four times more playtime for your game... more than enough +in order to make the protection scheme useless. + So you change location xxxx:3DD0 from "3C" to "EE". 
To work +on bytes you should use a good Hexeditor like PSEDIT (Parity +solutions, [Psedit.exe], brilliant shareware: see the "tool of +the trade" section) but you could also work with simpler +debuggers like [debug] or [symdeb] (-> see lesson 2). If you do, +remember to work on a "dead" copy of your crippled [*.exe] file, +i.e.: + ren POOLDEMO.EXE POOLDEMO.DED + symdeb POOLDEMO.DED + -s (cs+0000):0 Lffff C7 06 F1 01 C3 <- this string + corresponds to the + refill line). + cs:3E85 <- symdeb gives you two locations as answer + cs:3EEA + -e cs:3E85+4 EE <- refill changed from C3 to EE + -w + ren POOLDEMO.DED POOLDEMO.EXE +Now you run your tampered pooldemo. You think you cracked it, you +glee with satisfaction... but loo! Nothing at all has changed, +everything's as lame as before, you still have only 2 minutes +playtime. How disappointing: how comez it did'nt work? + Well, for a start you have not been attentive enough! The +search in debug gave you TWO locations, you moron, and not just +the one you just tampered with. Check and you 'll see that the +second location (cs:3EEA) is a MIRROR/CONTROL location (more on +this later). Some times there exist "double" locations... coz at +times it's quicker to use a double routine than to use a +branching if or switch structure... some times the second +locations do mirror the first ones and correct them on the fly +if need be. + So you need to modify this too... you act as said above but +this time you enter in debug a + -e cs:3EEA+4 EE +before writing back the dead file and then renaming it to exe and +then running it... and loo! Hoow sloow! THERE YOU ARE! Your +crippled POOLDEMO.EXE is now (sort of) unprotected: You think +that you can now play the stupid game up to 12 minutes real time, +even if the protection scheme (and the counter) "believes" that +it is playing only two minutes. + So you begin to play, and the seconds look veeery sloow, and +everything seems OK, but -alas- NO! 
At screen second 28 you get +the irritating "two minutes are over" nag screen! Obviously you +were dead wrong: the program "knows" the time directly from the +timer... you only modified the stupid counter ON THE SCREEN. + So it's back to cracking, and now you are angry, and forget +the quiet ways of the zen-analyse and begin the heavy cracking +you should reserve -if ever- for really complicated schemes. You +now start to check the hooked vectors (you did your routinely +VECS_save before loading pooldemo in [Soft-ice] and your +VECS_compare afterwards) and you see some findings that you +believe interesting: + vecs c + 08 1EFD:84C6 0CD1:17AC <- the clock + 09 1EFD:85EC 136A:069C <- the keyboard + 22 0BCE:02B1 0BCE:017E <- the terminate + That's more like it -you think. Smack at the beginning: the +first hooked vector does it! It's good old interrupt_08: the +timer_clicker! + Some basics for those of you that do not know anything: +INT_08 controls indirectly the INT_1C timer interrupt. The 8253 +clock chip generates an IRQ_0 hardware interrupt at a rate of +18.2 interrupts per second. This gives control to the ISR +(Interrupt Service Routine) that the INT_08 points to... and this +should be at 0CD1:17AC, but has been hooked here, by pooldemo, +to 1EFD:84C6. + One of the actions taken by the INT_08 ISR within the BIOS +is to issue a software interrupt call to INT_1C, just in case any +software modules within the system have established an intercept. +If no intercepts have been established, the default contents of +the INT_1C vector point to an iret instruction within the BIOS, +so that a null action results. (Iret retrieves the three words +of stack information which were automatically saved when the +interrupt call began, and uses them to restore execution control +to the appropriate point). 
+ Normally a protectionist would intercept INT_1C, coz at +every ISR from INT_08 the CPU would fetch the contents of the +corrisponding interrupt vector and make an interrupt style call +to the code at that address (which should contain the iret at +address F000:9876 but can contain any trick they could think of). + So -you think- the protectionist hooked here INT_08 directly +(a pretty infrequently used protection scheme by the way): What +now? + A rather drastic misure would be, in such circumstances, to +disable the IRQ_0 level timer interrupt, which is controlled by +bit 0 of the mask register, at address I/O 0021h. The controllers +have IMRs (Interrupt Mask Registers) which can be used to hide +or mask specific interrupts. The IMR of the first controller is +located at port address 21h, while the IMR of the second +controller is located at port 0a1h. When bit 0 within the mask +register is set to 1, no further interrupts will be recognized +for this IRQ level. This unfortunately won't work here, but it's +an interesting technique per se, so you better learn it anyway, +just in case you should need it elsewhere: + diff --git a/textfiles.com/piracy/CRACKING/howto2.txt b/textfiles.com/piracy/CRACKING/howto2.txt new file mode 100644 index 00000000..6ed92990 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/howto2.txt 
@@ -0,0 +1,466 @@ + + HOW TO CRACK, A TUTORIAL - LESSON 2 + by +ORC (the old red cracker) + +How to crack, an approach LESSON 1 +-> How to crack, tools and tricks of the trade LESSON 2 +How to crack, hands on, paper protections LESSON 3 (1-2) +How to crack, hands on, time limits LESSON 4 +How to crack, hands on, disk-CDrom access LESSON 5 +How to crack, funny tricks LESSON 6 (1-2) +How to crack, intuition and luck LESSON 7 +How to crack windows, an approach LESSON 8 +How to crack windows, tools of the trade LESSON 9 +How to crack, advanced cracking LESSON A (1-2) +How to crack, zen-cracking LESSON B +How to crack, cracking as an art LESSON C +How to crack INDEX + +LESSON 2- How to crack, tools and tricks of the trade + +LOST IN THE DARK CODEWOODS + When you break into a program you end up in portions of code +that are unfamiliar to you. It is also not uncommon for the +breakpoints to occur outside of the confines of the program you +want to crack. Getting your bearings is, in these cases, very +important. + One of the handiest utilities is the memory dump tool -it +tells you where all the device drivers and TSR are loaded, in +which memory locations the program you are cracking dwells, how +much memory is left and what the next program load point is. The +tools you use should report on the following: +- the contents of interrupt vectors +- the state of the BIOS data area, beginning at address 40:0 +- internal structures within DOS, such as the MCB chain, the + SFT (System File Table) chain, the chain of installed + device drivers, the PSPs and memory allocations associated + with installed TSRs +- memory allocation statistic from XMS and EMS drivers + + When seeking to understand a section of foreign code, you +must be especially careful to seek the real intent of the code. +Consider using a profiler prior to undertaking an analysis of an +unfamiliar program. 
This will help you by ensuring that you don't +waste time studying sections of the program that aren't even +involved in the protection scheme you are chasing down. + Using a utility that charts a program's calling hierarchy +can give you an important perspective on how your babe conducts +its internal operations. + +YOUR DEBUGGER: YOUR FAVOURITE TOOL + First and foremost, your debugger must be designed for use +with resident modules (or must be itself a resident module). +Trying to crack with simplistic [debug.com] is a sure way to get +absolutely nowhere. We recommend Softice.exe from Nu-Mega +technologies (Version 2.6 [S-Ice.exe] has been cracked by MARQUIS +DE SOIREE and its vastly available on the Web). You could also +use [Periscope] or [Codeview] or Borland's Turbodebugger... all +these programs have been boldly cracked and/or distributed and +are now on the Web for free... learn how to use YAHOO and find +them. In emergency cases you could fix some quick cracking +patches using [debug] or [symdeb], but, as said above, most of +the time these older debuggers won't do. I'll nevertheless ALWAYS +give the final crack procedure for [debug.com], in order to +permit even idiots to crack their programs (altruistic, isn't +it... besides, every wizard has started with debug.com). + When you first smell a protection, it can be tempting to +immediately begin your crack using invasive types of techniques. +While there is certainly nothing wrong with this approach, +provided that you are fairly familiar with the protection scheme +used, going in too deep too soon can be a problem when you don't +have a strong hunch. Most of the time you'll end up missing +important details. So first of all sit down and ponder... that's +the zen-way, the only one that really works. + Single-stepping is expensive, not only because of the time +it requires but also because of the amount of detail with which +you must contend. 
Your immediate goal is to home in on the +protection scheme through a series of successively refined traps, +your broader aim is to get an overview idea of the program's +action... the wise use of breakpoints will condense these +minutiae into an understandable form. + The first step is to try to identify the section of the +program where the protection scheme is snapping. + Once you are able to isolate a certain section of a program, +breakpoints can be used to gather a trace history of the +program's execution. If your debugger sports a backtrace buffer, +logging window, or similar feature, by all means learn how to use +it. The debugger it's your best weapon, you must know all the +possibilities it offers and all the capabilities it possesses. +Having a debugger's display output echoed to a printer is another +possibility. + Using breakpoints is beneficial for two basic reasons: speed +and reduction of detail. Manual single-stepping is invaluable +when you are close to the protection scheme, but too much of it +will bore you to death. + When selecting breakpoint locations and the types of +breakpoint to use, it is important to step back once more, drink +a cool Martini-Wodka (use only Moskovskaja: non-russian Wodkas +are appalling) and ask yourself: "What is this going to tell me?" +and "What else will I need to know once the break occurs?". MOST +IMPORTANT OF ALL: "Is my current cracking approach the simplest +and most direct?", coz you do not want to waste precious cracking +time. + When devising a set of breakpoints it is wise to consider +how "a trail of bread crumbs" can be left. Not allowing for an +execution chronicle from the start can mean having to restart a +cracking session. + Setting breakpoints on certain software interrupt calls is +an excellent way to get an overview of a program's operations. 
+The INT_21 DOS services interrupt is probably the most universal +useful of these, with BIOS interrupts such as the INT_13 (BIOS +Disk services) and INT_16 (BIOS keyboard services) useful for +specific cracking. + When working with a debugger, evaluative breakpoints are +usually your best shot. To avoid having to deal with a plethora +of calls, you would want to have a debugger capable of being told +to "break on any INT_21 call except where AH == 2C or AH == 0B". + A real understanding of the working of a program is surely +important, but don't overdo it! To reverse-engineer even a small +program can involve many hours of analysis and documentation +work. If you'll not be able to use the zen-cracking techniques +described in this tutorial (sadly not everybody can) pace +yourself and make sure your chair is comfortable: you'll be +sitting for quite a spell. + Much of the work involved in reverse-engineering consist of +chasing down tentacles. In order to understand the operations of +one function, you must understand what happens within each of the +functions it calls- its child functions. To understand these +child functions you must study their children; and so on down the +calling hierarchy tree. Then there is the data. Tracing tentacles +based on a program's calling hierarchy is a directed process. +Each function you encounter is basically a list of other +functions you must reckon with. When it comes to analyzing a +function's interrelationship with the program's data structure, +no such list is provided. You must have instinct, feeling and +luck. + Data analysis requires more of a broad-based inquisition. +For each memory variable you are interested in, you must survey +all functions to determine which ones read and write that +variable. The use of memory conditional breakpoints and of a +disassembler that builds a cross-reference table can make this +task a lot easier. (Use Sourcer! 
It's a fairly good tool and +version 4.08 of [sr.exe] has been long ago cracked by me, +ORC, +and distributed on the Web). + +ALL SYSTEM CALLS IN ONE LOCATION + Remember that if the program you are cracking was written +in assembler in the first place (very unlikely knowing the +laziness of to_days programmers), it is probable that system +calls are made directly from the functions which need them. But +when a program is developed in a high-level language, it is more +likely that common library functions will be used for many +operations involving system calls. When a program makes all of +its INT_21 calls from the same location, you know that this is +certainly the case. + Now, what happens sometimes is that the programmers write +the whole application in a overbloated language like C++, but are +afterwards compelled to "speed up" critical sections of the code +writing them in assembler. And loo! A section where you +repeatedly find assembler crafted patches is precisely the +section containing the protection scheme! So you could have a +program with all INT_21 calls from the same location but for one +or two calls which are coming out of the section where the morons +have "hidden" their protection strategy. By just "looking" at the +dead code of a program, you should be capable to tell wich parts +have been "added on" in a later phase. They presents themselves +as unevenness and irregularities, especially if you use an +utility that represents graphicallly the code of a program. +Protections are often added on at the end. + Should you determine that the system calls relevant to your +cracking are made from common library functions, all is not lost. +The specific function from which these library calls were made, +the function you are seeking to locate, is executing at some +point in between these calls. Break in with your debugger at the +end of the first system call, just where it is returning to the +point of call. 
From there, trace through the remainder of the +common library routine until it returns to its caller. In short +order, you should find yourself in the function you need to see. +The trick is to be able to identify it for what it is. + +ASCIIZ IN CODE + In the interest of gaining an overall familiarity with the +program you want to crack, it can be enlightening to use a hex +dump utility to examine the message strings contained within the +program's binary modules. If the program happens to load its +message strings from separate files, your search has just been +simplified. + Your debugger's memory-dumping feature is one tool that can +be useful for this type of exploration. You could also construct +a filtering program, which would read a binary file and output +all sequences of bytes that are comprised of displayable +characters and are over a certain minimum length (the best +cracker tools are often the ones you write yourself). + When a protection scheme is marked by the issuance of a +specific message on the screen, you could go into the program and +locate the code that emits this message, and then determine what +triggers it. A good way to start the location process is to see +if a system call is used to display the string. Interrupt INT_21, +INT_10 or INT_29 are usually used to display text messages to the +console. + When the message's display is not a result of one of these +system calls, direct video writing is probably being used. If you +know the screen location used, and if that part of video memory +is not used for anything else at the time (a big if), a memory +write breakpoint could be set on the video buffer address +corresponding to the first character's position. If this won't +work, use the step-over/step-around tracing technique while +watching for the message to appear. 
+ Now you found it: from a disassembled listing, you could +locate the address of the message string and then survey the +reminder of the file for any instructions that reference this +address. [Sourcer.exe] can generate labels for specific memory +locations and then generate a cross-reference table showing where +these labelled locations are referenced. Otherwise, load the +disassembled listing file into your editor and use its search +capabilities. Manually searching for such things in a listing +will make you old before your time. + +CODE AND DATA + When stepping through code at the assembler level, watch out +for interrupt calls that are followed by data. Sometimes you will +find an interrupt call, typically within the range INT_34 to +INT_3F, where several bytes immediately following the interrupt +instruction will be data rather than code. + Be especially suspicious of this type of code-and-data +mixture when your debugger's disassembly output of the +instructions immediately following an interrupt call doesn't make +sense. Sometimes you can determine the offset of the next true +instruction by inspecting the following code and data. In other +cases, you will have to trace through the interrupt call to see +how it accesses the data following the interrupt call instruction +and how it manipulates the return address on the stack. + +HOOKED VECTORS + Seeing what interrupt intercepts already exist within a +system before running the program you want to crack, as well as +what interrupt handlers are established by the target program, +can provide useful clues. For example, if a protection +establishes an INT_09 intercept just before the snapping of a +keyboard verification routine, your range of suspects has just +been narrowed significantly. + To study the interrupt vector activities of an application, +a vector dump map utility is useless. It can't be run while the +application you want to crack is running. 
One solution is to run +the program under a debugger and watch for system calls to INT_21 +functions 25h (set interrupt vector) and 35h (get interrupt +vector), but in the event that the program reads and writes +interrupt vectors directly, this method will not give you a +complete picture. Normally you'll use a spy (trace) utility. + APPLYING A MEMORY WRITE BREAKPOINT TO A SPECIFIC VECTOR OR +TO THE ENTIRE TABLE is another way to deal with this. + Note that some sort of direct vector writing must be +occurring if a vector change is detected between system calls. + If a vector change is detected during a system call but it +isn't function 25h of INT_21, suspect that an IRQ handler may be +effecting the change. + +LITTLE TRICKS OF THE TRADE: determining interrupt vector +addresses + How do you determine the interrupt vector addresses? As +example let's find the address of the INT_21 interrupt vector. +Since the interrupt vector table starts at address 0000:0000 +(easy to remember, isn't it?) and there are four bytes per +vector, the basic process is to multiply the interrupt number +four times and use the result at the offset with a segment of +zero. +x21h + x21h = x42 +x42h + x42h = x84 +The int_21 vector is located at address 0000:0084 +You could also use a calculator, for instance, the address of +INT_63 is x63*4=x18c = 0000:018C + +LITTLE TRICKS OF THE TRADE: address conversion + After a painstaking cracking session, you have finally +determined that a byte of memory at address 6049:891C is the +trigger. But when you isolate the offending instruction, you find +that the address it is generating when the protection occur is +different, being 6109:7D1C instead! How can this be? + An 80x86 type CPU, when running in real or VM86 mode, uses +what is known as segment:offset type addressing. One side effect +of this addressing method is that one physical address can be +equivalent to many different segment:offset addresses. 
+ To find the PHYSICAL ADDRESS for a given segment:offset do +the following: +- convert the segment portion of the address to a 1-based number +by multiplying it by 16 (x10)... it's easy: add 0 at the right +end of the number!... + 6049 -> 60490 + 6109 -> 61090 +now all you have to do is to add this value to the offset value + 60490+891C -> 68DAC + 61090+7D1C -> 68DAC +Got it? +And the other way round? If you have a physical address, say +19AC3, and you want to obtain a segment:offset address you must +first of all decide in which segment you want the address... if, +say, you choose segment 16CC, you proceed as follows: + 16CC -> 16CC0 + 19AC3-16CC0 = 2E03 (offset) + address for 19AC3 in segment 16CC = 16CC:2E03 + +TOOLS OF THE TRADE +[MEMSCAN.EXE] + One of the most fascinating tools that I have ever seen is +a (very old) program: MEMSCAN.EXE. +This program was originally written in 1988 by Scott A. Mebust, +running in CGA. It's a "visual" utility: it enables you to see +graphically the 1-meg of PC memory in 8 kbyte chunks. It's a +powerful tool in order to locate quickly bit mapped graphics and +other 'objects' in memory, like program data tables, stack areas, +code areas, available RAM, etc. I used this great idea to create +(in C) my own tools: a "dead_programs scanner" and an ameliorate +version of Memscan itself. Looking at the VISUAL STRUCTURE of a +program it's a great help when you'll crack higher levels. + +[TRACKMEM.COM] + A very good tool by James W.Birdsall, tracks memory usage +of programs (EMS, XMS, conventional). + +[SCANCODE.COM] + "THE" scancode lister, by the code_masters from clockwork +software. The must utility for crackers that do not learn all +scancodes by heart. + +[MAP.EXE] + Actually "MAP2", THE memory mapper from the code_masters at +clockwork software. It's a very good tool and an interesting one +too, coz you get it with the "Nigel" nag screens. 
They are not +difficult to remove (a "passletter" protection scheme, you'll +learn how to find and remove it from [Map.exe] in LESSON 3.2). + +[FILEDUMP.COM] [HEXDUMP.COM] [TDUMP.EXE] [DUMP.EXE] + There are hundred of file dump utilities, coz file dumping +is one of the first exercise they learn you at C-school. +Hexdump.com is 558 bytes long, Tdump.exe 120.704, pick the one +you like better or write your own (even better). Filedump.com, +by Daniel M.O'Brien, 1046 bytes long, it's nice. + +[SPRAY.COM] + That's a good crack utility indeed! This 1989 program by +Daniel M.O'Brien gives you a "post-mortem" picture of your +memory. You redirect it to and study it at ease. It's +difficult to say how many hours of cracking it did spare me (you +should study the program, only 252 bytes long, and will have to +modify it a bit, coz it's pretty primitive, in the original +version, for instance, the redirection to the printer works only +if there is NO SPACE between "spray" and ">"). + +[VEXE.EXE] + A good EXE files analyzer, useful for windows programs too +(see --> LESSON 7). Some of its functions are present in +TDUMP.EXE too. This 1991 program by S.Krupa it's sometimes very +useful. + +[SNOOP UTILITIES --> KGB.EXE INTMON.EXE INTRSPY.EXE etc...] +[TRACE UTILITIES --> TRACE.EXE STEPDOS.EXE etc...] + A must to study the "calling hierarchy" of an unknown +program. KGB.EXE, a 1992 program by Petr Hor k could be the best +one. I'll teach you how to crack without any of them (you do not +need them if you zen-crack), but they can nevertheless be very +useful in some situations. Stepdos.exe is a excellent program: +a pleasure to crack in order to use it for slightly different +purposes :=) + +[SOURCERING UTILITIES] + SR.EXE can be used for sourcering unknown programs. It's a +fairly good sourcering tool. Version 4.08 has been long ago +cracked by me (it's a "ORIGINAL NUMBERCODE" protected program) +and distributed on the Web, so you should easily find it. 
This +said, you should NEVER use such a brute force approach, unless +you are really desperate: I'll teach you how to crack without +sourcering (you don't need to sourcer if you zen-crack). + +[HEXEDITORS] +Every idiot has written at least one hexeditor, and you can find +very bad tools everywhere (the SIMTEL collection, on the Web, +lists at least 35 hexeditors). I suggest you write your own and +contribute to the flood, or (better) get PSEDIT.EXE, a good 1990 +program by Gary C. Crider (Parity Solutions, 1903 Pavia Ct. +Arlington, TX 76006... sometimes even americans can write good +programs). If you do use it (as you should) disapt the nag screen +as small exercise in cracking. + +[DEBUGGER] + Your best friend in cracking, your weapon, your hidecloak... +I suggest [Softice.exe] from Nu-Mega technologies (Version 2.6 +has been cracked by MARQUIS DE SOIREE and its vastly available +on the Web). You could also use [Periscope] or [Codeview] or +Borland's Turbodebugger... all these programs have been boldly +cracked and/or distributed and are now on the Web for free... +learn how to use YAHOO and find them. It's the only tool you 'll +REALLY need, believe me. So choose wisely and learn how to use +backtrace ranges and breakpoint on user written qualifications +routines. You 'll be able to crack almost EVERYTHING using these +features in the right way. + + You should get all the programs mentioned above (and more) +for free on the Web. Use them, but also modify them recklessly! +REMEMBER THAT YOU ARE (GOING TO BE) A CRACKER! The first programs +you should crack and modify are therefore your very tools! So +steal the code of the best tools you find! Snatch the best +routines and change them for the better! That's the whole point +in cracking: a mission to IMPROVE the best accomplishments of +humanity's genius :). 
+ +HOW TO CRACK, ZEN-CRACKING + You 'll learn, beginning with next lesson, how to crack +systematically the different protection schemes: paper & password +protections, time protections, access protections. At the end of +the "methodolocical" part, you'll be able to deprotect programs, +but you will still not be a cracker. In order to crack in a real +effective way you must use what I call (lacking a better +definition) "zen-cracking". I 'll give you right now an example +of this, so that you know what I'm talking about, but -unless you +are already capable- you'll have to finish the tutorial for +"normal" cracking before attempting this techniques. Let's zen- +crack together a password protection scheme (aka "paper +protection", coz you need the original manual of the program in +order to answer). This one is based on the typing, at the nag +screen, of the correct sequence of numbers. We are using as +example a game for the reasons explained in lesson 1, but you 'll +find the SAME protection scheme in the access protection +procedure of the old Tapestry networks... so do not frown upon +games protections. + +INDIANAPOLIS 500, Papyrus software & Electronic Arts, 1989 +It's a rather widespread program, so you should be able to find +it pretty easily. The nag screen asks for data based on the +historical performances of race cars... that means that the +answers will consist in two to three digits. + Now, the normal way to crack such a program will be +described in lesson 3.1 and embodyes following steps: +- snap save program memory areas before typing your answer +- snap compare after typing, say, "666" +- search for the sequence 36,36,36 (i.e. 666) +- breakpoint on memory range for reading +- look at the program part fetching your data +- find the snap procedure +- disable it. 
+ The above it's a relatively quick crack, and most of the +time 'll be fairly effective, but there is a better way: the "zen +way", the only one that can really bring you to crack peculiar +protection schemes. +- Run the program and break in at the nag screen +- Answer consist of 2-3 digits? Search for "AC" (i.e. the +instruction LODSB, load digit of answer in AL) in the area 500 +bytes BEFORE and 500 bytes AFTER your position. You'll get some +locations. (In the case of INDY 500 you get 6 such locations). +- "feel" the locations (that's the tricky part). +- OK, you already made it! Here is the protection strategy: + 8BBF28A5 MOV DI,[BX+A528]<-- DI points to coded data area +:compare_loop + AC LODSB <-- load first digit of answer in AL + B4FF MOV AH,FF <-- load mask in AH + 2A25 SUB AH,[DI] <-- sub coded data from mask and get + real answer + 47 INC DI <-- ready to get next coded data + 3AC4 CMP AL,AH <-- user answer = real answer ? + 751A JNZ bagger_off_you_do_not_know_the_right_answer + 0AC0 OR AL,AL <-- more numbers? + 75F2 JNZ compare_loop + 59 POP CX <-- nice guy, you may go on + ... +And if the protection scheme had been more far away? And if you +cannot "feel" the right one? And if my grandma had wheels? You'll +learn it, believe me. +Now let's quickly crack this crap. diff --git a/textfiles.com/piracy/CRACKING/howto3a.txt b/textfiles.com/piracy/CRACKING/howto3a.txt new file mode 100644 index 00000000..ba146d4e --- /dev/null +++ b/textfiles.com/piracy/CRACKING/howto3a.txt 
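Review bot: the address-conversion step under LITTLE TRICKS OF THE TRADE: address conversion says multiplying the segment by 16 converts it "to a 1-based number", which is not what happens: the shift yields the segment's 20-bit linear base, and the rule is linear = segment*16 + offset. Suggest "multiply the segment by 16 (append a hex 0) to get its 20-bit base address, then add the offset". The arithmetic itself checks out (60490+891C and 61090+7D1C both give 68DAC; 19AC3-16CC0 = 2E03), as does the vector-table rule (INT_21 at 0000:0084, INT_63 at 0000:018C). In the INDY 500 listing, `B4FF MOV AH,FF` followed by `2A25 SUB AH,[DI]` means each stored byte is the one's complement of the expected digit, so the "coded data area" decodes with a plain XOR FF; the text would be clearer if it said so rather than calling it "coded". Smaller points: the parenthetical opened at "(Use Sourcer! It's a fairly good tool" is never closed, and the same sr.exe 4.08 sentence is repeated verbatim under [SOURCERING UTILITIES]; "wich", "graphicallly", "They presents themselves", "methodolocical" and "embodyes" want fixing.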
@@ -0,0 +1,113 @@ + + HOW TO CRACK, A TUTORIAL - LESSON 3 (1) + by +ORC (the old red cracker) + +How to crack, an approach LESSON 1 +How to crack, tools and tricks of the trade LESSON 2 +-> How to crack, hands onn, paper protections LESSON 3 (1/2) +How to crack, hands on, time limits LESSON 4 +How to crack, hands on, disk-CDrom access LESSON 5 +How to crack, funny tricks LESSON 6 (1/2) +How to crack, intuition and luck LESSON 7 +How to crack windows, an approach LESSON 8 +How to crack windows, tools of the trade LESSON 9 +How to crack, advanced cracking LESSON A (1/2) +How to crack, zen-cracking LESSON B +How to crack, cracking as an art LESSON C +How to crack INDEX + +LESSON 3 (1) +HOW TO CRACK, HANDS ON - Password protected programs + +SOME PROBLEMS WITH INTEL's INT +The INT instruction is the source of a great deal of the +flexibility in the PC architecture, because the ability to get +and set interrupt vectors means that system services (included +DOS itself) are infinitely extensible, replaceable and +MONITORABLE. Yet the Int instruction is also remarkably +inflexible in two key ways: +- an interrupt handler DOES NOT KNOW which interrupt number + invoked it. +- the int instruction itself expects an IMMEDIATE operand: + you cannot write MOV AX,x21, and then INT AX; you must + write INT x21. +That would be very good indeed for us cracker... unfortunately +many high level language compilers compile interrupts into PUSHF +and FAR CALL instruction sequences, rather than do an actual INT. +Another method is to PUSH the address of the handler on the stack +and do RETF to it. + Some protection schemes attempt to disguise interrupt calls, +this is particularly frequent in the disk access protection +schemes (-> see LESSON 5) that utilize INT_13 (the "disk" +interrupt). + If you are attempting to crack such programs, the usual +course of action is to search for occurrences of "CD13", which +is machine language for interrupt 13. 
One way or another, the +protection scheme will have to use this interrupt to check for +the special sectors of the disk. If you examine a cross section +of the program, however, you 'll find programs which do not have +"CD13" in their machine code, but which clearly are checking the +key disk for weird sectors. How comez? + There are several techniques which can be used to camouflage +the protection scheme from our nice prying eyes. I'll describe +here the three such techniques that are more frequent: +1) The following section of code is equivalent to issuing an +INT 13 command to read one sector from drive A, side 0, track +29h, sector ffh, and then checking for a status code of 10h: + cs:1000 MOV AH,02 ;read operation + cs:1002 MOV AL,01 ;1 sector to read + cs:1004 MOV CH,29 ;track 29h + cs:1006 MOV CL,FF ;sector ffh + cs:1008 MOV DX,0000 ;side 0, drive A + cs:100B XOR BX,BX ;move 0... + cs:100D MOV DS,BX ;...to DS register + cs:100F PUSHF ;pusha flags + cs:1010 PUSH CS ;pusha CX + cs:1011 CALL 1100 ;push address for next + instruction onto stack and branch + cs:1014 COMP AH,10 ;check CRC error + cs:1017 ... rest of verification code + ... + ... + cs:1100 PUSHF ;pusha flags + cs:1101 MOV BX,004C ;address of INT_13 vector + cs:1104 PUSH [BX+02] ;push CS of INT_13 routine + cs:1107 PUSH [BX] ;push IP of INT_13 routine + cs:1109 IRET ;pop IP,CS and flags +Notice that there is no INT 13 command in the source code, so if +you had simply used a debugger to search for "CD13" in the +machine code, you would never have found the protection routine. + +2) Another technique is to put in a substitute interrupt +instruction, such as INT 10, which looks harmless enough, and +have the program change the "10" to "13 (and then back to "10") +on the fly. A search for "CD13" would turn up nothing. + +3) The best camouflage method for interrupts I have ever +cracked (albeit not on a INT 13) was a jump to a section of the +PROGRAM code that reproduces in extenso the interrupt code. 
This +elegant (if a little overbloated) disguise mocks every call to +the replicated interrupt. +Bear all this in mind learning the following cracks. + +CRACKING PASSWORD PROTECTED PROGRAMS + Refer to lesson one in order to understand why we are using +games instead of commercial applications as learn material: they +offer the same protection used by the more "serious" applications +(or BBS & servers) although inside files that are small enough +to be cracked without loosing too much time. + A whole series of programs employ copy protection schemes +based upon the possess of the original manual or instructions. +That's obviously not a very big protection -per se- coz everybody +nowadays has access to a photocopier, but it's bothering enough +to motivate our cracks and -besides- you'll find the same schemes +lurking in many other password protected programs. + Usually, at the beginning of the program, a "nag screen" +requires a word that the user can find somewhere inside the +original manual, something like: "please type in the first word +of line 3 of point 3.3.2". Often, in order to avoid mistakes, the +program indicates the first letter of the password... the user +must therefore only fill the remaining letters. + +Some examples, some cracks: + diff --git a/textfiles.com/piracy/CRACKING/howto3b.txt b/textfiles.com/piracy/CRACKING/howto3b.txt new file mode 100644 index 00000000..d0eedb8f --- /dev/null +++ b/textfiles.com/piracy/CRACKING/howto3b.txt 
@@ -0,0 +1,208 @@ + + HOW TO CRACK, A TUTORIAL - LESSON 3 (2) + by +ORC (the old red cracker) + +How to crack, an approach LESSON 1 +How to crack, tools and tricks of the trade LESSON 2 +-> How to crack, hands on, paper protections LESSON 3 (1-2) +How to crack, hands on, time limits LESSON 4 +How to crack, hands on, disk-Cdrom access LESSON 5 +How to crack, funny tricks LESSON 6 (1-2) +How to crack, intuition and luck LESSON 7 +How to crack windows, an approach LESSON 8 +How to crack windows, tools of the trade LESSON 9 +How to crack, advanced cracking LESSON A (1-2) +How to crack, zen-cracking LESSON B +How to crack, cracking as an art LESSON C +How to crack INDEX + +LESSON 3 (2) - HOW TO CRACK, HANDS ON (3.2) Passwords, second +part, and something about passletters + +You have seen in the previous lesson that the use of a password +protection, independently of the coding and hiding methods used +to store them in memory, implies the use of a comparing procedure +with the password that the user types in. You therefore have many +options to begin your cracking work: +- find the location of the user password +- find the "echo" in memory of the real password +- find the routine that compares both +- find the passwords hideout and encryption type +- find the go_ahead_nice_buyer exit or jump +- find the beggar_off_ugly_copier exit or jump +just to name the more obvious ones. 
In order to make things more +difficult for us crackers, the protectionists have devised many +counter-strategies, the more obvious ones being: +- keeping the various part of the store/compare/hide routines +well apart in code (no match for zen-cracking); +- filling these routines with "bogus" compares, bogus jumps +and bogus variables, in order to make things more difficult for +the crack (no match for decent crackers); +- disseminating the code with anti-debugger tricks, like INT_3 +instructions or jumps in and out protected mode (no match for our +beloved [Soft-Ice]); +- trying to eliminate the need for passwords altogether +letting the user input "one letter" or "one number" or "one +image" as answer to some variable question. In this lesson I'll +teach you how to crack these "passletters" protection techniques. + +Let's first resume the "uses" of a password protection: + +PASSWORDS AS PERMISSION TO ACCESS +These passwords serve to acknowledge that a legitimate user is +using the program. This is the type of password that you'll find, +for example, protecting your user account on Compuserve, on +Networks or even in ATM machines used by banks or corporations. +These require a little hardwiring to crack: ATM passnumber +protection schemes rely on an answer from the central computer +(they do NOT verify only the three magnetic areas in the magnetic +strip on the card). The lines between ATM's & their hosts are +usually 'weak' in the sense that the information transmitted on +them is generally not encrypted in any way. (Some banks use +encrypted information, but this is fairly easy to crack too). 
+So for ATMs you should do the following 1) cross over the +dedicated line between the ATM and the host; 2) insert your +computer between the ATM and the host; 3) Listen to the "normal" +messages and DO NOT INTERFERE YET; 4) Try out some operations +with a legal card, make some mistakes, take note of the various +codes; 5) When you are ready insert a fraudulent card into the +ATM. Now the following happens: +- the ATM sends a signal to the host, saying "Hey! Can I give +this guy money, or is he broke, or is this funny card invalid?"; +- the microcomputer intercepts the signal from the host, +discards it, sends on the "there's no one using the ATM" signal; +- the host gets the "no one using" signal and sends back its +"good, keep watching out if somebody comes by, and for God's sake +don't spit out any money on the street!" signal to the ATM; +- the microcomputer intercepts this signal (again), throws it +away (again), and sends the "Wow! That guy is like TOO rich! Give +him as much money as he wants. In fact, he's so loaded, give him +ALL the cash we have! He is a really valued customer." signal. +- the ATM obediently dispenses cash till the cows come home. + All this should be possible, but as a matter of fact it has +not much to do with cracking, unless there is a special software +protection on the line... so if you want to work on ATMs contact +our fellow phreakers/hackers and learn their trade... and +please remember to hack only cash dispenser that DO NOT HAVE a +control camera :=) + +PASSWORDS AS REGISTRATION +This type of password is often used in shareware programs. When +you register the shareware program, you are sent a password that +you use to upgrade your shareware program to a complete and more +powerful version. 
This method, used frequently for commercial +applications, has recently been used quite a lot by many windows +applications that come "crippled" on the magazines cover CD-roms, +requiring you to telephone a hot line (and paying) in order to +get the "unique key" to unlock the "special protection". It's all +bullshit: we'll learn in the "how to crack windows" lessons how +easy it is to disable the various routines that verify your +entry. + +PASSWORDS AS COPY PROTECTIONS +This type of password is often used for games and entertainment +software. The password query does not usually appear any more at +the start of the program, or as the program is loading. Instead, +the password query appears after one or more levels are completed +(this innovation was pioneered by "EOB I" and the "Ultima" +series) or when the user reloads a saved game or session. + +DONGLE PASSWORDS + A few extremely expensive programs use a dongle (also called +an hardware key). A dongle is a small hardware device containing +a password or checksum which plugs into either a parallel or a +serial port. Some specially designed dongles even include +complete program routines. Dongles can be cracked, but the amount +of work involved is considerable and the trial and error +procedure currently used to crack them via software is extremely +tedious. It took me more than a week to crack MULTITERM, +Luxembourger dongle protected program. The quickest method to +crack dongle protected programs, involves the use of pretty +complicated hardware devices that cannot be dealt with here. I +myself have only seldom seen them, and do not like at all to +crack dongles via software, coz it requires a huge amount of zen +thinking and of luck and of time. If you want more information +on the hardware way to crack dongles, try to contact the older +ones on the appropriate web sites, they may even answer you if +you are nice, humble and really technically interested. 
+ + The obvious principle, that applies to the software password +types mentioned above is the following: The better the password +is hidden, and the better it is encrypted, the more secure the +program will be. The password may be +- encrypted and/or +- in a hooked vector and/or +- in an external file and/or +- in a SMC (Self modifying code) part + + Let's finally inspect the common "ready_made" protection +schemes (used by many programmers that do not program +themselves): +* password read in +* letters added to a key to be entered +* complement of the letters formed xoring with 255 +* saved key (1 char) +* saved password (256 chars) +* saved checksum (1 char), as protection, against simple + manipulations +* generating file PASSWORD.DAT with password, to be inserted + inside a different file than the one containing the calling + routine +Now the lazy programmer that wants to "protect" his program +searches first the file where the password is stored, then loads +the key, the password and the checksum. He uses a decrypt +procedure to decrypt the password and a check_checksum procedure +to check whether the password was modified. All this is obviously +crackabe in few seconds. + +[PASSWORD ACCESS INSIDE THE SETUP] + Some computers have a password protected access INSIDE the +Setup (at the beginning), the protection scheme does not allow +a boot with a floppy and does not allow a setup modify. 
In these +cases the only possible crack is an old hack method: +* open the PC +* find on the motherboard a small jumper (bridge) with the + words "Pw" +* take it away +* PC on +* run the setup with F1 or Del (depending from the BIOS) (the + protection will not work any more) +* deactivate inside the setup the option password +* PC off +* put the small jumper (bridge) back again +* close the PC +* PC on, cracked (if you want to be nasty you could now use + the setup to set YOUR password) + If you want to know more about access refuse and access +denying, encryption and locking of the FAT tables, get from the +web, and study, the (very well written) code of a virus called +"Monkey", that does exactly this kind of devastation. Virus +studying is, in general, very useful for cracking purposes, coz +the virus'code is at times +- very well written (pure, tight assembly) +- using concealing techniques not much different from the + protection schemes (often far superior) +- using the most recent and best SMC (self modifying code) + tricks + + But, and this is very important, do not believe that the +protection schemes are very complicated! Most of the time the +protection used are incredibly ordinary: as a final example of +our paper protection schemes, let's take a program released not +long ago (1994), but with a ridiculous protection scheme: TOP +(Tiger on the prowl) a simulation from HPS. +Here the cracking is straightforward: +- MAP(memory_usage) and find main_sector +- type "AAAA" as password +- (s)earch main_sector:0 lffff "AAAA" +- dump L80 "AAAA" location -40 (gives you a "wide" dump), + this gives you already the "echo" of the correct password +- breakpoint on memory read & write to "AAAA" location and + backtrace the complete main_sector +it's done! 
Here the code_lines that do protect TOP: + 8A841C12 MOV AL,[SI+121C] move in AL first user letter + 3A840812 CMP AL,[SI+1208] compare with echo + 7402 JZ go_ahead_nice_buyer + EB13 JMP beggar_off_ugly_cracker + +Now let's quickly crack it: diff --git a/textfiles.com/piracy/CRACKING/howto5.txt b/textfiles.com/piracy/CRACKING/howto5.txt new file mode 100644 index 00000000..ea4970ec --- /dev/null +++ b/textfiles.com/piracy/CRACKING/howto5.txt 
@@ -0,0 +1,487 @@ + +HOW TO CRACK, by +ORC, A TUTORIAL + +Lesson 5.1: Disk & CD-Rom access (basics) + +LESSON 5 (1) - HOW TO CRACK, HANDS ON - Disk/CDROM access (plus +bypasses "on the fly") + +Somewhere I have to put the bypasses (loader programs) in this +tutorial, allow me to put them here: + +Preparing a loader to bypass a protection [MARIO ANDRETTI] + At time the protectionists hook vectors in order to impose +a particular protection. In this (and similar) cases a good +crack-way is to prepare a "loader" program, that "de-hooks" the +vector used for the protection. This kind of crack can be used +also for internet cracking (on some firewall configurations, see +lesson A.2). + As example let's take "Mario andretti racing challenge", a +stupid game that uses the SAME (!) protection scheme you'll still +find to day on some access routines of military servers around +the witlessly called "free" world. + +In order to crack this cram you would prepare a loader on the +following lines: + +loc code instruction what's going on +------------------------------------------------------- +:0100 EB44 JMP 0146 +... 
+:0142 0000 <- storing for offset of INT_21 +:0144 5887 <- storing for segment of INT_21 +:0146 FA CLI +:0147 0E PUSH CS +:0148 1F POP DS +:0149 BCB403 MOV SP,03B4 +:014C FB STI +:014D 8C1EA901 MOV [01A9],DS <- save DS +:0151 8C1EAD01 MOV [01AD],DS three +:0155 8C1EB101 MOV [01B1],DS times +:0159 B82135 MOV AX,3521 <- get INT_21 +:015C CD21 INT 21 in ES:BX +:015E 891E4201 MOV [0142],BX <- store offset +:0162 8C064401 MOV [0144],ES <- store segment +:0166 BA0201 MOV DX,0102 +:0169 B82125 MOV AX,2521 <- set INT_21 to +:016C CD21 INT 21 DS:0102 +:016E 0E PUSH CS +:016F 07 POP ES <- ES= current CS +:0170 BBB403 MOV BX,03B4 +:0173 83C30F ADD BX,+0F +:0176 B104 MOV CL,04 +:0178 D3EB SHR BX,CL <- BX= 3C +:017A B8004A MOV AX,4A00 <- Modify memory block +:017D CD21 INT 21 to 3C paragraphs +:017F BA9E01 MOV DX,019E <- ds:dx=program name +:0182 BBA501 MOV BX,01A5 <- es:bx = param. block +:0185 B8004B MOV AX,4B00 <- load ma.com +:0188 CD21 INT 21 +:018A 2E8B164201 MOV DX,CS:[0142] <- reset old int_21 +:018F 2E8E1E4401 MOV DS,CS:[0144] +:0194 B82125 MOV AX,2521 +:0197 CD21 INT 21 +:0199 B8004C MOV AX,4C00 <- terminate with return +:019C CD21 INT 21 code +:019E 6D612E636F6D00 "ma.com" + 0000 fence +:01A7 B2015887 +:01AB B2015887 +:O1AF B2015887 + 0000 fence + +let's now prepare a routine that hooks INT_21: + +push all +CMP AX,2500 <- go on if INT_21 service 25 +JNZ ret +CMP Word Ptr [0065], C00B <- go on if location 65 = C00B +JNZ ret +MOV Byte Ptr [0060], EB <- crack instructions +MOV Byte Ptr [0061], 3C +MOV Byte Ptr [0062], 40 <- INC AX +MOV Byte Ptr [0063], 90 <- NOP +MOV Byte Ptr [0064], 48 <- DEC AX +pop all +JMP FAR CS:[0142] <- JMP previous INT_21 + + From now on this loader will work every time that a program +with location [0065] containing an 0R AX,AX instruction (0BC0: +it's the case of ma.com) calls INT_21 service 25 (hook a vector), +the target program will be modified on the fly and will get, at +location [0060], the instruction JMP 3C locations ahead, despite 
+the fact that it has routines capable of self checking in order +to make sure it has not been modified. + The most important thing is the routine that YOU write that +will precede the call to INT_21 (or any other INT) service 25 (or +any other service) in order to crack on the fly the offending +program. I'll show you another one, this one for [Reach for the +skies] (reach.com): + +push all +CMP AH,3D <- is it service 3D? (open file) +JNZ ret <- no, so ret +CMP DX,13CE <- you wanna open file at 13CE? +JNZ ret <- no, so ret +MOV AX,[BP+04] <- in this case +MOV DS,AX +CMP Byte Ptr [B6DA],74 <- old instructions +JNZ 015B +CMP Byte Ptr [B6DB],0F <- ditto +JNZ 015B +CMP Byte Ptr [B6DC],80 <- ditto, now we now where we are +JNZ 015B +MOV Byte Ptr [B6DA],EB <- crack +MOV Byte Ptr [B697],40 <- camouflaged no-opping +MOV Byte Ptr [B698],48 <- cam nop +MOV Byte Ptr [B699],90 <- cam nop +MOV Byte Ptr [B69A],40 <- cam nop +MOV Byte Ptr [B69B],48 <- cam nop +MOV DX,CS:[0165] +MOV DS,CS:[0167] +MOV AX,2521 <- set hook +INT 21 +POP all +JMP FAR CS:[0165] +Here you did change the instruction 740F in the instruction EB0F, +and you did "noop" the instructions at B697-B69B. (Well, more +elegantly than "noop" them with "90" bytes, you choose a INC AX, +DEC AX, NOP, INC AX, DEC AX sequence instead! There are sound +reasons to use a sequence of "working" instructions instead of +NOPs: recent protection schemes "smell" patched nops inside the +program and trash everything if they find more than -say- three +consecutive NOPs! You should always try to choose THE LESS +INTRUSIVE and MORE "CAMOUFLAGED" solution when you crack!) + You can apply this kind of crack, on the same lines, to many +programs that perform self checking of the code and hook the +vectors. + +REAL DISK ACCESS STUFF + Now we may come to the subject of this lesson: + As usual, let's begin from the beginning: history is always +the key that allows an understanding of present and future, in +cracking matters too. 
As the older 5 1/4 inch big black floppy +disks were still used (the 320K/8 tracks or 360K/9 tracks ones, +that were really "floppy" and have nowadays almost disappeared) +one of the more common methods to protect a program, was to +format the "master" (key) disk in a weird way. Old floppy disk +for the PC did usually store 360K at 9 sectors per track. + Some basics for those of you that do not know anything: in +order to defeat this kind of cracks you need to know two things: +the floppy disk parameter block (FDPB) and the interrupt routines +dealing with format/read disk (basically INT_13). + Most often, the protection scheme is to either format one +or more sectors or tracks with sector sizes other than the +standard 512 bytes, or to either give one of the sectors a wild +sector number like 211 or just not format a whole track of +eight/nine/15 sectors. If you, for instance, have got the same +(very old) copy of VisiCalc master I do, you'll find that sector +8 on track 39 is missing entirely. The interrogation with +assembly or with an "ad hoc" utility (I use the tools I wrote +myself, but you 'll be able to find many such utilities in public +domain, the oldest one, from 1984 (!) being the seasoned [U-ZAP] +an "Ultra utility" from the "Freesoft company") will tell you +which sector numbers were altered, their size in bytes, and if +they were formatted with a CRC error (another not so fancy +trick). + The floppy disk parameters are stored in the BIOS: interrupt +vector 1E contains the address of the floppy disk parameter +block. The FDPB's contents are the following: +Offset Function crackworthy? 
Example +0 Step rate & head unload no DF +1 head load time no 02 +2 Motor on delay no 25 +3 Number of bytes per sector yes 02 +4 Last sector number yes 12 +5 Gap length yes 1B +6 Data track length yes FF +7 Format gap length yes 54 +8 Format byte no F6 +9 Head settle time no 0F +A Motor start time no 02 + +0) Offset #0: the left "nybble" (single digit) of this value + is the step rate time for the disk drive head. The right + nybble is the disk head unload time. These values are best + left alone. +1) Offset #1: again, don't fool around with these values. The + left nybble is the disk head load time, and the right + nybble is the direct memory access mode select. +2) Wait time until motor is turned off. Not normally of use. +3) Bytes-per-sector value: AH-HAH! If you place a "0" in this + value, the PC expects all sectors to be 128 bytes long. A + "1" means a sector size of 256 bytes, a "2" means 512 + bytes (this is the standard DOS value), and a "3" means + 1024 bytes per sector. +4) Highest sector number on a track: this is used for + formatting and tells DOS how many sectors there are on each + track. +5) Gap length for diskette reads: this is what you fool around + with if you keep getting CRC errors when you try to read a + non-standard size sector. Normally, you can just leave this + alone except when formatting with a U-Format tool. +6) Data length: This contains the number of bytes in a sector + when the value in table byte #4 doesn't contain a 0, 1, 2, + or 3. +7) Number of bytes in the gap between sectors: this is also + only used when formatting special tracks. +8) Format fill byte: When formatting, this is the + initialization byte that will be placed in all new sectors. +9) Head settle time: leave this alone. +A) Motor start time: don't fool with this either. 
+In order to modify globally the number of tracks on a given disk +and the number of sectors per track you can always format with +the DOS command switches "/t:" and "/n:" + FORMAT /t:tracks /n:sectors + + If you want to find out what the existing parameters are, +run [Debug.exe] or [Symdeb.exe] and enter the following commands: +- d 0:78 l 4 <- get FDPB address + 0000:0070 22 05 00 <- debugger's likely response +- d 0:522 l a <- get 10 FDPB values + 0000:520 DF 02 25 02 12 1B FF... <- see preceding table + + Remember that all standard disk formats under DOS support +a sector size of 512 bytes, therefore, for one-sided 5.25 inch +floppies: + 40t*8s*512b=163.840 bytes (160Kb) + 40t*9s*512b=184.320 bytes (180Kb) +and for two-sided 5.25 inch floppies: + 40t*8s*512b*2sides=327.680 bytes (320Kb) + 40t*9s*512b*2sides=368.640 bytes (360Kb) + Beginning with DOS version 3.0 (Yeah, more and more +history!) a new floppy disk format has been supported: The IBM +AT (80286 CPU) introduced the so called "high capacity" 5.25 u- +inch floppy, capable of storing 1.2M at 15 sectors per track: + 80t*15s*512b*2sides=1.228.800 bytes (1.2Mb) + Later on were introduced the to-day universally used 3.5 +inch floppies, the ones inside a rigid small plastic cartridge, +and we have, similarly: + 3.5-inch double sided/double density 720K + 3.5-inch double sided/quad density (HD) 1440K + 3.5-inch double sided/high density 2880K + + +[INT_13, AH=18, Set media type for format] + In order to create weird layouts, the protectionists use +interrupt 13h, service 18h, that specifies to the formatting +routines the number of tracks and sectors per track to be placed +on the media: +* Registers on entry: AH=18h; CH=Nø of tracks; CL= Sectors + per track; DL= Drive number (A=0; B=1;C=2... bit 7 is set + if the drive is an hard disk) +* Registers on Return: DI: Offset address of 11-byte + parameter table; ES: Segment address of 11-byte parameter + table. 
+ +[INT_13, AH=2, Read disk sectors] +In order to read them, they have to use INT_13, service 2, read +disk sectors, with following layout: +* Registers on entry: AH=2h; AL= Nø of sectors; BX= Offset + address of data buffer; CH=track; CL= Sector; DH= Head + (side) number; DL= Drive number; ES: Segment address of + data buffer. +* Registers on Return: AH= return code. If the carry flag is + not set, AH=0, therefore the weird sector has been read, if + on the contrary the carry flag is set, AH reports the + status byte as follows: +76543210 HEX DEC Meaning +1 80h 128 Time out - drive crazy + 1 40h 064 Seek failure, could not move to track + 1 20h 032 Controller kaputt + 1 10h 016 Bad CRC on disk read + 1 09h 009 DMA error - 64K boundary crossed + 1 08h 008 DMA overrun + 1 04h 004 Bad sector - sector not found + 11 03h 003 Write protect! + 1 02h 002 Bad sector ID (address mark + 1 01h 001 Bad command + +[Return code AH=9: DMA boundary error] + One of the possible errors should be explained, coz it is +used in some protection schemes: AH=9 DMA boundary error, means +that an illegal boundary was crossed when the in formation was +placed into RAM. DMA (Direct memory access) is used by the disk +service routines to place information into RAM. If a memory +offset address ending in three zeros (ES:1000, ES: 2000...) falls +in the middle of the area being overlaid by a sector, this error +will occur. + +[INT_13, AH=4 Verify disk sectors] + Another possible protection interrupt is interrupt 13H, +service 4, Verify disk sectors. Disk verification takes place on +the disk and DOES NOT involve verification of the data on the +disk against data in memory! This function has no buffer +specification, does not read or write a disk: it causes the +system to read the data in the designated sector or sectors and +to check its computed cyclic redundancy check (CRC) against data +stored on the disk. See INT_13, AH=2 registers and error report. 
+ +[CRC] + The CRC is a checksum, that detects general errors. When a +sector is written to disk, an original CRC is calculated AND +WRITTEN ALONG with the sector data. The verification service +reads the sector, recalculates the CRC, and compares the +recalculated CRC with the original CRC. + + + + We saw that some protection schemes attempt to disguise +interrupt calls. This is particularly frequent in the disk access +protection schemes that utilize INT_13 (the "disk" interrupt). + If you are attempting to crack such programs, the usual +course of action is to search for occurrences of "CD13", which +is machine language for interrupt 13. One way or another, the +protection scheme has to use this interrupt to check for the +special sectors of the disk. If you examine a cross section of +the program, however, you'll find programs which do not have +"CD13" in their machine code, but which clearly are checking the +key disk for weird sectors. How comez? + There are several techniques which can be used to camouflage +the protection scheme from our nice prying eyes. I'll describe +here the three such techniques that are more frequent: +1) The following section of code is equivalent to issuing an +INT 13 command to read one sector from drive A, side 0, track +29h, sector ffh, and then checking for a status code of 10h: + cs:1000 MOV AH,02 ;read operation + cs:1002 MOV AL,01 ;1 sector to read + cs:1004 MOV CH,29 ;track 29h + cs:1006 MOV CL,FF ;sector ffh + cs:1008 MOV DX,0000 ;side 0, drive A + cs:100B XOR BX,BX ;move 0... + cs:100D MOV DS,BX ;...to DS register + cs:100F PUSHF ;pusha flags + cs:1010 PUSH CS ;pusha CX + cs:1011 CALL 1100 ;push address for next + instruction onto stack and branch + cs:1014 COMP AH,10 ;check CRC error + cs:1017 ... rest of verification code + ... + ... 
+ cs:1100 PUSHF ;pusha flags + cs:1101 MOV BX,004C ;address of INT_13 vector + cs:1104 PUSH [BX+02] ;push CS of INT_13 routine + cs:1107 PUSH [BX] ;push IP of INT_13 routine + cs:1109 IRET ;pop IP,CS and flags +Notice that there is no INT 13 command in the source code, so if +you had simply used a debugger to search for "CD13" in the +machine code, you would never have found the protection routine. + +2) Another technique is to put in a substitute interrupt +instruction, such as INT 10, which looks harmless enough, and +have the program change the "10" to "13 (and then back to "10") +on the fly. A search for "CD13" would turn up nothing. + +3) The best camouflage method for interrupts I have ever +cracked (albeit not on a INT 13) was a jump to a section of the +PROGRAM code that reproduces in extenso the interrupt code. This +elegant (if a little overbloated) disguise mocks every call to +the replicated interrupt. + +LOADING ABSOLUTE DISK SECTORS +Old good [debug.com] has been called the "swiss army knife" of +the cracker. It allows a lot of nice things, inter alia the +loading, reading, modifying and writing of absolute sectors of +the disks. The sector count starts with the first sector of track +0, next sector is track 0, second side (if double sided), then, +back to the first side, track 1, and so on, until the end of the +disk. Up to 80h (128) sectors can be loaded at one time. To use +you must specify starting address, drive (0=A, 1=B, etc...), +starting sector and number of sectors to load. + - l 100 0 10 20 +This instruction tells DEBUG to load, starting at DS:0100, from +drive A, sector 10h for 20h sectors. This allows at times the +retrieval of hidden and/or weird formatted data. If you get an +error, check the memory location for that data. Often times, part +of the data has been transferred before the error occurs, and the +remainder can be manually entered or gathered through repetitive +retries. + +Bear all this in mind learning the following cracks. 
+Let's now crack an "oldie" primitive: +MS Flight simulator (old version 2.12, from 1985!) +This old program used -in 1985!- following beautiful protection +scheme: on the disk you had only a "stub", called FS.COM with few +bytes, which had following instructions: + +loc code instruction what's going on +------------------------------------------------------- +:0100 FA CLI ;why not? +:0101 33C0 XOR AX,AX ;ax=0 +:0103 8ED0 MOV SS,AX ;ss=0 +:0105 BCB0C0 MOV SP,C0B0 ;SP=C0B0 +:0108 8EC0 MOV ES,AX ;ES=0 +:010A 26C70678003001 MOV Wptr ES:[0078],0130 ;Wp 0:78=130 +:0111 268C0E7A00 MOV ES:[007A],CS ;0:7A=Segment +:0116 BB0010 MOV BX,1000 ;BX=1000 +:0119 8EC3 MOV ES,BX ;ES=1000 +:011B 33DB XOR BX,BX ;BX=0 +:011D B80102 MOV AX,0201 ;AH=2 AL=1 sector +:0120 BA0000 MOV DX,0000 ;head=0 drive=0 +:0123 B96501 MOV CX,0165 ;track=1 sector=65 (!) +:0126 CD13 INT 13 ;INT 13/AH=2 +:0128 B83412 MOV AX,1234 ;AX=1234 +:012B EA00000010 JMP 1000:0000 ;JMP to data we just read +:0130 CF IRET ;Pavlovian, useless ret + + You see what's happening in this old protection scheme, +don't you? Herein you can watch the same snap that happens in +more recent (much more recent) protection schemes (as you'll see +in the next lesson): the protection searches for a weird +formatted sector and/or for particular data. + That should be no problem for you any more: you should just +reverse engineer everything (and that goes on pretty quickly: +just watch and break on the INT_13 calls), fetch the "weird" +data, tamper the whole crap and have your soup as you like it. + One more word about "old" protection schemes. Be careful not +to spurn them! Some of them are + --CLEVER + --STILL USED + --DIFFICULT TO CRACK... I mean, this older DOS programs had +nice protections... 
it's pretty annoying to crack windows +programs that require a registration number: as you saw in Lesson +3, you just type your name and a serial number of your choice in, +say "666666666", break into the program with WINICE, search the +"666666666" and search too, for good measure, your own name, set +a memory read breakpoint where the number dwells and look at the +code that manipulates your input. As [Chris] rightly pointed out, +you can even rip the code straight out of the program and create +a key generator which will produce a valid code. This code will +work for any name you typed in only in the "pure maths +manipulation" protection schemes, and will on the contrary be +specific, following the name you typed in, the "alpha-maths +manipulation" protection schemes (like MOD4WIN, see the Windows +lessons), watch in this case the "pseudo-random xoring" of the +letters that compose your name. + --STUNNING, coz new ideas have always been infrequent, and +they are getting more and more rare in this objectionable world +of lazy, incapable programmers patronizing us with ill-cooked +outrages like Windows'95... yeah, as usual there is no +"development" at all, quite the contrary, I would say. Take a +step backward, sip a good Martini-Wodka (please remember that +only Ice cubes, Dry Martini, Wodka Moskovskaja, Schweppes' +"Indian tonic" a green olive from Tuskany and a maltese lemon +zest will really be perfect) and watch from your balcony, with +unsullied eyes, your town and the people around you: slaves +everywhere, leaving home at 7.30 in the morning, stinking in a +progression of identical cars, forced to interminably watch +advertisement panels and endlessly listen to boorish publicity, +happy to go to work (if they happen to have the "luck" to work, +in this inequitable society) the whole day long in order to +produce other cars in order to buy, one day, a new car with a +different colour... 
+ Why people don't look at the stars, love each other, feel +the winds, ban the stinking cars from the places where they live +and eat, study colours... name yourself a not-consumistic +activity? Why don't they read any poems any more? No poetry any +more, in the grey society of the publicity-spots slaves...poetry +will soon be forbidden, coz you cannot CONSUME as you read poems, +and in this farce of a society you are BOUND to consume, that's +the only thing they want you to do... you are CULTIVATED to +consume... no books worth to read any more... stupid american +conventional cram everywhere... boy, at times I'm missing some +well placed neutron bombs, the ones that would kill all these +useless zombies and leave noble books and good Wodka untouched. +It's difficult to believe in democracy any more... if I ever +did... all the useless zombie do -unfortunately- vote, and they +do vote for "smiling semblances", for "conventionally minded +idiots" that so act as if they would "really" be like what they +"look" like and could not care less about anything else than +making bucks and defend intolerant and petty patterns. The slaves +choose the people they have "seen" on TV... as if the egyptians +would VOTE for their pharaohs, exhilarated under the whips of +publicity... sorry, at times I forget that you are here for the +cracks, and could not care less about what I think... + + You 'll obtain the OTHER missing lessons IF AND ONLY IF you +mail me back (via anon.penet.fi) with some tricks of the trade +I may not know that YOU discovered. Mostly I'll actually know +them already, but if they are really new you'll be given full +credit, and even if they are not, should I judge that you +"rediscovered" them with your work, or that you actually did good +work on them, I'll send you the remaining lessons nevertheless. +Your suggestions and critics on the whole crap I wrote are also +welcomed. + ++ORC an526164@anon.penet.fi + 
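Review bot: the fixed-width layout this file relies on looks collapsed in the hunk, most visibly in the INT_13 status-byte table (`76543210 HEX DEC Meaning`), where every row after the first shows a bare `1` at the same indent, so the bit position each code sets can no longer be read off the column; the FDPB table (`Offset Function crackworthy? Example`) and the `loc code instruction` listings carry the same risk. Confirm the committed text preserves the original whitespace exactly, and leave the source's own slips in place rather than correcting them on import (`:O1AF` with a letter O for zero, `0R AX,AX` with a zero for O, the `d 0:78 l 4` query answered at `0000:0070` and `d 0:522 l a` answered at `0000:520`), since the value of this archive is verbatim fidelity to the textfile as it circulated.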
diff --git a/textfiles.com/piracy/CRACKING/howto6.txt b/textfiles.com/piracy/CRACKING/howto6.txt new file mode 100644 index 00000000..06a5f5ad --- /dev/null +++ b/textfiles.com/piracy/CRACKING/howto6.txt 
@@ -0,0 +1,455 @@ + +HOW TO CRACK, by +ORC, A TUTORIAL + +Lesson 6.1: Funny tricks (1) + + +LESSON 6 (1) - Funny tricks. Xoring, Junking, Sliding +EXERCISE 01: [LARRY in search of the King] + Before the next step let's resume what you have learned in +the lessons 3-5, beginning with a very simple crack exercise +(again, we'll use the protection scheme of a game, for the +reasons explained in lesson 1): SEARCH FOR THE KING (Version +1.1.). This old "Larry" protection sequence, is a "paper +protection" primitive. It's a very widespread (and therefore easy +to find) program, and one of the first programs that instead of +asking meaningful passwords (which offer us the possibility to +immediately track them down in memory) asked for a random number +that the good buyer could find on the manual, whereby the bad +cracker could not. (Here you choose -with the mouse- one number +out of 5 possible for a "gadget" choosen at random). I don't need +any more to teach you how to find the relevant section of code +(-> see lesson 3). Once you find the protection, this is what you +get: + +:protection_loop + :C922 8E0614A3 MOV ES,[A314] +... + :C952 50 0E PUSH AX & CS + :C954 E81BFF CALL C872 <- call protection scheme + :C957 5B POP BX twice + :C959 8B76FA MOV SI,[BP-06] <- prepare store_room + :C95C D1E6 SHL SI,1 <- final prepare + :C95E 8942FC MOV [BP+SI-04],AX <- store AX + :C961 837EFA00 CMP Word Ptr [BP-06],+00 <- good_guy? + :C965 75BB JNZ C922 <- loop, bad guy + :C967 8E0614A3 MOV ES,[A314] + :C96B 26F606BE3501 TEST Byte Ptr ES:[35BE],01 <- bad_guy? + :C971 74AF JZ C922 <- loop, bad guy + :C973 8B46FC MOV AX,[BP-04]... <- go on good guy + +Let's see now the protection scheme called from :C954 + :C872 55 PUSH BP +... + :C8F7 90 NOP + :C8F8 0E PUSH CS + :C8F9 E87234 CALL FD6E <- call user input + :C8FC 5B POP BX + :C8FD 5B POP BX + :C8FE 8B5E06 MOV BX,[BP+06] + :C901 D1E3 SHL BX,1 + :C903 39872266 CMP [BX+6622],AX <- right answer? 
+ :C907 7505 JNZ C90E <- no, beggar_off + :C909 B80100 MOV AX,0001 <- yes, AX=1 + :C90C EB02 JMP C910 + :C90E 2BC0 SUB AX,AX <- beggar_off with AX=0 + :C910 8BE5 MOV SP,BP + :C912 5D POP BP + :C913 CB RETF <- back to main + +Here follow 5 questions, please answer all of them: +1) Where in memory (in which locations) are stored the "right" + passnumbers? Where in memory is the SEGMENT of this + locations stored? How does the scheme get the OFFSET? +2) Would setting NOPs instructions at :C965 and :C971 crack? + Would it be a good idea? +3) Would changing :C907 to JZ crack? Would it be a good idea? +4) Would changing :C907 to JNZ C909 crack? Would it be a good + idea? +5) Write down (and try) at least 7 OTHER different patches to + crack this scheme in spades (without using any NOP!). +Uff! By now you should be able to do the above 5 exercises in +less than 15 minutes WITHOUT USING THE DEBUGGER! Just look at the +data above and find the right answers feeling them... (you 'll +now which one are the right one checking with your debugger... +score as many points as you like for each correct answer and sip +a good Martini-Wodka... do you know that the sequence should +ALWAYS be 1) Ice cubes 2) Martini Dry 3) Wodka Moskovskaja 4) +olive 5) lemon 6) Schweppes Indian tonic? + +Let's now come to the subject of this lesson: +-----> [Xoring] (Simple encryption methods) + One easy way to encrypt data is the XOR method. XOR is a bit +manipulation instruction that can be used in order to cipher and +decipher data with the same key: + Byte to encrypt key result + FF XOR A1 5E + 5E XOR A1 FF +As you can see XOR offers a very easy way to encrypt or to +decrypt data, for instance using the following routine: + encrypt_decrypt: + mov bx, offset_where_encryption/decryption_starts + xor_loop: + mov ah, [bx] <- get current byte + xor ah, encrypt_value <- engage/disengage xor + mov [bx], ah <- back where you got it + inc bx <- ahead one byte + cmp bx, offset_start_+_size <- are we done? 
+ jle xor_loop <- no, then next cycle + ret <- back where we came from + +The encrypt_value can be always the same (fixed) or chosen at +random, for instance using INT_21, service 2Ch (get current time) +and choosing as encrypt_value the value reported in DL (but +remembering to discard the eventual value 0, coz otherwise it +would not xor anything at all!) + random_value: + mov ah,2Ch + int 21h + cmp dl,0 + je random_value + mov encrypt_value,dl + The problem with XORing (and with many other encryption +methods), is that the part of the code that calls the encryption +routine cannot be itself encrypted. You'll somewhere have, "in +clear" the encryption key. + + The protectionist do at times their best to hide the +decrypting routine, here are some common methods: + +-----> JUNK FILLING, SLIDING KEYS AND MUTATING DECRYPTORS + These are the more common protection method for the small +decryption part of the program code. This methods, originally +devised to fool signature virus scanners, have been pinched from +the polymorphic virus engines of our fellows viriwriters, and are +still in use for many simple decryption protection schemes. For +parts of the following many thanks go to the [Black Baron], it's +a real pity that so many potential good crackers dedicate so much +time to useless (and pretty repetitive) virus writing instead of +helping in our work. This said, virus studying is VERY important +for crackers coz the code of the viri is +* ULTRAPROTECTED +* TIGHT AND EFFECTIVE +* CLOAKED AND CONCEALED. + +Let's show as example of the abovementioned protection tactics +the following ultra-simple decryptor: + MOV SI,jumbled_data ;Point to the jumbled data + MOV CX,10 ;Ten bytes to decrypt +mn_loop: XOR BYTE PTR [SI],44 ;XOR (un_scramble!) a byte + INC SI ;Next byte + LOOP mn_loop ;Loop the 9 other bytes + +This small program will XOR the ten bytes at the location pointed +to by SI with the value 44. 
Providing the ten bytes were XORed +with 44 prior to running this decryptor the ten bytes will be +restored to their original state. +In this very simple case the "key" is the value 44. But there are +several tricks involving keys, the simplest one being the use of +a "sliding" key: a key that will be increased, or decreased, or +multiplied, or bit-shifted, or whatever, at every pass of the +loop. + +A possible protection can also create a true "Polymorph" +decryptor, a whole decryptor ROUTINE that looks completely +different on each generation. The trick is to pepper totally +random amounts of totally random instructions, including JUMPS +and CALLS, that DO NOT AFFECT the registers that are used for the +decryption. Also this kind of protection oft uses a different +main decryptor (possibly from a selection of pre-coded ones) and +oft alters on each generation also all the registers that the +decryptor uses, invariably making sure that the JUNK code that +it generates doesn't destroy any of the registers used by the +real decryptor! So, with these rules in mind, here is our simple +decryptor again: + + MOV DX,10 ;Real part of the decryptor! + MOV SI,1234 ;junk + AND AX,[SI+1234] ;junk + CLD ;junk + MOV DI,jumbled_data ;Real part of the decryptor! + TEST [SI+1234],BL ;junk + OR AL,CL ;junk +mn_loop: ADD SI,SI ;junk instr, but real loop! + XOR AX,1234 ;junk + XOR BYTE PTR [DI],44 ;Real part of the decryptor! + SUB SI,123 ;junk + INC DI ;Real part of the decryptor! + TEST DX,1234 ;junk + AND AL,[BP+1234] ;junk + DEC DX ;Real part of the decryptor! + NOP ;junk + XOR AX,DX ;junk + SBB AX,[SI+1234] ;junk + AND DX,DX ;Real part of the decryptor! + JNZ mn_loop ;Real part of the decryptor! + +As you should be able to see, quite a mess! But still executable +code. It is essential that any junk code generated by the +Polymorph protection is executable, as it is going to be peppered +throughout the decryptor. 
Note, in this example, that some of the +junk instructions use registers that are actually used in the +decryptor! This is fine, providing the values in these +registers aren't destroyed. Also note, that now we have random +registers and random instructions on each generation. So, a +Polymorph protection Engine can be summed up into three major +parts: + 1 .. The random number generator. + 2 .. The junk code generator. + 3 .. The decryptor generator. +There are other discrete parts but these three are the ones where +most of the work goes on! + +How does it all work? Well a good protection would +* choose a random selection of registers to use for the +decryptor and leave the remaining registers as "junk" registers +for the junk code generator. +* choose one of the compressed pre-coded decryptors. +* go into a loop generating the real decryptor, peppered with +junk code. +From the protectionist's point of view, the advantages of this +kind of method are mainly: +* the casual cracker will have to sweat to find the decryptor. +* the casual cracker will not be able to prepare a "patch" for +the lamers, unless he locates and patches the generators, (that +may be compressed) coz otherwise the decryptor will vary every +time. + +To defeat this kind of protection you need a little "zen" feeling +and a moderate knowledge of assembler language... some of the +junk instructions "feel" quite singular when you look at them +(->see lesson B). Besides, you (now) know what may be going on +and memory breakpoints will immediately trigger on decryption... +the road is open and the rest is easy (->see lessons 3-5). 
+ +-----> Starting point number magic +For example, say the encrypted code started at address 10h, the +following could be used to index this address: + MOV SI,10h ;Start address + MOV AL,[SI] ;Index from initial address +But sometimes you'll instead find something like the following, +again based on the encrypted code starting at address 10h: + + MOV DI,0BFAAh ;Indirect start address + MOV AL,[DI+4066h) ;4066h + 0BFAAh = 10010h (and FFFF = 10h)!! +The possible combinations are obviously infinite. + + +[BIG KEYS] (Complicated encryption methods) + Prime number factoring is the encryption used to protect +sensible data and very expensive applications. Obviously for few +digit keys the decoding is much easier than for, say, 129 or 250 +digit keys. Nevertheless you can crack those huge encryption too, +using distributed processing of quadratic sieve equations (which +is far superior for cracking purpose to the sequential processing +methods) in order to break the key into prime numbers. To teach +you how to do this sort of "high" cracking is a little outside +the scope of my tutorial: you'll have to write a specific short +dedicated program, linking together more or less half a thousand +PC for a couple of hours, for a 250 bit key, this kind of things +have been done quite often on Internet, were you can also find +many sites that do untangle the mysteries (and vagaries) of such +techniques. + As References I would advocate the works of Lai Xueejia, those +swiss guys can crack *everything*. Begin with the following: +Xuejia Lai, James Massey, Sean Murphy, "Markov Ciphers and + Differential Cryptanalysis", Advances in Cryptology, + Eurocrypt 1991. +Xuejia Lai, "On the Design and Security of Block Ciphers", + Institute for Signal and Information Processing, + ETH-Zentrum, Zurich, Switzerland, 1992 +Factoring and primality testing is obviously very important for +this kind of crack. The most comprehensive work I know of is: +(300 pages with lengthy bibliography!) + W. 
Bosma & M. van der Hulst + Primality Testing with Cyclotomy + Thesis, University of Amsterdam Press. +A very good old book you can incorporate in your probes to build +very effective crack programs (not only for BBS accesses :=) is +*the* "pomerance" catalog: +Pomerance, Selfridge, & Wagstaff Jr. + The pseudoprimes to 25*10^9 + Math. Comp. Vol 35 1980 pp. 1003-1026 + +Anyway... make a good search with Lykos, and visit the relevant +sites... if encryption really interests you, you'll be back in +two or three (or thirty) years and you'll resume cracking with +deeper erudite knowledge. +[PATENTED PROTECTION SYSTEMS] + The study of the patented enciphering methods is also *quite* +interesting for our aims :=) Here are some interesting patents, +if you want to walk these paths get the complete texts: + [BEST] USPat 4168396 to Best discloses a microprocessor +for executing enciphered programs. Computer programs which have +been enciphered during manufacture to deter the execution of the +programs in unauthorized computers, must be decrypted before +execution. The disclosed microprocessor deciphers and executes +an enciphered program one instruction at a time, instead of on +a continuous basis, through a combination of substitutions, +transpositions, and exclusive OR additions, in which the address +of each instruction is combined with the instruction. Each unit +may use a unique set of substitutions so that a program which can +be executed on one microprocessor cannot be run on any other +microprocessor. Further, Best cannot accommodate a mixture of +encrypted and plain text programs. + [JOHNSTONE] USPat 4120030 to Johnstone describes a +computer in which the data portion of instructions are scrambled +and in which the data is of necessity stored in a separate +memory. There is no disclosure of operating with instructions +which are completely encrypted with both the operation code and +the data address portion being unreadable without a corresponding +key kernel. 
+ [TWINPROGS] USPat 4183085 describes a technique for +protecting software by providing two separate program storages. +The first program storage is a secure storage and the second +program storage is a free storage. Security logic is provided to +check whether an output instruction has originated in the secure +store and to prevent operation of an output unit which receives +output instructions from the free storage. This makes it +difficult to produce information by loading a program into free +storage. + [AUTHENTICATOR] USPat 3996449 entitled "Operating System +Authenticator," discloses a technique for authenticating the +validity of a plain text program read into a computer, by +exclusive OR'ing the plain text of the program with a key to +generate a code word which must be a standard recognizable code +word which is successfully compared with a standard corresponding +code word stored in the computer. If there is a successful +compare, then the plain text program is considered to be +authenticated and is allowed to run, otherwise the program +is not allowed to run. + +ELEMENTS OF [PGP] CRACKING +In order to try to crack PGP, you need to understand how these +public/private keys systems work. Cracking PGP seems extremely +difficult, though... I have a special dedicated "attack" computer +that runs 24 hours on 24 only to this aim and yet have only begun +to see the light at the famous other end of the tunnel. It's +hard, but good crackers never resign! We'll see... I publish here +the following only in the hope that somebody else will one day +be able to help... +In the public key cryptosystems, like PGP, each user has an +associated encryption key E=(e,n) and decryption key D=(d,n), +wherein the encryption keys for all users are available in a +public file, while the decryption keys for the users are only +known to the respective users. 
In order to maintain a high level +of security a user's decoding key is not determinable in a +practical manner from that user's encoding (public) key. Normally +in such systems, since + e.multidot.d.ident.1 (mod(1 cm((p-1),(q-1)))), +(where "1 cm((p-1),(q-1))" is the least common multiple of the +numbers p-1 and q-1) + +d can be determined from e provided p and q are also known. +Accordingly, the security of the system is dependent upon the +ability to determine p and q which are the prime factors of n. +By selecting p and q to be large primes, the resultant composite +number n is also large, and correspondingly difficult to factor. +For example, using known computer-implemented factorization +methods, on the order of 10.sup.9 years is required to factor a +200 digit long number. Thus, as a practical matter, although a +user's encryption key E=(e,n) is public, the prime factors p and +q of n are effectively hidden from anyone due to the enormous +difficulty in factoring n. These aspects are described more fully +in the abundant publications on digital signatures and Public-Key +Cryptosystems. Most public/private systems relies on a message- +digest algorithm. + A message-digest algorithm maps a message of arbitrary length +to a "digest" of fixed length, and has three properties: +Computing the digest is easy, finding a message with a given +digest "inversion" is hard, and finding two messages with the +same digest "collision" is also hard. Message-digest algorithms +have many applications, not only digital signatures and message +authentication. RSA Data Security's MD5 message-digest algorithm, +developed by Ron Rivest, maps a message to a 128-bit message +digest. Computing the digest of a one-megabyte message takes as +little as a second. While no message-digest algorithm can yet +be secure, MD5 is believed to be at least as good as any other +that maps to a 128-bit digest. 
+ As a final gift, I'll tell you that PGP relies on MD5 for a +secure one-way hash function. For PGP this is troublesome, to say +the least, coz an approximate relation exists between any four +consecutive additive constants. This means that one of the design +principles behind MD4 (and MD5), namely to design a collision +resistant function, is not satisfied. You can construct two +chaining variables (that only differ in the most significant bit +of every word) and a single message block that yield the same +hashcode. The attack takes a few minutes on a PC. From here you +should start, as I did. + +[DOS 4GW] cracking - This is only a very provisory part of this +tutorial. DOS 4GW cracking will be much better described as soon +as [Lost soul] sends his stuff, if he ever does. For (parts of) +the following I thank [The Interrupt]. + Most applications of every OS, and also of DOS 4GW, are +written in C language, coz as you'll have already learned or, +either, you'll learn, only C allows you to get the "guts" of a +program, almost approaching the effectiveness of assembler +language. + C is therefore the LANGUAGE OF CHOICE for crackers, when you +prepare your tools and do not directly use assembler routines. +Besides... you'll be able to find VERY GOOD books about C for +next to nothing in the second hand bookshops. All the lusers are +throwing money away in spades buying huge, coloured and +absolutely useless books on unproductive "bloated" languages like +Visual basic, C++ and Delphy. Good C new books are now rare +(books on assembler language have always been) and can be found +almost exclusively on the second hand market. Find them, buy +them, read them, use them for your/our aims. You can find a lot +of C tutorials and of C material on the Web, by all means DO IT! +Be a conscientious cracker... learn C! 
It's cheap, lean, mean and +very productive (and creative) :=) + Back to the point: most stuff is written in C and therefore +you need to find the "main" sub-routine inside the asm. With +DOS/4GW programs, search the exe file for "90 90 90 90", almost +always it'll be at the start of the compiled code. Now search for +an INT_21 executed with 4C in AH, the exec to dos code (if you +cannot "BPINT 21 AH=4C" with your tool, then search for the +sequence "b4 4c cd 21". This is the equivalent to [mov AH,4C & +int 21]: it's the most direct call, but as you'll have already +learned, there are half a dozen ways to put 4C in AX, try them +all in the order of their frequency). + A few bytes above the INT_21 service 4C, you'll find the +call to the "main" subroutine: "E8 xx xx". Now place a "CC" byte +a few bytes above the call in the exe and run the exe under a +debugger. When the computer tries to execute the instruction +you'll be throw back in the debugger coz the "CC" byte acts as +INT_01 instruction. Then proceed as usual. + +[THE "STEGONATED" PASSWORD HIDEOUT] + A last, very nice trick should be explained to every wannabe +cracker, coz it would be embarrassing to search for passwords or +protection routines that (apparently) are not there. They may be +hidden INSIDE a picture (or a *.waw file for that matter). This +is steganography, a method of disguising messages within other +media. + Depending on how many shades of grey or hues of colour you want +to have, a pixel can be expressed using 8. 16, 32 or even more +bits. If the least significant bit is changed. the shade of the +pixel is altered only one-256th, one-65,OOOth or even less. No +human eye could tell the difference. + What the protectionist does, is hijack the least significant +bit in each pixel of a picture. It uses that bit to store one bit +of a protection, or of a password (or of a file, or of a secret +message). 
Because digitized pictures have lots of pixels, it's +possible to store lots of data in a single picture. A simple +algorithm will transfer them to the relevant parts of the program +when it needs be, and there we'll intercept them. You'll need to +learn very well the zen-cracking techniques to smell this kind +of stuff though (-> see lesson B). + +Well, that's it for this lesson, reader. Not all lessons of my +tutorial are on the Web. + + You 'll obtain the OTHER missing lessons IF AND ONLY IF you +mail me back (via anon.penet.fi) with some tricks of the trade +I may not know that YOU discovered. Mostly I'll actually know +them already, but if they are really new you'll be given full +credit, and even if they are not, should I judge that you +"rediscovered" them with your work, or that you actually did good +work on them, I'll send you the remaining lessons nevertheless. +Your suggestions and critics on the whole crap I wrote are also +welcomed. + +an526164@anon.penet.fi (+ORC) + diff --git a/textfiles.com/piracy/CRACKING/howto8a.txt b/textfiles.com/piracy/CRACKING/howto8a.txt new file mode 100644 index 00000000..907e207f --- /dev/null +++ b/textfiles.com/piracy/CRACKING/howto8a.txt 
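Review bot: two technical claims in this hunk are wrong or overstated and deserve an annotation before the file is cited as reference material. In the DOS/4GW paragraph, "the "CC" byte acts as INT_01 instruction" is incorrect: opcode CC is INT 3, the breakpoint interrupt, while INT 1 is the single-step/debug trap; the next file in this patch (lesson 8.1) states it correctly ("The 1-byte op code xCC is the INT_03 instruction"). In the PGP/MD5 paragraph, the described result (two chaining variables differing only in the most significant bit of every word plus a single message block yielding the same hashcode) is a pseudo-collision of the compression function with attacker-chosen initial values; it does not give two messages that collide under MD5's fixed IV, so the conclusion that PGP's reliance on MD5 is "troublesome" does not follow from it. Finally, "e.multidot.d.ident.1 (mod(1 cm((p-1),(q-1))))" and "10.sup.9" are patent-text markup for e*d = 1 (mod lcm(p-1, q-1)) and 10^9 respectively; a one-line note to that effect would keep readers from discarding the passage as garbage.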
@@ -0,0 +1,325 @@ + +HOW TO CRACK, by +ORC, A TUTORIAL + +Lesson 8.1: How to crack Windows, an approach + +-------------------------------------------------------- + SPECIAL NOTE: Please excuse the somehow "unshaven" + character of the windows lessons... I'm cracking the + newest Windows '95 applications right now, therefore + at times I had to add "on the fly" some corrections to + the older Windows 3.1 and Windows NT findings. + "homines, dum docent, discunt". +--------------------------------------------------------- + +-> 1st THING TO REMEMBER +The NE format does give every windows executable the equivalent +of a debug symbol table: A CRACKER BLISS! + +-> UNDOCUMENTED DEBUGGING +One of the many feature of Windows based on undocumented +foundations is the "ability to debug". +A word about undocumented functions in the MS-Operating Systems: +Microsoft manipulates its rule and domination of the operating +systems in use to day (MS-DOS, Windows, Windows '95) with two +main wicked aims: +1) getting the concurrence completely bankrupt (that's the + scope of all the using of undocumented functions and + CHANGING them as soon as the concurrence uses them). The + battle against Borland was fought in this way. +2) getting all future "programmers" to use windows as a "black + box" that only Microsoft engineers (if ever) can master, so + that everybody will have to sip the ill-cooked abominations + from Microsoft without ever having a chance to alter or + ameliorate them. +Strange as it may seem, only the sublime cracker community fights +against these intolerable plans. All stupid governments and +lobbies -on the contrary- hide behind the fig-leaf of the +"market" "freedom" in order to ALLOW such heinous developments +(I'm speaking as if they were capable to opposing them even if +they wanted, which they do not. Be assured, they couldn't anyway, +"Governments" are deliberately MADE to serve Gates and all the +remaining suckers, and lobbies are the shield of feudalism. 
You +can forget "democracy", the only rule existing is a malevolent +oligarchy based on money, personal connections, defect of +culture, lack of knowledge and dictatorship of bad taste through +television in order to keep the slaves tamed... enough now...) +The windows situation is particularly reminiscent of the older +situation in DOS, where for years the key "load but don't +execute" function, used by debuggers, such as [DEBUG], [SYMDEB] +and [CODEVIEW], was "reserved" by Microsoft. + The windows debugging library, WINDEBUG.DLL, a number of +undocumented functions and even the interface it provides are +undocumented! The WinDebug() function is used by all available +windows debuggers, including [CVW] (CodeView for Windows), [TDW] +(TurboDebugger for Windows), [Multiscope] and [Quick C for +Windows] (the last two are GUI, not text debuggers. The use of +WinDebug() doesn't show up in MAPWIN output 'coz debuggers link +to it at run-time via the amazing GetProcAddress() function. + WinDebug() is a hacked 32-bit version, for the old Windows +3.0, of the poorly documented DOSPTrace() function from OS/2 1.x +(study these older Operating Systems! Studying the past you'll +understand EVERYTHING! Sometime I think that the only way to hack +and crack correctly is to be more a software historian than a +programmer... fac sapias et liber eris!). DOSPTrace is, in turn, +based on the ptrace() function in Unix. + Like DosPTrace(), WinDebug() takes commands such as Go, +Single-Step, Write&Read Registers, Write&Read Memory. It returns +to its caller either when the command completes or when a +breakpoint occurs (or a DLL load). These commands and +notifications appear in a large structure whose address is passed +in WinDebug(). + WinDebug() was renamed CVWIN.DLL (and TDWIN.DLL) for Windows +3.1., all crackers should study it and get the maximum possible +documentation about it. 
As you will see in the following, it is +worth to study also TOOLHELP.DLL (what Microsoft would like you +to fiddle with) and INT_41h (the real debugging interface). + +Interrupt handling under Windows + Interrupt handling under Windows can be tricky: you need to +use Toolhelp (a rather scaring lobotomy for your programs) or to +have special code for Standard vs. Enhanced modes, because the +information on the stack of an interrupt or exception handler +differs between the two windows modes. In addition, some handlers +would be installed using INT_21h, while others are set up using +DPMI services. Toolhelp has quite a bit of internal code that +"cooks" the interrupts and sends them to you in an easily +digestible form. + Remember that Windows uses GP faults as a "hacker" method +of doing ring transitions that are not allowed with legal 80x86 +instructions: the virtual memory system of Enhanced mode is +implemented via the page fault. + +Some tools for cracking windows (-> see lesson 9) +----------------- DEBUGGERS +CVW and TDW (you have to know the function's + segment:offset address beforehand in order + to crack a function) +WCB [Windows Codeback] by Leslie Pusztai (it's + a really cool tool!) +WDEB386 Microsoft's WDEB386 (clumsy, and requires a + second monitor) +Soft-Ice/Windows best (BY FAR!) windows debugger! NuMega is + so good I am at times really sorry to crack + their products! [WINICE] is the single, + absolutely essential debugger and snooping + utility for windows crackers. Get it! + +----------------- POST MORTEM INSPECTORS +CORONER, etc. (a lot of shareware) +MS-DrWatson Old and clumsy +Borland's Winspector THE BEST! It has the BUILDSYM utility + that allows the creation of a debug + .SYM file from an .EXE without debug + information. 
+ + +----------------- INSPECTORS +MS-Spy Old +Borland's WinSight (Best one, select "Other") +MicroQuill's Windows DeMystifiers (from Jeff Richter): + VOYEUR (hold SHIFT picking Message Selection), COLONEL, + MECHANIC and ECOLOGIST + +----------------- SNOOPERS +[INFSPY.EXE], 231.424 bytes, version 2.05 28/8/1994 by Dean +Software Design, may be the more complete one. +[SUPERSPY.EXE], 24.576 bytes, 10,6,1994, quite handy for quick +informations. +[WINVIEW.EXE], 30.832 bytes, Version 3.00 by Scott McCraw, MS(c) +1990-1992, this is the old MS-Spy, distributed by MS +[TPWSPY.EXE], 9.472 bytes, quite primitive, but you get the +pascal source code with it. + + +-> INSIDE A WINDOWS '95 DEBUGGER + You can debug a program at the assembly-language level +without any debugging information. The DOS [DEBUG] program does +that, allowing breakpoints and single-stepping, all of which +implies that the hardware must be cooperating. Back in the time +of the 4-MHz Z-80s, you used a debugger that plugged interrupt +op codes into the instruction stream to generate breakpoints. + Nothing has changed. That's how you debug a program on a +80586 (=Pentium). The x86 architecture includes software +interrupts. The 1-byte op code xCC is the INT_03 instruction, +reserved for debuggers. You can put the INT_03 op code in place +of the program instruction op code where the break is to occur +and replace the original op code at the time of the interrupt. +In the 80386 and later, you can set a register flag that tells +the processor to generate a not-intrusive INT_01 instruction for +every machine instruction executed. That device supports single +stepping. + The Win32SDK (Windows '95 software developer's kit) includes +functions that allow one program to launch another program and +debug it. The SDK's debug API takes care of how the interrupts +and interrupt vectors get managed. 
The logical consequence of +such an approach is that fewer and fewer people will be able to +know what's going on inside an application. The bulk of the +programmers -in few years time- will not be able any more to +reverse engineer an application, unless the few that will still +understand assembler-language do offer them the tools to do it. +Microsoft -it is evident- would like the programmers to use a +"black box" approach to programming, writing nice little "hallo +world" application and leaving to the engineers in Microsoft +alone the capacity to push forward (and sell) real programs that +are not toy application. + The Win32 documentation seems vast, almost luxurious, until +you begin serious work and you discover its shortcomings, like +the fact that extended error codes are not documented, and +numerous APIs are documented either incorrectly or so poorly that +you must burn precious time testing them. What we definitely need +is to find some secret fellows inside Microsoft (like good old +Prometeus) that smuggles to the outside the real documentation +that the Microsoft engineers have reserved for themselves. If you +are reading this and do work for Microsoft, consider the +possibility of double-crossing your masters for the sake of +humanity and smuggle us the secret information. + In windows '95 a debugger program launches a program to be +debugged by calling the _CreateProcess function, specifying in +an argument that the program is to be debugged. Then the debugger +program enters a loop to run the program. At the top of the loop +the debugger calls _WaitForDebugEvent. + Each time _WaitForDebugEvent returns it sets indicators that +tell about the vent that suspended the program being debugged. +This is where the debugger traps breakpoints and single-step +exceptions. _WaitForDebugEvent fills in an event structure that +contains among other things the address that was interrupted end +the event that caused the interrupt. 
+ The debugger calls _GetThreadContext to get the running +context of the debugged program, including the contents of the +registers. The debugger can, as the result of cracker +interaction, modify these values and the contents of the debugged +program's memory. + The debugger sets breakpoints by saving the op code at the +instruction to be intercepted and putting the INT_03 op code at +its place, it's always the same old marmalade. When the +breakpoint occurs, the debugger replaces the original op code in +the program's instruction memory, and decrements the interrupted +program counter in the saved context so that execution resumes +at the instruction that was broken. + To single-step a program, the debugger sets a bit in the +context's flags register that tells the processor to generate an +INT_01 for every instruction cycle. When that interrupt occurs, +the debugger checks to see if the interrupted address is at a new +source-code line number. If not, the debugger continues +execution. Otherwise, the debugger displays the new line in the +IDE and waits for the cracker to take an action that resumes the +program. + While the debugged program is suspended, the debugger +interacts with the cracker and provides full access to the +debugged program's context and memory. This access permits the +cracker to examine and modify part of the code. + To resume the debugged program, the debugger resets the +program's context by calling _SetThreadContext and calls +_ContinueDebugEvent. Then, the debugger returns to the top of the +loop to call _WaitForDebugEvent again. + To extract debug information from a Win32 executable file, +you must understand the format of that file (best thing to do, +to practice yourself, would be to reverse engineer small +programs). The executable file has two sections not found in +other executable files: ".stab" and ".stabstr". How nice that +they used names that suggest their purpose (nomen est omen). 
+You'll find them inside a table of fixed-length entries that +include entries for .text, .bss, .data and .idata. Inside these +sections the compilers put different parts of a program. + There are several different formats for encoding debug +information in an executable file. Borland's Turbo Debugger one +format. Microsoft's CodeView another. The gnu-win32 port from +Cygnus the stab format, an acronym meaning "symbol table", +although the table contains much more than just symbol +information. + The .stab section in a portable executable file is a table +of fixed-length entries that represent debugging information in +the stab format. The .stabstr section contains variable-length, +null terminated strings into which the .stab table entries point. + The documentation for the stab format is available in text +format on the Cygnus ftp site (ftp.cygnus.com//pub/gnu-win32). + Stabs contain, in a most cryptic format, the names and +characteristics of all intrinsic and user-defined types, the +memory address of every symbol in external memory and on the +stack, the program counter address of every function, the program +counter address where every brace-surrounded statement block +starts and ends, the memory address of line numbers within +source-code files, and anything else that a debugger needs. The +format is complex and cryptic because it is intended to support +any source-code language. It is the responsibility of a debugger +program to translate the stab entries into something meaningful +to the debugger in the language being debugged. + + Windows '95 invokes dozens of INT_21 services from 32-bit +code, including KERNEL32.DLL and possess Krn32Mutex, which +apparently controls access to certain parts of the kernel. Some +of the functions in KERNEL32 can be blocked by the Win16Mutex, +even though Microsoft says this isn't the case. + +SO, I WANNA CRACK, WHAT SHOULD I DO? 
+ I'll show you a simple windows crack, so easy it can be done +without WINICE: let's take [WINPGP4.1.] (front-end for PGPing in +windows, by Geib - I must thank "Q" for the idea to work on this +crack). + Using WCB you'll find out quickly that the "CONGRATULATIONS +your registration number is OK" and the "SORRY, your registration +number is not correct" data blocks are at the block starting at +36.38B8 (respectively at 36.38D5 and 36.3937), that relocs to +13.081B. + Looking at 13.0000 and following code, you'll find a push +38D5 (68D538) and a push 3937 (683739) at 13.064D and 13.06AE. + The road to the crack is now open, you just need to find and +"fool" the calling routines. You'll learn the exact procedures +for this kind of WINcracks in part 2 and 3 of -> Lesson 8. Let's +now have a look at the protection scheme (disassembly from WCB): +... +13.0E88 660FBF46F8 movsx eax, word ptr [bp-08] +13.0E8D 668946F4 mov [bp-0C], eax +13.0E91 668B46F4 mov eax, [bp-0C] +13.0E95 6669C00A000300 imul eax, 0003000A +13.0E9C 668946F0 mov [bp-10], eax +13.0EA0 668B4606 mov eax, [bp+06] +13.0EA4 663B46F0 cmp eax, [bp-10] +13.0EA8 7505 jne 0EAF <- beggar_off +13.0EAA B80100 mov ax, 0001 <- flag 1 = "Right!" +13.0EAD EB04 jmp 0EB3 <- and go on +beggar_off: +13.0EAF 33C0 xor ax,ax <- flag 0 = "Nope!" +13.0EB1 EB00 jmp 0EB3 <- and go on + + I want you to have a good look at this protection scheme. +IT'S THE SAME OLD SOUP! You do remember lesson 3 and the +protection schemes of the old DOS stupid games of the '80s, don't +you? IT'S THE SAME OLD SOUP! In this "up-to-date" "new" windows +application, in WINPGP version 4.1 of 1995/1996, exactly the same +kind of protection is used to "conceal" the password! +A) compare user input with memory echo +B) beggar off if not equal with AX=0 +C) go on if equal with AX=1... how boring! + Besides, look at all the mov eax, and eax, moves preceding +the compare! That's a typical pattern for these "number_password" +protections! 
I wrote (years ago) a little crack utility that +searches for code blocks with a "66" as first instruction_byte +repeating in four or more consecutive instructions and it still +allows me to crack more than half of these windows password smuts +in less than three seconds flat. The IMUL instruction creates the +"magic" number, and if you give a closer look at the mathematical +part of the "conceal" routine, it could help you to crack +analogous schemes used in order to protect the "Instant access" +(c) & (tm) time_crippled software :=) + Now you could crack the above code in 101 different ways, +the most elegant one would probably substitute je 0EAF (or jZ +0EAF, that's the same) to the jne 0EAF at 13.0EA8. You just write +a 74 at the place of the 75, like you did for the cracks in +1978... how boring: it's really the same old soup! (But you'll +see some new tricks in the next lessons). + +Well, that's it for this lesson, reader. Not all lessons of my +tutorial are on the Web. + You 'll obtain the missing lessons IF AND ONLY IF you mail +me back (via anon.penet.fi) with some tricks of the trade I may +not know that YOU discovered. Mostly I'll actually know them +already, but if they are really new you'll be given full credit, +and even if they are not, should I judge that you "rediscovered" +them with your work, or that you actually did good work on them, +I'll send you the remaining lessons nevertheless. Your +suggestions and critics on the whole crap I wrote are also +welcomed. + ++ORC 526164@anon.penet.fi diff --git a/textfiles.com/piracy/CRACKING/howto8b.txt b/textfiles.com/piracy/CRACKING/howto8b.txt new file mode 100644 index 00000000..9ff00640 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/howto8b.txt 
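Review bot: the Win32 debug-information section of this hunk contradicts itself. It first says the executable "has two sections not found in other executable files: ".stab" and ".stabstr"", then correctly attributes the stab format to the Cygnus gnu-win32 toolchain and notes that Borland and Microsoft use their own formats; .stab/.stabstr appear only in gcc-built PE images, so the first sentence needs that qualification. A smaller accuracy point: single-stepping is driven by the trap flag in EFLAGS, which makes the processor raise the INT 1 debug trap after each instruction, not by "generating an INT_01 instruction" as the text puts it. The WINPGP listing is a useful defensive illustration and the note should say so: the accept/reject decision is one conditional branch (jne at 13.0EA8, bytes 75 versus 74) sitting directly between the imul that derives the expected value and the "flag 1 = Right!" assignment, which is exactly why a single inline compare-and-branch next to the success and failure strings is weak validation. Also, the sign-off here reads "526164@anon.penet.fi" while the previous file in the patch has "an526164@anon.penet.fi"; if the dropped "an" is a transcription error in the archived copy it is worth recording, since these archives are otherwise kept verbatim.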
@@ -0,0 +1,448 @@ + +HOW TO CRACK, by +ORC, A TUTORIAL + +Lesson 8.2: How to crack Windows, a deeper approach + +--------------------------------------------------------- + SPECIAL NOTE: Please excuse the somehow "unshaven" + character of the windows lessons... I'm cracking the + newest Windows '95 applications right now, therefore + at times I had to add "on the fly" some corrections to + the older Windows 3.1 and Windows NT findings. + "homines, dum docent, discunt". +--------------------------------------------------------- + +-> 1st THING TO REMEMBER +If you thought that DOS was a mess, please notice that windows +3.1 is a ghastly chaos, and windows 95 a gruesome nightmare of +ill-cooked spaghetti code. Old Basic "GOTO" abominations were +quite elegant in comparison with this concoction... One thing is +sure: This OS will not last... it's way too messy organised, +impossible to consolidate, slow and neurotic (but I must warn +you... I thought exactly the same things about DOS in 1981). + The most striking thing about windows 95 is that it is neither +meat not fish: neither 16 nor 32... you could call it a "24 bit" +operating system. + We'll never damage Microsoft interests enough to compensate for +this moronic situation... where you have to wait three minutes +to get on screen a wordprocessor that older OS (and even old DOS) +kick up in 5 seconds. I decide therefore, hic et nunc, to add an +ADDENDUM to this tutorial: Addendum 1 will be dedicated to teach +everybody how to crack ALL Microsoft programs that do exist on +this planet. I'll write it this sommer and give it away between +the "allowed" lessons. + Anyway you can rely on good WINICE to crack everything, you'll +find it on the web for free, I use version 1.95, cracked by [The +Lexicon] (do not bother me for Warez, learn how to use the search +engines on the web and fish them out yourself). Learn how to use +this tool... read the whole manual! 
Resist the temptation to +crack immediatly everything in sight... you 'll regret pretty +soon that you did not wanted to learn how to use it properly. +A little tip: as Winice is intended more for software developers +than for crackers, we have to adapt it a little to our purposes, +in order to make it even more effective: a good idea is to have +in the *.DAT initialization file following lines: + INIT = "CODE ON; watchd es:di; watchd ds:si;" + TRA = 92 +This way you'll always have the hexadecimal notation on, two very +useful watch windows for passwords deprotection and enough buffer +for your traces. + +WINDOWS 3.1. basic cracking: [ALGEBRAIC PROTECTIONS] + The most used windows protections are "registration codes", +these must follow a special pattern: have a "-" or a "+" in a +predetermined position, have a particular number in particular +position... and so on. +For the program [SHEZ], for instance, the pattern is to have a +14 bytes long alphanumeric sequence containing CDCE1357 in the +first 8 bytes. + The second level of protection is to "connect" such a +pattern to the alphanumeric contents of the NAME of the user... +every user name will give a different "access key". This is the +most commonly used system. + As most of these protections have a "-" inside the answering +code, you do not need to go through the normal cracking procedure +(described in the next lesson): +* load WINICE +* hwnd [name_of_the_crackanda_module] +* choose the window Handle of the snap, i.e, the exact + "FIELD" where the code number input arrives... say 091C(2) +* BMSG 091C WM_GETTEXT +* Run anew +* Look at the memory location(s) +* Do the same for the "Username" input FIELD. (Sometimes + linked, sometimes not, does not change much, though) +* BPR (eventually with TRACE) on the memory locations (these + will be most of the time FOUR: two NUMBERCODES and two + USERNAMES). The two "mirrored" ones are the most important + for your crack. 
At times there will be a "5th" location, + where the algebraic play will go on... +* Look at the code that performs algebraic manipulations on + these locations and understand what it does... +* Disable the routine or jump over it, or reverse it, or + defeat it with your own code... there are thousand + possibilities... +* Reassemble everything. + +Uff... quite a long cracking work just to crack some miserable +program... isn'there a quicker way? OF COURSE THERE IS! Actually +there are quite a lot of them (see also the crack of Wincat Pro +below): Look at the following code (taken from SNAP32, a screen +capture utility for Windows 95, that uses a pretty recent +protection scheme): + + XOR EBX,EBX ; make sure EBX is zeroed + MOV BL, [ESI] ; load input char in BL + INC ESI ; point at the next character + MOV EDI,EBX ; save the input character in EDI + CMP EBX,+2D ; input char is a "-" ? + JZ ok_it's_a_+_or_a_- + CMP EBX,+2B ; input char is a "+" ? + JNZ Jesus_it's_neither_a_minus_nor_a_plus_let's_check_it +:ok_it's_a_+_or_a_- + XOR EBX,EBX ; EBX is zeroed + MOV BL,[ESI] ; recharge BL + INC ESI ; point to next char (do not check - or +) +:Jesus_it's_neither_a_minus_nor_a_plus_let's_check_it + XOR EBP,EBP ; zero EBP + CMP DWORD PTR [boguschecker], +01 + ... + +even if you did not read all my precedent lessons, you do not +need much more explications... this is a part of the algebraic +check_procedure inside the SNAP32 module... you could also get +here through the usual + USER!BOZOSLIVEHERE + KERNEL!HMEMCPY + USER!GLOBALGETATOMNAME +Windows wretched and detestable APIs used for copy protections, +as usual with WINICE cracking, and as described elsewhere in my +tutorial. + The above code is the part of the routine that checks for the +presence of a "+" or a "-" inside the registration number (many +protections scheme requires them at a given position, other need +to jump over them). 
+ Now sit down, make yourself comfortable and sip a good Martini- +Wodka (invariably very useful in order to crack... but be aware +that only Moskowskaia russian Wodka and a correct "Tumball" glass +will do, do not forget the lemon)... what does this "-" stuff +mean for us little crackers? + It means that we can search directly for the CMP EBX,+2B +sequence inside any file protected with these schemes... and +we'll land smack in the middle of the protection scheme! That's +amazing... but you will never underrate enough the commercial +programmers... the only really amazing thing is how simpleton the +protectionists are! You don't believe me? Try it... you 'll get +your crack at least 4 out of 5 times. + Yes I know, to find this code is not yet to crack it... but for +this kind of copy protection (that's the reason it is so +widespread) there is no single solution... each makes a slightly +different algebraic manipulation of the alphanumeric and of the +numeric data. It's up to you to crack the various schemes... here +you can only learn how to find them and circumvene them. I'll not +give you therefore a "debug" crack solution. You'll find it +yourself using my indications (see the crack of the Wincat Pro +program below). + +WHERE ARE THE CODES? WHERE ARE THE MODIFIED FILES? WHERE DO THE +PROTECTIONS KEEP COUNT OF THE PASSING DAYS? +Most of the time the protection schemes use their own *.ini files +in the c:\WINDOWS directory for registration purposes... at time +they even use the "garbage sammler" win.ini file. Let's take as +example WINZIP (versions 5 and 5.5), a very widespread program, +you'll surely have one shareware copy of it somewhere between +your files. + In theory, winzip should be registered per post, in order to +get a "NEW" copy of it, a "registered" copy. + This scares most newby crackers, since if the copy you have +it's not full, there is no way to crack it and make it work, +unless you get the REAL stuff. 
The youngest among us do not +realize that the production of a real "downsized" demo copy is +a very expensive nightmare for the money-infatuated commercial +programmers, and that therefore almost nobody really does it... +nearly all "demos" and "trywares" are therefore CRIPPLED COMPLETE +PROGRAMS, and not "downsized" demos, regardless of what the +programmers and the protectionists have written inside them. + Back to Winzip... all you need, to crack winzip, is to add a +few lines inside the win.ini file, under the heading [WinZip], +that has already been created with the demo version, before the +line with "version=5.0". + I will not help you any further with this... I'll leave it to +you to experiment with the correct sequences... inside win.ini +you must have the following sequence (this is only a template to +substitute for your tries inside WINICE... you'll get it, believe +me): + [WinZip] + name=Azert Qwerty + sn=######## + version=5.5 + + The *important* thing is that this means that you DO NOT NEED +to have a "new registered version" shipped to you in order to +make it work, as the protectionist sellers would like you to +believe. The same applies most of the time... never believe what +you read in the read.me or in the registration files... + This brings me to a broader question: NEVER believe the +information they give you... never believe what television and/or +newspapers tell you... you can be sure that the only reason they +are telling you something is to keep you from reading or +understanding something else... this stupid_slaves_society can only +subsist if nobody thinks... if you are really interested in what +is going on, real information can be gathered, but surely not +through the "conventional" newspapers and/or news_agencies (and +definitely NEVER through television, that's really only for the +stupid slaves)... yes, some bits of information can be +(laboriously) gathered... it's a cracking work, though.
+ +HOW TO CRACK INFORMATION [WHERE WHAT] +* INTERNET + In the middle of the largest junk collection of the planet, some +real information can be laboriously gathered if you learn how +to use the search engines well (or if you build your own... +my spiders are doing most of the work for me... get your robots +templates from "Harvest" or "Verify" and start your "spider +building" activity beginning from Martijn Koster's page). As +usual in our society, in the Internet the real point is exactly +the same point you'll have to confront all your life long: HOW +TO THROW AWAY TONS OF JUNK, HOW TO SET ASIDE MYRIADS OF USELESS +INFORMATION and HOW TO FISH RARE USEFUL INFORMATION, a very +difficult art to learn per se. Internet offers some information, +though, mainly BECAUSE it's (still) unregulated. You want a +proof? You are reading it. + +* SOME (RARE) NEWSPAPERS. + The newspapers of the real enemies, the economic powers that +rule this slaves' world, are paradoxically most of the time the +only ones worth studying... somewhere even the real rulers have +to pass each other some bits of real information. The "Neue +Zuercher Zeitung", a newspaper of the Swiss industrialists from +Zuerich, is possibly the best "not_conformist trend analyzer" +around that you can easily find (even on the web). These +swissuckers do not give a shit for ideology, nor preconceived +petty ideas, the only thing they really want is to sell +everywhere their ubiquitous watches and their chocolates... in +order to do it, a land like Switzerland, with very high salaries +and a good (and expensive) social system, must use something +brilliant... they found it: a clear vision of the world... as a +consequence this newspaper is very often "against" the trend of +all the other media in the world, the ones that are used only +in order to tame the slaves... If the only language you know is +English (poor guy) you could try your luck with the weekly +"Economist"...
you'll have to work a lot with it, coz it has been +tailored for the "new rich" of the Thatcher disaster, but you +can (at times) fish something out of it... they do a lot of +idiotic propaganda, but are nevertheless compelled to write some +truth. American newspapers (at least the ones you can get here +in Europe) are absolute shit... one wonders where the hell the +Americans hide the real information. + On the "non-capitalistic" side of information there is a +Spanish newspaper "El Pais" that seems to know about what's going +on in South America, but it's so full of useless propaganda about +irrelevant Spanish politics that it's not really worth reading. +The monthly "Le Monde diplomatique" offers something too... this +one exaggerates a little on the pauperistic "third world" side, +but has a lot of useful information. See what you can do with all +this information (or disinformation?) + +[BELIEVE THE CONTRARY] + Another good rule of thumb in choosing your media is the +following... if all media around you assure, for instance, that +"the Serbians are evil"... the only logical consequence is that +the Serbians are not so evil at all and that "the Croats" or some +other Yugoslavian shits are the real culprits. This does not mean +at all that the Serbians are good, I warn you, it means only what +I say: something is surely hidden behind the concerted propaganda +you hear, the best reaction is to exaggerate in the other +direction and believe the few bits of information that do say the +contrary of the trend. This rule of thumb may be puerile, but +it works somehow most of the time... if somewhere everybody +writes that the commies are bad then THERE the commies must not +be so bad at all and, conversely, if everybody in another place +writes that the commies are all good and nice and perfect (like +the Soviet propaganda did) then THERE the commies are surely not +so good... it's a matter of perspective, much depends on where +you are, i.e.
whose interests are really at stake. There is NEVER +real information in this society, only propaganda... if you still +do not believe me do a little experiment... just read +the media description of a past event (say the Vietnam war) as +written AT THE MOMENT of the event and (say) as described 10 +years later. You'll quickly realize how untrustworthy all +newspapers and media are. + +* SEMIOTICS You'll have to study it (as soon as you can) to +interpret what they let you believe, in order to get your +bearings. A passing knowledge of ancient RHETORIC can help quite +a lot. Rhetoric is the "Softice" debugger you need to read +through the propaganda media: concentrate on Periphrasis, +Synecdoche, Antonomasia, Emphasis, Litotes and Hyperbole at the +beginning... you'll later crack higher with Annominatio, +Polyptoton, Isocolon and all the other lovely "figurae +sententiae". + +Enough, back to software cracking. + +HOW A REGISTRATION CODE WORKS [WINCAT] + Let's take as an example for the next crack a Username- +algebraic registration code, WINCAT Pro, version 3.4, a 1994 +shareware program by Mart Heubel. It's a good program, pretty +useful to catalogue the millions of files that you have on all +your cd-roms (and to find them when you need them). +The kind of protection Wincat Pro uses is the most widely used +around: the username string is manipulated with particular +algorithms, and the registration key is made "ad hoc" and +depends on the name_string. It's a protection incredibly easy to +crack when you learn how the relevant procedures work. + [WINCAT Pro] is a good choice for cracking studies, coz you +can register "over your registration" one thousand times, and you +can therefore try for this crack different user_names to see all +the algebraic correspondences you may need to understand the +protection code.
+ In this program, when you select the option "register", you +get a window where you can input your name and your registration +number (that's what you would get, emailed, after registering +your copy). If you load winice and do your routine hwnd to +identify the nag window, and then breakpoint on the +appropriate memory ranges you'll peep into the workings of the whole +bazaar (this is completely useless in order to crack these +schemes, but it'll teach you a lot for higher cracking, so you +had better do it also with two or three other programs, even if it +is a little boring): a series of routines act on the input (the +name) of the user: the User_name_string (usn). First of all the +usn_length will be calculated (with a REPNZ SCASB and a following +STOSB). Then various routines store and move in memory the usn +and the registration_number (rn) and their respective lengths. In +order to compare their lengths and to check the correct +alphanumeric correspondence between usn and rn, the program first +uppercases the usn and strips away any spaces. + Here the relevant code (when you see an instruction like +SUB AL,20 you should immediately realize that you are in an +uppercasing routine, which is important for us, since these are +mostly used for password comparisons)... here the relevant Winice +unassemble and my comments: +253F:00000260 AC LODSB <- get the usn chars +253F:00000261 08C0 OR AL,AL <- check if zero +253F:00000263 740F JZ 0274 <- 0: so usn finished +253F:00000265 3C61 CMP AL,61 <- x61 is "a", man +253F:00000267 72F7 JB 0260 <- not a lower, so loop +253F:00000269 3C7A CMP AL,7A <- x7A is "z", what else? +253F:0000026B 77F3 JA 0260 <- not a lower, so loop +253F:0000026D 2C20 SUB AL,20 <- upper it if it's lower +253F:0000026F 8844FF MOV [SI-01],AL<- and hide it away +253F:00000272 EBEC JMP 0260 <- loop to next char +253F:00000274 93 XCHG AX,BX +...
+The instruction MOV [SI-01],AL that you see here is important +at times, coz it points to the location of the "pre-digested" +usn, i.e. the usn formatted as it should be for the number +comparison that will happen later. In some more complicated +protection schemes the reasoning behind this formatting is the +following: "Stupid cracker will never get the relation algorithm +usn <-> rn, coz he does not know that usn AND rn are slightly +changed before comparing, ah ah... no direct guessing is +possible". Here it is only "polishing": you have to "polish" a +string before comparing it in order to forgive some mistakes by +the legitimate user (too many spaces in the name, upper-lower +case mismatch, foreign accents in the name etc.) You just need +to know, for now, that this checking is usually still 5 or 6 +calls ahead of the real checking (it's what we call a "green +light"). + You should in general realize that the real checking of the +algebraic correspondence follows after a whole series of memory +operations, i.e.: cancelling (and erasing) the previous (if ever) +attempts; duplicating the usn and the rn somewhere else in +memory; double checking the string lengths (and saving all these +values somewhere... be particularly attentive when you meet stack +pointers (for instance [BP+05]): most of the programs you'll find +have been written in C (what else?). C uses the stack (SS:SP) to +pass parameters or to create local variables for its procedures. +The passwords, in particular, are most of the time compared to +data contained within the stack. If inside a protection a BP +register points to the stack you have most of the time fished +something... remember it, pupils: it will spare you hours of +useless cracking inside irrelevant routines.
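As an added example (not code from WINCAT Pro, and not +ORC's own), here is the uppercasing loop at 253F:0260-0272 re-implemented in Python so that its exact behaviour can be tested, together with the space stripping the text says accompanies it. The sample names are constructed for the demonstration. The point a keygen writer needs is that the loop folds only bytes 0x61-0x7A and nothing else, so "polishing" forgives fewer mistakes than the text's list suggests.

```python
"""Added example, not code from WINCAT Pro or from +ORC: the uppercasing
loop at 253F:0260-0272 re-implemented so its exact behaviour can be
checked, plus the space stripping the text says accompanies it.  The
sample names are constructed for the demonstration.
"""
from __future__ import annotations


def uppercase_lower_ascii(buf: bytearray) -> bytearray:
    """In-place mirror of the listing.

    LODSB / OR AL,AL / JZ        -> stop at the first zero byte
    CMP AL,61 / JB               -> below 'a': leave it, loop
    CMP AL,7A / JA               -> above 'z': leave it, loop
    SUB AL,20 / MOV [SI-01],AL   -> fold 'a'..'z' to 'A'..'Z' in place
    """
    for i, c in enumerate(buf):
        if c == 0:
            break
        if 0x61 <= c <= 0x7A:
            buf[i] = c - 0x20
    return buf


def polish_username(usn: bytes) -> bytes:
    """The 'pre-digested' usn: spaces removed, ASCII lower case folded.

    Only 0x20 counts as a space and only 0x61-0x7A is folded; that is
    what the loop does, whatever its author meant it to forgive.
    """
    no_spaces = bytes(c for c in usn if c != 0x20)
    return bytes(uppercase_lower_ascii(bytearray(no_spaces)))


def same_polished_name(a: bytes, b: bytes) -> bool:
    """True when the protection cannot tell two typed names apart."""
    return polish_username(a) == polish_username(b)


if __name__ == "__main__":
    # constructed sample names, Latin-1 bytes for the accented ones
    for name in (b"Azert Qwerty", b"azertqwerty", b"AZERT  QWERTY",
                 b"Ren\xe9", b"REN\xc9"):
        print(name, "->", polish_username(name))
```

"Azert Qwerty", "azertqwerty" and "AZERT  QWERTY" all polish to AZERTQWERTY and will therefore need the same rn. A Latin-1 "é" (0xE9) passes through untouched, so "René" and "RENÉ" are two different names to this check; any keygen for the scheme has to reproduce exactly this folding, not a library's notion of case-insensitivity.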
Back to our WINCAT: +another little check is about the "minimal" length allowed for +a user name, in our babe, for instance, the usn must have at +least 6 chars: + 230F:00003483 3D0600 CMP AX,0006 + 230F:00003486 730F JAE 3497 <- go to nice_name +:too_short + 230F:00003488 BF9245 MOV DI,4592 <- no good: short + After a lot of other winicing you'll finally come across the +following section of the code: +2467:00000CA3 B90100 MOV CX,0001 +2467:00000CA6 03F1 ADD SI,CX +2467:00000CA8 2BC1 SUB AX,CX +2467:00000CAA 7213 JB 0CBF +2467:00000CAC 40 INC AX +2467:00000CAD 368B4F04 MOV CX,SS:[BX+04] <- here +2467:00000CB1 0BC9 OR CX,CX +2467:00000CB3 7D02 JGE 0CB7 +2467:00000CB5 33C9 XOR CX,CX +2467:00000CB7 3BC1 CMP AX,CX +2467:00000CB9 7606 JBE 0CC1 +2467:00000CBB 8BC1 MOV AX,CX +2467:00000CBD EB02 JMP 0CC1 +2467:00000CBF 33C0 XOR AX,AX +2467:00000CC1 AA STOSB <- and here +2467:00000CC2 8BC8 MOV CX,AX +2467:00000CC4 F3A4 REPZ MOVSB <- and here! +2467:00000CC6 8EDA MOV DS,DX +2467:00000CC8 FC RETF 0008 + + This is obviously the last part of the checking routine +(I'll not delve here into the mathematical tampering of it, if +you want to check its workings, by all means, go ahead, it's +quite interesting, albeit such study is NOT necessary to crack +these schemes). The important lines are obviously the MOV +CX,SS:[BX+04], the STOSB and the REPZ MOVSB (as usual in password +protection schemes, you do remember lesson 3, don't you?). + You should be enough crack-able :=) by now (if you have read +all the previous lessons of my tutorial), to find out easily, +with these hints, how the working of the protection goes and +where in memory the ECHO of the correct rn (passkey) that +matches the name you typed in dwells. Remember that in this kind of +crack the ECHO is present somewhere (90% of the cases). There +are obviously one thousand ways to find such ECHOs directly, +without going through the verification routines...
for instance +you could also find them with a couple of well placed +snap_compares, it's a "5 minutes" cracking, once you get the +working of it. I leave you to find, as an interesting exercise, the +routine that checks for a "-" inside the rn, a very common +protection element. + In order to help you understand the working of the protection +code in [Wincat Pro] I'll give you another hint, though: if you +type "+ORC+ORC+ORC" as usn, you'll have to type 38108-37864 as +rn, if you use "+ORC+ORC" as usn then the corresponding rn will be +14055-87593. But these are my personal cracks... I have offered +this information only to let you better explore the mathematical +tampering of this specific program... you'll see the +snapping mechanism better by trying them out (going through the routines +inside Winice) alternately with a correct and with a false +password. Do not crack Wincat with my combination! If you use a +different usn than your own name to crack a program you only show +that you are a miserable lamer... no better than the lamers that +believe they "crack" software using huge lists of serial numbers... +that is really software that they have stolen (Yeah: stolen, not +cracked). You should crack your programs, not steal them... +"Warez_kids" and "serial#_aficionados" are only useless zombies. +I bomb them as soon as I spot them. YOU ARE (gonna be) A CRACKER! +It makes a lot of difference, believe me. + +Well, that's it for this lesson, reader. Not all lessons of my +tutorial are on the Web. + You'll obtain the missing lessons IF AND ONLY IF you mail +me back (via anon.penet.fi) with some tricks of the trade I may +not know that YOU discovered. Mostly I'll actually know them +already, but if they are really new you'll be given full credit, +and even if they are not, should I judge that you "rediscovered" +them with your work, or that you actually did good work on them, +I'll send you the remaining lessons nevertheless.
Your +suggestions and criticism of the whole crap I wrote are also +welcome. + + "If you give a man a crack he'll be hungry again + tomorrow, but if you teach him how to crack, he'll + never be hungry again" + +an526164@anon.penet.fi + diff --git a/textfiles.com/piracy/CRACKING/howto9a.txt b/textfiles.com/piracy/CRACKING/howto9a.txt new file mode 100644 index 00000000..84e7c917 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/howto9a.txt @@ -0,0 +1,610 @@ +

HOW TO CRACK, by +ORC, A TUTORIAL +Lesson 9 (1): How to crack Windows, Hands on +[Winformant][Snap32] + + + THE [DATA_CONSTRAINT] TRICK - [WINFORMANT 4] + I have chosen an older Windows application for Win 3.1 +(WIN4MANT.EXE, 562271 bytes, Version 1.10, by Joseph B. Albanese; +you'll find it searching the web with the usual tools, see how +to do it at the end of this lesson), in order to show you how to +use a nice little trick, at times really useful in cracking +password-protected programs: [data_constraint]. Inside almost all +protection routines, as you have already learned, there is a +moment when on the stack the ECHO of the real, "correct" +passnumber or password appears. The location of this ECHO varies, +but most of the time it'll be in a range of +- 0x90 bytes from +one of the locations where the user input dwells. This is due to +data-dump window constraints inside the tools used by the +protectionists... but this use is bound to diminish... especially +after this lesson :=) + +[WINFORMANT CRACKING] + This application is -per se- crappy, I doubt you'll ever use +it... but its curious (and pretty rare) "deactivate" mode is +nevertheless very interesting for us: you can "unregister" +Winformant on the fly if you feel the need to. + This feature is pretty useful for scholars who like to +investigate password algorithms with valid and invalid codes +without having to reinstall every time to delete a valid code. +For your cracking exercises choose programs that have +"REVERSIBLE" protections (rare) or that can be re-registered a +billion times (more frequent). Programs that keep the valid +registration in *.ini or special files will also do the job: you +just change a couple of lines to "unregister" them. + The trick of this lesson: [data_constraint], or "password +proximity", is based on the protectionist's need to keep an eye on +the protection "working" when he assembles it.
He must "see" the +relationships between USER INPUT NUMBER, USER INPUT TRANSFORMED +and the CORRECT NUMBER ANSWER (in our jargon: the "Bingo"). These +relationships must be constantly checked in order to debug the +protection code. Mostly they will dwell TOGETHER inside a small +stack area, allowing them to be "seen" in the SAME watchwindow. +Most of the time, therefore, the "ECHO" will "materialize" +not very far away from one of the locations of the USER +INPUT. Let's crack: + +* Fire Winice and then Winformant +* Choose HELP and then choose REGISTRATION +* Fill the registration fields with "+ORC+ORC" as "Registrant" +and "12121212" as "Activation" code (use whatever you fancy). +CTRL+D ;switch to Winice +:task ;let's see what's the name of this crap +TaskName SS:SP StackTop StackBot StackLow TaskDB hQueue Events +WINWORD 1AD7:85F2 4A52 8670 7532 1247 122F 0000 +PROGMAN 1737:200A 0936 2070 1392 066F 07F7 0000 +DISKOMAT *2C5F:6634 1D3C 6AC6 5192 2CB7 2C9F 0000 + +:hwnd DISKOMAT ;which window is getting the input? +WinHandle Hqueue QOwner Class Name Window Procedure +0EB4(0) 2C9F DISKOMAT #32769 04A7:9E6B + 0F34(1) 2C9F DISKOMAT #32768 USER!BEAR306 + 365C(1) 2C9F DISKOMAT #32770 2C3F:0BC6 + 36BC(2) 2C9F DISKOMAT Button 2C3F:1CEA + 3710(2) 2C9F DISKOMAT Edit 2C3F:24BE +... and many more irrelevant windows. + +Let's pinpoint the code: here the relevant window is the first +"Edit" one, for obvious reasons (more on this later). +:bmsg 3710 wm_gettext ;set breakpoint +CTRL+D ;run the babe until you get: +Break Due to BMSG 3710 WM_GETTEXT C=01 + Hwnd=3710 wParam=0050 lParam=2C5F629A msg=000D WM_GETTEXT +2C3F:000024BE B82F2C MOV AX,2C2F +So! Now we have "pinpointed" the babe (more on "pinpointing" +later). Let's snoop around a little: look at the stack to fetch +your babe's last call (if it does not show immediately, just keep +pinpointing, for instance on GetWindowText() or do a BPRW +diskomat (very useful), and then try and retry the stack...
+should this too fail to work, search for your input in memory (in +the 30:0 lffffffff selector, as usual) and breakpoint range on +it with ReadWrite, and then stack, stack, stack... until you get +the "real" list of calls coming from your babe's protection. +:stack ; let's see +USER(19) at 073F:124C [?] through 073F:1239 +CTL3D(02) at 2C3F:0D53 [?] through 2C3F:0D53 +DISKOMAT(01) at 2C97:20B9 [?] through 2C97:20B9 +DISKOMAT(01) at 2C97:3D94 [?] through 2C97:3D94 +DISKOMAT(01) at 2C97:49E2 [?] through 2C97:4918 +DISKOMAT(04) at 2C7F:EA20 [?] through 2C7F:EA20 +USER(01) at 04A7:19BE [?] through USER!GETWINDOWTEXT +== CTL3D(02) at 2C3F:24BE [?] through 04A7:3A3C + + Beautiful stack fishing! Immediately do a BPX on babe:EA20. +2C7F:EA35 9A25ABA704 CALL USER!GETWINDOWTEXT +2C7F:EA3A 8D46AE LEA AX,[BP-52] ;load ptr "+ORC+ORC" +2C7F:EA3D 16 PUSH SS ;save pointer segment +2C7F:EA3E 50 PUSH AX ;save pointer offset +2C7F:EA3F 9A768D872C CALL 2C87:8D76 ;get strlen "+ORC+ORC" +2C7F:EA44 83C404 ADD SP,+04 +2C7F:EA47 3D2800 CMP AX,0028 +2C7F:EA4A 762C JBE EA78 +... +2C7F:EA97 8D46AE LEA AX,[BP-52] ;load ptr "+ORC+ORC" +2C7F:EA9A 16 PUSH SS ;various algors on input +2C7F:EA9B 50 PUSH AX ;follow here, we do not +... ;need to care +2C7F:EAB2 0F851101 JNE EBC7 +2C7F:EAB6 8D8E5CFF LEA CX,[BP+FF5C] ;ptr "12121212" +2C7F:EABA 16 PUSH SS +2C7F:EABB 51 PUSH CX +2C7F:EABC 9A768D872C CALL 2C87:8D76 ;get strlen "12121212" +2C7F:EAC1 83C404 ADD SP,+04 +2C7F:EAC4 50 PUSH AX +2C7F:EAC5 8D865CFF LEA AX,[BP+FF5C] ;ptr "12121212" HERE! +2C7F:EAC9 16 PUSH SS +2C7F:EACA 50 PUSH AX +...etc, various algors on input follow here + + OK, that's enough: now obviously follows the code that +"algorithmizes" the number string, and then, somewhere, you'll +have the hideous compare that divides good guys and bad crackers. +You could examine, and crack, and search... + BUT NOW IT'S THE "MAGIC MOMENT" OF THE ECHO! We know and *feel* +it: The echo must be somewhere... how do we find it?
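Before +ORC's shortcut, here is the brute-force answer to that question as an added Python example (not +ORC's code and nothing extracted from Winformant): find every copy of the typed input in a memory image and list the NUL-terminated, serial-looking strings that sit within +/- 0x90 bytes of each copy. The image the script builds is constructed to look like the dump further down in the lesson (echo about 0x50 bytes before the input, handle about 0x50 bytes after, and a decoy copy of the input with nothing useful near it); the serial value in it is the one the lesson quotes, not something obtained from the program.

```python
"""Added example, not code from +ORC or from Winformant: the brute-force
form of the [data_constraint] hunt.  Find every copy of the typed input in
a memory image and list the NUL-terminated, serial-looking strings that
sit within +/- 0x90 bytes of it.  build_sample_image() constructs an image
laid out like the dump in the text; the serial in it is the value quoted
in the text, not a value obtained from the program.
"""
from __future__ import annotations
import re

WINDOW = 0x90

# digits and dashes, 5+ chars, not glued to a longer run, NUL-terminated
SERIAL_RE = re.compile(rb"(?<![0-9-])[0-9][0-9-]{3,}[0-9](?=\x00)")


def find_echo_candidates(image: bytes, typed: bytes, window: int = WINDOW
                         ) -> list[tuple[int, list[tuple[int, bytes]]]]:
    """For each occurrence of `typed`, return (offset, [(delta, serial), ...])
    where delta is the candidate's distance from that occurrence."""
    hits = []
    pos = image.find(typed)
    while pos >= 0:
        lo = max(0, pos - window)
        hi = min(len(image), pos + len(typed) + window)
        region = image[lo:hi]
        cands = [
            (lo + m.start() - pos, m.group(0))
            for m in SERIAL_RE.finditer(region)
            if m.group(0) != typed          # the input itself is not the echo
        ]
        hits.append((pos, cands))
        pos = image.find(typed, pos + 1)
    return hits


def build_sample_image() -> bytes:
    """Constructed memory image for the demonstration."""
    img = bytearray(b"\xCC" * 0x400)
    base = 0x100
    for off, s in ((0x00, b"8037-646-3836\x00"),   # the ECHO (value quoted in the text)
                   (0x50, b"12121212\x00"),        # what the user typed
                   (0xA0, b"+ORC+ORC\x00")):       # the handle
        img[base + off:base + off + len(s)] = s
    decoy = 0x300                                  # a copy with no echo near it
    img[decoy:decoy + 9] = b"12121212\x00"
    return bytes(img)


if __name__ == "__main__":
    for pos, cands in find_echo_candidates(build_sample_image(), b"12121212"):
        print(hex(pos), [(d, s) for d, s in cands])
```

Against a real SoftICE dump you would feed the bytes of the 30:0 search hits in and read off which occurrence has a serial-shaped string next to it; the decoy copy shows why every hit has to be examined rather than the first one.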
Searching +"12121212" in memory fishes at least 10 different locations... +:s 30:0 lffffffff '12121212' +Pattern Found at 0030:0005AD6A +.... (7 more) +Pattern Found at 0030:80509D6A +Pattern Found at 0030:8145AD6A + Should we look for all occurrences of string '12121212', +starting with the two at 80000000, dumping +-0x90 around it... +until we find the echo? We could, and it would work, but that's +not zen... that's boring! In other protections these locations +could proliferate on purpose, to deter the casual cracker. There +must be some other way... And lo and behold! YES! There is a +quicker way... THE LAST loading of the numeric input string in +the code (the one after the strlen count) is the "right" one for +our cracking purposes, coz protections follow (mostly) this +pattern (remember: we are inside a "stack-heavy" section of the +code... if you want to crack higher I suggest you read some good +literature about stack working, stack tricks and stack magics +with the Intel processors): + LOAD NAMEString - COUNT NAMEStringLen + + LOAD NAMEString - TRANSFORM NAMEString + LOAD CODEString - COUNT CODEStringLen + LOAD CODEString + *ECHO must be here* + TRANSFORM CODEString + *ECHO must be here* + COMPARE TRANSFORMED_NAMEString WITH TRANSFORMED_CODEString + + This means that at line +2C7F:EAC5 8D865CFF LEA AX,[BP+FF5C] ;ptr "12121212" +you'll already have your echo somewhere... just dump the memory +around the pointer [BP+FF5C]: +:d 2c5f:61e8 ;these numbers will differ in your computer +02 62 2F 06 02 00 26 2E-A3 4E A3 4E 01 00 38 30 .b/...&..N.N..80 +33 37 2D 36 34 36 2D 33-38 33 36 00 01 06 02 00 37-646-3836..... +2F 06 75 62 C3 2E B7 04-F2 24 2F 06 CE 6E 2F 06 /.ub.....$/..n/. +49 00 5A 00 01 00-04 2C 2F 06 AE 24 36 62 00 00 I.Z......,/..$6b +74 62 7A 2E B7 04 36 62-01 00 C2 62 2F 2C 26 2E tbz...6b...b/,&. +03 01 BA 0F AE 24 5F 02-C9 01 5E 02 BA 01 5F 02 .....$_...^..._. +31 32 31 32 31 32 31 32-00 0C 00 BC 02 00 00 00 12121212........ 
+00 49 00 BA 0F-AE 24 F2 24 2F 06 00 00 00 00 00 ....I....$.$/... +AF 17 00 E2 5F-7A 62 FE FF 79 1B BA 0F 00 00 00 ......._zb..y... +96 0B 01 00 02 4E 00-37 01 8A 62 D2 0F 8F 17 00 .....N..7..b.... +2F 06 00 37 01-98 62 20 10 16 03 2F 06 00 00 00 /.....7..b .../. +C2 62 2B 4F 52 43 2B 4F-52 43 00 0D AE 24 2F 06 .b+ORC+ORC...... + + Look at this dump: everybody is there! The stack pointer points +to the middle, at string "12121212". 0x50 bytes before it you'll +find our good old ECHO (i.e. the CORRECT passnumber) and 0x50 +bytes afterwards you'll see your handle: here "+ORC+ORC". + It's cracked! The code for my "+ORC+ORC" is 8037-646-3836... +Now begin your assignments: if you really want to learn cracking: +- "Unregister" and find anew your own code for your own + handle. *DO NOT* use serial numbers with any other name + than your own handle, that's miserable stealing, not + cracking. I'll begin to punish the serial#_aficionados on + the Web, coz I like real outlaws, but I detest stupid + pickpockets. +- Study the two coding algorithms, the one for the input name + and the one for the input number, this will be very useful + for your future cracking sessions. +- Find the "Compare", i.e. the code that sets the two usual + flags "good guy, you may move on" and "bad cracker, bugger + off", and +- Create a "real" crack for this protection, that will allow + anybody you think deserves it, with any name and any + password number, to get through. + +[CRACKING SNAP 32] + Snap 32 (SNAP32.EXE 356.352 bytes, 24/11/95, Version 2.54, +by Greg Kochaniak) is a "snapshot" shareware program for Windows +95, that allows users to save the screen, parts of it, or a +single window. It's a very common 'try before you buy' program, +limited to 30 days' use. You'll find it everywhere on the Web.
If +you do not know how to search the Web (poor guy!), learn at the +end of this lesson the correct procedure to find all the files +you need on the Net and get them automatically emailed to you +(that's something you should learn: SEARCHING! It's even more +important than cracking!). + Snap32 is not very interesting (I don't think I used it more +than a couple of times), but its protection is: in order to (try +to) deter casual crackers it does not compare strings, it +compares a "magic" sum (from Namestring) with another magic sum +(from Numberstring). And: +* SUMS magics inside the GDI, not inside its own code; +* USES a look_up table for input validation instead of + "plain" code; +* COMPARES the "magic" manipulation from input NUMBER with + the "magic" manipulation from input NAME. + + + The cracking procedure for most of these Windows programs is +pretty simple and relatively straightforward: + +1) SEE THE NAME OF YOUR BABE AND ITS QUEUE SELECTOR +:task ;This is the Winice95 command you type after firing +snap32 and getting at the "Enter License" nag window: + +TaskName SS:SP StckTp StckBt StckLw TaskDB Hqueue Events +Snap32 0000:0000 006AC000 006B0000 270E D27 0000 + +OK, the babe is Snap32, its HQUEUE is 0xD27, its TaskDB is +0x270E, all right. + +2) SEE THE MODULES OF YOUR BABE: +:map32 snap32 ;Your command +Owner Obj Name Obj# Address Size Type +SNAP32 .text 0001 0137:00401000 00043000 CODE RO +SNAP32 .rdata 0002 013F:00444000 00002E00 IDATA RO +SNAP32 .data 0003 013F:00447000 00009000 IDATA RW +SNAP32 .idata 0004 013F:00471000 00001C00 IDATA RW +SNAP32 .rsrc 0005 013F:00473000 00001600 IDATA RO +SNAP32 .reloc 0006 013F:00475000 00004C00 IDATA RO + +OK, so the code is in selector 137: (as usual), and you have there +43000 bytes of code from 401000 to 401000+43000; the DATA, +ReadWrite and ReadOnly, are in selector 13F: (as usual).
+ +3) SEE THE HANDLE OF THE PROTECTION "NAG" WINDOW +:hwnd snap32 ;Your command +Window Handle Hqueue SZ Qowner Class Name Window Procedure + 0350(1) 0D27 32 SNAP32 #02071 144F:0560 + 0354(2) 0D27 32 SNAP32 #02071 17CF:102E + ... and many more windows that we do not care about. + + OK, so, for our cracking purposes, it's Handle 0x350. Most of +the time the "nag" window you want to crack will be the first +one in the hwnd listing (coz it was the last one to appear). +Watch the number in parentheses that follows the Whandle: (1) is +a mother, (2) are "children" windows. At times you'll find under +"Class Name" something like "Edit" (see the Winformant +cracking above)... SNIFF THERE! At times the "Window Procedure" code +location in a list of more than twenty, will be slightly +different for one or two windows... SNIFF THERE! + +4) BREAKPOINT MESSAGE WM_GETTEXT (or any other WM_ that you can +think of in order to "pinpoint" the code of our babe). +"Pinpointing" the code is extremely important in Windows +cracking... this idiotic OS moves code, data and stack out and +inside the pages all the time... so you'll keep getting on +"INVALID" sections without a correct pinpointing. Good +pinpointing points are in general: + BMSG xxxx WM_GETTEXT (good for passwords) + BMSG xxxx WM_COMMAND (good for OK buttons) + BPRW *your babe* TW (good for tracking) + u USER!GETWINDOWTEXT (u and then BPX inside the code) + u GETDLGITEM (for the Hwnd of an Item inside a + Dialog Box) + CSIP NOT GDI (if you have too many interferences) + u USER!SHOWWINDOW (bpx with counter occurrence to get to + the "right" window) + u GETSYSTEMTIME (for "time-crippled" software) +and many other pinpointing points you'll learn. If you are +really desperate for pinpointing, just do a BMSG xxxx WM_MOVE and +then move the nag window, this will always work. Let's go on: + +:bmsg 350 wm_gettext ;Your command +OK, so the code is ready to be pinpointed.
+ +5) RUN THE PROGRAM TO THE BREAKPOINT: +CTRL+D ;Your command to exit Winice and run + until it pops out at breakpoint +OK, now you pop out inside Winice somewhere... (look at the stack +to know where) so the code has been pinpointed. + +6) SEARCH THE DATA AREA for your input string (4 Gigabytes from +30:0... remember that DATA are *always* in 30:0 to 30:FFFFFFFF +and CODE is *always* in 28:0 to 28:FFFFFFFF). In most protections +the "registration_number" string must match the "username" +string, which cannot be constrained, in order to allow users to +choose whatever stupid name they fancy. Some protections require +fixed symbols inside the "username" string, though... in these +rare eventualities, just apply to the "username" string what +we'll do here with the "registration_number" string. The point +to remember is: begin always with the protection fumbling your +number, crack only if necessary the protection that fumbles your +name. Let's search now. + +:s 30:0 lffffffff '12121212' ;Your command + Pattern Found at 0030:80308612 + +80000000 is good. Lower down are video memory, mirrors and BIOS, higher +(around C0000000) you have the OS dustbins... the point to +remember is: investigate always FIRST the 80000000 locations. + +7) BREAKPOINT ON MEMORY RANGE ON THIS STRING. +By the way: prepare a watch window dex 3 es:di, you'll soon see +how useful such an automated watchwindow is in password cracking. + +:bpr 30:80308612 30:80308612+8 RW ;Your command + +OK. Now we'll begin to dig out the relevant parts of the code. +Remember that you must breakpoint *every* copy of the string that +protection generates.
A typical copy routine, very frequently +used in windows copy protection schemes, dwells inside +KERNEL!HMEMCPY (+0076): + +0117:9E8E 66C1E902 SHR ECX,02 +0117:9E92 F36766A5 REPZ MOVSD ;makes a copy in es:di +0117:9E96 6659 POP ECX +0117:9E98 6683E103 AND ECX,+03 +0117:9E9C F367A4 REPZ MOVSB +0117:9E9F 33D2 XOR DX,DX + +In fact, this piece of copying code is so often used for password +verifications that sometimes you just need to bpx on 0117:9E92 +to get the correct stack sequence... but let's, for now, continue +without such little tricks: just keep on BPRring (Breakpoint on +memory range) all copies that protection makes. + +8) LET THE BABE RUN, it will breakpoint on all manipulations of +your input string. One of them will lead to the magic. +8.1.) VALIDATION phase +There are many routines that check and "validate" your inputs. +The most common ones check that your numbers ARE really numbers, +i.e. in the range 0x30-0x39. Usually this is done with: + CMP EAX,+30 + JB no_number + CMP EAX,+39 + JA no_number +At times the protectionists use TABLES instead... The number +itself is used as a pointer to a "ready made" table where the +relevant magic can be used as a protection. Imagine that a number +4 in your input points to a code section that throws you +immediately outside the validation routine... or imagine that a +number 7, if found in your input, fetches a magic code that +removes the whole program from your harddisk (or worse): "Ah, ah! +Stupid cracker will never know that he should not have used +number 4... and definitely not number 7! Next time he'll +learn..." Yes, tables have been used for such nasty tricks. 
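As an added Python example (not code from SNAP32 and not +ORC's own), here are two pieces of the number-check prologue that Lesson 8 quoted from SNAP32 and that step 8.1 describes again: the "search for CMP EBX,+2B" trick turned into a byte-signature scan over a file image, and a re-implementation of the check_if_valid / strip_-_&_+_signs loop, with the range check from the paragraph above beside the table-driven form. The flag table is an assumption modelled on the C runtime's ctype table, in which 0x08 is the "space" class and 0x04 the "digit" class; the machine-code bytes in the sample image are those printed in the listing, padded with NOPs, not a real extract. Two caveats a practitioner will want: the quoted sequence reads exactly like the sign-handling prologue of a string-to-integer conversion (skip table-flagged whitespace, accept one sign), which is both why the signature turns up in so many programs and why landing on it puts you where the typed number is converted rather than in the protection's own arithmetic, which follows later; and a signature scan over a file finds the bytes in the image on disk, so with relocations or packing you may need to scan the process memory instead.

```python
"""Added example, not code from SNAP32 or from +ORC: two pieces of the
number-check prologue shown in Lesson 8 and in step 8.1.

scan_for_sign_check() is the "search for CMP EBX,+2B" trick done as a byte
signature over a file image: CMP EBX,+2D / JZ rel8 / CMP EBX,+2B encodes
as 83 FB 2D 74 ?? 83 FB 2B (the displacement byte is a wildcard).

parse_number_prefix() mirrors check_if_valid and strip_-_&_+_signs: skip
characters whose table entry has bit 0x08 set, then accept one '+' or '-'.
The flag table is an assumption modelled on the C runtime's ctype table
(0x08 = space class, 0x04 = digit class).
"""
from __future__ import annotations

# CMP EBX,+2D ; JZ <rel8> ; CMP EBX,+2B   (None = wildcard byte)
SIGN_CHECK_PATTERN = [0x83, 0xFB, 0x2D, 0x74, None, 0x83, 0xFB, 0x2B]

_SPACE = 0x08  # the bit tested by AND EAX,+08 in the listing
_DIGIT = 0x04  # assumed digit-class bit, as in the MSVC _ctype layout


def scan_for_sign_check(image: bytes, pattern=SIGN_CHECK_PATTERN) -> list[int]:
    """Return every offset in image where the wildcard pattern matches."""
    n = len(pattern)
    return [
        off
        for off in range(len(image) - n + 1)
        if all(p is None or image[off + i] == p for i, p in enumerate(pattern))
    ]


def build_ctype_table() -> list[int]:
    """256-entry flag table standing in for the one read at [ECX+2*EDX]."""
    table = [0] * 256
    for c in b" \t\n\v\f\r":
        table[c] |= _SPACE
    for c in range(ord("0"), ord("9") + 1):
        table[c] |= _DIGIT
    return table


CTYPE = build_ctype_table()


def parse_number_prefix(s: bytes) -> tuple[int, bytes]:
    """Mirror of the two labelled blocks: returns (sign, rest).

    check_if_valid:       MOV AX,[ECX+2*EDX] / AND EAX,+08 / JZ -> skip spaces
    strip_-_&_+_signs:    CMP EBX,+2D / CMP EBX,+2B          -> one optional sign
    """
    i = 0
    while i < len(s) and CTYPE[s[i]] & _SPACE:
        i += 1
    sign = 1
    if i < len(s) and s[i] in (0x2B, 0x2D):
        if s[i] == 0x2D:
            sign = -1
        i += 1
    return sign, s[i:]


def digits_by_range(s: bytes) -> bool:
    """The CMP EAX,+30 / JB / CMP EAX,+39 / JA validation of step 8.1."""
    return len(s) > 0 and all(0x30 <= c <= 0x39 for c in s)


def digits_by_table(s: bytes) -> bool:
    """The same validation done through the flag table instead."""
    return len(s) > 0 and all(CTYPE[c] & _DIGIT for c in s)


# Constructed sample image: the machine-code bytes quoted in step 8.1,
# padded with NOPs on both sides; not a real SNAP32 extract.
SAMPLE_IMAGE = (
    b"\x90" * 16
    + bytes.fromhex("33DB8A1E468BFB83FB2D740583FB2B")
    + b"\x90" * 16
)

if __name__ == "__main__":
    print("sign check at", [hex(o) for o in scan_for_sign_check(SAMPLE_IMAGE)])
    print(parse_number_prefix(b"  -12121212"))
```

Run it against a whole executable read into bytes and the offsets you get back are candidate places to set a breakpoint; the prefix parser then tells you what the code at such a place will make of a given typed string before you single-step it.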
+Here the relevant code for the "validation" part of our +protection (still checking my favourite input string '12121212'): +:check_if_valid +0137:4364AE 8A16 MOV DL,[ESI] ;load license number +0137:4364B0 33C0 XOR EAX,EAX ;zero AX +0137:4364B2 668B0451 MOV AX,[ECX+2*EDX] ;look table for 84 +0137:4364B6 83E008 AND EAX,+08 ;OK if AND'S TO zero +0137:4364B9 85C0 TEST EAX,EAX ;and therefore +0137:4364BB 7403 JZ 004364C0 ;go on +0137:4364BD 46 INC ESI ; ready for next number +0137:4364BE EBCD JMP 0043648D +:strip_-_&_+_signs +0137:4364C0 33DB XOR EBX,EBX ;clean BX +0137:4364C2 8A1E MOV BL,[ESI] ;load license number +0137:4364C4 46 INC ESI ;ready for next +0137:4364C5 8BFB MOV EDI,EBX ;save copy +0137:4364C7 83FB2D CMP EBX,+2D ;is it a "-"? +0137:4364CA 7405 JZ 004364D1 +0137:4364CC 83FB2B CMP EBX,+2B ;is it a "+"? + +8.2.) MANIPULATION (summing magic numbers) +Your wisely set breakpoints on memory range for the occurrence +of the string "12121212" will pop you out, inter alia, inside +following piece of code (note how this part of protection dwells +inside GDI, and NOT inside the code selector of snap32): +0557:11BD 33C0 XOR EAX,EAX ;zero AX +0557:11BF 66648B06 MOV AX,FS:[ESI] ;load number +0557:11C3 83C602 ADD ESI,+02 ;point to next + +0557:11C6 66833C4700 CMP WORD PTR [EDI+2*EAX],+00 +0557:11CB 0F8424010000 JE 000012F5 +0557:11D1 668B0442 MOV AX,[EDX+2*EAX] ;load from magic table +0557:11D5 03D8 ADD EBX,EAX ;save sum in EBX +0557:11D7 49 DEC ECX ;till we are done +0557:11D8 75E5 JNZ 000011BF ;loop along + +Interesting, isn't it? Protection is using this GDI routine to +create a SUM (through pointers to another table) that depends on +your very input numbers. We are now very near to the crack... can +you *feel* it? If not, prepare yourself a good Martini Vodka! +This is the correct way to do it: + * Get a "highball" glass; + * Put some ice cubes inside it (2 or 3); + * Add Martini Dry (From Martini & Rossi). 
Fill to 1/3; + * Add Moskowskaja Wodka (the only real Vodka). Fill to 2/3; + * Add a zest of lemon (From Malta or Southern France); + * Add a green "sound" olive (from Italy or Israel); + * Add Schweppes Indian Tonic. Fill to the brim. +Sit deeper and relax, sip slowly and *feel* where the code of the +protection scheme you are cracking "moves"... It's like a +current... a slow tide. If you still do not believe me, just try +it. + +We'll now find out where protection stores the "magic" sum (and +now you'll pop out inside the very own snap32 code, this is the +"real" protection part): + +8.3.) The ludicrous "HIDING" of the magic sum +0137:40437E 83C404 ADD ESP,+04 +0137:404381 8B4DE8 MOV ECX,[EBP-18] +0137:404384 8945F0 MOV [EBP-10],EAX ;***HERE!*** +0137:404387 68FF000000 PUSH 000000FF +0137:40438C 8D8574FBFFFF LEA EAX,[EBP+FFFFFB74] ;load string +0137:404392 50 PUSH EAX ;push it +0137:404393 E886410100 CALL 0041851E ;manipulate +0137:404398 8D8574FBFFFF LEA EAX,[EBP+FFFFFB74] ;load string +0137:40439E 50 PUSH EAX ;push it +0137:40439F E88C210300 CALL 00436530 ;manipulate + +As you can see, the protection is very simple: The "magic" sum +is hidden only two lines before the further manipulations of the +input string. We have found location 137:404384, here, in the +CORRECT way, through bprring of the string that has been +manipulated in the GDI, but actually, we could have found it +quickly just checking superficially what's happening "around" all +manipulations of the input string. Do we really need to follow +all manipulations of our registration_number and eventually also +all manipulation of our username? NO, not at all: we just set a +BPR on the stack location where protection hides the sum [EBP-10] +and we'll see what happens: 90% of these protections just create +two sums, a sum from your username and a sum from your +registration_number... somewhere there will be a compare that +must use this location (or a copy of it... we'll see). + +8.4.) 
COMPARING THE MAGICS FROM THE TWO INPUT STRING +Breakpoint on memory range on the sum location [EBP-10] that you +saw in the previous code and you'll land at this piece of code: +0137:404412 E82F050000 CALL 00404946 +0137:404417 83C40C ADD ESP,+0C +0137:40441A 3B45F0 CMP EAX,[EBP-10] ;comp AX & magicsum +0137:40441D 740F JZ 0040442E +0137:40441F 68C0874400 PUSH 004487C0 +0137:404424 E8149E0000 CALL 0040E23D +0137:404429 83C404 ADD ESP,+04 +0137:40442C EB5B JMP 00404489 +0137:40442E 893DA0714400 MOV [004471A0],EDI +0137:404434 85FF TEST EDI,EDI + +That's it, you have made it! We found the compare between the +"username" magic number (for my "+ORC+ORC" string that's here +0x7C25621B) in AX (we do not need to know how this landed +there... it's irrelevant!) and the "license_number" '12121212' +(whose magic is here 0x00B8F47C) stored in [pointer-10.] How do +we find now the correct INPUT number for +ORC+ORC? Well, it's +easy... the "magic number" must be the same... therefore: + +Cracked=Dec(0x7C25621B) +Cracked=2082824731 + + That was it. Old Snap32 has been cracked. You could now +prepare a crack in order to distribute this program around +without its simple protection. Good cracked applications should +be given free (i.e. cracked) to all the people that NEED them and +do not have the money to buy them. Don't forget that in this +intolerable society the 0,5% of the citizens own the 56% of the +industrial capital and the 63% of the propaganda machines (data + +from US researchers... therefore suspect... the real situation +is probably even worser) effectively conditioning the destiny of +millions of slaves, moronized by television watching. So crack +the applications and give them to the people you care and the +peolple that need them, but for the others... just EXPLAIN +everybody how you did it... this is real help: giving knowledge, +not wares. 
DO NOT use my handle and my codes to crack this +program, get yours, I gave you mine only as an help for this +cracking lesson. I have showed you the way enough... THIEFS, not +crackers, use the codes that others have found. You are (gonna +be) CRACKERS! Remember it, look straight ahead, crack accurately +and keep your tommy in. + +HOW TO SEARCH THE INTERNET FOR FILES WITHOUT MOVING A FINGER + It's amazing: most of the people roaming around inside Internet +DO NOT know how to use effectively the web. I'll be very +altruistic and explain how to fetch the very example of Snap32, +the babe we cracked in this lesson. + +1) Choose an archie from this list (I will not explain you what +an archie is, you should know it... if you do not, be ashamed): + archie.univie.ac.at 131.130.1.23 Austria + archie.belnet.be 193.190.248.18 Belgium + archie.funet.fi 128.214.6.102 Finland + archie.univ-rennes1.fr 129.20.254.2 France + archie.th-darmstadt.de 130.83.22.1 Germany + archie.ac.il 132.65.16.8 Israel + archie.unipi.it 131.114.21.10 Italy + archie.uninett.no 128.39.2.20 Norway + +2) Email a message to your archie: + To: archie.univie.ac.at (for instance) + Subject: (nothing on this field) + Body: set search sub (substrings too) + set maxhits 140 (max 140 hits) + set maxhitspm 9 (not the same file all over) + find snap32 (we want this) + +3) After a while you'll get (per email) your answer: Here the +answer from the Austrian archie + +Host ftp.wu-wien.ac.at (137.208.8.6) + Last updated 17:48 9 Aug 1995 + Location: /pub/systems/windows.32/misc + FILE -rw-r----- 128957 bytes 15:59 16 Jun 1995 snap32.zip +Host space.mit.edu (18.75.0.10) + Last updated 00:45 4 Mar 1996 + Location: /pub/mydir + FILE -rw-r--r-- 407040 bytes 11:55 28 Nov 1995 snap32.exe + +4) ftpmail your file (Browsing is no good: too busy and lame). +Again, I will not explain you what an FTPMAIL server is: learn +it by yourself... choose a good one from this list (there are +many more... 
you'll learn): + bitftp@vm.gmd.de (Germany) + ftpmail@ieunet.ie (Ireland) + bitftp@plearn.edu.pl (Poland) + ftpmail@ftp.sun.ac.za (South Africa) + + ftpmail@ftp.sunet.se (Sweden) + ftpmail@ftp.luth.se (Sweden) + ftpmail@src.doc.ic.ac.uk (United Kingdom) + +To: ftpmail@ftp.sun.ac.za. (for instance) +Subject: (leave blank) +Body: open space.mit.edu (the last occurrence that + the archie sent) + cd/pub/mydir (get the correct subdir) + bin (prepare for BINARY) + get snap32.exe (I want this) + quit (bye) + +5) Your FTPMAIL server will first notice you a receipt: + +FTP EMAIL response... +ftpmail has received the following job from you: + reply-to +ORC + open space.mit.edu +ORC@now.here + get snap32.exe +ftpmail has queued your job as: 1834131821.5514 +Your priority is 1 (0 = highest, 9 = lowest) +Requests to sunsite.doc.ic.ac.uk will be done before other jobs. +There are 14 jobs ahead of this one in the queue. +4 ftpmail handlers available. +To remove send a message to ftpmail containing just: +delete 1834131821.5514 + +After a while you'll get a second message, with your file +uuencoded inside... everything has been done. +YESSIR! there is absolutely no need to loose time on the WWW, +"surfing" idiotically from a junk site to the next or waiting +hours to download some slow file from an instable server! Wasting +time of your own LIFE, that you could use to read poetry, to make +love, to look at the stars, to sail slowly between the Aegean +islands or to start a nice cracking session. What's the point of +wasting your time when machines can perform all the searches you +need better, more productively and faster than you ever could... +YESSIR! You can get *everything* on the Web, and without paying +your Internet provider more than a couple of dimes... Nice, isn't +it? + +By now, if you have followed all my lessons, you should be able +to crack relatively quickly "normal" applications. 
There are some +new projects for 1997: a cracking "university", that will allow +us to prepare for the divine war against Microsoft repulsive +dominion. If you do not have already chosen your handle (your +"cracker" name, that's it), you may consider choosing an handle +with a "+" somewhere inside it or, eventually, add a "+" to your +handle. This sign is used by me and by friends that have studied +and/or contributed. But a "+" in your handle ("official +ORC +cracker") will mean even more: +1) allows support from me personally (on a "do ut des" basis) +2) allows pupils to identify each other (good for joining + forces) +3) will open you (eventually) the doors to the "higher" + cracking university I'll set up on the Web in 1997. +(I'm not getting megalomaniac... In reality I only need a "quick" +method to know on which (anonymous) people I can count on for the +next phase). + +Well, that's it for this lesson, reader. Not all lessons of my +tutorial are on the Web. + You 'll obtain the missing lessons IF AND ONLY IF you mail +me back (via anon.penet.fi) with some tricks of the trade I may +not know that YOU discovered. Mostly I'll actually know them +already, but if they are really new you'll be given full credit, +and even if they are not, should I judge that you "rediscovered" +them with your work, or that you actually did good work on them, +I'll send you the remaining lessons nevertheless. Your +suggestions and critics on the whole crap I wrote are also +welcomed. + + + ++ORC an526164@anon.penet.fi diff --git a/textfiles.com/piracy/CRACKING/howtoa.txt b/textfiles.com/piracy/CRACKING/howtoa.txt new file mode 100644 index 00000000..5fb6efb9 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/howtoa.txt 
@@ -0,0 +1,336 @@ + +HOW TO CRACK, by +ORC, A TUTORIAL + +Lesson A.1: Advanced Cracking: Internet Cracking (Unix) + +-------------> INTERNET CRACKING: FIREWALLS + With each new company that connects to the "Information +Superhighway" new frontiers are created for crackers to explore. +Site administrators (Siteads) have implemented various security +measures to protect their internal networks. One of these is +xinetd, covered later. A more general solution is to construct +a guarded gateway, called a [Firewall], that sits between a +site's internal network and the wild and woolly Internet where +we roam. In fact only one third of all Internet connected +machines are already behind firewalls. Most information services +have to deal with the same problem we have: getting OUT through +a local firewall or GETTING INTO a service through their +Firewall. There lays also the crack_solution. +------------> What is a Firewall? + The main purpose of a Firewall is to prevent unauthorized +access between networks. Generally this means protecting a site's +inner network from the Internet. If a site has a firewall, +decisions have been made as to what is allowed and disallowed +across the firewall. These decisions are always different and +always incomplete, given the multiplicity of Internet, there are +always loopholes where a cracker can capitalize on. + A firewall basically works by examining the IP packets that +travel between the server and the client. This provides a way to +control the information flow for each service by IP address, by +port and in each direction. + A firewall embodies a "stance". The stance of a firewall +describes the trade-off between security and ease-of-use. A +stance of the form "that which is not expressly permitted is +prohibited" requires that each new service be enabled +individually and is seldom used, coz very slow and annoying. 
+Conversely, the stance "that which is not expressly prohibited +is permitted" has traded a level of security for convenience. It +will be useful to guess the stance of the firewall you are +cracking when making probe decisions. + A firewall has some general responsibilities: +* First and foremost if a particular action is not allowed by +the policy of the site, the firewall must make sure that all +attempts to perform the action will fail. +* The firewall should log suspicious events +* The firewall should alert internal administration of all +cracking attempts +* Some firewall provide usage statistics as well. + +------------> Types of Firewall + In order to avoid head-scratching, it's a good idea to know +the TOPOLOGY of "your" firewall -and its limitations- before +attempting to get through it. Discussed below are two popular +firewall topologies. Although other types exist, the two below +represent the basic forms; most other firewalls employ the same +concepts and thus have -luckily- the same limitations. + 1) THE DUAL-HOMED GATEWAY + A dual-homed Gateway is a firewall composed of a single +system with at least two network interfaces. This system is +normally configured such that packets are not directly routed +from one network (the Internet) to the other (the internal net +you want to crack). Machines on the Internet can talk to the +gateway, as can machines on the internal network, but direct +traffic between nets is blocked. + In discussing firewalls, it's generally accepted that you +should think of the inner network as a medieval castle. The +"bastions" of a castle are the critical points where defence is +concentrated. In a dual-homed gateway topology, the dual-homed +host itself is called the [BASTION HOST]. + The main disadvantage of a dual-homed gateway, from the +viewpoints of the users of the network and us crackers alike, is +the fact that it blocks direct IP traffic in both directions. 
Any +programs running on the inner network that require a routed path +to external machines will not function in this environment. The +services on the internal network don't have a routed path to the +clients outside. To resolve these difficulties, dual-homed +gateways run programs called [PROXIES] to forward application +packets between nets. A proxy controls the conversation between +client and server processes in a firewalled environment. Rather +than communicating directly, the client and the server both talk +to the proxy, which is usually running on the bastion host +itself. Normally the proxy is transparent to the users. + A proxy on the bastion host does not just allow free rein +for certain services. Most proxy software can be configured to +allow or deny forwarding based on source or destination addresses +or ports. Proxies may also require authentication of the +requester using encryption- or password-based systems. + The use of proxy software on the bastion host means that the +firewall administrator has to provide replacements for the +standard networking clients, a nightmare in heterogeneous +environments (sites with many different operating systems +platforms, PC, Sun, IBM, DEC, HP...) and a great burden for +administrator and users alike. + 2) THE SCREENED HOST GATEWAY + A screened host gateway is a firewall consisting of at least +one router and a bastion host with a single network interface. +The router is typically configured to block (screen) all traffic +to the internal net such that the bastion host is the only +machine that can be reached from the outside. Unlike the dual- +homed gateway, a screened host gateway does not necessarily force +all traffic through the bastion host; through configuration of +the screening router, it's possible to open "holes" in the +firewall to the other machines on the internal net you want to +get into. + The bastion host in a screened host firewall is protected +from the outside net by the screening router. 
The router is +generally configured to only allow traffic FROM SPECIFIC PORTS +on the bastion host. Further, it may allow that traffic only FROM +SPECIFIC EXTERNAL HOSTS. For example the router may allow Usenet +news traffic to reach the bastion host ONLY if the traffic +originated from the site's news provider. This filtering can be +easily cracked: it is relying on the IP address of a remote +machine, which can be forged. + Most sites configure their router such that any connection +(or a set of allowed connections) initiated from the inside net +is allowed to pass. This is done by examining the SYN and ACK +bits of TCP packets. The "start of connection" packet will have +both bits set. If this packets source address is internal... or +seems to be internal :=) the packet is allowed to pass. This +allows users on the internal net to communicate with the internet +without a proxy service. + As mentioned, this design also allows "holes" to be opened +in the firewall for machines on the internal net. In this case +you can crack not only the bastion host, but also the inner +machine offering the service. Mostly this or these machine/s will +be far less secure than the bastion host. + New services, for instance recent WEB services, contain a +lot of back doors and bugs, that you'll find in the appropriate +usenet discussion groups, and that you could use at freedom to +crack inner machines with firewall holes. Sendmail is a good +example of how you could crack in this way, read the whole +related history... very instructive. The rule of thumb is "big +is good": the bigger the software package, the more chance that +we can find some security related bugs... and all packages are +huge nowadays, 'coz the lazy bunch of programmers uses +overbloated, buggy and fatty languages like Visual Basic or +Delphy! +Finally, remember that the logs are 'mostly) not on the bastion +host! Most administrators collect them on an internal machine not +accessible from the Internet. 
An automated process scan the logs +regularly and reports suspicious information. + + 3) OTHER FIREWALL TOPOLOGIES +The dual-homed gateway and the screened host are probably the +most popular, but by no mean the only firewall topologies. Other +configurations include the simple screening router (no bastion +host), the screened subnet (two screening routers and a bastion +host) as well as many commercial vendor solutions. + +------------> Which software should we study? +Three popular unix software solutions allow clients inside a +firewall to communicate with server outside: CERN Web server in +proxy mode, SOCKS and the TIS Firewall toolkit. +1) The CERN Web server handles not only HTTP but also the other +protocols that Web clients use and makes the remote connections, +passing the information back to the client transparently. X-based +Mosaic can be configured for proxy mode simply by setting a few +environment variables. +2) The SOCKS package (available free for anonymous ftp from +ftp.nec.com in the file + /pub/security/socks.cstc/socks.cstc.4.2.tar.gz +includes a proxy server that runs on the bastion host of a +firewall. The package includes replacements for standard IP +socket calls such as connect(), getsockname(), bind(), accept(), +listen() and select(). In the package there is a library which +can be used to SOCKSify your crack probes. +3) The Firewall Toolkit +The toolkit contains many useful tools for cracking firewall and +proxy server. netacl can be used in inetd.conf to conceal +incoming requests against an access table before spawning ftpd, +httpd or other inetd-capable daemons. Mail will be stored in a +chroot()ed area of the bastion for processing (mostly by +sendmail). +The Firewall toolkit is available for free, in anonymous ftp from +ftp.tis.com in the file + /pub/firewalls/toolkit/fwtk.tar.Z +The popular PC firewall solution is the "PC Socks Pack", for MS- +Windows, available from ftp.nec.com It includes a winsock.dll +file. 
+ + The cracking attempts should concentrate on ftpd, normally +located on the bastion host. It's a huge application, necessary +to allow anonymous ftp on and from the inner net, and full of +bugs and back doors. Normally, on the bastion host, ftpd is +located in a chroot()ed area and runs as nonprivileged user. If +the protection is run from an internal machine (as opposing the +bastion host), you could take advantage of the special inner-net +privileges in hostp.equiv or .rhosts. If the internal machine +"trusts" the server machine, you'll be in pretty easily. + Another good method, that really works, is to locate your +PC physically somewhere along the route between network and +archie server and "spoof" the firewall into believing that you +are the archie server. You'll need the help of a fellow hacker +for this, though. + Remember that if you gain supervisor privileges on a machine +you can send packets from port 20, and that in a screened host +environment, unless FTP is being used in proxy mode, the access +filters allow often connections from any external host if the +source port is 20 and the destination port is greater than 1023! + remember that NCSA Mosaic uses several protocols, each on +a different port, and that -if on the firewall no proxy Web +server is operating- each protocol must be dealt with +individually, what lazy administrators seldom do. + Be careful for TRAPS: networking clients like telnet and ftp +are often viciously replaced with programs that APPEAR to execute +like their namesake, but actually email an administrator. A +fellow cracker was almost intercepted, once, by a command that +simulated network delays and spat out random error messages in +order to keep me interested long enough to catch me. 
Read the +(fictions) horror story from Bill Cheswick: "An evening with +Berferd in which a cracked is lured, endured and studied", +available from ftp.research.att.com in + /dist/internet_security/berferd.ps +As usual, all kind of traps can be located and uncovered by +correct zen-cracking: you must *FEEL* that some code (or that +some software behaviour) is not "genuine". Hope you believe me +and learn it before attempting this kind of cracks. + +------------> How do I crack Firewalls? + Some suggestions have been given above, but teaching you how +to crack firewalls would take at least six complete tutorial +lessons for a relatively unimportant cracking sector, and you +would almost surely get snatched immediately, 'coz you would +believe you can crack it without knowing nothing at all. So, for +your sake, I'll teach you HOW TO LEARN IT, not HOW TO DO IT +(quite a fascinating difference): First Text, then the software +above. For text, start with Marcus Ranum's paper "Thinking about +Firewalls", available from ftp.tis.com in the file/pub/firewalls/firewalls.ps.Z +and do an archie search for newer literature. +Join the firewall discussion list sending a message to +majordomo@greatcircle.com, you'll get a message with +instructions, as usual, lurk only... never show yourself to the +others. + You can find for free on the web quite a lot of early +versions of proxy software. Study it, study it and then study it +again. The cracking efforts on your copies, and your machines, +before attempting anything serious, are MANDATORY if you do not +want to be immediately busted on the Internet. When you feel +ready to try serious cracking, you must OBLIGATORY start with a +small BBS which uses a firewall version you already studied very +well (sysops are not firewall administrators, and many of them +do not know nothing about the software they use). 
As soon as you +gain access to the bastion host, remember to subvert entirely the +firewall itself before entering the inner net. +If you feel ready and everything went well so far, if your zen- +cracking abilities are working well... then take a moment for +yourself... prepare yourself a good Martini-Wodka (you should +only use Moskovskaia), take a deep breath and by all means go +ahead! You will then be able to try your luck on the Cyberspace +and get quickly busted (if you did not follow my admonitions and +if you cannot zen-crack) or, may be, fish quite a lot of +jewels... :=) + +-------------> INTERNET CRACKING: XINETD + [Xinetd] a freely available enhanced replacement for the +internet service daemon inetd, allows just those particular users +to have FTP or Telnet access, without opening up access to the +world. Xinetd can only protect the system from intrusion by +controlling INITIAL access to most system services and by logging +activities so that you can detect break-in attempts. However, +once a connection has been allowed to a service, xinetd is out +of the picture. It cannot protect against a server program that +has security problems internally. For example, the finger server +had a bug several years ago that allowed a particularly clever +person to overwrite part of its memory. This was used to gain +access to many systems. Even placing finger under the control of +xinetd wouldn't have helped. + Think of the secured firewall system as a fortress wall: +each service that is enabled for incoming connections can be +viewed as a door or window in the walls. Not all these doors have +secure and reliable locks. The more openings are available, the +more opportunities are open for us. +-------------> What xinetd does +Xinetd listens to all enabled service ports and permits only +those incoming connection request that meet authorization +criteria. 
+- Accept connections from only certain IP addresses +- Accept connections only from authorized users +- Reject connections outside of aithorized hours +- Log selected service when connections are accepted or + rejected, capturing following informations: + * Remote Host Address + * User ID of remote user (in some cases) + * Entry and Exit time + * Terminal type + Support login, shell, exec and finger + +-------------> SERVICES TO CRACK & + UNWITTING INSIDE COMPLICES +In this order the easy services: + FTP TELNET LOGIN (rlogin) SHELL (rcmd) EXEC +In this order the more difficult ones: + MOUNT TFT FINGER NFS(Network File System) + DNS(Domain Name Service) +Remember that sendmail (SMTP), by default, accepts a message from +any incoming connection. The "sender" of such a message can +appear to have originated anywhere, therefore your claim of +identity will be accepted! Thus you can forge a message's +originator. Most of the recipients inside the protected +(firewalled) net will take your claim at face value and send you +(to the "return address" you provide) all the sensitive +information you need to crack the system. Finding unwitting +inside complices is most of the time pretty easy. + By far the best method, for entering xinetd, is to get the +real version from panos@cs.colorado.edu, modify the system files +in order to have some backdoors, and then distribute them to the +mirror servers on the WEB. Each time a new administrator will +download "your" version of xinetd, you'll have an easy access to +the "protected" system. + On the Nets, it's important to conceal your identity (they +will find you out pretty quickly if you do not). The best method +is to obtain the IP address of a legitimate workstation during +normal hours. Then, late at night, when the workstation is known +to be powered-off or disconnected from a dialup PPP link, a +different node on the network can be configured to use the +counterfeit IP address. 
To everyone on the network, it will +appear that the "legitimate" user is active. If you follow this +strategy, you may want to crack somehow more negligently... the +search for the cracker will go on -later- in the false confidence +that a sloppy novice (the legitimate user) is at work, this will +muddle the waters a little more. + +Well, that's it for this lesson, reader. Not all lessons of my +tutorial are on the Web. + + You'll obtain the missing lessons IF AND ONLY IF you mail +me back (via anon.penet.fi) with some tricks of the trade I may +not know that YOU discovered. Mostly I'll actually know them +already, but if they are really new you'll be given full credit, +and even if they are not, should I judge that you "rediscovered" +them with your work, or that you actually did good work on them, +I'll send you the remaining lessons nevertheless. Your +suggestions and critics on the whole crap I wrote are also +welcomed. + ++ORC an526164@anon.penet.fi + diff --git a/textfiles.com/piracy/CRACKING/howtoca.txt b/textfiles.com/piracy/CRACKING/howtoca.txt new file mode 100644 index 00000000..b838fb6e --- /dev/null +++ b/textfiles.com/piracy/CRACKING/howtoca.txt 
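Review bot: several tokens in this hunk read as transcription errors rather than the author's wording, for example "aithorized" in the xinetd feature list, "hostp.equiv" beside ".rhosts" (hosts.equiv is evidently meant), "TFT" in the list of services, and the unbalanced quote in "the logs are 'mostly) not on the bastion host". If the repository policy is to preserve textfiles.com content byte-for-byte these should stay, but that policy is not stated anywhere in the change; please either document it in the commit message or verify these spots against the upstream copy before merging. One further style point: the file's closing paragraph ("You'll obtain the missing lessons IF AND ONLY IF ...") duplicates the ending of the previous file in this patch, which is consistent with it being a series boilerplate and not a copy-paste slip, so no action needed there.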
@@ -0,0 +1,410 @@ +HOW TO CRACK, by +ORC, A TUTORIAL +LESSON C (1) - How to crack, Cracking as an art +[BARCODES] [INSTANT ACCESS] + +[BARCODES] + First of all, let me stress the importance of cracking in +our everyday life. Cracking it's not just about software, it's +about information, about all patterns of life. To crack is to +refuse to be controlled and used by others, to crack is to be +free. But you must also be yourself free from petty conventions +in order to crack properly. + You must learn to discerne cracking possibilities all around +yourself, and believe me, the development of this ghastly society +brings every day new codes, protections and concealing +mechanismes. + All around us grows a world of codes and secret and not so +secret patterns. Codes that are at times so familiar and common +that we do not even notice them any more... and yet they are +there to fool us, and yet they offer marvellous cracking +possibilities. + + Let's take as an striking example BARCODES... those little +lines that you see on any book you buy, on any bottle you get, +on any item around you... do you know how they work? If you do +not you may be excused, but you cannot be excused if you never +had the impulse to understand them... crackers are curious by +nature... heirs of an almost extinct race of researchers that has +nothing in common with the television slaves and the publicity +and trend zombies around us. Cracker should always be capable of +going beyond the obvious, seek knowledge where others do not see +and do not venture. + +[BARCODE HISTORY] + Let's begin with a little history. Universal Product Code +(UPC) was adopted for commercial use by the grocery industry in +the USA. Among the advantages were a rapid, accurate and reliable +way of entering stock information into a computer and the +possibility to sack a lot of workers and to do more profit. 
The +early success led to the development of the European Article +Numbering System (EAN), a symbology similar to UPC, that is +widely used in Europe and in the rest of the World. I'll teach +you to crack this one, since I do not -fortunately- live in the +States. Keep in mind, anyway, that there are different barcode +symbologies, each with its own particular pattern of bars. The +UPC/EAN code used on retail products is an all-numeric code; so +is the Interleaved 2 of 5 Code. Code 39 includes upper case +letters, digits, and a few symbols. Code 128 includes every +printable and unprintable ASCII character code. The most new one +is a 2-D code. These are special rectangular codes, called +stacked barcodes or matrix codes. They can store considerably +more information than a standard barcode. They require special +readers which cost more than a standard scanner. The practical +limit for a standard barcode depends on a number of factors, but +20 to 25 characters is an approximate maximum. For applications +that need more data, matrix codes are used. For example, the next +time you receive a package from United Parcel Service look for +a small square label with a pattern of dots and a small bullseye +in the centre. This is a MaxiCode label, and it is used by UPS +for automatic destination sortition. + The manufacturer's ID number on the barcode uniquely +identifies products. These numbers are managed by the Uniform +Code Council in Dayton, Ohio for the States and Canada and by the +EAN authority (Internationale Article Numbering Association) in +Bruxelles, for Europe and the rest of the World. The +manufacturer's ID number accounts for some digits of the code, +which leaves other digits to be assigned in any way the producer +wants. He provides retail outlets with a list of his products and +their assigned codes so that they can be entered in the cash +register system. 
Many codes are NOT on the products and are added +by the supermarkets on the fly, using an internal code schema +that may be non standard. Now it's enough... let's crack. + BARCODES are the only thing an automated casher needs to see +on a product to calculate its price and automatically catalogate +the sold merchandise... imagine (just imagine it :=) coz it would +be extremely illegal to act in this way) somebody would fasten +an adhesive home-made codebar label direct on the top of the +supermarket/mall/retail store label, say on a bottle of Pomerol +(that's a very good but unfortunately very expensive french +wine). + The new label would mean for the casher something like +"cheap wine from Bordeaux, France, cost so and so, everything +it's OK, do not worry"... do you think that anybody would come +to the idea that there is something wrong with the label, with +the bottle or with you? I have been codebaring for years and had +only once a problem, coz my printer was running out of ink and +the scanner in the supermarket could not read it... so what? Act +uninterested, always wear jackets of the utmost quality, shetland +pullovers and beautiful expensive shoes... (all articles that you +may codebar too, by the way), in this society appearance and look +count much more than substance and knowledge... LET'S USE THIS +TO OUR ADVANTAGE! Nobody will ever come to the idea that you may +actually really know the working of the scheme... coz codebar is +pretty complicated and not exactly exceptionally public. On the +Web there are a lot information about it, but most of them are +useless, unless you know how to search most of the time you'll +find only sentences like this one: + "The calculated check digit is the twelfth and final + digit in the U.P.C.code. It is calculated based on a + specific algorithm, and is necessary to ensure that + the number is read or key-entered correctly." 
+ +But good +ORC will now explain you everything you need to crack: + +[THE 13 BAR "CODES"] +Each barcode label has 13 values, from #0 to #12 (that's the EAN +code, the UPC american one has only 12, from #0 to #11). + #0 and #1 indicate the origin of the product. + #2 to #11 give the article code + #12 (the last and 13th one) is a checksum value, that + verifies the validity of all the other numbers. +How is it calculated? #12 is calculated in 4 steps + VALUE A: You sum odd position numbers (#0+#2+#4+#6+#8+#10) + VALUE B: You sum even position numbers and multiply by 3 + ((#1+#3+#5+#7+#9+#11)*3) + VALUE C: You sum value A and value B + VALUE D: You mod value C (you divide by 10 and only keep + the remaining units, a very widespread checking scheme as + you'll see in the software part of this lesson) + If the result is not zero, you subtract it from 10. +Now look at a barcode label, get some books or other barcoded +items and *watch* it... +Bar codes are supposed to have "quiet zones" on either side of +the symbol. Quiet zones are blank areas, free of any printing or +marks,typically 10 times the width of the narrowest bar or space +in the bar code. Failure to allow adequate space on either side +of the symbol for quiet zones can make it impossible to read the +bar code. + +On the barcode there are two "borders", left and right, and a +"middle" longer line. These three lines are longer than the +others and are used to "regulate" the scanner to whatever +dimension has been used for the barcode. +#0 dwells left of the first (left) border and has a special +meaning, the other 12 numbers are written "inside" the code and +are divided in two "groups" by the middle bar. +Each value is coded through SEVEN bars: black=1 and White=0. +These form two couples of "optic" bars of different widths. +We come now to the "magic" part: In order to bluff the +simpletons, barcode uses three different SETS of characters to +represent the values 0-9. 
This should make it impossible for you +to understand what's going on, as usual, in this society, slaves +should not need to worry with the real functioning of things. + Here are the graphic codes of the three graphic sets: + + CODE A CODE B (XOR C) CODE C (NOT A) +0: 0001101 (13) 0100111 (39) 1110010 (114) +1: 0011001 (25) 0110011 (51) 1100110 (102) +2: 0010011 (19) 0011011 (27) 1101100 (108) +3: 0111101 (61) 0100001 (33) 1000010 (066) +4: 0100011 (35) 0011101 (29) 1011100 (092) +5: 0110001 (49) 0111001 (57) 1001110 (078) +6: 0101111 (47) 0000101 (05) 1010000 (080) +7: 0111011 (59) 0010001 (17) 1000100 (068) +8: 0110111 (55) 0001001 (09) 1001000 (072) + +9: 0001011 (11) 0010111 (23) 1110100 (116) + +Borders: 101 +Centre: 01010 + +- The C graphic set is a "NOT A" graphic set. +- The B graphic set is a "XOR C" graphic set. +- each value has two couples of bars with different widths + + Now watch some labels yourself... see the difference between the +numbers left and the numbers right? The first "half" of the +barcode is coded using sets A and B, the second "half" using set +C. As if that were not enough, A and B are used inside the first +"half" in a combination that varies and depends from value #0, +following 10 different patterns: + #1 #2 #3 #4 #5 #6 + 0 A A A A A A + 1 A A B A B B + 2 A A B B A B + 3 A A B B B A + 4 A B A A B B + 5 A B B A A B + 6 A B B B A A + 7 A B A B A B + 8 A B A B B A + 9 A B B A B A + +"Ah! Stupid buyer will never understand why the same values gives +different bars! Nothing is as reliable as barcodes!" 
:=) + +Let's take as example the codebar for Martini Dry: +BARCODE: 8 0 00570 00425 7 +Let's see: we have a 8 0 0 = booze +Then a 000570 as ABABBA and a 004257 as C +"Even" sum: 8+0+5+0+0+2 = 15 (even sum) +Then a 0+0+7+0+4+5= 16 and 16 *3 = 48 (odd sum) +Then a 15+48=63 +63 === 3 +10 - 3 = 7 = checksum +Pattern = 8 = ABABBA CCCCCC + +OK, one more example: Osborne Windows programming series Volume +2 General purpose API functions (always here on my table)... +BARCODE: 9 7 80078 81991 9 +Let's see: we have a 9 7 8 = book +Then a 780078 as ABBABA and a 819919 as C +"Even" sum: 9+8+5+8+8+4 = 42 (even sum) +Then a 7+1+5+2+4+4= 23 and 23 * 3 = 69 (odd sum) +Then a 42+69=111 +111 === 1 +10 - 1 = 9 = checksum +Pattern = 9 = ABBABA + +Well... what's the point of all this? +The point, my pupils, is that who DOES NOT KNOW is taken along +on a boat ride, who KNOWS and LEARNS can use his knowledge in +order to try to beat blue and black the loathsome consumistic +oligarchy where we are compelled to live. Try it out for +yourself... if you crack correctly and wisely your supermarket, +mall and library bills will be cut to almost zero. + Write a small program to print whichever codebar you fancy +(or whichever your mall uses) in whichever size on whichever sort +of label you (or better your targets) fancy... it's quickly done +with Visualbasic or Delphy... but you'll not find much on the Web +Alternatively you could also write, as I did long ago, a short +c program in dos, using a modified upper char set... and there +you are, have labels... see the world. + A small word of caution... crack only ONE item at time and +try it out first with the SAME label for the same product... i.e. +the correct code for that item, but on your own label. If it goes +through your program works good, if not, nobody will ever be able +to harm you. 
Anyway it never happens anything, never: the bar +code reading equipments have great tolerance, coz the scanners +must be able to recognize barcodes that have been printed on many +different medias. You should choose labels similar to the ones +effectively used only in order not to arise human suspects, coz +for all the scanner itself cares, your label could be pink with +green stripes and with orange hand-written, numbers. Mind you, +we are still just academically imagining hypothetical situations, +coz it would be extremely illegal to act in such an inconsiderate +manner. + CRACKING POWER! It's true for barcodes, for Telecom bills, +for Compuserve accounts, for Amexco cards, for banking cheques +(do you know what MICR is? Magnetic Ink Character Recognition... +the stylized little printing on the lower left of new cheques... +there is a whole cracking school working on it), for registration +numbers... you name it, they develope it, we crack it... + Begin with barcodes: it's easy, nice and pretty useful! Live +in opulence, with the dignity and affluence that should always +distinguish real crackers. Besides... you should see the +assortment of 'Pomerols' in my "Cave-a-vin" :=) + +[INSTANT ACCESS] + The (c) Instant access routines are a commercial protection +scheme used to "unlock" complete commercial applications that +have been encrypted on CD- +ROMs which are distributed (mostly) through reviews. + This is an ideal cracking target: it's commercial software, +complete, uncrippled and of (relatively) prominent quality, that +you can get in tons for the price of a coke. Obviously this kind +of protection represents an ideal subject for our lessons. This +fairly intricate protection scheme has not yet been cracked by +anybody that I am aware of, anyway not publicly, therefore it's +an ideal candidate for a "strainer" to my university. I'll teach +you here how to crack it in three lessons, C.1, C.2 and C.3. I warn +you... 
it's a difficult cracking session, and this protection +represents quite an intellectual challenge. But if you are +seriously interested in our trade you will enjoy these lessons +more than anything else. + This cracking is intended as an "assignment" for my +HCU +"cracking university": you'll find inside lessons C.1 and C.2 a +relatively deep "introduction" to Instant access cracking. This +will teach you a lot anyway, and spare you hours of useless +roaming around, bringing you straight to the cracking point. But +I'll release the third part of this session, with the complete +solution (lesson C.3) on the Web only in october 1996, not a day +before. All the students that would like to apply to the Higher +Cracking University, opening on the web 01/01/1997, should work +in July, August and September (three months is more than enough +time) on this assignment. They should crack completely the +instant access scheme and send me their solutions, with a good +documentation of their cracking sessions, before 30/09/1996 +(WATCH IT! You can crack this scheme in -at least- three +different paths, be careful and choose the *best* one. WATCH IT! +Some of the informations) in lesson C.1 and C.2 are slightly incorrect: +check it!). +There are four possibilities: +1) The candidate has not found the crack or his solution is + not enough documented or not enough viable... the candidate + is therefore not (yet) crack-able, he will not be admitted + to the +HCU 1997 curses, better luck in 1998; +2) The cracking solution proposed by the candidate is not as + good as mine (you'll judge for yourself in october) but it + works nevertheless... 
he'll be admitted at the 1997 + courses; +3) The cracking solution of the candidate is more or less + equal to mine, he'll be admitted, personally monitored, and + he'll get all the material he needs to crack on higher + paths; +4) The cracking solution of the candidate is better than mine, + he'll be admitted, get all the material he wishes and asked + to teach us as well as study with us: "homines, dum docent, + discunt". + +[Cracking Instant access] + The user that wants to "unlock" a software application +protected with (c) Instant Access must enter first of all a +REGISTRATION number string, which through a series of +mathematical manipulations gives birth to a special "product" +code. On the basis of this "product code" the user is asked to +phone the commercial protectors (and pay) in order to get a +special "unlock code" that will allow him to decrypt the relevant +software. + This kind of "passnumber" protection routines are widely +used for software unlocking, BBS access, server access, backdoor +opening and many other protection schemes. We have already seen +password cracks in different lessons of this tutorial (in +particular Lessons 3.1 and 3.2 for DOS and Lessons 8.1, 8.2 and +9.1 for WIN) albeit on a more simplistic scale: there it did +mostly not matter very much *HOW* you passed the protection: once +passed, you could have access to the application. This is not the +case with (c) Instant Access. Face it: it's a little boring, but +important that you learn how to defeat intricate protection +routines (you'll meet them often in the next years) and I believe +that the following example will give you a "feeling" for the +right cracking approach. + In this case we must not only "crack" this protection scheme +but also study it thoroughly in order to achieve our blessed +aims. This is a very good exercise: reverse disassembling will +teach you a lot of little tricks that you'll be able to use in +your other future cracking sessions. 
+ Instant access (c) is a exceptionally widespread protection +scheme, and it should be relatively easy for you to gather some +encrypted software that has been protected with this method... +*DO IT QUICKLY!!* After the Web publishing of this lessons (I am +sending C.1 to 8 pages and 4 usenet groups on 25/06/1996) this +protection is obviously as dead as a Dodo. The "Accessors" guys +will have to conceive something smarter if they want to keep +selling "protections" to the lamer producers of "big" software. + BTW, if you are reading this and are working for some +commercial "protection" company, consider the possibility to +double cross your masters! Deliver me anonymously all the future +projects you are working on! That will amuse me, speed up the +advent of a true altruistic society and earn you the respect of +the better part of humanity. + As I said, many "huge" application are still protected with +this "Instant access" system. I have personally bought at least +7 or 8 "second hand" CD-ROMs packed full with Microsoft, Lotus, +Norton, Symantec, you name it, applications all "protected" +through this crap. The cost of this bunch of CD-ROMs was the +equivalent of a bottle of Dry Martini, maybe less. The same +software is sold, unlocked, to zombies and lusers for ludicrous +amounts of money. + Never buy CD-ROMs magazines when they appear! Be cool! Buy +them two or three months after the publishing date! Buy +"remainders" or "second hand" CD-ROM magazines "at kilo price"... +Come to think of it, never buy *anything* when it appears or when +some (paid) advertiser tells you to... remember that "trends", +"vogues", "fashions" and "modes" are only different names for the +whips that drill and chain the dull-witted slaves of this +loathsome society: "clever crackers consider cool, crack cheap, +cheat customary culture" (a rhetorical figure: an "Alliteration". +To defend yourself learn rhetoric... it's a more powerful and +more useful weapon than Kung-fu). 
+ The "triple" password protection routine in (c) Instant +Access is very interesting from a cracker point of view. It's a +relatively complex scheme: I'll teach you to crack it in two +phases: First of all you must find the "allowed" registration +code, the one that "ignites" the "product code". We must crack +and understand this re_code first if we want to crack the rest. + Just for the records, I am cracking here (c) Action Instant +access version 1.0 (CD-ROM found on a old copy of "Personal +Computer World" of August 1994, packed full with encrypted Lotus, +Symantec, Claris and Wordperfect applications. Just to be sure +I crosschecked my results with another CD-ROM which also has +applications protected with (c) Instant Access: Paragon +Publishing's PC OFFICE: the protection scheme remains the same). + +I am focusing for this lesson on the cracking of the specific +protection for the encrypted Symantec's Norton Utilities v.8.0. + Please refer to the previous lessons for the basic +techniques used in order to find the protection routine inside +our babe... for "low" cracking purposes you -basically- type a +number (in this case, where the input gets 10 numbers, we'll use +"1212-1212-12"), do your search inside the memory (s 30:0 +lffffffff "your_string") and then set memory breakpoints on all +the relevant memory locations till winice pops (I know, I know, +buddies... there are more effective ways... but hold your mouth: +for now we'll keep them among us: let's make things a little +harder for the protectionists who read this... Besides: the old +approach works here flawlessly). 
After getting the Registration +window on screen the Winice standard procedure is: + :task ; how + :heap IABROWSE ; where & what + :hwnd IABROWSE ; get the Winhandle + :bpx [winhandle] WM_GETTEXT ; pinpoint code + :bpx GetProcAddress ; in case of funny routines + :dex 0 ds:dx ; let's see their name + :gdt ; sniff the selectors + :s 30:0 lffffffff "Your_input_string" ; search in 4 giga data + :bpr [all memory ranges for your string that are above 80000000] +and so on. (continued in lesson C.2) + +Well, that's it for this lesson, reader. Not all lessons of my +tutorial are on the Web. + You 'll obtain the missing lessons IF AND ONLY IF you mail +me back (via anon.penet.fi) with some tricks of the trade I may +not know that YOU discovered. Mostly I'll actually know them +already, but if they are really new you'll be given full credit, +and even if they are not, should I judge that you rediscovered them +with your work, or that you actually did good work on them, +I'll send you the remaining lessons nevertheless. Your +suggestions and critics on the whole crap I wrote are also +welcomed. ++ORC an526164@anon.penet.fi diff --git a/textfiles.com/piracy/CRACKING/howtocb.txt b/textfiles.com/piracy/CRACKING/howtocb.txt new file mode 100644 index 00000000..f089c0fa --- /dev/null +++ b/textfiles.com/piracy/CRACKING/howtocb.txt 
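Review bot: the barcode encoding-table commentary is wrong about set B. The table itself shows that CODE B is CODE C written backwards (digit 0: C = 1110010, B = 0100111; digit 1: C = 1100110, B = 0110011, and so on for every row), not "A XOR C": since C is the bitwise NOT of A, A XOR C would be 1111111 for every digit. The column header "CODE B (XOR C)" and the bullet "The B graphic set is a "XOR C" graphic set" should say "mirror of C". Also, in the second checksum walk-through the intermediate sums are not derived from the printed digits 9 780078 819919: the #0,#2,...,#10 sum is 9+8+0+8+1+9 = 35 and the #1,#3,...,#11 sum is 7+0+7+8+9+1 = 32, so 35 + 32*3 = 131, which still ends in 1 and still gives check digit 9; the printed "9+8+5+8+8+4 = 42" and "7+1+5+2+4+4 = 23" do not correspond to that label (the Martini example is consistent). Finally, both walk-throughs call the unweighted sum the "Even" sum and the tripled sum the "odd" sum, the opposite of the VALUE A / VALUE B definition ("odd position numbers (#0+#2+#4+#6+#8+#10)") a few lines earlier; one convention should be used throughout.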
@@ -0,0 +1,494 @@ +HOW TO CRACK, by +ORC, A TUTORIAL +LESSON C (2) - How to crack, Cracking as an art +[INSTANT ACCESS] + + cracking Instant Access (2) - strainer for the +HCU + +[SEE LESSON C.1 for the first part of this cracking session] + Here follow the relevant protection routines for the first +(The "Registration") number_code of Instant Access, with my +comments: you have to investigate a little the following code. + Later, when you'll crack on your own, try to recognize the +many routines that fiddle with input BEFORE the relevant (real +protection) one. In this case, for instance, a routine checks the +correctness of the numbers of your input: + +This_loop_checks_that_numbers_are_numbers: +1B0F:2B00 C45E06 LES BX,[BP+06] ; set/reset pointer +1B0F:2B03 03DF ADD BX,DI +1B0F:2B05 268A07 MOV AL,ES:[BX] ; get number +1B0F:2B08 8846FD MOV [BP-03],AL ; store +1B0F:2B0B 807EFD30 CMP BYTE PTR [BP-03],30 +1B0F:2B0F 7C06 JL 2B17 ; less than zero? +1B0F:2B11 807EFD39 CMP BYTE PTR [BP-03],39 +1B0F:2B15 7E05 JLE 2B1C ; between 0 & 9? +1B0F:2B17 B80100 MOV AX,0001 ; no, set flag=1 +1B0F:2B1A EB02 JMP 2B1E ; keep flag +1B0F:2B1C 33C0 XOR AX,AX ; flag=0 +1B0F:2B1E 0BC0 OR AX,AX ; is it zero? +1B0F:2B20 7507 JNZ 2B29 ; flag NO jumps away +1B0F:2B22 8A46FD MOV AL,[BP-03] ; Ok, get number +1B0F:2B25 8842CC MOV [BP+SI-34],AL ; Ok, store number +1B0F:2B28 46 INC SI ; inc storespace +1B0F:2B29 47 INC DI ; inc counter +1B0F:2B2A C45E06 LES BX,[BP+06] ; reset pointer +1B0F:2B2D 03DF ADD BX,DI ; point next number +1B0F:2B2F 26803F00 CMP BYTE PTR ES:[BX],00 ; input end? +1B0F:2B33 75CB JNZ 2B00 ; no:loop next num + + You now obviously understand that the "real" string is +stored inside memory location [BP+SI-34]... set a memory +breakpoint on this area to get the next block of code that +fiddles with the transformed input. 
Notice how this routine +"normalizes" the input, strips the "-" off and puts the 10 +numbers together: +user input: 1 2 1 2 1 2 1 2 1 2 End + 1E7F:92E2 31 32 31 32 31 32 31 32 31 32 00 45 AF 1F 70 9B + Stack ptr: 0 1 2 3 4 5 6 7 8 9 A B C D E F + Let's now look at the "real" protection routine: the one + +that checks these numbers and throw you out if they are not +"sound". Please pay attention to the following block of code: + +check_if_sum_other_9_numbers_=_remainder_of_the_third_number: +:4B79 8CD0 MOV AX,SS ; we'll work inside the stack... +:4B7B 90 NOP +:4B7C 45 INC BP +:4B7D 55 PUSH BP ; save real BP +:4B7E 8BEC MOV BP,SP ; BP = stackpointer +:4B80 1E PUSH DS ; save real Datasegment +:4B81 8ED8 MOV DS,AX ; Datasegment = stacksegment +:4B83 83EC04 SUB SP,+04 +:4B86 C45E06 LES BX,[BP+06] ; BX points input_start +:4B89 268A07 MOV AL,ES:[BX] ; load first number +:4B8C 98 CBW ; care only for low +:4B8D C45E06 LES BX,[BP+06] ; reset pointer +:4B90 50 PUSH AX ; save 1st number +:4B91 268A4701 MOV AL,ES:[BX+01] ; load 2nd number +:4B95 98 CBW ; only low +:4B96 8BD0 MOV DX,AX ; 2nd number in DX +:4B98 58 POP AX ; get 1st number +:4B99 03C2 ADD AX,DX ; sum with second +:4B9B C45E06 LES BX,[BP+06] ; reset pointer +:4B9E 50 PUSH AX ; save sum +:4B9F 268A4707 MOV AL,ES:[BX+07] ; load 8th number +:4BA3 98 CBW ; only low +:4BA4 8BD0 MOV DX,AX ; 8th number in DX +:4BA6 58 POP AX ; old sum is back +:4BA7 03C2 ADD AX,DX ; sum 1+2+8 +:4BA9 C45E06 LES BX,[BP+06] ; reset pointer +:4BAC 50 PUSH AX ; save sum +:4BAD 268A4703 MOV AL,ES:[BX+03] ; load 4rd number +:4BB1 98 CBW ; only low +:4BB2 8BD0 MOV DX,AX ; #4 in DX +:4BB4 58 POP AX ; sum is back +:4BB5 03C2 ADD AX,DX ; sum 1+2+8+4 +:4BB7 C45E06 LES BX,[BP+06] ; reset pointer +:4BBA 50 PUSH AX ; save sum +:4BBB 268A4704 MOV AL,ES:[BX+04] ; load 5th number +:4BBF 98 CBW ; only low +:4BC0 8BD0 MOV DX,AX ; #5 in DX +:4BC2 58 POP AX ; sum is back +:4BC3 03C2 ADD AX,DX ; 1+2+8+4+5 +:4BC5 C45E06 LES BX,[BP+06] ; reset pointer +:4BC8 50 
PUSH AX ; save sum +:4BC9 268A4705 MOV AL,ES:[BX+05] ; load 6th number +:4BCD 98 CBW ; only low + +:4BCE 8BD0 MOV DX,AX ; #6 in DX +:4BD0 58 POP AX ; sum is back +:4BD1 03C2 ADD AX,DX ; 1+2+8+4+5+6 +:4BD3 C45E06 LES BX,[BP+06] ; reset pointer +:4BD6 50 PUSH AX ; save sum +:4BD7 268A4706 MOV AL,ES:[BX+06] ; load 7th number +:4BDB 98 CBW ; only low +:4BDC 8BD0 MOV DX,AX ; #7 in DX +:4BDE 58 POP AX ; sum is back +:4BDF 03C2 ADD AX,DX ; 1+2+8+4+5+6+7 +:4BE1 C45E06 LES BX,[BP+06] ; reset pointer +:4BE4 50 PUSH AX ; save sum +:4BE5 268A4708 MOV AL,ES:[BX+08] ; load 9th number +:4BE9 98 CBW ; only low +:4BEA 8BD0 MOV DX,AX ; #9 in DX +:4BEC 58 POP AX ; sum is back +:4BED 03C2 ADD AX,DX ; 1+2+8+4+5+6+7+9 +:4BEF C45E06 LES BX,[BP+06] ; reset pointer +:4BF2 50 PUSH AX ; save sum +:4BF3 268A4709 MOV AL,ES:[BX+09] ; load 10th # +:4BF7 98 CBW ; only low +:4BF8 8BD0 MOV DX,AX ; #10 in DX +:4BFA 58 POP AX ; sum is back +:4BFB 03C2 ADD AX,DX ; 1+2+8+4+5+6+7+9+10 +:4BFD 0550FE ADD AX,FE50 ; clean sum to 0-51 +:4C00 BB0A00 MOV BX,000A ; BX holds 10 +:4C03 99 CWD ; only AL +:4C04 F7FB IDIV BX ; remainder in DX +:4C06 C45E06 LES BX,[BP+06] ; reset pointer +:4C09 268A4702 MOV AL,ES:[BX+02] ; load now # 3 +:4C0D 98 CBW ; only low +:4C0E 05D0FF ADD AX,FFD0 ; clean # 3 to 0-9 +:4C11 3BD0 CMP DX,AX ; remainder = pampered #3? + +:4C13 7407 JZ 4C1C ; yes, go on good guy +:4C15 33D2 XOR DX,DX ; no! beggar off! Zero DX +:4C17 33C0 XOR AX,AX ; and FLAG_AX = FALSE +:4C19 E91701 JMP 4D33 ; go to EXIT +let's_go_on_if_first_check_passed: +:4C1C C45E06 LES BX,[BP+06] ; reset pointer +:4C1F 268A4701 MOV AL,ES:[BX+01] ; now load #2 anew +:4C23 98 CBW ; only low +:4C24 05D7FF ADD AX,FFD7 ; pamper adding +3 +:4C27 A38D5E MOV [5E8D],AX ; save SEC_+3 +:4C2A 3D0900 CMP AX,0009 ; was it < 9? 
(no A-F) +:4C2D 7E05 JLE 4C34 ; ok, no 0xletter +:4C2F 832E8D5E0A SUB WORD PTR [5E8D],+0A ; 0-5 if A-F +:4C34 C45E06 LES BX,[BP+06] ; reset pointer +:4C37 268A07 MOV AL,ES:[BX] ; load 1st input number +:4C3A 98 CBW ; only low +:4C3B 05C9FF ADD AX,FFC9 ; pamper adding +7 +:4C3E A38F5E MOV [5E8F],AX ; save it in FIR_+7 +:4C41 0BC0 OR AX,AX ; if #1 > 7 +:4C43 7D05 JGE 4C4A ; no need to add 0xA +:4C45 83068F5E0A ADD WORD PTR [5E8F],+0A ; FIR_+7 + 0xA +now_we_have_the_sliders_let's_prepare_for_loop: + +:4C4A C45E0E LES BX,[BP+0E] ; Set pointer to E +:4C4D 26C747020000 MOV WORD PTR ES:[BX+02],0000 ; 0 flag +:4C53 26C7070000 MOV WORD PTR ES:[BX],0000 ; 0 flag +:4C58 C706975E0900 MOV WORD PTR [5E97],0009 ; counter=9 +:4C5E E99500 JMP 4CF6 ; Jmp check_counter +loop_8_times: +:4C61 C45E06 LES BX,[BP+06] ; reset pointer +:4C64 031E975E ADD BX,[5E97] ; add running counter +:4C68 268A07 MOV AL,ES:[BX] ; load # counter+1 +:4C6B 98 CBW ; only low +:4C6C 50 PUSH AX ; save 10th number +:4C6D A18D5E MOV AX,[5E8D] ; ld SEC_+3 down_slider +:4C70 BA0A00 MOV DX,000A ; BX holds 0xA +:4C73 F7EA IMUL DX ; SEC_+3 * 0xA +:4C75 03068F5E ADD AX,[5E8F] ; plus FIR_+7 up_slider +:4C79 BAA71E MOV DX,1EA7 ; fixed segment +:4C7C 8BD8 MOV BX,AX ; BX = Lkup_val=(SEC_+3*10+FIR_+7) +:4C7E 8EC2 MOV ES,DX ; ES = 1EA7 +:4C80 268A870000 MOV AL,ES:[BX+0000] ; ld 1EA7:[Lkup_val] +:4C85 98 CBW ; only low: KEY_PAR +:4C86 8BD0 MOV DX,AX ; save KEY_PAR in DX +:4C88 58 POP AX ; repops 10th number +:4C89 03C2 ADD AX,DX ; RE_SULT=KEY_PAR+#10 +:4C8B 05D0FF ADD AX,FFD0 ; polish RE_SULT +:4C8E 99 CWD ; only low: RE_SULT +:4C8F 8956FC MOV [BP-04],DX ; save here KEY_PAR [9548] +:4C92 8946FA MOV [BP-06],AX ; save here RE_SULT [9546] +:4C95 0BD2 OR DX,DX ; KEY_PAR < 0? 
+:4C97 7C0F JL 4CA8 ; yes: KEY_PAR < 0 +:4C99 7F05 JG 4CA0 ; no: KEY_PAR > 0 +:4C9B 3D0900 CMP AX,0009 ; KEY_PAR = 0 +:4C9E 7608 JBE 4CA8 ; no pampering if RE_SULT < 9 +:4CA0 836EFA0A SUB WORD PTR [BP-06],+0A ; else pamper +:4CA4 835EFC00 SBB WORD PTR [BP-04],+00 ; and SBB [9548] +:4CA8 C45E0E LES BX,[BP+0E] ; reset pointer to E +:4CAB 268B4F02 MOV CX,ES:[BX+02] ; charge CX [958C] +:4CAF 268B1F MOV BX,ES:[BX] ; charge BX slider [958A] +:4CB2 33D2 XOR DX,DX ; clear DX to zero +:4CB4 B80A00 MOV AX,000A ; 10 in AX +:4CB7 9A930D2720 CALL 2027:0D93 ; call following RO_routine + + This is the only routine called from our protection, inside the +loop (therefore 8 times), disassembly from WCB. Examining this +code please remember that we entered here with following +configuration: DX=0, AX=0xA, CX=[958C] and BX=[958A]... + 1.0D93 56 push si ; save si + 1.0D94 96 xchg ax, si ; ax=si, si=0xA + 1.0D95 92 xchg ax, dx ; dx=0xA ax=dx + 1.0D96 85C0 test ax, ax ; TEST this zero + 1.0D98 7402 je 0D9C ; zero only 1st time + 1.0D9A F7E3 mul bx ; BX slider! 0/9/5E/3B2... + 1.0D9C >E305 jcxz 0DA3 ; cx=0? don't multiply! + 1.0D9E 91 xchg ax, cx ; cx !=0? cx = ax & ax = cx + 1.0D9F F7E6 mul si ; ax*0xA in ax + 1.0DA1 03C1 add ax, cx ; ax= ax*0xA+cx = M_ULT + 1.0DA3 >96 xchg ax, si ; ax=0xA; si evtl. 
holds M_ULT + 1.0DA4 F7E3 mul bx ; ax= bx*0xA + 1.0DA6 03D6 add dx, si ; dx= dx_add + 1.0DA8 5E pop si ; restore si + 1.0DA9 CB retf ; back to caller with two + parameters: DX and AX +Back_to_main_protection_loop_from_RO_routine: +:4CBC C45E0E LES BX,[BP+0E] ; reset pointer +:4CBF 26895702 MOV ES:[BX+02],DX ; save R_DX par [958C] +:4CC3 268907 MOV ES:[BX],AX ; save R_AX par [958A] +:4CC6 0346FA ADD AX,[BP-06] ; add to AX RE_SULT [9546] +:4CC9 1356FC ADC DX,[BP-04] ; add to DX KEY_PAR [9548] +:4CCC C45E0E LES BX,[BP+0E] ; reset pointer +:4CCF 26895702 MOV ES:[BX+02],DX ; save R_DX+KEY_PAR [958C] + +:4CD3 268907 MOV ES:[BX],AX ; save R_AX+RE_SULT [958A] +:4CD6 FF0E8D5E DEC WORD PTR [5E8D] ; down_slide SEC_+3 +:4CDA 7D05 JGE 4CE1 ; no need to add +:4CDC 83068D5E0A ADD WORD PTR [5E8D],+0A ; pamper adding 10 +:4CE1 FF068F5E INC WORD PTR [5E8F] ; up_slide FIR_+7 +:4CE5 A18F5E MOV AX,[5E8F] ; save upslided FIR_+7 in AX +:4CE8 3D0900 CMP AX,0009 ; is it over 9? +:4CEB 7E05 JLE 4CF2 ; no, go on +:4CED 832E8F5E0A SUB WORD PTR [5E8F],+0A ; yes, pamper -10 +:4CF2 FF0E975E DEC WORD PTR [5E97] ; decrease loop counter +check_loop_counter: +:4CF6 833E975E03 CMP WORD PTR [5E97],+03 ; counter = 3? 
+:4CFB 7C03 JL 4D00 ; finish if counter under 3 +:4CFD E961FF JMP 4C61 ; not yet, loop_next_count +loop_is_ended: +:4D00 C45E06 LES BX,[BP+06] ; reset pointer to input +:4D03 268A4701 MOV AL,ES:[BX+01] ; load 2nd number (2) +:4D07 98 CBW ; only low +:4D08 05D0FF ADD AX,FFD0 ; clean it +:4D0B BA0A00 MOV DX,000A ; DX = 10 +:4D0E F7EA IMUL DX ; AX = SEC_*10 = 14 +:4D10 C45E06 LES BX,[BP+06] ; reset pointer +:4D13 50 PUSH AX ; save SEC_*10 +:4D14 268A07 MOV AL,ES:[BX] ; load 1st number (1) +:4D17 98 CBW ; only low +:4D18 8BD0 MOV DX,AX ; save in DX +:4D1A 58 POP AX ; get SEC_*10 +:4D1B 03C2 ADD AX,DX ; sum SEC_*10+1st number +:4D1D 05D0FF ADD AX,FFD0 ; clean it +:4D20 99 CWD ; only low +:4D21 C45E0A LES BX,[BP+0A] ; get pointer to [9582] +:4D24 26895702 MOV ES:[BX+02],DX ; save 1st (1) in [9584] +:4D28 268907 MOV ES:[BX],AX ; save FINAL_SUM (15) [9582] +:4D2B 33D2 XOR DX,DX ; DX = 0 +:4D2D B80100 MOV AX,0001 ; FLAG TRUE ! +:4D30 E9E6FE JMP 4C19 ; OK, you_are_a_nice_guy +EXIT: +:4D33 59 POP CX ; pop everything and +:4D34 59 POP CX ; return with flag +:4D35 1F POP DS ; AX=TRUE if RegNum OK +:4D36 5D POP BP ; with 1st # in [9584] +:4D37 4D DEC BP ; with FINAL_SUM in [9582] +:4D38 CB RETF + + Let's translate the preceding code: first of all the pointers: +At line :4B86 we have the first of a long list of stack ptrs: + LES BX,[BP+06] + This stack pointer points to the beginning of the input string, +which, once polished from the "-", has now a length of 10 bytes, +concluded by a 00 fence. At the beginning, before the main loop, +9 out of our 10 numbers are added, all but the third one. + Notice that protection has jumped # 3 (and added # 8 out of the +line). The rest is straightforward. Now, at line :4BFD we have +our first "cleaning" instruction. You see: the numbers are +hexadecimal represented by the codes 0x30 to 0x39. If you add +FE50 to the minimum sum you can get adding 9 numbers (0x30*9 = +0x160) You get 0. 
The maximum you could have adding 9 numbers, +on the contrary is (0x39*9=0x201), which, added to FE50 gives +0x51. So we'll have a "magic" number between 0x0 and 0x51 instead +of a number between 0x160 and 0x201. Protection pampers this +result, and retains only the last ciffer: 0-9. Then protection +divides this number through 0xA, and what happens? DX get's the +REMAINDER of it. + If we sum the hexcodes of our (1212-1212-12) we get 0x1BE (we +sum only 9 out of then numbers: the third "1" -i.e. "31"- does +not comes into our count); 0x1BE, cleaned and pampered gives E. +Therefore (0xE/0xA = 1) We get 1 with a remainder of 4. + You may observe that of all possible answers, only sums +finishing with A, B, C, D, E or F give 1 (and rem=0,1,2,3,4 or +5). Sums finishing 0 1 2 3 4 5 6 7 8 or 9 give 0 as result and +themselves as reminder. The chance of getting a 0,1,2,3 or 4 are +therefore bigger as the chance of getting a 5, 6, 7, 8 or 9. We +are just observing... we do not know yet if this should play a +role or not. + Now this remainder is compared at :4C11 with the third number +polished from 0x30-0x39 to 0-9. This is the only protection check +for the registration number input: If your third number does not +match with the remainder of the sum of all the 9 others numbers +of your input you are immediately thrown out with FLAG AX=FALSE +(i.e. zero). + To crack the protection you now have to MODIFY your input string +accordingly. Our new input string will from now on be "1242-1212- +12": we have changed our third number (originally a "2") to a "4" +to get through this first strainer in the correct way. Only now +protection starts its mathematical part (We do not know yet why +it does it... in order to seed the random product number? To +provide a check for the registration number you'll input at the +end? We'll see). +- Protection saves the second number of your input (cleaned + with FFD7) in SEC_+3 [5E8D], pampering it if it is bigger + than 9 (i.e. 
if it is 0xA-0xF). Here you'll have therefore + following correspondence: 0=7 1=8 2=9 3=0 4=1 5=2 6=3 7=4 + 8=5 9=6. The second number of your input has got added +3. + This is value SEC_+3. In (lengthy) C it would look like + this: + If (RegString(2)is lower than 7) RegString(2) = RegString(2)+3 + Else Regstring(2) = ((RegString(2)-10)+3) +- Protection saves your first number in FIR_+7 [5E8F] with a + different cleaning parameter (FFC9). The next pampering + adds 0xA if it was not 7/8/9 therefore you have here + following correspondence 7=0 8=1 9=2 0=3 1=4 2=5 3=6 4=7 + 5=8 6=9). This is value FIR_+7. In (lengthy) C it would + look like this: + If (RegString(1) is lower than 3) RegString(1) = RegString(1)+7 + Else Regstring(1) = ((RegString(1)-10)+7) + So protection has "transformed" and stored in [5E8D] and [5E8F] +the two numbers 1 and 2. In our RegString: 1242-1212-12 the first +two numbers "12" are now stored as "94". These will be used as +"slider" parameters inside the main loop, as you will see. + Only now does protection begin its main loop, starting from the +LAST number, because the counter has been set to 9 (i.e. the +tenth number of RegString). The loop, as you'll see, handles only +the numbers from 10 to 3: it's an 8-times loop that ends without +handling the first and second number. What happens in this +loop?... Well, quite a lot: Protection begins the loop loading +the number (counter+1) from the RegString. Protection then loads +the SEC_+3 down_slider parameter (which began its life as second +number "transformed"), multiplies it with 0xA and then adds the +up_slider parameter FIR_+7 (at the beginning it was the first +number transformed). + This sum is used as "lookup pointer" to find a parameter +inside a table of parameters in memory, which are all numbers +between 0 and 9. Let's call this value Lkup_val. +Protection looks for data in 1EA7:[Lkup_val]. 
In our case (we +entered 1242-1212-12, therefore the first SEC_+3 value is 9 and +the first FIR_+7 value is 4): [Lkup_val] = 9*0xA+4; 0x5A+4 = +0x5E. At line :4C80 therefore AL would load the byte at 1EA7:005E +(let's call it KEY_PAR), which now would be ADDED to the # +counter+1 of this loop. In our case KEY_PAR at 1EA7:005E it's a +"7" and is added to the pampered 0x32=2, giving 9. + Let's establish first of all which KEY_PAR can possibly get +fetched: the maximum is 0x63 and the minimum is 0x0. The possible +KEY_PARs do therefore dwell in memory between 1EA7: and +1EA7:0063. Let's have a look at the relative table in memory, +where these KEY_PARs are stored ("our" first 0x5Eth byte is +underlined): +1EA7:0000 01 03 03 01 09 02 03 00-09 00 04 03 08 07 04 04 +1EA7:0010 05 02 09 00 02 04 01 05-06 06 03 02 00 08 05 06 +1EA7:0020 08 09 05 00 04 06 07 07-02 00 08 00 06 02 04 07 +1EA7:0030 04 04 09 05 09 06 00 06-08 07 00 03 05 09 00 08 +1EA7:0040 03 07 07 06 08 09 01 05-07 04 06 01 04 02 07 01 +1EA7:0050 03 01 08 01 05 03 03 01-02 08 02 01 06 05 07 02 +1EA7:0060 05 09 09 08 02 09 03 00-00 04 05 01 01 03 08 06 +1EA7:0070 01 01 09 00 02 05 05 05-01 07 01 05 08 07 01 09 +1EA7:0080 08 07 07 04 04 08 03 00-06 01 09 08 08 04 09 09 +1EA7:0090 00 07 05 02 03 01 03 08-06 05 07 06 03 07 06 07 +1EA7:00A0 04 02 02 05 02 04 06 02-06 09 09 01 05 02 03 04 +1EA7:00B0 04 00 03 05 00 03 08 07-06 04 08 08 02 00 03 06 +1EA7:00C0 09 00 00 06 09 04 07 02-00 01 01 01 01 00 01 FF +1EA7:00D0 00 FF FF FF FF 00 FF 01-00 00 00 00 00 00 00 00 + + An interesting table, where all the correspondences are +between 0 and 9... are we getting some "secret" number here? But, +hey, look there... funny, isn't it? Instead of only 0-0x63 bytes +we have roughly the DOUBLE here: 0-0xC8 bytes (the 01 sequence +starting at CA "feels" like a fence). We'll see later how +important this is. At the moment you should only "perceive" that +something must be going on with a table that's two time what she +should be. 
+ As I said the result of KEY_PAR + input number is polished +(with a FFDO) and pampered (subtracting, if necessary, 0xA). +Therefore the result will be the (counter+1) input number + +KEY_PAR (let's call it RE_SULT], in our case, (at the beginning +of the loop) a 9. Now (DX=0 because of the CWD instruction) DX +will be saved in [9548] and RE_SULT in [9546]. + Now Protection prepares for the RO_routine: resets its pointer +and charges CX and BX from [958C] and from [958A] respectively, +charges AX with 0xA and sets DX to zero. + The routine performs various operations on AX and DX and saves +the results in the above mentioned locations [958A] and [958C]. + Now KEY_PAR and RE_SULT are added respectively to the DX and AX +value we got back from the RO_routine call, and saved once more +in the last two locations: AX+RE_SULT in [958A] and DX+KEY_PAR +in [958C] + Now the value in SEC_+3 is diminished by 1 (if it was 9 it's now +8, if it was zero it will be pampered to 9). It's a "slider" +parameter (in this case a down_slider), typically used in +relatively complicated protections to give a "random" impression +to the casual observer. The value in FIR_+7, on the contrary, is +augmented by one, from 4 to 5... up_sliding also. + Protection now handles the next number of your input for the +loop. 
In our case this loop uses following protection +configuration with our "sliding" parameters: + Input # pamp_2nd pamp_1st Lookup value KEY_PAR # RE_SULT +# 10 = 2, SEC_+3= 9, FIR_+7= 4, Lkup_val = 0x5E, KEY=7 +2 = 9 +# 9 = 1, SEC_+3= 8, FIR_+7= 5, Lkup_val = 0x55, KEY=3 +1 = 4 +# 8 = 2, SEC_+3= 7, FIR_+7= 6, Lkup_val = 0x4C, KEY=4 +2 = 6 +# 7 = 1, SEC_+3= 6, FIR_+7= 7, Lkup_val = 0x43, KEY=7 +1 = 7 +# 6 = 2, SEC_+3= 5, FIR_+7= 8, Lkup_val = 0x3A, KEY=0 +2 = 2 +# 5 = 1, SEC_+3= 4, FIR_+7= 9, Lkup_val = 0x31, KEY=4 +1 = 5 +# 4 = 2, SEC_+3= 3, FIR_+7= 0, Lkup_val = 0x1E, KEY=5 +2 = 7 +# 3 = 4, SEC_+3= 2, FIR_+7= 1, Lkup_val = 0x15, KEY=2 +4 = 5 +Notice how our "regular" input 21212124 has given an "irregular" +94672575. + You may legitimately ask yourself what should all this mean: +what are these RE_SULTs used for? Well they are used to slide +another parameter: this one inside the called routine... this is +what happens to AX and DX inside the routine, and the lines after +the called routine: +:4CBF 26895702 MOV ES:[BX+02],DX ; save R_DX par [958C] +:4CC3 268907 MOV ES:[BX],AX ; save R_AX par [958A] +:4CC6 0346FA ADD AX,[BP-06] ; add to AX RE_SULT [9546] +:4CC9 1356FC ADC DX,[BP-04] ; add to DX KEY_PAR [9548] +:4CCC C45E0E LES BX,[BP+0E] ; reset pointer to E +:4CCF 26895702 MOV ES:[BX+02],DX ; save R_DX+KEY_PAR [958C] +:4CD3 268907 MOV ES:[BX],AX ; save R_AX+RE_SULT [958A] + + :4CC6 :4CC9 :4CCF Odd_DX :4CD3 slider_sum + RE_SULT [958A] [958C] [958C] [958A] + + 0 0 0 0 0 + 9 5A 0 0 9 + 4 3AC 0 0 5E + 6 24F4 0 0 3B2 + 7 71CE 1 1 24FB + 2 7220 4 E 71D0 + 5 7572 4 90 7225 + 7579 + +Now the loops ends, having handled the input numbers from tenth +to third. Protection loads the second number and multiplies it +by 10 (let's call this result SEC_*10), in our case 2*0xA=14. +Protection loads the first number and adds it to the +multiplication, in our case 1+0x14=0x15 (FINAL_SUM]. +Now everything will be added to FFDO to "clean" it. 
+Pointer will now be set to the end of the input number. +DX, zeroed by CDW, will be saved as parameter in [9584] and the +cleaned and pampered sum will be saved in [9582]. +FLAG is set to true and this routine is finished! No parameter +are passed and the only interesting thing is what actually +happens in the locations [9582], [9584], [958A] and [958C], i.e.: +FINAL_SUM, 0, slider_sum, odd_dx. + In the next lesson we'll crack everything, but I'll give you +already some hints here, in case you would like to go ahead on +your own: we'll see how the scheme used for the third (the +registration) number show analogies and differences with the +scheme we have studied (and cracked) here for the first number. +Our 3434-3434-3434-3434-34 input string for the registration +number will be transformed in the magic string +141593384841547431, but this will not work because the "magic" +12th number: "1" will not correspond to the remainder calculated +inside this check through the previous locations of the other +checks. + Here the things are more complicated because every little +change in your input string transforms COMPLETELY the "magic" +string... therefore in order to pass the strainer you'll have to +change 3434-3434-3434-3434-34 in (for instance) 7434-3434-3434- +3434-96. The "magic" string 219702960974498056 that this +registration input gives will go through the protection strainer. +Only then we'll be able to step over and finally crack the whole +protection... it's a pretty complicated one as I said. Now crack +it pupils... you have three months time. From this crack depends +your admission to the Uni, there will be no other admission text +till summer 1997 (it's a hell of work to prepare this crap)... +work well. + +Well, that's it for this lesson, reader. Not all lessons of my +tutorial are on the Web. + You 'll obtain the missing lessons IF AND ONLY IF you mail +me back (via anon.penet.fi) some tricks of the trade I may not +know but YOU've discovered. 
I'll probably know most of them +already, but if they are really new you'll be given full credit, +and even if they are not, should I judge that you "rediscovered" +them with your work, or that you actually did good work on them, +I'll send you the remaining lessons nevertheless. Your +suggestions and critics on the whole crap I wrote are also +welcomed. + + ++ORC an526164@anon.penet.fi \ No newline at end of file diff --git a/textfiles.com/piracy/CRACKING/howtocp2 b/textfiles.com/piracy/CRACKING/howtocp2 new file mode 100644 index 00000000..ee648f6d --- /dev/null +++ b/textfiles.com/piracy/CRACKING/howtocp2 
@@ -0,0 +1,73 @@ + +---------------------------------------------------+ + + IBM Disk Cracking Made Simple + + + + + + By + + + Phobos + + + of the Lunatic Phringe BBS + + + 312-965-3677 300/1200 Baud + + +---------------------------------------------------+ + + This File is for Informational Purrposes only. The author + or the system operator of any bbs on which this might appear is not + responsible for the actions of others reading this file and maybe + using the information presented here. They have their own brains and + they can think for themselves, so there!! + + + This describes how to take games that are full disks (usually + the ones you get in a store) and turn them into a transferrable file. + You can change the disk into a file and archive it for later use, like + in case you blow the original disk or something like that. There are + basically two types of files that you canb turn the full disk game + into. There are files ending with .CP2 and .DSK We will first + discuss the CP2 files. + + CP2 Files + ---------------- + + You can create a CP2 file from a full disk game by using a + program called Snatchit.com and CopyIIpc.exe. You have to put the + game disk in drive a, and place Snatchit and CopyIIpc in the same + subdirectory on a hard drive. (If you have not got a hard drive, + you can use a RAM drive program.) You run the Snatchit program + and when it asks to read a Source File, or a Source Disk, you type + in a Source Disk. The program will then Read the disk, and turn it + into a file (You chose the name) ending in .CP2, and place it on + the hard drive. (Or on the RAM drive). + + You can then Archive the file and do with it what you want. + To change a .CP2 file, back into a full disk game, you place a blank + disk in drive a, and the .CP2 file, Snatchit, and Copyiipc on the + hard drive in the same directory (Or in the RAM drive). You run + the snatchit program, and type F where it says sourse file or + disk. (you are reading a source file). 
It will then read the file + and place it on the disk. When you re boot the disk, the game will + start. + + DSK Files + ----------------- + DSK files are created in much the same way as CP2 files, except + you use a program called Disksq to change the full disk game into a + file and diskunsq to change the file into a full disk game. There is + no copy program needed for disk squishing and unsquishing. Running + the programs gives complete instrictions. Depending on the program + size, you may or may not need a hard drive. But a hard drive is + always a good idea. + + CONCLUSION + ------------------- + Both type of files are easy to obtain. It seems to me that creating + the CP2 files is fatser then the DSK files. The Snatchit program along + with CopyIIpc will take care of almost any kind of full disk you may + encounter. These are very good Cracking programs and They have always + served me well. One thing is kind of strange, when you snatch a file + off of a copyrighted disk, it sometimes comes up to be around 400k, + even though the disk is only has 360 k storage space on it. This is + why a Hard drive is a good idea. You don't have to worry about running + out of space. + + Snatchit, Copyiipc, and the Disk Squishing programs are + avaliable on the Lunatic Phringe BBS at 312-965-3677. 300/1200 Baud. + Both Diskunsq and Disksq are Archived into one file for ease of + downloading. I hope this has been of help to you. + diff --git a/textfiles.com/piracy/CRACKING/howtocrk.txt b/textfiles.com/piracy/CRACKING/howtocrk.txt new file mode 100644 index 00000000..a026d0d6 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/howtocrk.txt 
@@ -0,0 +1,9216 @@ +HOW TO CRACK, by +ORC, A TUTORIAL + +-------------------------------------------------------------- + +(Htocrk10.txt) Lesson 1: an approach + +(Htocrk20.txt) Lesson 2: tools and tricks of the trade + +(Htocrk31.txt) Lesson 3.1: hands on, paper protections (1) + +(Htocrk32.txt) Lesson 3.2: hands on, paper protections (2) + +(Htocrk51.txt) Lesson 5.1: disk & CD-Rom access (basics) + +(Htocrk61.txt) Lesson 6.1: funny tricks + +(Htocrk81.txt) Lesson 8.1: how to crack Windows, an approach + +(Htocrk82.txt) Lesson 8.2: how to crack Windows, a deeper approach + +(Htocrk91.txt) Lesson 9.1: how to crack Windows, hands on + +(Htocrka1.txt) Lesson A.1: advanced cracking: internet cracking (Unix) + +(Htocrkc1.txt) Lesson C.1: how to crack, cracking as an art + +(Htocrkc2.txt) Lesson C.2: how to crack, cracking as an art HOW TO CRACK, by +ORC, A TUTORIAL + +--------------------------------------------------------------------------- + + Lesson 1: an approach + +--------------------------------------------------------------------------- + + [Pooldemo.exe] + + -------------------------------------- + + The best way to learn cracking (i.e. understanding, broadly + +individuating, locating exactly and eliminating or suspending or + +deferring one or more protection schemes inside a software + +application you do not possess the source code of) is to begin + +your tampering experiments using OLDER applications which have + +OLDER protection schemes. + + In this way you 'll quickly grasp the base techniques of the + +trade. Do not forget that the evolution of the protection schemes + +has not been a one way road... strictly speaking it's not even + +an evolution: you'll eventually find some very clever new tricks, + +but most of the time you 'll unearth only various trite + +repetitions of past (and well known) tricks. 
This is no wonder: + +the REAL knowledge of the "commercial" programmers themselves + +(the "protectionists") is often very limited indeed: they are + +inclined to use the old methods (albeit somehow changed, + +sometimes even improved) instead of conceiving new methods. This + +typical "commercial" degeneration happens every time people act + +for money instead of doing things for the sake of it or for + +pleasure. This "commercial" trend is blindly encouraged by the + +stupid, money-oriented society we are coerced to live in. + + So I'll begin the "hands on" part (-> starting from lesson + +3), using as examples, some "old" applications and some "old" + +tricks. We'll be able to come later over to the newest protection + +schemes in order to understand them, and you 'll learn how to + +defeat this kind of junk too. I'll also explain WHERE you can + +find a lot of programs to crack for next to no money at all, and + +HOW 'grossomodo', you should proceed in your work. + + This tutorial is for people who are getting started with + +cracking. Maybe you are just contemplating doing some cracking, + +maybe you have tried it with mixed success. If you are here to + +get aimed in the right direction, to get off to a good start with + +the cracking tricks and procedures, then you have come for the + +right reason. I can't promise you'll get what you want, but I'll + +do my best. On the other hand, if you have already turned out + +some working cracking code in assembler and already cracked many + +different protection schemes, then this tutorial is likely to be + +on the elementary side for you. (If you want to review a few + +basics and have no where else pressing to go, then by all means + +stay). 
+ + In order to crack successfully you need four basic things: + +* A passing knowledge of assembler language (the more you + + know, the better and quicker you crack) + +* Some intuition + +* Some help from more experienced cracker + +* A non mercantile mind (more about this later) + +The applications you'll use to learn with can be divided into: + +1 - Password crippled applications (the easiest to crack) + +2 - applications crippled on how many times, or how many + + days, you use them (fairly easy to crack) + +3 - applications crippled on which date you use them before + + (easy to crack) + +4 - applications that have some functions present but + + disabled (sometimes easy, sometimes difficult) + +5 - applications crippled on Disk access (protections schemes + + that are now defined as "obsolete") and applications + +crippled on + + CD-ROM presence (more or less the same methods, but - + + somehow- not defined as "obsolete") (very easy to crack) + +6 - CRYPTOGRAFED ADDS ON (i.e. one of the previous protection + + schemes, but with some scrambled or self modifying code + + (XORring and SHRLing codes) (fairly easy to crack) + +7 - None of the above (sometimes difficult to crack) + +WHERE TO GET THE STUFF + + The recent widespread appearance of "Demo"-CDROM on magazine + +covers is a treasure for all crackers! A short time after their + +release you 'll get all the copies that remain unsold for next + +to free. The demos on CD-ROMs will permit you to gather quickly + +a lot of applications -old and new- that have somehow been + +crippled (at times with interesting schemes). Truly a wonderful + +world of cracking possibilities! Gee! For next to no money you + +can secure on one CDROM the whole of LOTUS applications (or + +Microsoft or Wordperfect, or you name them) on "trial for 30 + +days" or "try it 20 times" editions. 
You'll really enjoy to crack + +them, to use them for ever and ever and/or graciously donate them + +on the Web to the poor lamers that have no money and no brain. + + GAMES are definitely not to be frowned upon! They are + +very interesting from a cracker prospective coz they are often + +"overprotected". With this I mean that they possess protection + +schemes of a relatively HIGH level hidden inside files that are + +relatively small. Now, see, it is much more easy, and simple, to + +track down and eliminate protection schemes inside a single + +35.000 bytes long executable file than to locate them inside a + +collection of many lengthy DLLs and overlaids that could have + +swollen as long as 2.000.000 bytes each. The lazy bunch of + +"modern" programmers relies systematically for protection schemes + +on this "hide the sting in the wide desert" logic. As a matter + +of fact they are no longer able to program in assembler: they + +bank more and more on overbloated "fatty" atrocities like Visual + +Basic, Delphy or Visual C++. (Don't worry... I'll nevertheless + +teach you how to crack -and quickly- those huge applications + +too). + + There is another reason for employing games instead of + +applications as study material: often EXACTLY THE SAME protection + +schemes that you find in a simple (and short) shareware game will + +be used -without much improving- a little later in order to + +"protect" some huge and extremely expensive graphic application. + + For this reason in my tutorial we'll often crack games + +protection schemes, even if we'll later apply what we learn + +mainly in order to crack the protection schemes of commercial + +applications, or to crack the access protection routines to + +remote servers, or BBS, or even ATM (cash dispensers). + + Here follows an example cracking session, that will show you + +-I hope- the dos and donts of our art: let's crack together as + +introductory example a time crippled application. 
We'll learn + +later (-> LESSON 4) that all applications that are crippled on + +time (i.e. "how many times" you use them or "how long" you use + +them) rely on analogous protection schemes (albeit with a huge + +palette of small variations): + +1- they may have a counter which "clicks" every so often: FIND + + IT AND DISABLE IT! + +2- they may fetch the time_clock interrupts in your machine: + + INTERCEPT THEM YOURSELF! + +3- they may compare a random_seed with a variable: NOOP IT! + +4- they may check randomly the date of your other, unrelated, + + files on the hard disk: find this verification routine and + + INVERT the JUMPS! + +I wanted to start with a modern example of this "counter clicks" + +protection type, just to give you a feeling for cracking, and I + +have chosen a widely published demo: you should be able to find + +it pretty easily. In order to show you some of the problems you + +may encounter we'll crack this example "wrongly" (you'll learn + +how to crack effectively in the "HANDS ON" lessons). + + EXAMPLE: ARCADE POOL, Demonstration version, PC Conversion + +by East Point Software Ltd, (c) Team 17 Software Ltd 1994. This + +demo has been published by many magazines on their CDRom covers + +throughout 1995. + + What follows will be useful even if you do not have our + +example; nevertheless you should get a copy of this widespread + +demo in order to better grasp some of the following points. + + This nice demo of a billiard game is time-crippled. It is + +crippled on how long you use it: i.e., you can only play 2 + +minutes, afterwards a "nag" reminder of where and how you can buy + +the real version snaps: protectionist squalor at its best. + + So, how do you proceed? Where does the beginning begin? + +Here is what you could (but not necessarily should) do: + + Get [Soft-ice] and load it in your config.sys. See the TOOLS + +OF THE TRADE lesson (-> LESSON 2) about this debugger. 
Version + +2.6 of [Soft-Ice] has been cracked by MARQUIS DE SOIREE and can + +be found on the Web for free. + +- vecs s (save all the vectors before loading the babe) + +- start [pooldemo.exe] + +- vecs c (vector compare, save a printing of all hooked + + vectors) + +- enter and leave Soft-ice a few times to understand what's + + going on and where in [pooldemo.exe] are we roaming around + + (you should always check MORE THAN ONCE your findings when + + you snoop around: nothing moves and confuses pointers in a + + more frenzied way than good old "inactive" DOS). + +- have a good look at the map of memory usage ("map") + +- now "snap_save" the main memory regions where + + [pooldemo.exe] dwells... snapping saves "photographs" of + + memory areas. + +- do not do anything, let just the seconds go by. + +- "snap_compare" every two or three seconds without moving + + anything at all on the game board (no mouse_clicking, + + NOTHING), so that the only changes are (hopefully) the + + changes caused by the time counters. + +- snap_compare twice in a second. + +- snap_compare at second 00:59 and at second 1:01. + +- snap_compare just before and just after the time limit and + + the snapping of the nag screen. + +- Now collect carefully your printed "snaps" data: write + + clearly on the various sheets the occurrences of the snaps. + +- now comes the graceful "zen-cracking" moment: Sit down with + + a dry Martini and Wodka (obviously only russian Wodka will + + do) and contemplate the printing of the various mutant + + locations. Feel, perceive, empathize! Look closely at the + + locations that have changed in the snap compares. Analyze, + + interpretate, evaluate. + +- Mmm! Hey! Something fishy is changing there, and there, and + + there! (you are lucky, few do actually change in this case: + + only two dozen) + +- breakpoint on execute at the location that you believe act + + as a "continuous" counter, i.e. 
the location that triggers + + the "a second went by" event when it zeroes. + +- Now set the occurrence counter of BPX in order to break at + + the moment where the location "refills" and restarts from + + the beginning (the equivalent of "one second" went by, + + let's start anew). Use the occurrence counter in order not + + to single-step through the program your life long! + +- IN THIS CASE you 'll quickly locate the refill at location + + 3DD0. Here follows the "refill" line: + + xxxx:3DCC C706F1013C00 MOV WORD PTR [01F1], 003C + +The "3C" byte at xxxx:3DD0 represents a counter_byte... i.e. the + +program "charges" 3C in this location and then DECs it step by + +step to 3B, 3A, 39, 38 etc... till 0. When it reaches 0: bingo! + +Sucker user has lost one second more of his precious two minutes. + + Now, you would get a first wizard level if you searched + +further on for the exact point where you get the "nag screen" in + +order to eliminate the whole witless protection, but you may + +think you got it already and you remember anyway that the first + +principle in cracking is the following: "once you can eliminate + +the effects of a protection, do not look further!" + + Most of the time this is true: you do not always need to + +eliminate a "whole" protection scheme (unless you are just + +studying it for the joy of it). It's normally easier (and + +quicker) to eliminate the "effects" of a given protection scheme. + +Unfortunately this is not true in this case. + + Here you believe that you have already found the way: you + +got the counter that charges the reverse clock that triggers the + +particular protection scheme of [pooldemo.exe]. Now you may think + +that if you could modify the refill_value... say changing "3C" + +to "EE" (Yeah, the maximum would be FF... but it's always good + +practice to avoid such extreme values when cracking) you should + +get four times more playtime for your game... 
more than enough + +in order to make the protection scheme useless. + + So you change location xxxx:3DD0 from "3C" to "EE". To work + +on bytes you should use a good Hexeditor like PSEDIT (Parity + +solutions, [Psedit.exe], brilliant shareware: see the "tool of + +the trade" section) but you could also work with simpler + +debuggers like [debug] or [symdeb] (-> see lesson 2). If you do, + +remember to work on a "dead" copy of your crippled [*.exe] file, + +i.e.: + + ren POOLDEMO.EXE POOLDEMO.DED + + symdeb POOLDEMO.DED + + -s (cs+0000):0 Lffff C7 06 F1 01 C3 <- this string + + corresponds to the + + refill line). + + cs:3E85 <- symdeb gives you two locations as answer + + cs:3EEA + + -e cs:3E85+4 EE <- refill changed from C3 to EE + + -w + + ren POOLDEMO.DED POOLDEMO.EXE + +Now you run your tampered pooldemo. You think you cracked it, you + +glee with satisfaction... but loo! Nothing at all has changed, + +everything's as lame as before, you still have only 2 minutes + +playtime. How disappointing: how comez it didn't work? + + Well, for a start you have not been attentive enough! The + +search in debug gave you TWO locations, you moron, and not just + +the one you just tampered with. Check and you 'll see that the + +second location (cs:3EEA) is a MIRROR/CONTROL location (more on + +this later). Some times there exist "double" locations... coz at + +times it's quicker to use a double routine than to use a + +branching if or switch structure... some times the second + +locations do mirror the first ones and correct them on the fly + +if need be. + + So you need to modify this too... you act as said above but + +this time you enter in debug a + + -e cs:3EEA+4 EE + +before writing back the dead file and then renaming it to exe and + +then running it... and loo! Hoow sloow! THERE YOU ARE! 
Your + +crippled POOLDEMO.EXE is now (sort of) unprotected: You think + +that you can now play the stupid game up to 12 minutes real time, + +even if the protection scheme (and the counter) "believes" that + +it is playing only two minutes. + + So you begin to play, and the seconds look veeery sloow, and + +everything seems OK, but -alas- NO! At screen second 28 you get + +the irritating "two minutes are over" nag screen! Obviously you + +were dead wrong: the program "knows" the time directly from the + +timer... you only modified the stupid counter ON THE SCREEN. + + So it's back to cracking, and now you are angry, and forget + +the quiet ways of the zen-analyze and begin the heavy cracking + +you should reserve -if ever- for really complicated schemes. You + +now start to check the hooked vectors (you did your routinely + +VECS_save before loading pooldemo in [Soft-ice] and your + +VECS_compare afterwards) and you see some findings that you + +believe interesting: + + vecs c + + 08 1EFD:84C6 0CD1:17AC <- the clock + + 09 1EFD:85EC 136A:069C <- the keyboard + + 22 0BCE:02B1 0BCE:017E <- the terminate + + That's more like it -you think. Smack at the beginning: the + +first hooked vector does it! It's good old interrupt_08: the + +timer_clicker! + + Some basics for those of you that do not know anything: + +INT_08 controls indirectly the INT_1C timer interrupt. The 8253 + +clock chip generates an IRQ_0 hardware interrupt at a rate of + +18.2 interrupts per second. This gives control to the ISR + +(Interrupt Service Routine) that the INT_08 points to... and this + +should be at 0CD1:17AC, but has been hooked here, by pooldemo, + +to 1EFD:84C6. + + One of the actions taken by the INT_08 ISR within the BIOS + +is to issue a software interrupt call to INT_1C, just in case any + +software modules within the system have established an intercept. 
+ +If no intercepts have been established, the default contents of + +the INT_1C vector point to an iret instruction within the BIOS, + +so that a null action results. + + Normally a protectionist would intercept INT_1C, coz at + +every ISR from INT_08 the CPU would fetch the contents of the + +corresponding interrupt vector and make an interrupt style call + +to the code at that address (which should contain the iret at + +address F000:9876 but can contain any trick they could think of). + + So -you think- the protectionist hooked here INT_08 directly + +(a pretty infrequently used protection scheme by the way): What + +now? + + A rather drastic measure would be, in such circumstances, + +to + +disable the IRQ_0 level timer interrupt, which is controlled by + +bit 0 of the mask register, at address I/O 0021h. When bit 0 + +within the mask register is set to 1, no further interrupts will + +be recognized for this IRQ level. This unfortunately won't work + +here, but it's an interesting technique per se, so you better + +learn it anyway, just in case you should need it elsewhere: + +--- Trick to disable the timer ("IRQ_0 masking" by +ORC) --- + +* prompt $t and hit ENTER a few times, see how the dos_clock + + is merrily ticking along? + +* enter DEBUG.COM + +* Assemble using the command 'a' + +- a + +in al,21 + +or al,1 + +out 21,al + +ret + +RETURN + +RETURN <- twice to exit immediate assembler + +- g 100 <- to run the tiny program. + +- q <- to quit debug. + +prompt $t is still on: hit ENTER a few times: + +whoa! The clock has stopped advancing! + + Compliments: you loaded the current mask register's contents + +into AL, you set the mask bit in the bit 0 position (which + +corresponds to IRQ_0) at then updated the value back to the mask + +register. 
+ +When you are ready to activate IRQ_0 events again, reenter DEBUG, + +run the following and then reset the clock you stopped with DOS + +TIME command: + +- a + +in al,21 + +and al,fe + +out 21,al + +ret + +RETURN twice + +- g 100 + +- q + +A word of caution: with the timer click disabled some processes + +will not operate correctly: once you access the diskette drive, + +the motor will continue to run indefinitely afterwards, etcetera. + +------------------------------------------------------- + + Unfortunately the above technique cannot work with our + +[pooldemo.exe], where you now are looking closely to the INT_08 + +hook you found, believing that it hides the protection scheme: + +herein you find immediately the EoI (End_of_interrupt: MOV + +AL,20h... OUT 20h,AL). Both controllers have a second port + +address at 20h (or 0a0h), from which the instructions are given. + +The most important is the EoI command (20h). This instruction + +indicates the end of the interrupt handler and frees up the + +corresponding controller for the next interrupt. If somebody + +writes a new custom interrupt handler (as many protectionists + +do), it's up to him to see to it that at the end of the handler + +the EoI command (20h) is written to either port 20h or port 0a0h. + + After the EoI follow the usual pushes, then some CALLS then + +a call that issues some OUT 40,AL that look like timer refreshing + +(OUT transfers data to an output port and ports 40-42 correspond + +to the Timer/counter). Some do_maintenance follows, then a double + +CALL, one more conditional CALL and then a "mysterious" call FAR + +CS:[AA91] on which depends a byte PTR[970C] that decides another + +final CALL... then the routine pops all registers and irets away. + + Ah! 
You say, and begin disassembling, reverse engineering + +and looking inside each suspect call (the quicker method in + +these cases is to breakpoint calls on entrance and see if you + +find the one that's only called at the awakening of the time + +limit protection). + + You work, and work, and work... and eventually find nothing + +at all, coz the protection of this program is NOT HERE! + + Back to the zen-analyze of the snap printings... we forsake + +it too soon, as you will see. + + If you watch with more attention the compare locations for + +the range DS:0 DS:FFFF you 'll notice that one of them changes + +relatively slowly from 0 to 1 to 2 to 3 and so on... the + +precedent location changes very quickly, and runs the complete + +cycle 0...FF. That's a counter, at locations DS:0009 and DS:000A! + +How long will it tick along? Well, we saw above that the "charge" + +every second is 3C, so it will be x3C*x78=x1C20, coz x78 is 120 + +seconds, i.e. the two minutes time limit. + + Now search this 1C20 value around inside the code + +(protections are most of the time at the beginning of the + +CS:offset section), and you 'll find quickly what follows: + +The protection in [pooldemo.exe] is at code_locations + +CS:0A8A 813E20A7201C CMP WORD PTR [A720], 1C20 + + compare location A720 with limit 1C20 + +CS:0A90 7C07 JL okay_play_a_little_more + +CS:0A92 E834FD CALL beggar_off_time_is_up + + BINGO!: FOUND! 
+ +Now let's quickly crack it: + +------------------------------------------------ + +CRACKING POOLDEMO.EXE (by +ORC, January 1996) + +ren pooldemo.exe pooldemo.ded + +symdeb pooldemo.ded + +- s cs:0 Lffff 81 3E 20 A7 20 1C + +xxxx:yyyy <- this is the answer of the debugger + +- e xxxx:yyyy+5 4C <- this time limit is much better + +- w + +- q + +ren pooldemo.ded pooldemo.exe + +------------------------------------------------- + + We have done here a "weak" crack: we limited ourselves to + +accept a (better) time limit, changing it from 1C20 to 4C20 (4 + +minutes instead of two). We could obviously have done a more + +radical crack if we had changed the JL (jump lower) instruction + +in a JMP (jump anyway) instruction. In this case it would have + +worked, but for reasons that will be explained in lesson 4, you + +should choose a rather delicate approach in cracking when you + +deal with time-limit protection schemes. + + As you have seen, in this artificial cracking session we + +found the protection scheme after a little snooping around. But, + +as you will see in the hands on part, there are always MANY ways + +to crack a single protection scheme. You could -for instance- + +have found this protection the other way round: set a trace on + +memory range for the program, restricting the trace to the first + +part of it (say CS:0 to CS:1000, if you do not fetch anything you + +can always try the other blocks). Breakpoint at the nag screen, + +have a look at the last 300-400 backtraced instructions, if you + +did not move anything, everything will follow a repetitive + +pattern, until the protection snaps on: + + ... + + JL 0A99 + + CMP BYTE PTR [A72A],01 + + ... + + JL 0A99 + + CMP BYTE PTR [A72A],01 + + ... + + for ages and ages and then... + + ... + + JL 0A99 + +E834FD CALL 0759 <- BINGO! (CALL beggar_off_time_is_up) + +... there it is, found the other way round. 
(But this apparently + +better method is unfortunately very unstable: it depends on your + +timing of the breaking in and on the distance between protection + +and nag screen, therefore the somehow more complicated, but more + +sure previous one should be favoured). + + The reason why "minimal" approaches in cracking are often + +more successful than heavy vector_cracking, is that the programs + +are hardly ever "overprotected", and therefore the protections + +are seldom difficult to find (and those that are really worth + +cracking for study reasons). + + Sometime you don't even need to crack anything at all! Some + +applications are fully functional -per se-, but have been + +crippled in a hurry in order to release them as demos. The + +commercial programmers want only money, do not even try to + +understand our zen ways, and do not care at all for a well done + +job. That means, among other things, that the hard disk of the + +user will be cluttered with files that the main program module + +never calls. A typical example of this sloppy method is the demo + +of [Panzer General] from SSI that appeared in the summer '95. + +This was in reality no less than the complete beta version of the + +game: you just had to substitute to one of the two "allowed" + +scenarios one of the 20 or more scenarios of the beta version in + +order to play them freely... you didn't ever need to crack! + + The pooldemo crack example above should not discourage you + +from cracking intuitively. Be careful! Perform a thoroughly + +zen_analyze before attempting deeper methods: do remember that + +you want to crack the protection scheme SOMEHOW, and not + +necessarily following the same line of thought that the + +programmer eventually WANTED YOU TO CRACK IT with. + +Well, that's it for this lesson, reader. Not all lessons of my + +tutorial are on the Web. 
+ + You 'll obtain the missing lessons IF AND ONLY IF you mail + +me back (via anon.penet.fi) with some tricks of the trade I may + +not know that YOU discovered. Mostly I'll actually know them + +already, but if they are really new you'll be given full credit, + +and even if they are not, should I judge that you "rediscovered" + +them with your work, or that you actually did good work on them, + +I'll send you the remaining lessons nevertheless. Your + +suggestions and critics on the whole crap I wrote are also + +welcomed. + + E-mail +ORC + + +ORC an526164@anon.penet.fi + HOW TO CRACK, by +ORC, A TUTORIAL + +--------------------------------------------------------------------------- + + Lesson 2: tools and tricks of the trade + +--------------------------------------------------------------------------- + + [INDY.EXE] + + -------------------------------------- + +LOST IN THE DARK CODEWOODS + + When you break into a program you end up in portions of code + +that are unfamiliar to you. It is also not uncommon for the + +breakpoints to occur outside of the confines of the program you + +want to crack. Getting your bearings is, in these cases, very + +important. + + One of the handiest utilities is the memory dump tool -it + +tells you where all the device drivers and TSR are loaded, in + +which memory locations the program you are cracking dwells, how + +much memory is left and what the next program load point is. The + +tools you use should report on the following: + +- the contents of interrupt vectors + +- the state of the BIOS data area, beginning at address 40:0 + +- internal structures within DOS, such as the MCB chain, the + + SFT (System File Table) chain, the chain of installed + + device drivers, the PSPs and memory allocations associated + + with installed TSRs + +- memory allocation statistic from XMS and EMS drivers + + When seeking to understand a section of foreign code, you + +must be especially careful to seek the real intent of the code. 
+ +Consider using a profiler prior to undertaking an analysis of an + +unfamiliar program. This will help you by ensuring that you don't + +waste time studying sections of the program that aren't even + +involved in the protection scheme you are chasing down. + + Using a utility that charts a program's calling hierarchy + +can give you an important perspective on how your babe conducts + +its internal operations. + +YOUR DEBUGGER: YOUR FAVOURITE TOOL + + First and foremost, your debugger must be designed for use + +with resident modules (or must be itself a resident module). + +Trying to crack with simplistic [debug.com] is a sure way to get + +absolutely nowhere. We recommend Softice.exe from Nu-Mega + +technologies (Version 2.6 [S-Ice.exe] has been cracked by MARQUIS + +DE SOIREE and its vastly available on the Web). You could also + +use [Periscope] or [Codeview] or Borland's Turbodebugger... all + +these programs have been boldly cracked and/or distributed and + +are now on the Web for free... learn how to use YAHOO and find + +them. In emergency cases you could fix some quick crack using + +[debug] or [symdeb], but, as said above, most of the time these + +older debuggers won't do. I'll nevertheless ALWAYS give the final + +crack procedure for [debug.com], in order to permit even lusers + +to crack programs. + + When you first smell a protection, it can be tempting to + +immediately begin your crack using invasive types of techniques. + +While there is certainly nothing wrong with this approach, + +provided that you are fairly familiar with the protection scheme + +used, going in too deep too soon can be a problem when you don't + +have a strong hunch. Most of the time you'll end up missing + +important details. So first of all sit down and ponder... that's + +the zen-way, the only one that really works. + + Single-stepping is expensive, not only because of the time + +it requires but also because of the amount of detail with which + +you must contend. 
Your immediate goal is to home in on the + +protection scheme through a series of successively refined traps, + +your broader aim is to get an overview idea of the program's + +action... the wise use of breakpoints will condense these + +minutiae into an understandable form. + + The first step is to try to identify the section of the + +program where the protection scheme is snapping. + + Once you are able to isolate a certain section of a program, + +breakpoints can be used to gather a trace history of the + +program's execution. If your debugger sports a backtrace buffer, + +logging window, or similar feature, by all means learn how to use + +it. The debugger it's your best weapon, you must know all the + +possibilities it offers and all the capabilities it possesses. + +Having a debugger's display output echoed to a printer is another + +possibility. + + Using breakpoints is beneficial for two basic reasons: speed + +and reduction of detail. Manual single-stepping is invaluable + +when you are close to the protection scheme, but too much of it + +will bore you to death. + + When selecting breakpoint locations and the types of + +breakpoint to use, it is important to step back once more, drink + +a cool Martini-Wodka (use only Moskovskaja: non-russian Wodkas + +are appalling) and ask yourself: "What is this going to tell me?" + +and "What else will I need to know once the break occurs?". MOST + +IMPORTANT OF ALL: "Is my current cracking approach the simplest + +and most direct?", coz you do not want to waste precious cracking + +time. + + When devising a set of breakpoints it is wise to consider + +how "a trail of bread crumbs" can be left. Not allowing for an + +execution chronicle from the start can mean having to restart a + +cracking session. + + Setting breakpoints on certain software interrupt calls is + +an excellent way to get an overview of a program's operations. 
+ +The INT_21 DOS services interrupt is probably the most universal + +useful of these, with BIOS interrupts such as the INT_13 (BIOS + +Disk services) and INT_16 (BIOS keyboard services) useful for + +specific cracking. + + When working with a debugger, evaluative breakpoints are + +usually your best shot. To avoid having to deal with a plethora + +of calls, you would want to have a debugger capable of being told + +to "break on any INT_21 call except where AH == 2C or AH == 0B". + + A real understanding of the working of a program is surely + +important, but don't overdo it! To reverse-engineer even a small + +program can involve many hours of analysis and documentation + +work. If you'll not be able to use the zen-cracking techniques + +described in this tutorial (sadly not everybody can) pace + +yourself and make sure your chair is comfortable: you'll be + +sitting for quite a spell. + + Much of the work involved in reverse-engineering consist of + +chasing down tentacles. In order to understand the operations of + +one function, you must understand what happens within each of the + +functions it calls- its child functions. To understand these + +child functions you must study their children; and so on down the + +calling hierarchy tree. Then there is the data. Tracing tentacles + +based on a program's calling hierarchy is a directed process. + +Each function you encounter is basically a list of other + +functions you must reckon with. When it comes to analyzing a + +function's interrelationship with the program's data structure, + +no such list is provided. You must have instinct, feeling and + +luck. + + Data analysis requires more of a broad-based inquisition. + +For each memory variable you are interested in, you must survey + +all functions to determine which ones read and write that + +variable. The use of memory conditional breakpoints and of a + +disassembler that builds a cross-reference table can make this + +task a lot easier. (Use Sourcer! 
It's a fairly good tool and + +version 4.08 of [sr.exe] has been long ago cracked and + +distributed on the Web). + +ALL SYSTEM CALLS IN ONE LOCATION + + Remember that if the program you are cracking was written + +in assembler in the first place (very unlikely knowing the + +laziness of to_days programmers), system calls are probably made + +directly from the functions which need them. But when a program + +is developed in a high-level language, it is more likely that + +common library functions will be used for many operations + +involving system calls. When a program makes all of its INT_21 + +calls from the same location, you know that this is certainly the + +case. + + Now, what happens sometimes is that the programmers write + +the whole application in a overbloated language like C++, but are + +afterwards compelled to "speed up" critical sections of the code + +writing them in assembler. And loo! A section where you + +repeatedly find assembler crafted patches is precisely the + +protection scheme! So you could have a program with all INT_21 + +calls from the same location but for one or two calls which are + +coming out of the section where the morons have "hidden" their + +protection strategy. By just "looking" at the dead code of a + +program, you should be capable to tell wich parts have been + +"added on" in a later phase. They presents themselves as + +unevenness and irregularities, especially if you use an utility + +that represents graphicallly the code of a program. Protections + +are often added on at the end of the development. + + Should you determine that the system calls relevant to your + +cracking are made from common library functions, all is not lost. + +The specific function from which these library calls were made, + +the function you are seeking to locate, is executing at some + +point in between these calls. Break in with your debugger at the + +end of the first system call, just where it is returning to the + +point of call. 
From there, trace through the remainder of the + +common library routine until it returns to its caller. In short + +order, you should find yourself in the function you need to see. + +The trick is to be able to identify it for what it is. + +ASCIIZ IN CODE + + In the interest of gaining an overall familiarity with the + +program you want to crack, it can be enlightening to use a hex + +dump utility to examine the message strings contained within the + +program's binary modules. If the program happens to load its + +message strings from separate files, your search has just been + +simplified. + + Your debugger's memory-dumping feature is one tool that can + +be useful for this type of exploration. You could also construct + +a filtering program, which would read a binary file and output + +all sequences of bytes that are comprised of displayable + +characters and are over a certain minimum length (the best + +cracker tools are often the ones you write yourself). + + When a protection scheme is marked by the issuance of a + +specific message on the screen, you could go into the program and + +locate the code that emits this message, and then determine what + +triggers it. A good way to start the location process is to see + +if a system call is used to display the string. Interrupt INT_21, + +INT_10 or INT_29 are usually used to display text messages to the + +console. + + When the message's display is not a result of one of these + +system calls, direct video writing is probably being used. If you + +know the screen location used, and if that part of video memory + +is not used for anything else at the time (a big if), a memory + +write breakpoint could be set on the video buffer address + +corresponding to the first character's position. If this won't + +work, use the step-over/step-around tracing technique while + +watching for the message to appear. 
+ + Now you found it: from a disassembled listing, you locate + +the address of the message string and then survey the reminder + +of the file for any instructions that reference this address. + +[Sourcer] can generate labels for specific memory locations and + +a cross-reference table showing where these labelled locations + +are referenced. Otherwise, load the disassembled listing file + +into your editor and use its search capabilities. Manually + +searching for such things in a listing will make you old before + +your time. + +CODE AND DATA + + When stepping through code at the assembler level, watch out + +for interrupt calls that are followed by data. Sometimes you will + +find an interrupt call, typically within the range INT_34 to + +INT_3F, where several bytes immediately following the interrupt + +instruction will be data rather than code. + + Be especially suspicious of this type of code-and-data + +mixture when your debugger's disassembly output of the + +instructions immediately following an interrupt call doesn't make + +sense. Sometimes you can determine the offset of the next true + +instruction by inspecting the following code and data. In other + +cases, you will have to trace through the interrupt call to see + +how it accesses the data following the interrupt call instruction + +and how it manipulates the return address on the stack. + +HOOKED VECTORS + + Seeing what interrupt intercepts already exist within a + +system before running the program you want to crack, as well as + +what interrupt handlers are established by the target program, + +can provide useful clues. For example, if a protection + +establishes an INT_09 intercept just before the snapping of a + +keyboard verification routine, your range of suspects has just + +been narrowed significantly. + + To study the interrupt vector activities of an application, + +a vector dump map utility is useless. It can't be run while + +running the application you want to crack. 
One solution is to run + +the program under a debugger and watch for system calls to INT_21 + +functions 25h (set interrupt vector) and 35h (get interrupt + +vector), but in the event that the program reads and writes + +interrupt vectors directly, this method will not give you a + +complete picture. Normally you'll use a spy, trace or "step" + +utility. + + APPLYING A MEMORY WRITE BREAKPOINT TO A SPECIFIC VECTOR OR + +TO THE ENTIRE TABLE is another way to deal with this. + + Note that some sort of direct vector writing must be + +occurring if a vector change is detected between system calls. + + If a vector change is detected during a system call but it + +isn't function 25h of INT_21, suspect that an IRQ handler may be + +effecting the change. + +LITTLE TRICKS OF THE TRADE: + +* determining interrupt vector addresses **************** + + How do you determine the interrupt vector addresses? As + +example let's find the address of the INT_21 interrupt vector. + +Since the interrupt vector table starts at address 0000:0000 + +(easy to remember, isn't it?) and there are four bytes per + +vector, the basic process is to multiply the interrupt number + +four times and use the result at the offset (on segment zero). + +21h + 21h = 42h 42h + 42h = 84h + +The int_21 vector is located at address 0000:0084 + +You could also use a calculator, for instance, the address of + +INT_63 is 63h*4=18ch -> 0000:018C + + + +* address conversion *************************************** + + After a painstaking cracking session, you have finally + +determined that a byte of memory at address 6049:891C is the + +trigger. But when you isolate the offending instruction, you find + +that the address it is generating when the protection occur is + +different, being 6109:7D1C instead! How can this be? + + An 80x86 type CPU, when running in real or VM86 mode, uses + +what is known as segment:offset type addressing. 
One side effect + +of this addressing method is that one physical address can be + +equivalent to many different segment:offset addresses. + + To find the PHYSICAL ADDRESS for a given segment:offset do + +the following: + +- convert the segment portion of the address to a 1-based number + +by multiplying it by 16 (x10)... it's easy: add 0 at the right + +end of the number!... + + 6049 -> 60490 + + 6109 -> 61090 + +now all you have to do is to add this value to the offset value + + 60490+891C -> 68DAC + + 61090+7D1C -> 68DAC <- Got it? + +And the other way round? If you have a physical address, say + +19AC3, and you want to obtain a segment:offset address you must + +first of all decide in which segment you want the address... if, + +say, you choose segment 16CC, you proceed as follows: + + 16CC -> 16CC0 + + 19AC3-16CC0 = 2E03 (offset) + + address for 19AC3 in segment 16CC = 16CC:2E03 + +TOOLS OF THE TRADE + +Before starting this section, for those of you that do not know + +anything, here is the ARCHIE way you get all the program that do + +EXIST on the planet: e-mail following + +1) (address) archie@archie.univ-rennes1.fr + +I use this french archie, but you can get a worldwide list using + +the metacommand "servers" + +2) (text) set search sub <- anywhere in string + + set maxhits 140 <- (100-1000) + + set maxhitspm 15 <- not just 1 file all over + + find stepdos <- search e.g. this file + +Wait two hours, get your post and ftp the file you wanted (and + +YES!, you 'll find also EVERYTHING else for free on the Web). + +You could, instead of using archie, also learn how to use YAHOO. + +[MEMSCAN.EXE] + + One of the most fascinating tools that I have ever seen is + +a (very old) program: MEMSCAN.EXE. + +This program was originally written in 1988 by Scott A. Mebust, + +running in CGA. It's a "visual" utility: it enables you to see + +graphically the 1-meg of PC memory in 8 kbyte chunks. 
It's a + +powerful tool in order to locate quickly bit mapped graphics and + +other 'objects' in memory, like program data tables, stack areas, + +code areas, available RAM, etc. I used this great idea to create + +(in C) my own tools: a "dead_programs scanner" and an ameliorate + +version of Memscan itself. Looking at the VISUAL STRUCTURE of a + +program it's a great help when you'll crack higher levels. + +[TRACKMEM.COM] + + A very good tool by James W.Birdsall, tracks memory usage + +of programs (EMS, XMS, conventional). + +[SCANCODE.COM] + + "THE" scancode lister, by the code_masters from clockwork + +software. The must utility for crackers that do not learn all + +scancodes by heart. + +[MAP.EXE] + + Actually "MAP2", THE memory mapper from the code_masters at + +clockwork software. It's a very good tool and an interesting one + +too, coz you get it with the "Nigel" nag screens. They are not + +difficult to remove (a "passletter" protection scheme, you'll + +learn how to find and remove it from [Map.exe] in LESSON 3.2). + +[FILEDUMP.COM] [HEXDUMP.COM] [TDUMP.EXE] [DUMP.EXE] + + There are hundred of file dump utilities, coz file dumping + +is one of the first exercise they learn you at C-school. + +Hexdump.com is 558 bytes long, Tdump.exe 120.704, pick the one + +you like better or write your own (even better). Filedump.com, + +by Daniel M.O'Brien, 1046 bytes long, it's nice. + +[SPRAY.COM] + + That's a good crack utility indeed! This 1989 program by + +Daniel M.O'Brien gives you a "post-mortem" picture of your + +memory. You redirect it to and study it at ease. It's + +difficult to say how many hours of cracking it did spare me (you + +should study the program, only 252 bytes long, and will have to + +modify it a bit, coz it's pretty primitive, in the original + +version, for instance, the redirection to the printer works only + +if there is NO SPACE between "spray" and ">"). 
+ +[VEXE.EXE] + + A good EXE files analyzer, useful for windows programs too + +(see --> LESSON 7). Some of its functions are present in + +TDUMP.EXE too. This 1991 program by S.Krupa it's sometimes very + +useful. + +[SNOOP UTILITIES --> KGB.EXE INTMON.EXE INTRSPY.EXE etc...] + +[TRACE UTILITIES --> TRACE.EXE STEPDOS.EXE etc...] + + A must to study the "calling hierarchy" of an unknown + +program. KGB.EXE, a 1992 program by Petr Hork could easily be + +the best one, and comes with source code(!). I'll teach you how + +to crack without any of them (you do not need them if you zen- + +crack), but they can nevertheless be very useful in some + +situations. Stepdos.exe, by Mike Parker, is a excellent program: + +a pleasure to crack in order to use it for slightly different + +purposes :=) + + + +[SOURCERING UTILITIES] + + SR.EXE can be used for sourcering unknown programs. It's a + +fairly good sourcering tool. Version 4.08 has been cracked (it's + +a "ORIGINAL NUMBERCODE" protected program) and distributed on the + +Web, so you should easily find it. This said, you should NEVER + +use such a brute force approach, unless you are really desperate: + +I'll teach you how to crack without sourcering (you don't need + +to sourcer if you zen-crack). + + + +[HEXEDITORS] + +Every idiot has written at least one hexeditor, and you can find + +very bad tools everywhere (the SIMTEL collection, on the Web, + +lists at least 35 hexeditors). I suggest you write your own and + +contribute to the flood, or (better) get PSEDIT.EXE, a good 1990 + +program by Gary C. Crider (Parity Solutions, 1903 Pavia Ct. + +Arlington, TX 76006... sometimes even americans can write good + +programs). If you do use it (as you should) disapt the nag screen + +as small exercise in cracking. + +[DEBUGGER] + + Your best friend in cracking, your weapon, your hidecloak... 
+ +I suggest [Softice.exe] from Nu-Mega technologies (Version 2.6 + +has been cracked by MARQUIS DE SOIREE and its vastly available + +on the Web). You could also use [Periscope] or [Codeview] or + +Borland's Turbodebugger... all these programs have been boldly + +cracked and/or distributed and are now on the Web for free... + +learn how to use ARCHIE and YAHOO in order to find them. Your + +debugger is the only tool you 'll REALLY need, believe me. So + +choose your weapon wisely and learn how to use backtrace ranges + +and (FOREMOST!) breakpoint on user written qualifications + +routines. You 'll be able to crack almost EVERYTHING using these + +features in the right way. + + You should get all the programs mentioned above (all the + +programs that EXIST for that matter) for free on the Web. Use + +them, but also modify them recklessly! REMEMBER THAT YOU ARE + +(GOING TO BE) A CRACKER! The first programs you should crack and + +modify are therefore your very tools! So steal the code of the + +best tools you find! Snatch the best routines and change them for + +the better! That's the whole point in cracking: a mission to + +IMPROVE the best accomplishments of humanity's genius :=) + +HOW TO CRACK, ZEN-CRACKING + + You 'll learn, beginning with next lesson, how to crack + +systematically the different protection schemes: paper & password + +protections, time protections, access protections. At the end of + +the "methodolocical" part, you'll be able to deprotect programs, + +but you still wont be a cracker. In order to crack higher you + +must use what I call (lacking a better definition) "zen- + +cracking". I 'll give you right now an example of this, so that + +you know what I'm talking about, but -unless you are already + +capable- you'll have to finish this tutorial part for "normal" + +cracking before attempting this techniques. 
Let's zen-crack + +together a password protection scheme (aka "paper protection", + +coz you need the original manual of the program in order to + +answer). This protection is based on the typing, at the nag + +screen, of the correct sequence of numbers. Our example is a game + +for the reasons explained in lesson 1, but you 'll find the SAME + +protection scheme in the access protection procedure of some old + +Tapestry networks... so do not frown upon games protections. + +INDIANAPOLIS 500, Papyrus software & Electronic Arts, 1989 + +It's a rather widespread program, you should therefore find it + +pretty easily. The nag screen asks for data based on the + +historical performances of race cars... that means that the + +answers will consist in two to three digits. + + Now, the normal way to crack such a program (described in + +-> lesson 3.1) embodyes following steps: + +- snap save program memory areas before typing your answer + +- snap compare after typing, say, "666" + +- search for the sequence 36,36,36 (i.e. 666) + +- breakpoint on memory range for reading + +- look at the program part fetching your data + +- find the snap procedure + +- disable it. + + The above crack it's relatively quick and should be most of + +the time fairly effective, but there is a better way: the "zen + +way", the only one that can really enable you to crack high + +protection schemes. + +- Run the program and break in at the nag screen + +- Answer consist of 2-3 digits? Search for "AC" (i.e. the + +instruction LODSB, load digit of answer in AL) in the area 500 + +bytes BEFORE and 500 bytes AFTER your position. You'll get some + +locations. (In the case of INDY 500 you get 6 such locations). + +- "feel" the locations (that's the tricky part). + +- OK, you already made it! 
Here is the protection strategy: + + 8BBF28A5 MOV DI,[BX+A528]<-- DI points to coded data area + +:compare_loop + + AC LODSB <-- load first digit of answer in AL + + B4FF MOV AH,FF <-- load mask in AH + + 2A25 SUB AH,[DI] <-- sub coded data from mask and get + + real answer + + 47 INC DI <-- ready to get next coded data + + 3AC4 CMP AL,AH <-- user answer = real answer ? + + 751A JNZ beggar_off_coz_false_answer + + 0AC0 OR AL,AL <-- more numbers? + + 75F2 JNZ compare_loop + + 59 POP CX <-- all OK, go on, nice guy + + ... + +And if the protection scheme had been more far away? And if you + +cannot "feel" the right one? And if my grandma had wheels? You'll + +learn it, believe me. + +Now let's quickly crack this crap. + +------------------------------------------------ + +CRACKING INDY.EXE (by +ORC, January 1996) + +ren indy.exe indy.ded + +symdeb indy.ded + +- s (cs+0000):0 Lffff B4 FF 2A 25 47 3A C4 75 1A + +xxxx:yyyy <-- this is the answer of the debugger + +- s (cs+1000):0 Lffff B4 FF 2A 25 47 3A C4 75 1A + +(nothing, but you must be sure there isn't a mirror) + +- e xxxx:yyyy+8 00 <-- "JNZ 1A ahead" changes to "JNZ 0" + +- w + +- q + +ren indy.ded indy.exe + +------------------------------------------------- + +Cracked: you just changed the JNZ beggar_off instruction in a JNZ + +go_ahead_anyway. Nice, isnt'it? + +WHY WE CRACK + + Strange as it may seem, the reasons for cracking are very + +important for the success of our task. We (at least we old + +crackers) crack AGAINST society, and OPPOSING laws and + +conventions. We usually DO NOT crack for money or for other + +"commercial" reasons (just sometimes, and we are expensive: I + +have plenty of money already and my services are VERY expensive + +if you need an aimed deprotection). But in general we don't care + +much for money and -as you can see- I am giving away the basis + +of what I know for free with this tutorial. 
The programs we crack + +should be made free for everybody, even if we spent some of our + +time deprotecting them. We could not care less of the commercial + +value of a given program, not to mention the holy work of the + +ethical programmers... we program ourselves, but only because we + +LIKE it... if somebody does something only in order to gain + +money, he does not deserve anything. It's the mind challenge that + +counts, NEVER the profit! (Even if you can make good use of the + +cracked programs and even if -as I said- there is at times a + +personal profit). + + This is an indispensable attitude! Only a non-mercantile + +mind can leap forward to the "satori" knowledge that you + +desperately need if you want to crack quickly and elegantly huge + +iperbloated monstruosities that somebody else wrote and + +protected, or if you want to gain access to some hidden + +information, data that you would like to snoop but that somebody + +declared "off limits", coz a stupid government, or useless + +industry sector, or money oriented programmer or dirty lobby of + +interest decided it. + + If you do accept the society where we are compelled to live, + +its awfully egoistic way of life and its dirty "profit" values, + +you may eventually learn how to disable some simple protections, + +but you'll never be able to crack in the "right" way. You must + +learn to despise money, governments, televisions, trends, + +opinion-makers, public opinion, newspapers and all this + +preposterous, asinine shit if you want to grasp the noble art, + +coz in order to be emphatic with the code you must be free from + +all trivial and petty conventions, strange as it may sound. So + +you better take a good look around you... you'll find plenty of + +reasons to hate society and act against it, plenty of sparks to + +crackle programs in the right way... Hope all this did not sound + +too cretin. + +Well, that's it for this lesson, reader. Not all lessons of my + +tutorial are on the Web. 
You'll obtain the missing lessons IF AND ONLY IF you mail me back (via anon.penet.fi) with some tricks of the trade I may not know that YOU discovered. Mostly I'll actually know them already, but if they are really new you'll be given full credit, and even if they are not, should I judge that you "rediscovered" them with your work, or that you actually did good work on them, I'll send you the remaining lessons nevertheless. Your suggestions and critics on the whole crap I wrote are also welcomed.

E-mail +ORC
+ORC an526164@anon.penet.fi

HOW TO CRACK, by +ORC, A TUTORIAL
---------------------------------------------------------------------------
Lesson 3.1: hands on, paper protections (1)
---------------------------------------------------------------------------
[UMS.EXE] [LIGHTSPD.EXE] [GENERAL.EXE]
--------------------------------------

SOME PROBLEMS WITH INTEL's INT

The INT instruction is the source of a great deal of the flexibility in the PC architecture, because the ability to get and set interrupt vectors means that system services (including DOS itself) are infinitely extensible, replaceable and MONITORABLE. Yet the INT instruction is also remarkably inflexible in two key ways:
- an interrupt handler DOES NOT KNOW which interrupt number invoked it;
- the INT instruction itself expects an IMMEDIATE operand: you cannot write MOV AX,x21 and then INT AX; you must write INT x21.
That would be very good indeed for us crackers (an immediate INT is trivial to search for: INT x21 is always the two bytes CD 21)... unfortunately many high level language compilers compile interrupt calls into PUSHF and FAR CALL instruction sequences, rather than doing an actual INT. Another method is to PUSH the address of the handler on the stack and RETF to it.
Some protection schemes attempt to disguise interrupt calls, 1) camouflaging the code, 2) putting in substitute interrupt instructions which look harmless and modifying them "on the fly" or 3) replicating whole interrupt routines inside the code. This is particularly frequent in the various "disk access" protection schemes that utilize INT_13 (the "disk" interrupt) and will therefore be thoroughly explained in -> lesson 5.

A LITTLE BASIC ASSEMBLER

In order to understand the protection schemes and to defeat them, you must acquire a passing knowledge of assembler, the "machine language" code. You can find a lot of good, well explained code for free: viruses are one of the best sources for good "tight and tricky" assembler code. You can find the source code of almost all viruses on the web: oddly all the would-be hackers seem to have an aberrant passion for this kind of stuff instead of studying cracking techniques. But there are millions of lines of well explained "commercial" assembler code on the net, just fish it out and study it: the more you know, the better you crack. I'll restrict myself to some observations, sprinkled throughout this tutorial. Let's start with some must_know:

------------------------ STRINGS ----------------------------

The string instructions are quite powerful (and play a great role in password protection schemes). ALL of them have the property that:
1) The source of data is described by the combination DS:SI
2) The destination of data is described by the combination ES:DI
3) As part of the operation, the SI and/or DI register(s) is (are) incremented or decremented (by the operand size, in the direction given by the direction flag) so the operation can be repeated.
------------------------- JUMPS -----------------------------

JZ ero     means what it says (jump if the zero flag is set)
JNZ ero    means what it says
JG reater  means "if the SIGNED difference is positive"
JA bove    means "if the UNSIGNED difference is positive"
JL ess     means "if the SIGNED difference is negative"
JB elow    means "if the UNSIGNED difference is negative"
JC arry    assembles the same as JB (opcode 72); it's a matter of aesthetic choice

CRACKING PASSWORD PROTECTED PROGRAMS

Refer to lesson one in order to understand why we are using games instead of commercial applications as learning material: they offer the same protection used by the more "serious" applications (or BBSs & servers), although inside files that are small enough to be cracked without losing too much time.

A whole series of programs employ copy protection schemes based upon possession of the original manual or instructions. That's obviously not a very big protection -per se- coz everybody nowadays has access to a photocopier, but it's bothering enough to motivate our cracks and -besides- you'll find the same schemes lurking in many other password protected programs.

Usually, at the beginning of the program, a "nag screen" requires a word that the user can find somewhere inside the original manual, something like: "please type in the first word of line 3 of point 3.3.2". Often, in order to avoid mistakes, the program indicates the first letter of the password... the user must therefore only fill in the remaining letters.
Some examples, some cracks:

---------------------------------------------------
UMS (Universal Military Simulator) version 1
by Dr Ezra SIDRAN
(c) 1987 Intergalactic Development
European Union: Rainbird Software
United States: Firebird Software
---------------------------------------------------

This very old EGA program is one of the first I cracked in my youth, and it's very interesting coz it employs a very basic protection scheme (a "PRIMITIVE"! More than 80% of the protection schemes used today (January 1996) are directly derived from one of the 12 primitives).

The nag screen snaps at the beginning and keeps indefinitely asking for your answer; only the use of CTRL+C will bring you out of it, back to DOS. That's a clear sign of older protection schemes: newer schemes let you in for only 3 attempts or even only one, and pop out to the OS if you fail. In UMS, besides, there is no "first letter" aid, a later improvement.

The cracking procedure for password protected programs is, first of all, to find out where the letters that you type in are stored. So examine your memory map, find out where the program dwells in memory, do a snap save of these memory areas and a series of snap compares as you type your password in.

Strangely enough, in the case of UMS, as you type your password there seems to be no difference at all in the memory locations where this program dwells... yet the data must be somewhere... Usually such a situation is a clear sign that a hooked interrupt is used to hide the data.

Checking the hooked vectors you find out the following:
vecs 00, 02, 22 are hooked where needs be
vecs 34-3D are hooked at xxxx:0
vec 3E is hooked at xxxx:00CA

(A caveat: INT 34h to 3Eh are the vectors that the Microsoft and Borland language run-times reserve for 8087 floating-point emulation, so finding them hooked is not in itself the mark of a protection. What it does tell you is which segment the program's run-time library, and the data sitting next to it, lives in.)

Ha! Let's have a closer look at this bizarre 3E hook.
Let's search for some words used in the nag screen and then let's dump the area where we find them (in UMS that will be at 3E_hook address + 7656) and lo! You'll see the content of the nag screen and, immediately afterwards, ALL the passwords "in extenso", i.e. not encoded, not scrambled, nothing at all... THERE THEY ARE (that's a very old protection scheme indeed). You could now, for instance, easily patch all the different passwords to (for instance) "PASS", and this would work... it's a very primitive protection, as we said; nevertheless the use of a hooked vector as hiding place for the protection code is not yet obsolete... we'll find it elsewhere, in many "more modern" programs.

Now let's go deeper and examine the "compare" mechanism: we want to crack, here, not just to patch.

Password protected programs (and access protection routines for servers and BBSs, for that matter) have quite a lot of weak points. The most obvious one (you'll find out the others when you crack at a higher level) is that they MUST compare the password of the user with the original one(s). So you do not need to steal a password, you just need to "hear" the echo of the original one in the memory locations used for the compare, or, and that's more correct, to crack the compare mechanism itself so as to make it let you in even with a totally false password.

The compare mechanism of UMS can be found by setting a breakpoint on the memory range that covers the three locations where the password is stored (and you'll find these with your search capabilities and with a pair of snap compares):
ES:0F8E (here you'll see a copy of the password that the program is asking for)
ES:0F5C (here you'll see a copy of the password that the user types in)
INT_3E hook_address + 7656 (here are all the possible passwords in extenso).
Here is how the protection scheme looks:

 MOV CX,FFFF       Charge MAX in CX
 REPNZ SCASB       Scan ES:DI (the user password) for the terminating zero
 NOT CX            Now CX holds the number of characters the user typed in (terminator included)
 MOV DI,SI         Real password offset to DI
 LDS SI,[BP+0A]    User password offset in SI
 REPZ CMPSB        Compares DS:SI with ES:DI (user password and real password), then snaps out at CX=0 or at the first different char, whichever comes first.

Nice, we found the compare schema... how do we crack it now? There are many elegant solutions, but let's remain on a basic level... you look at the code that follows the CMPSB searching for the "snapping schema"... here it is, immediately afterwards (that's the case in most of the primitives). Remember: we sprang out of the CMPSB check at the first different char, OR at the end of the count of the user chars. Here is what follows:

 MOV AL,[SI-01]       loads into AL the last char of the user password that CMPSB looked at (the terminating zero, if everything matched)
 SUB AL,ES:[DI-01]    subtracts the corresponding char of the real password: result zero, and zero flag set, if OK_match
 CBW                  sign-extends AL into AX; it does not touch the flags, so the zero flag still reflects the SUB

Well, let's now look for the next JZ short (it's a "74" opcode):
 CS:IP 740D JZ location no_good
Wait, let's continue a little... is there another check (often you have a double check on DI)... yes there is!
 CS:IP 7590 JNZ location no_good
Cracking such a schema is very easy: you just need to substitute 75 for 74 and 74 for 75: transform your JZ into a JNZ and the JNZ into a JZ... now you will always pass, no matter what you write, unless you exactly guess the password!
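To make the behaviour of that instruction sequence concrete before patching it, here is a small model of the UMS compare primitive. This is an added example, not code from the game or from +ORC: it re-implements the listed sequence (REPNZ SCASB / NOT CX / REPZ CMPSB, then the MOV AL,[SI-1] / SUB AL,ES:[DI-1] check) on constructed passwords, and shows what the 74<->75 swap does to it. The labelling of the two jumps follows the text; the passwords, buffer layout and function names are assumptions made for the demonstration.

```python
"""Model of the UMS compare primitive and of the JZ <-> JNZ swap.

Added example (not the game's code). Buffers are zero-terminated byte
strings as the real program keeps them; the passwords are constructed.
"""


def repnz_scasb_count(buf: bytes) -> int:
    """MOV CX,FFFF / REPNZ SCASB (AL=0) / NOT CX.
    CX ends up as the number of bytes scanned, terminator included,
    i.e. strlen + 1."""
    cx, di = 0xFFFF, 0
    while cx:
        cx -= 1
        ch = buf[di]
        di += 1
        if ch == 0:            # ZF set: REPNZ stops after this byte
            break
    return (~cx) & 0xFFFF


def repz_cmpsb(src: bytes, dst: bytes, cx: int):
    """REPZ CMPSB: compare one byte pair per step while CX > 0 and ZF == 1.
    Returns (bytes consumed, ZF of the last compare)."""
    i, zf = 0, 1
    while cx:
        cx -= 1
        zf = 1 if src[i] == dst[i] else 0
        i += 1
        if not zf:
            break
    return i, zf


def ums_check(user: str, real: str) -> bool:
    """True when SUB AL,ES:[DI-1] after the compare sets the zero flag,
    i.e. when the unpatched program would let you in."""
    u = user.encode("ascii") + b"\x00"
    r = real.encode("ascii") + b"\x00"
    n = max(len(u), len(r))                       # keep both reads in bounds
    u, r = u.ljust(n, b"\x00"), r.ljust(n, b"\x00")
    cx = repnz_scasb_count(u)                     # user chars + 1
    i, _ = repz_cmpsb(u, r, cx)                   # DS:SI = user, ES:DI = real
    # MOV AL,[SI-01] / SUB AL,ES:[DI-01]: re-examine the pair CMPSB stopped on.
    # If everything matched, both bytes are the terminating zero.
    return ((u[i - 1] - r[i - 1]) & 0xFF) == 0


def ums_accepts(user: str, real: str, swapped: bool = False) -> bool:
    """The two conditional jumps (740D / 7590) send a match and a mismatch
    to different exits. Writing 75 over 74 and 74 over 75 exchanges the
    exits: every wrong password passes, only the right one is refused."""
    return ums_check(user, real) != swapped


if __name__ == "__main__":
    for pw in ("AMATEUR", "AMAT", "AMATEURS", "zzz"):
        print(f"{pw!r:12} original: {ums_accepts(pw, 'AMATEUR')!s:5}"
              f"  swapped: {ums_accepts(pw, 'AMATEUR', swapped=True)}")
```

Two things the model makes visible that the listing does not: the count comes from the user's buffer, so a correct prefix still fails because its terminator is compared against the next real character; and the swap is a pure inversion, so after it the one string that no longer works is the real password, which is why +ORC prefers a different patch when the target is an access system rather than a game.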
Now let's quickly crack it:

------------------------------------------------
CRACKING UMS.EXE (by +ORC, January 1996)
ren ums.exe ums.ded
symdeb ums.ded
- s (cs+0000):0 Lffff 74 0D 1E B8 C2 3F
(nothing)
- s (cs+1000):0 Lffff 74 0D 1E B8 C2 3F
(nothing)
- s (cs+2000):0 Lffff 74 0D 1E B8 C2 3F
xxxx:yyyy (this is the answer of the debugger)
- e xxxx:yyyy 75
- e xxxx:yyyy+17 74
- w
- q
ren ums.ded ums.exe
-------------------------------------------------

In the debug/symdeb crack above we use as search string the bytes comprising and immediately following the first JZ. I know, I know... we saw them in [Soft-Ice] and we could have modified them there, but I'm also teaching pupils who may not have [Soft-Ice].

Note that the program is x431A0 bytes long, and therefore has BX=4 (four 64K blocks) in addition to CX=31A0 in the initial registers... that's the reason I wanted to examine all the blocks (even if I knew that the snap was in block (cs+2000)): that's good practice! If you do not find your string in the first block you must search for it in the next ones, till you find it, coz in many programs there may be MORE THAN ONE repetition of the same schema (more about this double check later). That's it, pupils, that's the way to crack old [UMS.EXE].

Let's go over, now, to more elaborate and more modern password protection schemes.

--------------------------------------------------------
LIGHTSPEED, from Microprose (we crack here version 461.01)
--------------------------------------------------------

This program, released in 1990, operates a more "modern" variation of the previous scheme. You'll find this variation in many access routines of remote servers (and this makes it very interesting indeed).

Let's begin as usual, with our hooked vectors examination and our snap compares.

Hooked vectors: 00, 08, 1B, 22, 23: nothing particular.
The snap comparisons of the main memory area -as you type the password in- give more than six pages of changing locations... that's clearly much too much to examine.

What now?

Sit down, have a Martini Wodka (I'm afraid that only Moskovskaja will do) and meditate. Get the memory map of the program's layout. Start anew: snap_save (before typing anything in). Type as password "ABCDE". Get the print of the snap compares. Sit down, sip Martini Wodka, relax. You know that the code for A is x41, for B x42, for C x43 and so on... and in the snap compares that you made between letters, you'll have only some locations with these values changing. Focus on these.

You'll soon enough find out that for LIGHTSPEED absolute location (in my computer) 40437, i.e. relative locations (in my computer) 30BE:F857 or 4043:0007, evokes the characters you type, i.e. something like
-----------------------------------------------------
F855 F856 F857               F858             F859...
41   3E   first_ready_letter  your_1st_letter  your_2nd_one...
-----------------------------------------------------
Inspecting the same prints, you'll find out that absolute location 30C64 (in my computer) or relative location 30BE:F83E evokes the LAST character you typed in. The relative code line is:
 CS:0097 MOV AX,[BP-08]        where SS:F83E = 00+letter_code
Now breakpoint at these locations and investigate what's going on (for instance, the instruction that follows is
 CS:009A MOV [BX],AX
and this means that the code of the letter you just typed in will now be copied to BX=F85A). What else can you do? Time to use a little intuition: look for an instruction "CMP AX,000D", which is the typical "IF the user hits ENTER then" instruction, coz x0D (carriage return) is the code the ENTER keystroke delivers. This must be somewhere around here. Ha! You'll soon enough find the line
 CS:0073 3D0D00 CMP AX,000D
And now the way is open to the crack. But YOU DO NOT NEED ALL THIS!
Since the password protection schemes are -as I told you- all more or less the same, I would suggest that you first of all use the following trick: in the largest part of the program (use the memory map to see where the program dwells) search for the "F3A6" sequence, that's the instruction REPZ CMPSB.

In the case of Lightspd you'll get as answer FOUR addresses with this instruction (pgsg=program main segment):
 pgsg:C6F9
 pgsg:E5CA
 pgsg:E63E
 pgsg:EAB0
There you are! Only four... have a short look at each of them: you'll see that the second one (pgsg:E5CA) is the "good" one. The compare mechanism in this program of 1990 is more or less the same as in 1987's UMS (and do believe me: the same mechanism is still in use today (1996)!):

 B9FFFF   MOV CX,FFFF     charge Max in CX
 F2AE     REPNZ SCASB     this scans ES:DI (the original password) for its terminator
 F7D1     NOT CX          so many chars in the original pw (terminator included)
 2BF9     SUB DI,CX       change DI for compare: back to the start of the original pw
 F3A6     REPZ CMPSB      compares DS:SI with ES:DI (user pw with real pw), then snaps out at CX=0 or at char_differs

See how easy? They all use the same old tricks, the lazy bastards! Here the section is preceded by a small routine to lowercase the user password, coz the original pattern (the "muster") is always lowercased.

Now you would like, maybe, to breakpoint at one of these locations, in order to stop the program "in the snap area" and inspect the snap mechanism... that WILL NOT DO with a "fixed" breakpoint, coz these locations are reached by the snap with a different segment:offset numeration from the one you found (that's old DOS magic: the same physical address can be written as many different segment:offset pairs). So you MUST first set a memory read/write breakpoint on these locations, and then get at them at the snap. Now you can find out the segment:offset used by the snap and only now you'll be able to set a fixed breakpoint (for instance on the NOT CX instruction).
Now run the program and break in: have a dump of ES:DI and see the original password. How nice! We have now the original password in extenso in our memory dump window. That's the "echo". By the way, there is a whole school of cracking devoted to finding and using these echoes... we work on different paths, nevertheless password fishing can be interesting: where are the passwords stored? From which locations do they come? A common practice of the protectionists is to hide them in different files, far away, or in hooked vectors, or in SMC parts. This program of 1990 differs in this respect from UMS: the passwords are not "hidden" inside a hooked vector, coz that's a pretty stupid protection: any hexdump utility would still let you see them. Here the passwords are encoded (albeit in a very primitive manner): looking for them (with memory range breakpoints) you'll quickly find a section of the program code that looks like this:

sg:0118 8C 91 9D 95 9B 8D 00 B8 EC 94 9B 8D 8F 8B 9B
sg:0128 94 9B 8D 00 AE EC 9C 9B 8A 9B 86 00 A9 EC 91

This is a typical encoded matrix, with clear 00 fences between the encoded passwords.

Ha! If all codes were so easy to crack! This is no better than children's crypt! It's a NEG matrix (each stored byte is the two's complement of the plain one)! And there is direct correspondence: 91=6F="o"; 92=6E="n"; 93=6D="m" and so on... Ha!

Let's now leave the "hidden" passwords and proceed with our cracking... let's follow the snap procedure after the REPZ CMPSB instruction looking for the "jump to OK" instruction...

 F3A6     REPZ CMPSB            ; compares DS:SI with ES:DI
 7405     JZ preserved_AX=0000  <--- Here the first JZ
 1BC0     SBB AX,AX
 1DFFFF   SBB AX,FFFF
:preserved_AX=0000
 8BF3     MOV SI,BX
 8BFA     MOV DI,DX
 5D       POP BP
 CB       RETF
 ....
 83C404   ADD SP,+04
 0BC0     OR AX,AX
 7509     JNZ 0276              <------ And here it is!
Now, remembering the UMS crack, you would probably want to change the JZ instruction into a JNZ instruction (you tried it on the fly INSIDE [Soft-Ice] and it did work!), the "74" with a "75" also. And then you would like to change the JNZ instruction into a JZ instruction... Please feel free to try it... it will NOT work! (You will not even find the second JNZ in the program code.) You should always be aware of the SMC (self modifying code) protections: parts of the code may be decrypted "on the fly", as needs arise, by the program. The code you modify while the program is running may be different from the code of the "dead" program on disk.

Here we have a small "improvement" of the primitive: the same instruction is used as "muster" (template) for the manipulation of other parts of the program... if you do change it into a JNZ you get an overlay message and the program pops out with instability! You cannot easily modify the JNZ instruction either, coz the part after the RETF will be decrypted "on the fly" by Lightspeed, and you would therefore have to search for the decryption mechanism and modify the original encrypted byte somewhere... and maybe they do encrypt it twice... and then you must hack all night long... very annoying.

So do the following: back to the snap, a sip of Martini Wodka and meditate: lo! The only thing that happens after the JZ is the setting of the AX register to flag *FALSE* if the snap went out with the zero flag clear, i.e. if you did not know the password: AX becomes non-zero (0001 if the compare left the carry clear, FFFF if it left it set... that's what the two SBB instructions do). So let's NOP the 5 bytes of the two SBB instructions, or, more elegantly, let's have an INC AX, DEC AX, NOP, INC AX, DEC AX sequence instead of the two SBBs!
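Two points in this section are worth checking by hand rather than taking on trust: that the dump really is a NEG table, and what the SBB pair does to AX for each possible flag state. The following is an added example, not Microprose's code or +ORC's. The only data taken from the page are the two dump lines and the opcodes of the epilogue; the flag values fed to the epilogue are constructed, the "preserved AX = 0000" starting value follows the label in the listing, and the function names are assumptions.

```python
"""The LIGHTSPD password table and the SBB epilogue after REPZ CMPSB.

Added example (not the program's code). DUMP is the sg:0118/sg:0128 dump
quoted in the text; everything else is constructed for the demonstration.
"""

DUMP = bytes.fromhex(
    "8C919D959B8D00B8EC949B8D8F8B9B"   # sg:0118
    "949B8D00AEEC9C9B8A9B8600A9EC91"   # sg:0128
)


def neg_byte(b: int) -> int:
    """x86 NEG on a byte: two's complement, so 0x91 -> 0x6F ('o')."""
    return (-b) & 0xFF


def decode_neg_matrix(table: bytes) -> list:
    """Undo the NEG and split on the 00 fences. Bytes that do not come back
    as printable ASCII are kept as \\xNN escapes instead of being dropped:
    a dump that starts and ends mid-entry shows fragments and separators,
    not only whole words, and hiding that would be misleading."""
    words = []
    for chunk in table.split(b"\x00"):
        if chunk:
            plain = [neg_byte(c) for c in chunk]
            words.append("".join(chr(c) if 0x20 <= c < 0x7F else f"\\x{c:02x}"
                                 for c in plain))
    return words


def sbb16(dst: int, src: int, cf: int):
    """SBB r16: dst - src - CF, returned with the new carry (borrow) flag."""
    r = dst - src - cf
    return r & 0xFFFF, (1 if r < 0 else 0)


def epilogue_original(zf: int, cf: int, ax: int = 0) -> int:
    """7405 JZ / 1BC0 SBB AX,AX / 1DFFFF SBB AX,FFFF: AX at the RETF, given
    the flags REPZ CMPSB left behind."""
    if zf:
        return ax                        # JZ taken: AX preserved (0000 = good)
    ax, cf = sbb16(ax, ax, cf)           # 0000 if CF clear, FFFF if CF set
    ax, cf = sbb16(ax, 0xFFFF, cf)       # -> 0001 or FFFF: never zero
    return ax


def epilogue_patched(zf: int, cf: int, ax: int = 0) -> int:
    """Same with 40 48 90 40 48 (INC AX, DEC AX, NOP, INC AX, DEC AX) written
    over the two SBBs: AX is left alone whatever the flags."""
    if zf:
        return ax
    for _ in range(2):
        ax = (ax + 1) & 0xFFFF           # INC AX
        ax = (ax - 1) & 0xFFFF           # DEC AX
    return ax


def accepted(ax: int) -> bool:
    """The caller's 0BC0 OR AX,AX / 7509 JNZ no_good: zero means "let him in"."""
    return ax == 0


if __name__ == "__main__":
    print("decoded table:", decode_neg_matrix(DUMP))
    for zf, cf in ((1, 0), (0, 0), (0, 1)):
        print(f"ZF={zf} CF={cf}: original AX={epilogue_original(zf, cf):04X}"
              f"  patched AX={epilogue_patched(zf, cf):04X}")
```

Running it shows that the letter bytes decode exactly as the text says (91 -> "o" and so on), while a few bytes in the quoted dump (EC, and the B8/AE/A9 that open the second, third and fourth entries) do not come back as letters; the escape output makes that visible instead of hiding it. The epilogue model confirms the reasoning for the patch: with the SBBs in place a mismatch yields 0001 or FFFF depending on the borrow, never 0000, and with the INC/DEC/NOP/INC/DEC sequence AX stays at its preserved value on both paths.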
There is a good reason to use a sequence of working instructions instead of a series of NOPs: recent protection schemes "smell" patched NOPs inside the program and trash everything if they find more than -say- three consecutive NOPs! You should always try to choose THE LESS INTRUSIVE and MORE "CAMOUFLAGED" solution when you crack!

Eliminating the two SBBs we get our crack! No need to bother with the second JNZ either... the program will work as if you got the password whether you have it AND whether you do not (that's better than the previous type of crack -seen for UMS- when you crack computer accesses: this way the legitimate user will not get suspicious, coz the system will not shut him out... everybody will get access: the good guys and the bad ones... that's nice, isn't it?).

Now let's quickly crack LIGHTSPD:

------------------------------------------------
CRACKING LIGHTSPEED.EXE (by +ORC, January 1996)
ren lightspd.exe lightspd.ded
symdeb lightspd.ded
- s (cs+0000):0 Lffff 2B F9 F3 A6 74
xxxx:yyyy (this is the answer of the debugger)
- s (cs+1000):0 Lffff 2B F9 F3 A6 74
(nothing, but do it nonetheless, just to be sure)
- s (cs+2000):0 Lffff 2B F9 F3 A6 74
(nothing, just to be sure, now it's enough)
- e xxxx:yyyy+6 40 48 90 40 48
- w
- q
ren lightspd.ded lightspd.exe
-------------------------------------------------

(The five bytes are given one after the other, separated by spaces, and overwrite 1B C0 1D FF FF with INC AX, DEC AX, NOP, INC AX, DEC AX.)

All this CMPSB is very common. Some programs, nevertheless, utilize a password protection scheme that is slightly different, and does not rely on an F3A6 REPZ CMPSB instruction. Let's analyze, for instance, the protection scheme used in the first version of Perfect General I from QQP-White Wolf, July 1992. When you break in, at the nag screen, you are in the middle of the BIOS procedures, coz the program expects your input (your password, that is). You'll quickly find out (MAP MEMORY USAGE!)
that [General.exe] dwells in two main areas; setting breakpoints on memory write you'll find out that the memory area "queried" by the protection mechanism is
 xxxx:1180 to xxxx:11C0
where xxxx represents the second of the memory segments where the program dwells. Now do the following (a very common cracking procedure):
* Breakpoint on memory range WRITE for the small memory area touched by the program in querying you for the password.
* Breakpoint TRACE on the whole memory range of the MAIN CODE.
* Run anew everything.
It's already done! Now it's your intuition that should work a little. Here are the last 9 traces (traces [!], not instructions following on a line) before the call of the procedure sniffing your memory area:

-9 xxxx:0185 7425        JZ somewhere, not taken
-8 xxxx:0187 2D1103      SUB AX,0311
-7 xxxx:018A 7430        JZ somewhere, not taken
-6 xxxx:018C 2DFD04      SUB AX,04FD
-5 xxxx:018F 7443        JZ next_trace, taken
-4 xxxx:01D4 E85500      CALL funny_procedure
-3 xxxx:022C 803E8F8C11  CMP BYTE PTR [8C8F],11
-2 xxxx:0231 750E        JNZ somewhere, not taken
-1 xxxx:0233 9A0A0AC33E  CALL procedure_that_sniffs_our_memory_area

Well, the call to funny_procedure followed by a byte compare "feels" fishy from very far away, so let's immediately look at this part of the code of [General.exe]:

:funny_procedure
 803E8F8C11   CMP BYTE PTR [8C8F],11
 750E         JNZ compare_byte
 9A0A0AC333   CALL procedure_that_sniffs
 0AC0         OR AL,AL
 7405         JZ compare_byte
 C6068F8C2A   MOV BYTE PTR [8C8F],2A
:compare_byte
 803E8F8C2A   CMP BYTE PTR [8C8F],2A
 7504         JNZ after_ret
 B001         MOV AL,01
 C3           RET

You should be enough crack-able ;=), by this lesson, to notice immediately the inconsistency of the two successive instructions MOV 2A and CMP 2A, coz there would be no sense in comparing with "2A" in order to JNZ to after_ret if you had just set the 2A with the preceding MOV instruction...
but the first JNZ jumps to the compare WITHOUT putting the "2A" inside. And "2A" is nothing else than the "*" symbol, commonly used by programmers as "OK"! This protection works in the following way (this is the above code explained):
- compare holy_location with 11
- jump non zero to compare holy_loc with "*"
- else call the sniffing protection part, which returns its verdict in AL
- or al,al (test that verdict)
- jump zero to compare holy_loc with "*" (a zero verdict skips the MOV)
- else, if al was non-zero, mov "*" inside holy_loc
- compare holy_loc with "*"
- if there is a difference then JNZ beggar_off_ugly_copier
- else ret_ahead_nice_buyer

Now let's quickly crack it:

------------------------------------------------
CRACKING GENERAL.EXE (by +ORC, January 1996)
ren general.exe general.ded
symdeb general.ded
- s (cs+0000):0 Lffff 8C 11 75 0E
xxxx:yyyy (this is the answer of the debugger)
- e xxxx:yyyy+2 EB 09
- w
- q
ren general.ded general.exe
-------------------------------------------------

And in this way you changed the JNZ to the CMP "*" instruction into a JMP to the MOV "*" instruction (the new displacement, 09, is exactly the length of what gets skipped: the 5-byte CALL, the 2-byte OR and the 2-byte JZ). So no more nag screens, no more protections... serene, placid, untroubled [general.exe].
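The three symdeb sessions in this lesson, and the INDY one at the top of this file, are all the same procedure: search for a byte signature, make sure it occurs once, overwrite a byte or two at a fixed offset from the hit. Here it is as a script, generalised to any signature and patch, with the displacement arithmetic behind "e xxxx:yyyy+2 EB 09" made explicit. This is an added example, not +ORC's code or anything shipped with the games; the images it works on are constructed (the funny_procedure bytes and the INDY compare loop, padded with NOPs), and the function names and the far address in the CALL are assumptions made for the demonstration.

```python
"""Signature search and byte patch, the way the symdeb sessions do it.

Added example (not +ORC's code). GENERAL_IMAGE and INDY_IMAGE are
constructed: the listed routines padded with NOPs so the logic runs
offline. Real executables were edited in place with symdeb's s / e / w.
"""

FUNNY_PROCEDURE = bytes.fromhex(
    "803E8F8C11"   # CMP BYTE PTR [8C8F],11
    "750E"         # JNZ compare_byte
    "9A0A0AC333"   # CALL procedure_that_sniffs (far address as in the listing)
    "0AC0"         # OR AL,AL
    "7405"         # JZ compare_byte
    "C6068F8C2A"   # MOV BYTE PTR [8C8F],2A
    "803E8F8C2A"   # CMP BYTE PTR [8C8F],2A
    "7504"         # JNZ after_ret
    "B001"         # MOV AL,01
    "C3"           # RET
)
GENERAL_SIG = bytes.fromhex("8C11750E")      # what the symdeb session searches

INDY_LOOP = bytes.fromhex("8BBF28A5" "AC" "B4FF2A25473AC4751A" "0AC075F259")
INDY_SIG = bytes.fromhex("B4FF2A25473AC4751A")


def find_all(image: bytes, sig: bytes) -> list:
    """Every offset of sig in image. symdeb searches 64K at a time
    ((cs+0000), (cs+1000), ...); this walks the whole image at once."""
    hits, start = [], 0
    while (i := image.find(sig, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def patch_at_signature(image: bytes, sig: bytes, offset: int, new: bytes) -> bytes:
    """Overwrite len(new) bytes at hit+offset. Refuses to act unless the
    signature occurs exactly once: a second copy (the "mirror" the text tells
    you to search the next segment for) may be a decoy or a second check."""
    hits = find_all(image, sig)
    if len(hits) != 1:
        raise ValueError(f"expected one hit for {sig.hex()}, got {hits}")
    out = bytearray(image)
    at = hits[0] + offset
    out[at:at + len(new)] = new
    return bytes(out)


def rel8_to_skip(lengths) -> int:
    """Displacement of a short jump that lands just past the given
    instructions. rel8 is counted from the end of the two-byte jump itself,
    so it equals the total length of what is skipped."""
    total = sum(lengths)
    if not 0 <= total <= 0x7F:
        raise ValueError("not reachable with a short forward jump")
    return total


def crack_general(image: bytes) -> bytes:
    """75 0E (JNZ compare_byte) -> EB 09 (JMP to MOV BYTE PTR [8C8F],2A):
    the jump now skips CALL (5 bytes), OR AL,AL (2) and JZ (2)."""
    disp = rel8_to_skip([5, 2, 2])
    return patch_at_signature(image, GENERAL_SIG, 2, bytes([0xEB, disp]))


def crack_indy(image: bytes) -> bytes:
    """75 1A (JNZ beggar_off) -> 75 00: a zero displacement falls through
    to the next instruction whether the flag is set or not."""
    return patch_at_signature(image, INDY_SIG, 8, b"\x00")


# Constructed images: filler, the routine, filler.
GENERAL_IMAGE = b"\x90" * 0x20 + FUNNY_PROCEDURE + b"\x90" * 0x20
INDY_IMAGE = b"\x90" * 0x20 + INDY_LOOP + b"\x90" * 0x20

if __name__ == "__main__":
    g = crack_general(GENERAL_IMAGE)
    i = find_all(g, FUNNY_PROCEDURE[:5])[0]
    print("general.exe jump now:", g[i + 5:i + 7].hex())
    d = crack_indy(INDY_IMAGE)
    j = find_all(d, INDY_SIG[:-1])[0]
    print("indy.exe JNZ displacement now:", d[j + 8])
```

The uniqueness check is the part the symdeb sessions do by hand when they repeat the search in (cs+1000) and (cs+2000) after a hit: a signature that appears twice means either that the same primitive is used for a second check, as +ORC notes for UMS, or that one copy is a decoy, and patching the first one you see is how a crack "works" in the debugger and fails on the next run.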
E-mail +ORC
+ORC an526164@anon.penet.fi

HOW TO CRACK, by +ORC, A TUTORIAL
---------------------------------------------------------------------------
Lesson 3.2: hands on, paper protections (2)
---------------------------------------------------------------------------
[TOP.EXE] [F19.EXE] [POPULOUS.EXE] [MAP.EXE]
--------------------------------------

You have seen in the previous lesson that the use of a password protection, independently of the coding and hiding methods used to store the passwords in memory, implies the use of a comparing procedure with the password that the user types in. You therefore have many options to begin your cracking work:
- find the location of the user password
- find the "echo" in memory of the real password
- find the routine that compares both
- find the passwords' hideout and encryption type
- find the go_ahead_nice_buyer exit or jump
- find the beggar_off_ugly_copier exit or jump
just to name the more obvious ones. In order to make things more difficult for us crackers, the protectionists have devised many counter-strategies, the more obvious ones being:
- keeping the various parts of the store/compare/hide routines well apart in the code (no match for zen-cracking);
- filling these routines with "bogus" compares, bogus jumps and bogus variables, in order to make things more difficult for the crack (no match for decent crackers);
- disseminating the code with anti-debugger tricks, like INT_3 instructions or jumps in and out of protected mode (no match for our beloved [Soft-Ice]);
- trying to eliminate the need for passwords altogether, letting the user input "one letter" or "one number" or "one image" as answer to some variable question. In this lesson I'll teach you how to crack these "passletters" protection techniques.
Let's first resume the "uses" of a password protection:

PASSWORDS AS PERMISSION TO ACCESS

These passwords serve to acknowledge that a legitimate user is using the program. This is the type of password that you'll find, for example, protecting your user account on Compuserve, on networks or even in the ATM machines used by banks or corporations. These require a little hardwiring to crack: ATM passnumber protection schemes rely on an answer from the central computer (they do NOT verify only the three magnetic areas in the magnetic strip on the card). The lines between ATMs & their hosts are usually 'weak' in the sense that the information transmitted on them is generally not encrypted in any way. (Some banks use encrypted information, but this is fairly easy to crack too.) So for ATMs you should do the following: 1) cross over the dedicated line between the ATM and the host; 2) insert your computer between the ATM and the host; 3) listen to the "normal" messages and DO NOT INTERFERE YET; 4) try out some operations with a legal card, make some mistakes, take note of the various codes; 5) when you are ready, insert a fraudulent card into the ATM. Now the following happens:
- the ATM sends a signal to the host, saying "Hey! Can I give this guy money, or is he broke, or is this funny card invalid?";
- the microcomputer intercepts this signal from the ATM, discards it, and sends on the "there's no one using the ATM" signal;
- the host gets the "no one using" signal and sends back its "good, keep watching out if somebody comes by, and for God's sake don't spit out any money on the street!" signal to the ATM;
- the microcomputer intercepts this signal (again), throws it away (again), and sends the "Wow! That guy is like TOO rich! Give him as much money as he wants. In fact, he's so loaded, give him ALL the cash we have! He is a really valued customer." signal;
- the ATM obediently dispenses cash till the cows come home.

All this should be possible, but as a matter of fact it has not much to do with cracking, unless there is a special software protection on the line... so if you want to work on ATMs contact our fellow phreakers/hackers and learn their trade... and please remember to hack only cash dispensers that DO NOT HAVE a control camera :=)

PASSWORDS AS REGISTRATION

This type of password is often used in shareware programs. When you register the shareware program, you are sent a password that you use to upgrade your shareware program to a complete and more powerful version. This method, used frequently for commercial applications, has recently been used quite a lot by many Windows applications that come "crippled" on the magazines' cover CD-ROMs, requiring you to telephone a hot line (and pay) in order to get the "unique key" to unlock the "special protection". It's all bullshit: we'll learn in the "how to crack windows" lessons how easy it is to disable the various routines that verify your entry.

PASSWORDS AS COPY PROTECTIONS

This type of password is often used for games and entertainment software. The password query does not usually appear any more at the start of the program, or as the program is loading. Instead, the password query appears after one or more levels are completed (this innovation was pioneered by "EOB I" and the "Ultima" series) or when the user reloads a saved game or session.

DONGLE PASSWORDS

A few extremely expensive programs use a dongle (also called a hardware key). A dongle is a small hardware device containing a password or checksum which plugs into either a parallel or a serial port. Some specially designed dongles even include complete program routines.
Dongles can be cracked, but the amount of work involved is considerable and the trial and error procedure currently used to crack them via software is extremely tedious. It took me more than a week to crack MULTITERM, a Luxembourger dongle protected program. The quickest method to crack dongle protected programs involves the use of pretty complicated hardware devices that cannot be dealt with here. I myself have only seldom seen them, and do not like at all to crack dongles via software, coz it requires a huge amount of zen thinking and of luck and of time. If you want more information on the hardware way to crack dongles, try to contact the older ones on the appropriate web sites; they may even answer you if you are nice, humble and really technically interested.

The obvious principle that applies to the software password types mentioned above is the following: the better the password is hidden, and the better it is encrypted, the more secure the program will be. The password may be
- encrypted and/or
- in a hooked vector and/or
- in an external file and/or
- in a SMC (Self modifying code) part

Let's finally inspect the common "ready_made" protection schemes (used by many programmers that do not program themselves):
* password read in
* letters added to a key to be entered
* complement of the letters formed by xoring with 255
* saved key (1 char)
* saved password (256 chars)
* saved checksum (1 char), as protection against simple manipulations
* generating file PASSWORD.DAT with password, to be inserted inside a different file than the one containing the calling routine
Now the lazy programmer that wants to "protect" his program first searches for the file where the password is stored, then loads the key, the password and the checksum.
He uses a decrypt + +procedure to decrypt the password and a check_checksum procedure + +to check whether the password was modified. All this is obviously + +crackabe in few seconds. + +[PASSWORD ACCESS INSIDE THE SETUP] + + Some computers have a password protected access INSIDE the + +Setup (at the beginning), the protection scheme does not allow + +a boot with a floppy and does not allow a setup modify. In these + +cases the only possible crack is an old hack method: + +* open the PC + +* find on the motherboard a small jumper (bridge) with the + + words "Pw" + +* take it away + +* PC on + +* run the setup with F1 or Del (depending from the BIOS) (the + + protection will not work any more) + +* deactivate inside the setup the option password + +* PC off + +* put the small jumper (bridge) back again + +* close the PC + +* PC on, cracked (if you want to be nasty you could now use + + the setup to set YOUR password) + + If you want to know more about access refuse and access + +denying, encryption and locking of the FAT tables, get from the + +web, and study, the (very well written) code of a virus called + +"Monkey", that does exactly this kind of devastation. Virus + +studying is, in general, very useful for cracking purposes, coz + +the virus'code is at times + +- very well written (pure, tight assembly) + +- using concealing techniques not much different from the + + protection schemes (often far superior) + +- using the most recent and best SMC (self modifying code) + + tricks + + But, and this is very important, do not believe that the + +protection schemes are very complicated! Most of the time the + +protection used are incredibly ordinary: as a final example of + +our paper protection schemes, let's take a program released not + +long ago (1994), but with a ridiculous protection scheme: TOP + +(Tiger on the prowl) a simulation from HPS. 
Here the cracking is straightforward:

- MAP(memory_usage) and find main_sector
- type "AAAA" as password
- (s)earch main_sector:0 lffff "AAAA"
- dump L80 "AAAA" location -40 (gives you a "wide" dump); this
  already gives you the "echo" of the correct password
- breakpoint on memory read & write to the "AAAA" location and
  backtrace the complete main_sector

It's done! Here are the code lines that protect TOP:

   8A841C12   MOV AL,[SI+121C]           move the first user letter into AL
   3A840812   CMP AL,[SI+1208]           compare it with the echo
   7402       JZ  go_ahead_nice_buyer
   EB13       JMP beggar_off_ugly_cracker

Now let's quickly crack it:

------------------------------------------------
CRACKING TOP.EXE (by +ORC, January 1996)

ren top.exe top.ded
symdeb top.ded
- s (cs+0000):0 Lffff 8A 84 1C 12 3A 84
xxxx:yyyy                     (this is the debugger's answer)
- e xxxx:yyyy+2 08            (08 instead of 1C)
- w
- q
ren top.ded top.exe
-------------------------------------------------

You changed the MOV AL,[SI+121C] instruction into MOV AL,[SI+1208]
(the 16-bit displacement is stored low byte first, so 1C is the
third byte of the instruction, two past the 8A opcode). The routine
now reads the ECHO instead of the characters you typed in, and no
wonder: the ECHO compares exactly with itself... and you pass! If
the search reports more than one match, patch only the one that is
followed by the 74 02 / EB 13 pair; patching a stray match breaks
the program.

"SOMETHING FISHY UNDER COVERS"

Back to the "passletter" type of password protected programs. Let's
take as an example the protection used in a game of 1990: "F19",
where the protection scheme asks you to identify a particular
plane's silhouette. This kind of protection is used in order to
avoid memory locations where the passwords are stored: we saw in
the first part of our "passwords hands on" how easy it is to crack
those schemes. To crack this kind of protection, you could try a
technique known as "memory snuffing."
The protected program, START.EXE, install + +itself first at location xxxx:0000 with a length of 6C62 bytes, + +but proceeds to a relocation of its modules (with some SMC, self + +modifying code parts) in different locations. What does all this + +mean? Well, this could mean quite many things... the most + +important one for crackers is that the protection code will + +probably snap way ahead of the actual user input phase. + +Now you 'll quickly find out that the routine determining + +(randomly) which plane is being chosen, leaves the progressive + +number of this plane in one memory location: (imc) 43CD:DADA. + +This brings us to the random triggering mechanism: + +E87FAF CALL random_seed + +83C402 ADD SP,02 + +8946E8 MOV [BP-18],AX and ds:(BP-18) is the location + + you are looking for + +Now, every time this random triggers, you get a different number + +(00-x14) in this location, corresponding to the different plane + +the user should choose. + +The random seed routine, evidently, comes back with the random + +seed in AX... what we now need is to zero it: the user will + +always have to choose the same plane: "plane 0", and he will have + +given the correct answer. Note how elegant all this is: we do not + +need to interfere with the whole mouse pointing routines, nor + +with the actual choosing of the planes... the random seed may + +choose whatever plane it wishes... the memory location for this + +choice will always report the (legitimate) choice of zero. 
So, let's quickly crack this program:

---------------------------------------------------
CRACKING "F19" [START.EXE] (by +ORC, January 1996)

ren start.exe start.ded                 <- let's have a dead file
symdeb start.ded                        <- let's debug it
- s cs:0 lffff 83 C4 02 89 46 E8        <- search ADD SP,02 / MOV [BP-18],AX
xxxx:yyyy                               <- debugger's answer
- e xxxx:yyyy 58 [SPACE] 31 [SPACE] C0 [SPACE]
- w                                     <- write the crack
- q                                     <- back to the OS
ren start.ded start.exe                 <- re-write the exe
----------------------------------------------------

You just transformed the instruction you searched for

   83C402   ADD SP,+02

into the following sequence:

   58       POP AX         <- respecting ADD SP,+02
   31C0     XOR AX,AX      <- xoring to zero

(POP AX increments the stack pointer by 2, exactly like the ADD
SP,+02 it replaces, so the stack stays balanced; the three new bytes
are as long as the old instruction, so the MOV [BP-18],AX that
follows is untouched and now always stores zero.)

Well, nice. It's getting easier, isn't it? Now let's take as an
example a protection that has no "echo" in memory. (At the
beginning this was a smart idea: "the cracker won't find the correct
password, 'coz it's not there, ah!") We'll now therefore crack one
of the first programs that used this scheme: [Populous.exe], from
Bullfrog.

[POPULOUS.EXE]

   An old example of the protection scheme "password that is not a
password" can be found in [Populous.exe], from Bullfrog. It's a very
widespread program, and you'll surely be able to find a copy of it
in order to follow this lesson. The program asks for the
identification of a particular "shield", a combination of letters
of various length: the memory location where the user password is
stored is easily found, but there is (apparently) no "echo" of the
correct password. You should be able, by now, to find by yourself
the memory location where the user password is stored.
Set a breakpoint memory read & write on this area, and you'll soon
come to the following section of code:

   F7AE4EFF     IMUL WORD PTR [BP+FF4E]      <- IMUL with magic_N
   40           INC AX
   3B460C       CMP AX,[BP+0C]
   7509         JNZ beggar_off_ugly_copier
   8B460C       MOV AX,[BP+0C]
   A3822A       MOV [2A82],AX
   E930FE       JMP nice_buyer
   817E0C7017   CMP WORD PTR [BP+0C],1770    <- beggar_off

I don't think that you need much more now... how do you prefer to
crack this protection scheme? Would you choose to insert a MOV
[BP+0C],AX and three NOPs (=6 bytes) after the IMUL instruction?
Wouldn't you rather prefer the more elegant JMP to nice_buyer in
place of the JNZ beggar_off? This solution needs fewer NOPs:
remember that newer protection schemes smell NOP patches! Yeah,
let's do it this way:

---------------------------------------------------
CRACKING [Populous.exe] (by +ORC, January 1996)

ren populous.exe populous.ded        <- let's have a dead file
symdeb populous.ded                  <- let's debug it
- s cs:0 lffff F7 AE 4E FF           <- the imul magic_N
xxxx:yyyy                            <- debugger's answer
- e xxxx:yyyy+8 EB [SPACE] 03        <- JMP anyway, in place of the 75 09
- w                                  <- modify ded
- q                                  <- back to the OS
ren populous.ded populous.exe        <- let's re-have the exe
----------------------------------------------------

Count the bytes in the listing: the IMUL takes four (F7 AE 4E FF),
INC AX one and CMP AX,[BP+0C] three, so the JNZ sits eight bytes
after the F7 you searched for. EB 03 in its place jumps over MOV
AX,[BP+0C] straight to MOV [2A82],AX and on to nice_buyer, whatever
the user typed; [2A82] now receives the value the program computed
itself, which is exactly what it holds for a legitimate buyer.

This time was easy, wasn't it?

   Now you are almost ready with this course... let's crack a last
application, a memory utility that is very widespread, very good
(the programmers at Clockwork software are Codemasters), very
useful for our purposes (you'll use it later to crack a lot of
TSRs) and, unfortunately for Clockworkers, very easy to crack at
the level you are now.

But, Hey!
Do not forget that you would have never done it without + +this tutorial, so do the following: look toward east from your + +window, sip a Martini-Wodka (Two blocks of ice first, 1/3 dry + +Martini from Martini & Rossi, 1/3 Moskovskaia Wodka, 1/3 + +Schweppes indian tonic) and say three times: Thank-you +ORC!. + +[MAP.EXE] + + Let's now go over to one of the best TOOLS for mapping your + +memory usage that exist: MAP.EXE (version 2) from the masters at + +Clockwork software. The usage of this tool has been recommended + +in Lesson 2, and you should learn how to crack it, coz it comes + +with an annoying nag-screen ("Nigel" screen). In [Map.exe] this + +ubiquitous "Nigel" screen appears at random waiting for a random + +amount of time before asking the user to press a key which varies + +every time and is also selected at random. + + The use of a single letter -mostly encrypted with some XOR + +or SHR- as "password" makes the individuation of the relevant + +locations using "snap compares" of memory much more difficult. + +But the crack technique is here pretty straightforward: just + +break in and have a good look around you. + + The INT_16 routine for keyboard reading is called just after + +the loading of the nag screen. You 'll quickly find the relative + +LODSB routine inside a routine that paints on screen the word + +"Press" and a box-edge after a given time delay: + + B95000 MOV CX,0050 + + 2EFF366601 PUSH CS:[0166] + + 07 POP ES + + AC LODSB + + ... + +You could already eliminate the delay and you could already force + +always the same passletter, in order to temperate the effects of + +the protection... but we crack deep!: let's do the job and track + +back the caller! The previous routine is called from the + +following section of the code: + + 91 XCHG AX,CX + + 6792 XCHG AX,DX + + 28939193 SUB [BP+DI+9391],DL + + 2394AA94 AND DX,[SI+94AA] + + 2EC7064B880100 MOV WORD PTR CS:[884B],0001 + + 2E803E5C0106 CMP BYTE PTR CS:[015C],06 + + 7416 JZ ret <- Ha! 
jumping PUSHa & POPa! + + 505351525756 PUSH the lot + + E882F3 CALL 8870 + + 2E3B064B88 CMP AX,CS:[884B] + + 7307 JAE after RET <- Ha! Not taking the RET! + + 5E5F5A595B58 POP the lot + + C3 RET + + ... <- some more instructions + + E86700 CALL delay_user + + BE9195 MOV SI,9591 + + 2E8B3E255C MOV DI,CS:[5C25] + + 83EF16 SUB DI,+16 + + 2E8A263D01 MOV AH,CS:[013D] + + 50 PUSH AH + + E892C7 CALL routine_LODSB <-- HERE! + + B42C MOV AH,2C + + CD21 INT 21 <- get seconds in DH + + 80E60F AND DH,0F + + 80C641 ADD DH,41 + + 58 POP AX + + 8AC6 MOV AL,DH + + 83EF04 SUB DI,+4 + + AB STOSW + + E85A00 CALL INT_16_AH=01 + + B400 MOV AH,00 + + CD16 INT 16 + + 24DF AND AL,DF <- code user's letter_answer + + 3AC6 CMP AL,DH <- pass_compare + + 75F3 JNZ CALL INT_16_AH=01 + + E807F3 go_ahead + + You just need to look at these instructions to feel it: I + +think that unnecessary code segments (in this case protections) + +are somehow like little snakes moving under a cover: you cannot + +easily say what's exactly going on yet, but you could bet that + +there is something fishy going on. Look at the code preceding + +your LODSB routine call: you find two JUMPS there: a JZ ret, that + +leaves a lot of pusha and popa aside, and a JAE after RET, that + +does not take the previous ret. If you did smell something here + +you are thoroughly right: The first JZ triggers the NIGEL screen + +protection, and the second JAE does THE SAME THING (as usual, + +there are always redundances, exactly as there are a lot of + +possibilities to disable a single protection). Now you know... + +you can disable this protection at different points: the two + +easiest blueprints being + +1) to change 7416 (JZ ret) in a EB16 (JMP ret anyway) + +2) to change 7307 (JAE after ret) in a 7306 (JAE ret). 
   We have not finished yet: if you try locating this part of the
code in the file in order to change it, you won't have any luck at
the address the debugger showed you: it's an SMC (self modifying
code) part, loaded -partly- from other sections of the code (here
without any encryption). You must therefore first of all set a
breakpoint on the memory range; find the LODSB routine; find the
real area; dump that memory region; find a search sequence for the
"dead" code... and finally modify the "dead" program.

Now let's quickly crack it:

------------------------------------------------
CRACKING MAP.EXE (version 2) (by +ORC, January 1996)

ren map.exe map.ded
symdeb map.ded
- s (cs+0000):0 Lffff 74 16 50 53 51 52 57
xxxx:yyyy                     <- this is the debugger's answer
- e xxxx:yyyy EB              <- 74 16 (JZ ret) becomes EB 16 (JMP ret)
- w
- q
ren map.ded map.exe
-------------------------------------------------

Now you have done it, NIGEL has been cracked!

Well, that's it for this lesson, reader. Not all lessons of my
tutorial are on the Web.

   You'll obtain the missing lessons IF AND ONLY IF you mail me
back (via anon.penet.fi) with some tricks of the trade I may not
know that YOU discovered. Mostly I'll actually know them already,
but if they are really new you'll be given full credit, and even if
they are not, should I judge that you "rediscovered" them with your
work, or that you actually did good work on them, I'll send you the
remaining lessons nevertheless. Your suggestions and criticism of
the whole crap I wrote are also welcome.
+ + E-mail +ORC + + +ORC an526164@anon.penet.fi + HOW TO CRACK, by +ORC, A TUTORIAL + +--------------------------------------------------------------------------- + + Lesson 5.1: Disk & CD-Rom access (basics) + +--------------------------------------------------------------------------- + + [MARIO ANDRETTI] [REACH FOR THE SKY] [FS v.2.12] + + -------------------------------------- + +LESSON 5 (1) - HOW TO CRACK, HANDS ON - Disk/CDROM access (plus + +bypasses "on the fly") + +Somewhere I have to put the bypasses (loader programs) in this + +tutorial, allow me to put them here: + +Preparing a loader to bypass a protection [MARIO ANDRETTI] + + At time the protectionists hook vectors in order to impose + +a particular protection. In this (and similar) cases a good + +crack-way is to prepare a "loader" program, that "de-hooks" the + +vector used for the protection. This kind of crack can be used + +also for internet cracking (on some firewall configurations, see + +lesson A.2). + + As example let's take "Mario andretti racing challenge", a + +stupid game that uses the SAME (!) protection scheme you'll still + +find to day on some access routines of military servers around + +the witlessly called "free" world. + +In order to crack this cram you would prepare a loader on the + +following lines: + +loc code instruction what's going on + +------------------------------------------------------- + +:0100 EB44 JMP 0146 + +... 
:0142 0000                            <- storage for the offset of INT_21
:0144 5887                            <- storage for the segment of INT_21
:0146 FA          CLI
:0147 0E          PUSH CS
:0148 1F          POP DS
:0149 BCB403      MOV SP,03B4
:014C FB          STI
:014D 8C1EA901    MOV [01A9],DS       <- save DS
:0151 8C1EAD01    MOV [01AD],DS          three
:0155 8C1EB101    MOV [01B1],DS          times
:0159 B82135      MOV AX,3521         <- get INT_21
:015C CD21        INT 21                 in ES:BX
:015E 891E4201    MOV [0142],BX       <- store offset
:0162 8C064401    MOV [0144],ES       <- store segment
:0166 BA0201      MOV DX,0102
:0169 B82125      MOV AX,2521         <- set INT_21 to
:016C CD21        INT 21                 DS:0102 (our hook, see below)
:016E 0E          PUSH CS
:016F 07          POP ES              <- ES = current CS
:0170 BBB403      MOV BX,03B4
:0173 83C30F      ADD BX,+0F
:0176 B104        MOV CL,04
:0178 D3EB        SHR BX,CL           <- BX = (03B4+0F)/10h = 3C
:017A B8004A      MOV AX,4A00         <- shrink our memory block
:017D CD21        INT 21                 to 3C paragraphs
:017F BA9E01      MOV DX,019E         <- DS:DX = program name
:0182 BBA501      MOV BX,01A5         <- ES:BX = parameter block
:0185 B8004B      MOV AX,4B00         <- load and execute ma.com
:0188 CD21        INT 21
:018A 2E8B164201  MOV DX,CS:[0142]    <- restore the old INT_21
:018F 2E8E1E4401  MOV DS,CS:[0144]
:0194 B82125      MOV AX,2521
:0197 CD21        INT 21
:0199 B8004C      MOV AX,4C00         <- terminate with return
:019C CD21        INT 21                 code
:019E 6D612E636F6D00                  "ma.com",0
:01A5 0000                            fence (environment segment 0)
:01A7 B2015887                        the three far pointers of the
:01AB B2015887                        4B parameter block; their segment
:01AF B2015887                        words (01A9, 01AD, 01B1) were
                                      filled with DS above
      0000                            fence

Let's now prepare the routine at 0102 that hooks INT_21:

   push all
   CMP AX,2500                  <- go on only for INT_21 service 25
                                   (AL=00: the program sets interrupt 0)
   JNZ ret
   CMP Word Ptr [0065],C00B     <- go on only if location 65 holds
                                   0B C0, i.e. OR AX,AX
   JNZ ret
   MOV Byte Ptr [0060],EB       <- crack instructions: JMP +3C
   MOV Byte Ptr [0061],3C
   MOV Byte Ptr [0062],40       <- INC AX
   MOV Byte Ptr [0063],90       <- NOP
   MOV Byte Ptr [0064],48       <- DEC AX
ret:
   pop all
   JMP FAR CS:[0142]            <- on to the previous INT_21

(Both paths must pass through "pop all" before the far jump, or the
stack of the hooked program is left unbalanced.)

   From now on, every time a program with location [0065]
containing an OR AX,AX instruction (0BC0: it's the case of ma.com)
calls INT_21 service 25 (hook a vector), the target program will
be modified on the fly and will get, at + +location [0060], the instruction JMP 3C locations ahead, despite + +the fact that it has routines capable of self checking in order + +to make sure it has not been modified. + + The most important thing is the routine that YOU write that + +will precede the call to INT_21 (or any other INT) service 25 (or + +any other service) in order to crack on the fly the offending + +program. I'll show you another one, this one for [Reach for the + +skies] (reach.com): + +push all + +CMP AH,3D <- is it service 3D? (open file) + +JNZ ret <- no, so ret + +CMP DX,13CE <- you wanna open file at 13CE? + +JNZ ret <- no, so ret + +MOV AX,[BP+04] <- in this case + +MOV DS,AX + +CMP Byte Ptr [B6DA],74 <- old instructions + +JNZ 015B + +CMP Byte Ptr [B6DB],0F <- ditto + +JNZ 015B + +CMP Byte Ptr [B6DC],80 <- ditto, now we now where we are + +JNZ 015B + +MOV Byte Ptr [B6DA],EB <- crack + +MOV Byte Ptr [B697],40 <- camouflaged no-opping + +MOV Byte Ptr [B698],48 <- cam nop + +MOV Byte Ptr [B699],90 <- cam nop + +MOV Byte Ptr [B69A],40 <- cam nop + +MOV Byte Ptr [B69B],48 <- cam nop + +MOV DX,CS:[0165] + +MOV DS,CS:[0167] + +MOV AX,2521 <- set hook + +INT 21 + +POP all + +JMP FAR CS:[0165] + +Here you did change the instruction 740F in the instruction EB0F, + +and you did "noop" the instructions at B697-B69B. (Well, more + +elegantly than "noop" them with "90" bytes, you choose a INC AX, + +DEC AX, NOP, INC AX, DEC AX sequence instead! There are sound + +reasons to use a sequence of "working" instructions instead of + +NOPs: recent protection schemes "smell" patched nops inside the + +program and trash everything if they find more than -say- three + +consecutive NOPs! You should always try to choose THE LESS + +INTRUSIVE and MORE "CAMOUFLAGED" solution when you crack!) + + You can apply this kind of crack, on the same lines, to many + +programs that perform self checking of the code and hook the + +vectors. 
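The four "dead file" cracks of lesson 4.2 (TOP, F19, Populous, MAP) and the two "on the fly" loaders above all do the same three things: find a byte signature, overwrite a few bytes at a known distance from it, and keep the patch exactly as long as what it replaces. The Python below is an added example, not a tool of +ORC's; it reproduces those symdeb sessions on images constructed from the byte sequences quoted in the text (not real binaries), refuses a signature that does not match exactly once (symdeb prints every hit, and patching the wrong one corrupts unrelated code), and generates the INC AX / DEC AX / NOP camouflage filler of the reach.com loader, checking that the filler leaves AX unchanged and never forms a run of NOPs. Note the caveat in the comments: INC and DEC rewrite the arithmetic flags, so such filler is only safe where no following conditional jump depends on them.

```python
"""Signature patching of 'dead' DOS executable images (added example)."""

PATCHES = {
    # name: (signature, offset from the match, replacement)
    # TOP: MOV AL,[SI+121C] -> MOV AL,[SI+1208]; the displacement is
    # little-endian, so its low byte 1C is two bytes past the 8A opcode.
    "top":      (bytes.fromhex("8A841C123A84"), 2, bytes.fromhex("08")),
    # F19: ADD SP,+02 (83 C4 02) -> POP AX / XOR AX,AX (58 31 C0), same length.
    "f19":      (bytes.fromhex("83C4028946E8"), 0, bytes.fromhex("5831C0")),
    # Populous: JNZ beggar_off (75 09) lies 8 bytes past the IMUL's F7 opcode
    # (4 + 1 + 3 bytes); it becomes JMP +3.
    "populous": (bytes.fromhex("F7AE4EFF"), 8, bytes.fromhex("EB03")),
    # MAP: JZ ret (74 16) -> JMP ret (EB 16): only the opcode byte changes.
    "map":      (bytes.fromhex("7416505351525756"), 0, bytes.fromhex("EB")),
    # reach.com: 74 0F (JZ) -> EB 0F (JMP); the 80 that follows is context.
    "reach":    (bytes.fromhex("740F80"), 0, bytes.fromhex("EB")),
}

# Constructed sample images: the bytes quoted in the lesson, padded with
# unrelated filler (NOP NOP MOV AX,0 INT 21) so the search has to skip over it.
FILLER = bytes.fromhex("9090B80000CD21")
TOP_IMG = FILLER + bytes.fromhex("8A841C123A8408127402EB13") + FILLER
F19_IMG = FILLER + bytes.fromhex("E87FAF83C4028946E8") + FILLER
POP_IMG = FILLER + bytes.fromhex("F7AE4EFF403B460C75098B460CA3822AE930FE") + FILLER
MAP_IMG = FILLER + bytes.fromhex("7416505351525756E882F3") + FILLER
# Five hypothetical bytes (XOR AX,AX / MOV [1000],AX) stand in for B697-B69B,
# followed by the JZ at B6DA; the real reach.com layout is not on the page.
REACH_IMG = FILLER + bytes.fromhex("33C0A30010") + bytes.fromhex("740F80") + FILLER


def find_unique(image: bytes, signature: bytes) -> int:
    """Offset of the only occurrence of signature; ValueError otherwise."""
    hits, start = [], 0
    while (i := image.find(signature, start)) >= 0:
        hits.append(i)
        start = i + 1
    if len(hits) != 1:
        raise ValueError(f"signature matched {len(hits)} times at {hits}")
    return hits[0]


def patch(image: bytes, signature: bytes, offset: int, replacement: bytes) -> bytes:
    """Overwrite len(replacement) bytes at signature+offset, length preserved."""
    base = find_unique(image, signature) + offset
    end = base + len(replacement)
    if end > len(image):
        raise ValueError("patch runs past the end of the image")
    patched = image[:base] + replacement + image[end:]
    assert len(patched) == len(image)      # an in-place patch never moves code
    return patched


def camouflage(n: int) -> bytes:
    """n bytes of filler that leave AX unchanged and are not a run of NOPs.

    INC AX (40) / DEC AX (48) pairs, with a single NOP (90) after the first
    pair when n is odd: for n=5 this is the 40 48 90 40 48 of the lesson.
    Caveat: INC/DEC change OF, SF, ZF, AF and PF (not CF), so do not place
    this filler between a CMP and the conditional jump that uses it.
    """
    pairs, odd = divmod(n, 2)
    body = [b"\x40\x48"] * pairs
    if odd:
        body.insert(min(1, pairs), b"\x90")
    return b"".join(body)


def fill(image: bytes, at: int, n: int) -> bytes:
    """Replace n bytes at 'at' with camouflage filler."""
    if at < 0 or at + n > len(image):
        raise ValueError("fill range outside the image")
    return image[:at] + camouflage(n) + image[at + n:]


def ax_effect(code: bytes) -> int:
    """Net change to AX of a sequence made only of INC AX / DEC AX / NOP."""
    ax = 0
    for b in code:
        if b == 0x40:
            ax += 1
        elif b == 0x48:
            ax -= 1
        elif b != 0x90:
            raise ValueError(f"unexpected opcode {b:02X}")
    return ax


def longest_nop_run(code: bytes) -> int:
    best = run = 0
    for b in code:
        run = run + 1 if b == 0x90 else 0
        best = max(best, run)
    return best


def crack_all() -> dict:
    """Apply every patch of the lesson to its constructed sample image."""
    results = {name: patch(img, *PATCHES[name]) for name, img in
               (("top", TOP_IMG), ("f19", F19_IMG), ("populous", POP_IMG), ("map", MAP_IMG))}
    jz = find_unique(REACH_IMG, PATCHES["reach"][0])     # locate before patching
    results["reach"] = fill(patch(REACH_IMG, *PATCHES["reach"]), jz - 5, 5)
    return results


if __name__ == "__main__":
    for name, img in crack_all().items():
        print(name, img.hex())
```

The same code works on a real file once you replace the constructed images with `open("top.ded", "rb").read()`; the uniqueness check is the part symdeb leaves to your eyes.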
+ +REAL DISK ACCESS STUFF + + Now we may come to the subject of this lesson: + + As usual, let's begin from the beginning: history is always + +the key that allows an understanding of present and future, in + +cracking matters too. As the older 5 1/4 inch big black floppy + +disks were still used (the 320K/8 tracks or 360K/9 tracks ones, + +that were really "floppy" and have nowadays almost disappeared) + +one of the more common methods to protect a program, was to + +format the "master" (key) disk in a weird way. Old floppy disk + +for the PC did usually store 360K at 9 sectors per track. + + Some basics for those of you that do not know anything: in + +order to defeat this kind of cracks you need to know two things: + +the floppy disk parameter block (FDPB) and the interrupt routines + +dealing with format/read disk (basically INT_13). + + Most often, the protection scheme is to either format one + +or more sectors or tracks with sector sizes other than the + +standard 512 bytes, or to either give one of the sectors a wild + +sector number like 211 or just not format a whole track of + +eight/nine/15 sectors. If you, for instance, have got the same + +(very old) copy of VisiCalc master I do, you'll find that sector + +8 on track 39 is missing entirely. The interrogation with + +assembly or with an "ad hoc" utility (I use the tools I wrote + +myself, but you 'll be able to find many such utilities in public + +domain, the oldest one, from 1984 (!) being the seasoned [U-ZAP] + +an "Ultra utility" from the "Freesoft company") will tell you + +which sector numbers were altered, their size in bytes, and if + +they were formatted with a CRC error (another not so fancy + +trick). + + The floppy disk parameters are stored in the BIOS: interrupt + +vector 1E contains the address of the floppy disk parameter + +block. The FDPB's contents are the following: + +Offset Function crackworthy? 
Example

  0      Step rate & head unload time     no        DF
  1      Head load time & DMA mode        no        02
  2      Motor off delay                  no        25
  3      Bytes per sector (code)          yes       02
  4      Last sector number               yes       12
  5      Gap length                       yes       1B
  6      Data length                      yes       FF
  7      Format gap length                yes       54
  8      Format fill byte                 no        F6
  9      Head settle time                 no        0F
  A      Motor start time                 no        02

0) Offset #0: the left "nybble" (single digit) of this value is
   the step rate time for the disk drive head. The right nybble is
   the disk head unload time. These values are best left alone.
1) Offset #1: again, don't fool around with these values. The left
   nybble is the disk head load time, and the right nybble is the
   direct memory access mode select.
2) Wait time until the motor is turned off. Not normally of use.
3) Bytes-per-sector value: AH-HAH! If you place a "0" in this
   value, the PC expects all sectors to be 128 bytes long. A "1"
   means a sector size of 256 bytes, a "2" means 512 bytes (this is
   the standard DOS value), and a "3" means 1024 bytes per sector.
4) Highest sector number on a track: this is used for formatting
   and tells DOS how many sectors there are on each track.
5) Gap length for diskette reads: this is what you fool around
   with if you keep getting CRC errors when you try to read a
   non-standard size sector. Normally, you can just leave this
   alone except when formatting with a U-Format tool.
6) Data length: this contains the number of bytes in a sector when
   the value in table byte #3 doesn't contain a 0, 1, 2, or 3.
7) Number of bytes in the gap between sectors: this is also only
   used when formatting special tracks.
8) Format fill byte: when formatting, this is the initialization
   byte that will be placed in all new sectors.
9) Head settle time: leave this alone.
A) Motor start time: don't fool with this either.
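As an added example (not part of the lesson), here is the table above as a decoder: it takes the eleven bytes you would dump from the address in the INT 1E vector, names each field, flags the "crackworthy" ones, and tells a standard layout from a weird one. The standard table is the Example column of the table; the "weird" table is constructed here (1024-byte sectors, 11 per track) to show what a key-disk format looks like through the same lens. The units noted for offsets 9 and A are the usual BIOS meaning (milliseconds and eighths of a second) and are not stated on the page.

```python
"""Decode an 11-byte floppy disk parameter block (FDPB) (added example)."""

# Example column of the table above: the usual DOS table for 1.44M disks.
STANDARD = bytes.fromhex("DF022502121BFF54F60F02")
# Constructed: same table with 1024-byte sectors (code 3) and 11 sectors/track.
WEIRD = bytes.fromhex("DF022503" "0B" "1BFF54F60F02")

CRACKWORTHY = {3, 4, 5, 6, 7}                 # the "yes" rows of the table
SECTOR_SIZE_CODES = {0: 128, 1: 256, 2: 512, 3: 1024}
STANDARD_SECTORS_PER_TRACK = {8, 9, 15, 18, 36}


def decode_fdpb(tbl: bytes) -> dict:
    """Field-by-field view of one FDPB, following the offsets of the table."""
    if len(tbl) != 11:
        raise ValueError("an FDPB is exactly 11 bytes")
    code = tbl[3]
    # Bytes per sector comes from the code in byte 3; when that code is not
    # 0..3 the page says the data length byte (offset 6) gives the size.
    bytes_per_sector = SECTOR_SIZE_CODES.get(code, tbl[6])
    return {
        "step_rate": tbl[0] >> 4,         "head_unload": tbl[0] & 0xF,
        "head_load": tbl[1] >> 4,         "dma_mode": tbl[1] & 0xF,
        "motor_off_delay": tbl[2],
        "sector_size_code": code,         "bytes_per_sector": bytes_per_sector,
        "sectors_per_track": tbl[4],
        "gap_length": tbl[5],             "data_length": tbl[6],
        "format_gap_length": tbl[7],      "fill_byte": tbl[8],
        "head_settle_ms": tbl[9],         "motor_start_eighths": tbl[10],
    }


def bytes_per_track(tbl: bytes) -> int:
    d = decode_fdpb(tbl)
    return d["bytes_per_sector"] * d["sectors_per_track"]


def capacity(tbl: bytes, tracks: int = 80, sides: int = 2) -> int:
    """tracks * sectors * bytes * sides, the formula used in the lesson."""
    return bytes_per_track(tbl) * tracks * sides


def is_nonstandard(tbl: bytes) -> bool:
    """True when a disk read with this table cannot be a plain DOS format."""
    d = decode_fdpb(tbl)
    return d["bytes_per_sector"] != 512 or \
        d["sectors_per_track"] not in STANDARD_SECTORS_PER_TRACK


def diff_fdpb(a: bytes, b: bytes) -> list:
    """(offset, byte in a, byte in b, crackworthy?) for every differing byte."""
    decode_fdpb(a), decode_fdpb(b)          # length checks
    return [(i, x, y, i in CRACKWORTHY) for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    for name, tbl in (("standard", STANDARD), ("weird", WEIRD)):
        d = decode_fdpb(tbl)
        print(f"{name}: {d['bytes_per_sector']} bytes x {d['sectors_per_track']} "
              f"sectors, {capacity(tbl)} bytes on 80 tracks x 2 sides, "
              f"nonstandard={is_nonstandard(tbl)}")
    print("differences:", diff_fdpb(STANDARD, WEIRD))
```

Feed it the bytes from your own `d` dump; if only the "yes" rows differ from the standard table, the protectionist has changed the format, not the drive timing, and those are the bytes you copy into your own table before calling INT 13.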
In order to change globally the number of tracks on a given disk
and the number of sectors per track you can always format with the
DOS command switches "/t:" and "/n:":

   FORMAT /t:tracks /n:sectors

   If you want to find out what the existing parameters are, run
[Debug.exe] or [Symdeb.exe] and enter the following commands:

- d 0:78 l 4                  <- get the FDPB address (the INT 1E vector)
0000:0070  22 05 00 00        <- debugger's likely response: offset 0522,
                                 segment 0000
- d 0:522 l b                 <- get the 11 FDPB bytes
0000:0520  DF 02 25 02 12 1B FF 54 F6 0F 02    <- see preceding table

   Remember that all standard disk formats under DOS use a sector
size of 512 bytes, therefore, for one-sided 5.25 inch floppies:

   40t*8s*512b = 163.840 bytes (160Kb)
   40t*9s*512b = 184.320 bytes (180Kb)

and for two-sided 5.25 inch floppies:

   40t*8s*512b*2sides = 327.680 bytes (320Kb)
   40t*9s*512b*2sides = 368.640 bytes (360Kb)

   Beginning with DOS version 3.0 (Yeah, more and more history!) a
new floppy disk format has been supported: the IBM AT (80286 CPU)
introduced the so called "high capacity" 5.25-inch floppy, capable
of storing 1.2M at 15 sectors per track:

   80t*15s*512b*2sides = 1.228.800 bytes (1.2Mb)

   Later on the today universally used 3.5 inch floppies were
introduced, the ones inside a rigid small plastic cartridge, and we
have, similarly:

   3.5-inch double sided/double density (DD, 9 sectors)          720K
   3.5-inch double sided/high density (HD, 18 sectors)          1440K
   3.5-inch double sided/extra-high density (ED, 36 sectors)    2880K

[INT_13, AH=18, Set media type for format]

   In order to create weird layouts, the protectionists use
interrupt 13h, service 18h, that specifies to the formatting
routines the number of tracks and sectors per track to be placed on
the media:

* Registers on entry: AH=18h; CH=N of tracks; CL=Sectors per
  track; DL=Drive number (A=0; B=1; C=2...
  bit 7 is set if the drive is a hard disk)
* Registers on return: ES:DI = address of the 11-byte parameter
  table (the carry flag is set, with a status in AH, if the BIOS
  does not support the requested layout).

[INT_13, AH=2, Read disk sectors]

In order to read them, they have to use INT_13, service 2, read
disk sectors, with the following layout:

* Registers on entry: AH=2h; AL=N of sectors; BX=Offset address
  of data buffer; CH=track; CL=Sector; DH=Head (side) number;
  DL=Drive number; ES=Segment address of data buffer.
* Registers on return: AH=return code, AL=number of sectors
  actually read. If the carry flag is not set, AH=0, therefore the
  weird sector has been read; if on the contrary the carry flag is
  set, AH reports the status byte as follows:

   bit   HEX  DEC  Meaning
   7     80h  128  Time out - drive crazy (no response)
   6     40h  064  Seek failure, could not move to track
   5     20h  032  Controller kaputt
   4     10h  016  Bad CRC on disk read
   -     09h  009  DMA error - 64K boundary crossed
   3     08h  008  DMA overrun
   2     04h  004  Bad sector - sector not found
   1,0   03h  003  Write protect!
   1     02h  002  Bad sector ID (address mark not found)
   0     01h  001  Bad command

[Return code AH=9: DMA boundary error]

   One of the possible errors should be explained, coz it is used
in some protection schemes: AH=9, DMA boundary error, means that an
illegal boundary was crossed when the information was placed into
RAM. DMA (Direct Memory Access) is used by the disk service
routines to place information into RAM, and a single transfer
cannot cross a 64K boundary of the PHYSICAL address (segment*10h +
offset), i.e. a physical address that is a multiple of 10000h. If
such a boundary falls in the middle of the area being overlaid by a
sector, this error will occur; an offset ending in three zeros is
not by itself a boundary, it is the physical address that counts.

[INT_13, AH=4, Verify disk sectors]

   Another possible protection interrupt is interrupt 13h, service
4, Verify disk sectors. Disk verification takes place on the disk
and DOES NOT involve verification of the data on the disk against
data in memory!
This function has no buffer + +specification, does not read or write a disk: it causes the + +system to read the data in the designated sector or sectors and + +to check its computed cyclic redundancy check (CRC) against data + +stored on the disk. See INT_13, AH=2 registers and error report. + +[CRC] + + The CRC is a checksum, that detects general errors. When a + +sector is written to disk, an original CRC is calculated AND + +WRITTEN ALONG with the sector data. The verification service + +reads the sector, recalculates the CRC, and compares the + +recalculated CRC with the original CRC. + + We saw that some protection schemes attempt to disguise + +interrupt calls. This is particularly frequent in the disk access + +protection schemes that utilize INT_13 (the "disk" interrupt). + + If you are attempting to crack such programs, the usual + +course of action is to search for occurrences of "CD13", which + +is machine language for interrupt 13. One way or another, the + +protection scheme has to use this interrupt to check for the + +special sectors of the disk. If you examine a cross section of + +the program, however, you'll find programs which do not have + +"CD13" in their machine code, but which clearly are checking the + +key disk for weird sectors. How comez? + + There are several techniques which can be used to camouflage + +the protection scheme from our nice prying eyes. I'll describe + +here the three such techniques that are more frequent: + +1) The following section of code is equivalent to issuing an + +INT 13 command to read one sector from drive A, side 0, track + +29h, sector ffh, and then checking for a status code of 10h: + + cs:1000 MOV AH,02 ;read operation + + cs:1002 MOV AL,01 ;1 sector to read + + cs:1004 MOV CH,29 ;track 29h + + cs:1006 MOV CL,FF ;sector ffh + + cs:1008 MOV DX,0000 ;side 0, drive A + + cs:100B XOR BX,BX ;move 0... 
   cs:100D  MOV DS,BX        ;...into DS (DS=0: the interrupt vector table)
   cs:100F  PUSHF            ;push the flags
   cs:1010  PUSH CS          ;push CS
   cs:1011  CALL 1100        ;push the return address (1014) and branch:
                             ;flags, CS and IP now lie on the stack exactly
                             ;as an INT instruction would have left them
   cs:1014  CMP AH,10        ;check for a CRC error
   cs:1017  ... rest of verification code
   ...
   ...
   cs:1100  PUSHF            ;push the flags
   cs:1101  MOV BX,004C      ;address of the INT_13 vector (13h*4)
   cs:1104  PUSH [BX+02]     ;push CS of the INT_13 routine
   cs:1107  PUSH [BX]        ;push IP of the INT_13 routine
   cs:1109  IRET             ;pops IP, CS and flags: a far jump into the
                             ;BIOS handler, whose own IRET returns to 1014

Notice that there is no INT 13 command in the source code, so if
you had simply used a debugger to search for "CD13" in the machine
code, you would never have found the protection routine. (The
skeleton above does not set ES:BX to a read buffer; a real program
would load them before the CALL, since service 2 writes the sector
to ES:BX.)

2) Another technique is to put in a substitute interrupt
instruction, such as INT 10, which looks harmless enough, and have
the program change the "10" to "13" (and then back to "10") on the
fly. A search for "CD13" would turn up nothing.

3) The best camouflage method for interrupts I have ever cracked
(albeit not on an INT 13) was a jump to a section of the PROGRAM
code that reproduces in extenso the interrupt code. This elegant
(if a little overbloated) disguise mocks every call to the
replicated interrupt.

LOADING ABSOLUTE DISK SECTORS

Good old [debug.com] has been called the "swiss army knife" of the
cracker. It allows a lot of nice things, inter alia the loading,
reading, modifying and writing of absolute sectors of the disks.
The sector count starts with the first sector of track 0, next
sector is track 0, second side (if double sided), then, back to the
first side, track 1, and so on, until the end of the disk. Up to
80h (128) sectors can be loaded at one time. To use it you must
specify starting address, drive (0=A, 1=B, etc...), starting sector
and number of sectors to load:

   - l 100 0 10 20

This instruction tells DEBUG to load, starting at DS:0100, from
drive A, sector 10h for 20h sectors.
This allows at times the retrieval of hidden and/or weirdly
formatted data. If you get an error, check the memory location for
that data. Often, part of the data has been transferred before the
error occurs, and the remainder can be manually entered or gathered
through repeated retries.

Bear all this in mind when learning the following cracks.

Let's now crack an "oldie" primitive: MS Flight Simulator (old
version 2.12, from 1985!). This old program used -in 1985!- the
following beautiful protection scheme: on the disk you had only a
"stub", called FS.COM, of a few bytes, with the following
instructions:

loc    code              instruction                what's going on
-----------------------------------------------------------------------
:0100  FA                CLI                        ;why not?
:0101  33C0              XOR AX,AX                  ;ax=0
:0103  8ED0              MOV SS,AX                  ;ss=0
:0105  BCB0C0            MOV SP,C0B0                ;SP=C0B0
:0108  8EC0              MOV ES,AX                  ;ES=0
:010A  26C70678003001    MOV Wptr ES:[0078],0130    ;Wp 0:78=130
:0111  268C0E7A00        MOV ES:[007A],CS           ;0:7A=Segment
:0116  BB0010            MOV BX,1000                ;BX=1000
:0119  8EC3              MOV ES,BX                  ;ES=1000
:011B  33DB              XOR BX,BX                  ;BX=0
:011D  B80102            MOV AX,0201                ;AH=2 AL=1 sector
:0120  BA0000            MOV DX,0000                ;head=0 drive=0
:0123  B96501            MOV CX,0165                ;track=1 sector=65 (!)
:0126  CD13              INT 13                     ;INT 13/AH=2
:0128  B83412            MOV AX,1234                ;AX=1234
:012B  EA00000010        JMP 1000:0000              ;JMP to data we just read
:0130  CF                                           ;not a return: first byte
                                                    ;of the stub's own disk
                                                    ;parameter table

   Look at :010A and :0111 again: 0:78 is the INT 1E vector, the
pointer to the floppy disk parameter block, and the stub points it
at CS:0130. The CF there is therefore byte 0 of a private FDPB
(step rate C, head unload F), not an IRET; the remaining ten bytes
of the table follow it and are not shown here. Without this table
the BIOS would never read "sector 65" of track 1.

   You see what's happening in this old protection scheme, don't
you? Herein you can watch the same snap that happens in more recent
(much more recent) protection schemes (as you'll see in the next
lesson): the protection installs its own disk parameters, searches
for a weirdly formatted sector and/or for particular data, and
jumps into whatever it read.

   That should be no problem for you any more: you should just
reverse engineer everything (and that goes pretty quickly: just
watch and break on the INT_13 calls), fetch the "weird" data,
tamper with the whole crap and have your soup as you like it.
+ + One more word about "old" protection schemes. Be careful not + +to spurn them! Some of them are + + -- CLEVER + + -- STILL USED + + -- DIFFICULT TO CRACK... I mean, this older DOS programs had + +nice protections... it's pretty annoying to crack windows + +programs that require a registration number: as you saw in Lesson + +3, you just type your name and a serial number of your choice in, + +say "666666666", break into the program with WINICE, search the + +"666666666" and search too, for good measure, your own name, set + +a memory read breakpoint where the number dwells and look at the + +code that manipulates your input. As [Chris] rightly pointed out, + +you can even rip the code straight out of the program and create + +a key generator which will produce a valid code. This code will + +work for any name you typed in only in the "pure maths + +manipulation" protection schemes, and will on the contrary be + +specific, following the name you typed in, the "alpha-maths + +manipulation" protection schemes (like MOD4WIN, see the Windows + +lessons), watch in this case the "pseudo-random xoring" of the + +letters that compose your name. + + -- STUNNING, coz new ideas have always been infrequent, and + +they are getting more and more rare in this objectionable world + +of lazy, incapable programmers patronizing us with ill-cooked + +outrages like Windows'95... yeah, as usual there is no + +"development" at all, quite the contrary, I would say. 
Take a + +step backward, sip a good Martini-Wodka (please remember that + +only Ice cubes, Dry Martini, Wodka Moskovskaja, Schweppes' + +"Indian tonic" a green olive from Tuskany and a maltese lemon + +zest will really be perfect) and watch from your balcony, with + +unsullied eyes, your town and the people around you: slaves + +everywhere, leaving home at 7.30 in the morning, stinking in a + +progression of identical cars, forced to interminably watch + +advertisement panels and endlessly listen to boorish publicity, + +happy to go to work (if they happen to have the "luck" to work, + +in this inequitable society) the whole day long in order to + +produce other cars in order to buy, one day, a new car with a + +different colour... + + Why people don't look at the stars, love each other, feel + +the winds, ban the stinking cars from the places where they live + +and eat, study colours... name yourself a not-consumistic + +activity? Why don't they read any poems any more? No poetry any + +more, in the grey society of the publicity-spots slaves...poetry + +will soon be forbidden, coz you cannot CONSUME as you read poems, + +and in this farce of a society you are BOUND to consume, that's + +the only thing they want you to do... you are CULTIVATED to + +consume... no books worth to read any more... stupid american + +conventional cram everywhere... boy, at times I'm missing some + +well placed neutron bombs, the ones that would kill all these + +useless zombies and leave noble books and good Wodka untouched. + +It's difficult to believe in democracy any more... if I ever + +did... all the useless zombie do -unfortunately- vote, and they + +do vote for "smiling semblances", for "conventionally minded + +idiots" that so act as if they would "really" be like what they + +"look" like and could not care less about anything else than + +making bucks and defend intolerant and petty patterns. The slaves + +choose the people they have "seen" on TV... 
as if the egyptians + +would VOTE for their pharaohs, exhilarated under the whips of + +publicity... sorry, at times I forget that you are here for the + +cracks, and could not care less about what I think... + + You 'll obtain the OTHER missing lessons IF AND ONLY IF you + +mail me back (via anon.penet.fi) with some tricks of the trade + +I may not know that YOU discovered. Mostly I'll actually know + +them already, but if they are really new you'll be given full + +credit, and even if they are not, should I judge that you + +"rediscovered" them with your work, or that you actually did good + +work on them, I'll send you the remaining lessons nevertheless. + +Your suggestions and critics on the whole crap I wrote are also + +welcomed. + + E-mail +ORC + + +ORC an526164@anon.penet.fi + HOW TO CRACK, by +ORC, A TUTORIAL + +--------------------------------------------------------------------------- + + Lesson 6.1: Funny tricks (1) + +--------------------------------------------------------------------------- + +LESSON 6 (1) - Funny tricks. Xoring, Junking, Sliding + +EXERCISE 01: [LARRY in search of the King] + + Before the next step let's resume what you have learned in + +the lessons 3-5, beginning with a very simple crack exercise + +(again, we'll use the protection scheme of a game, for the + +reasons explained in lesson 1): SEARCH FOR THE KING (Version + +1.1.). This old "Larry" protection sequence, is a "paper + +protection" primitive. It's a very widespread (and therefore easy + +to find) program, and one of the first programs that instead of + +asking meaningful passwords (which offer us the possibility to + +immediately track them down in memory) asked for a random number + +that the good buyer could find on the manual, whereby the bad + +cracker could not. (Here you choose -with the mouse- one number + +out of 5 possible for a "gadget" choosen at random). I don't need + +any more to teach you how to find the relevant section of code + +(-> see lesson 3). 
Once you find the protection, this is what you + +get: + +:protection_loop + + :C922 8E0614A3 MOV ES,[A314] + +... + + :C952 50 0E PUSH AX & CS + + :C954 E81BFF CALL C872 <- call protection scheme + + :C957 5B POP BX twice + + :C959 8B76FA MOV SI,[BP-06] <- prepare store_room + + :C95C D1E6 SHL SI,1 <- final prepare + + :C95E 8942FC MOV [BP+SI-04],AX <- store AX + + :C961 837EFA00 CMP Word Ptr [BP-06],+00 <- good_guy? + + :C965 75BB JNZ C922 <- loop, bad guy + + :C967 8E0614A3 MOV ES,[A314] + + :C96B 26F606BE3501 TEST Byte Ptr ES:[35BE],01 <- bad_guy? + + :C971 74AF JZ C922 <- loop, bad guy + + :C973 8B46FC MOV AX,[BP-04]... <- go on good guy + +Let's see now the protection scheme called from :C954 + + :C872 55 PUSH BP + +... + + :C8F7 90 NOP + + :C8F8 0E PUSH CS + + :C8F9 E87234 CALL FD6E <- call user input + + :C8FC 5B POP BX + + :C8FD 5B POP BX + + :C8FE 8B5E06 MOV BX,[BP+06] + + :C901 D1E3 SHL BX,1 + + :C903 39872266 CMP [BX+6622],AX <- right answer? + + :C907 7505 JNZ C90E <- no, beggar_off + + :C909 B80100 MOV AX,0001 <- yes, AX=1 + + :C90C EB02 JMP C910 + + :C90E 2BC0 SUB AX,AX <- beggar_off with AX=0 + + :C910 8BE5 MOV SP,BP + + :C912 5D POP BP + + :C913 CB RETF <- back to main + +Here follow 5 questions, please answer all of them: + +1) Where in memory (in which locations) are stored the "right" + + passnumbers? Where in memory is the SEGMENT of this + + locations stored? How does the scheme get the OFFSET? + +2) Would setting NOPs instructions at :C965 and :C971 crack? + + Would it be a good idea? + +3) Would changing :C907 to JZ crack? Would it be a good idea? + +4) Would changing :C907 to JNZ C909 crack? Would it be a good + + idea? + +5) Write down (and try) at least 7 OTHER different patches to + + crack this scheme in spades (without using any NOP!). + +Uff! By now you should be able to do the above 5 exercises in + +less than 15 minutes WITHOUT USING THE DEBUGGER! Just look at the + +data above and find the right answers feeling them... 
(you 'll + +now which one are the right one checking with your debugger... + +score as many points as you like for each correct answer and sip + +a good Martini-Wodka... do you know that the sequence should + +ALWAYS be 1) Ice cubes 2) Martini Dry 3) Wodka Moskovskaja 4) + +olive 5) lemon 6) Schweppes Indian tonic? + +Let's now come to the subject of this lesson: + +-----> [Xoring] (Simple encryption methods) + + One easy way to encrypt data is the XOR method. XOR is a bit + +manipulation instruction that can be used in order to cipher and + +decipher data with the same key: + + Byte to encrypt key result + + FF XOR A1 5E + + 5E XOR A1 FF + +As you can see XOR offers a very easy way to encrypt or to + +decrypt data, for instance using the following routine: + + encrypt_decrypt: + + mov bx, offset_where_encryption/decryption_starts + + xor_loop: + + mov ah, [bx] <- get current byte + + xor ah, encrypt_value <- engage/disengage xor + + mov [bx], ah <- back where you got it + + inc bx <- ahead one byte + + cmp bx, offset_start_+_size <- are we done? + + jle xor_loop <- no, then next cycle + + ret <- back where we came from + +The encrypt_value can be always the same (fixed) or chosen at + +random, for instance using INT_21, service 2Ch (get current time) + +and choosing as encrypt_value the value reported in DL (but + +remembering to discard the eventual value 0, coz otherwise it + +would not xor anything at all!) + + random_value: + + mov ah,2Ch + + int 21h + + cmp dl,0 + + je random_value + + mov encrypt_value,dl + + The problem with XORing (and with many other encryption + +methods), is that the part of the code that calls the encryption + +routine cannot be itself encrypted. You'll somewhere have, "in + +clear" the encryption key. 
+ + The protectionist do at times their best to hide the + +decrypting routine, here are some common methods: + +-----> JUNK FILLING, SLIDING KEYS AND MUTATING DECRYPTORS + + These are the more common protection method for the small + +decryption part of the program code. This methods, originally + +devised to fool signature virus scanners, have been pinched from + +the polymorphic virus engines of our fellows viriwriters, and are + +still in use for many simple decryption protection schemes. For + +parts of the following many thanks go to the [Black Baron], it's + +a real pity that so many potential good crackers dedicate so much + +time to useless (and pretty repetitive) virus writing instead of + +helping in our work. This said, virus studying is VERY important + +for crackers coz the code of the viri is + +* ULTRAPROTECTED + +* TIGHT AND EFFECTIVE + +* CLOAKED AND CONCEALED. + +Let's show as example of the abovementioned protection tactics + +the following ultra-simple decryptor: + + MOV SI,jumbled_data ;Point to the jumbled data + + MOV CX,10 ;Ten bytes to decrypt + +mn_loop: XOR BYTE PTR [SI],44 ;XOR (un_scramble!) a byte + + INC SI ;Next byte + + LOOP mn_loop ;Loop the 9 other bytes + +This small program will XOR the ten bytes at the location pointed + +to by SI with the value 44. Providing the ten bytes were XORed + +with 44 prior to running this decryptor the ten bytes will be + +restored to their original state. + +In this very simple case the "key" is the value 44. But there are + +several tricks involving keys, the simplest one being the use of + +a "sliding" key: a key that will be increased, or decreased, or + +multiplied, or bit-shifted, or whatever, at every pass of the + +loop. + +A possible protection can also create a true "Polymorph" + +decryptor, a whole decryptor ROUTINE that looks completely + +different on each generation. 
The trick is to pepper totally + +random amounts of totally random instructions, including JUMPS + +and CALLS, that DO NOT AFFECT the registers that are used for the + +decryption. Also this kind of protection oft uses a different + +main decryptor (possibly from a selection of pre-coded ones) and + +oft alters on each generation also all the registers that the + +decryptor uses, invariably making sure that the JUNK code that + +it generates doesn't destroy any of the registers used by the + +real decryptor! So, with these rules in mind, here is our simple + +decryptor again: + + MOV DX,10 ;Real part of the decryptor! + + MOV SI,1234 ;junk + + AND AX,[SI+1234] ;junk + + CLD ;junk + + MOV DI,jumbled_data ;Real part of the decryptor! + + TEST [SI+1234],BL ;junk + + OR AL,CL ;junk + +mn_loop: ADD SI,SI ;junk instr, but real loop! + + XOR AX,1234 ;junk + + XOR BYTE PTR [DI],44 ;Real part of the decryptor! + + SUB SI,123 ;junk + + INC DI ;Real part of the decryptor! + + TEST DX,1234 ;junk + + AND AL,[BP+1234] ;junk + + DEC DX ;Real part of the decryptor! + + NOP ;junk + + XOR AX,DX ;junk + + SBB AX,[SI+1234] ;junk + + AND DX,DX ;Real part of the decryptor! + + JNZ mn_loop ;Real part of the decryptor! + +As you should be able to see, quite a mess! But still executable + +code. It is essential that any junk code generated by the + +Polymorph protection is executable, as it is going to be peppered + +throughout the decryptor. Note, in this example, that some of the + +junk instructions use registers that are actually used in the + +decryptor! This is fine, providing the values in these + +registers aren't destroyed. Also note, that now we have random + +registers and random instructions on each generation. So, a + +Polymorph protection Engine can be summed up into three major + +parts: + + 1 .. The random number generator. + + 2 .. The junk code generator. + + 3 .. The decryptor generator. 
+ +There are other discrete parts but these three are the ones where + +most of the work goes on! + +How does it all work? Well a good protection would + +* choose a random selection of registers to use for the + +decryptor and leave the remaining registers as "junk" registers + +for the junk code generator. + +* choose one of the compressed pre-coded decryptors. + +* go into a loop generating the real decryptor, peppered with + +junk code. + +From the protectionist's point of view, the advantages of this + +kind of method are mainly: + +* the casual cracker will have to sweat to find the decryptor. + +* the casual cracker will not be able to prepare a "patch" for + +the lamers, unless he locates and patches the generators, (that + +may be compressed) coz otherwise the decryptor will vary every + +time. + +To defeat this kind of protection you need a little "zen" feeling + +and a moderate knowledge of assembler language... some of the + +junk instructions "feel" quite singular when you look at them + +(->see lesson B). Besides, you (now) know what may be going on + +and memory breakpoints will immediately trigger on decryption... + +the road is open and the rest is easy (->see lessons 3-5). + +-----> Starting point number magic + +For example, say the encrypted code started at address 10h, the + +following could be used to index this address: + + MOV SI,10h ;Start address + + MOV AL,[SI] ;Index from initial address + +But sometimes you'll instead find something like the following, + +again based on the encrypted code starting at address 10h: + + MOV DI,0BFAAh ;Indirect start address + + MOV AL,[DI+4066h) ;4066h + 0BFAAh = 10010h (and FFFF = 10h)!! + +The possible combinations are obviously infinite. + +[BIG KEYS] (Complicated encryption methods) + + Prime number factoring is the encryption used to protect + +sensible data and very expensive applications. Obviously for few + +digit keys the decoding is much easier than for, say, 129 or 250 + +digit keys. 
Nevertheless you can crack those huge encryption too, + +using distributed processing of quadratic sieve equations (which + +is far superior for cracking purpose to the sequential processing + +methods) in order to break the key into prime numbers. To teach + +you how to do this sort of "high" cracking is a little outside + +the scope of my tutorial: you'll have to write a specific short + +dedicated program, linking together more or less half a thousand + +PC for a couple of hours, for a 250 bit key, this kind of things + +have been done quite often on Internet, were you can also find + +many sites that do untangle the mysteries (and vagaries) of such + +techniques. + + As References I would advocate the works of Lai Xueejia, those + +swiss guys can crack *everything*. Begin with the following: + +Xuejia Lai, James Massey, Sean Murphy, "Markov Ciphers and + + Differential Cryptanalysis", Advances in Cryptology, + + Eurocrypt 1991. + +Xuejia Lai, "On the Design and Security of Block Ciphers", + + Institute for Signal and Information Processing, + + ETH-Zentrum, Zurich, Switzerland, 1992 + +Factoring and primality testing is obviously very important for + +this kind of crack. The most comprehensive work I know of is: + +(300 pages with lengthy bibliography!) + + W. Bosma & M. van der Hulst + + Primality Testing with Cyclotomy + + Thesis, University of Amsterdam Press. + +A very good old book you can incorporate in your probes to build + +very effective crack programs (not only for BBS accesses :=) is + +*the* "pomerance" catalog: + +Pomerance, Selfridge, & Wagstaff Jr. + + The pseudoprimes to 25*10^9 + + Math. Comp. Vol 35 1980 pp. 1003-1026 + +Anyway... make a good search with Lykos, and visit the relevant + +sites... if encryption really interests you, you'll be back in + +two or three (or thirty) years and you'll resume cracking with + +deeper erudite knowledge. 
+ +[PATENTED PROTECTION SYSTEMS] + + The study of the patented enciphering methods is also *quite* + +interesting for our aims :=) Here are some interesting patents, + +if you want to walk these paths get the complete texts: + + [BEST] USPat 4168396 to Best discloses a microprocessor + +for executing enciphered programs. Computer programs which have + +been enciphered during manufacture to deter the execution of the + +programs in unauthorized computers, must be decrypted before + +execution. The disclosed microprocessor deciphers and executes + +an enciphered program one instruction at a time, instead of on + +a continuous basis, through a combination of substitutions, + +transpositions, and exclusive OR additions, in which the address + +of each instruction is combined with the instruction. Each unit + +may use a unique set of substitutions so that a program which can + +be executed on one microprocessor cannot be run on any other + +microprocessor. Further, Best cannot accommodate a mixture of + +encrypted and plain text programs. + + [JOHNSTONE] USPat 4120030 to Johnstone describes a + +computer in which the data portion of instructions are scrambled + +and in which the data is of necessity stored in a separate + +memory. There is no disclosure of operating with instructions + +which are completely encrypted with both the operation code and + +the data address portion being unreadable without a corresponding + +key kernel. + + [TWINPROGS] USPat 4183085 describes a technique for + +protecting software by providing two separate program storages. + +The first program storage is a secure storage and the second + +program storage is a free storage. Security logic is provided to + +check whether an output instruction has originated in the secure + +store and to prevent operation of an output unit which receives + +output instructions from the free storage. This makes it + +difficult to produce information by loading a program into free + +storage. 
+ + [AUTHENTICATOR] USPat 3996449 entitled "Operating System + +Authenticator," discloses a technique for authenticating the + +validity of a plain text program read into a computer, by + +exclusive OR'ing the plain text of the program with a key to + +generate a code word which must be a standard recognizable code + +word which is successfully compared with a standard corresponding + +code word stored in the computer. If there is a successful + +compare, then the plain text program is considered to be + +authenticated and is allowed to run, otherwise the program + +is not allowed to run. + +ELEMENTS OF [PGP] CRACKING + +In order to try to crack PGP, you need to understand how these + +public/private keys systems work. Cracking PGP seems extremely + +difficult, though... I have a special dedicated "attack" computer + +that runs 24 hours on 24 only to this aim and yet have only begun + +to see the light at the famous other end of the tunnel. It's + +hard, but good crackers never resign! We'll see... I publish here + +the following only in the hope that somebody else will one day + +be able to help... + +In the public key cryptosystems, like PGP, each user has an + +associated encryption key E=(e,n) and decryption key D=(d,n), + +wherein the encryption keys for all users are available in a + +public file, while the decryption keys for the users are only + +known to the respective users. In order to maintain a high level + +of security a user's decoding key is not determinable in a + +practical manner from that user's encoding (public) key. Normally + +in such systems, since + + e.multidot.d.ident.1 (mod(1 cm((p-1),(q-1)))), + +(where "1 cm((p-1),(q-1))" is the least common multiple of the + +numbers p-1 and q-1) + +d can be determined from e provided p and q are also known. + +Accordingly, the security of the system is dependent upon the + +ability to determine p and q which are the prime factors of n. 
+ +By selecting p and q to be large primes, the resultant composite + +number n is also large, and correspondingly difficult to factor. + +For example, using known computer-implemented factorization + +methods, on the order of 10.sup.9 years is required to factor a + +200 digit long number. Thus, as a practical matter, although a + +user's encryption key E=(e,n) is public, the prime factors p and + +q of n are effectively hidden from anyone due to the enormous + +difficulty in factoring n. These aspects are described more fully + +in the abundant publications on digital signatures and Public-Key + +Cryptosystems. Most public/private systems relies on a message- + +digest algorithm. + + A message-digest algorithm maps a message of arbitrary length + +to a "digest" of fixed length, and has three properties: + +Computing the digest is easy, finding a message with a given + +digest "inversion" is hard, and finding two messages with the + +same digest "collision" is also hard. Message-digest algorithms + +have many applications, not only digital signatures and message + +authentication. RSA Data Security's MD5 message-digest algorithm, + +developed by Ron Rivest, maps a message to a 128-bit message + +digest. Computing the digest of a one-megabyte message takes as + +little as a second. While no message-digest algorithm can yet + +be secure, MD5 is believed to be at least as good as any other + +that maps to a 128-bit digest. + + As a final gift, I'll tell you that PGP relies on MD5 for a + +secure one-way hash function. For PGP this is troublesome, to say + +the least, coz an approximate relation exists between any four + +consecutive additive constants. This means that one of the design + +principles behind MD4 (and MD5), namely to design a collision + +resistant function, is not satisfied. You can construct two + +chaining variables (that only differ in the most significant bit + +of every word) and a single message block that yield the same + +hashcode. 
The attack takes a few minutes on a PC. From here you + +should start, as I did. + +[DOS 4GW] cracking - This is only a very provisory part of this + +tutorial. DOS 4GW cracking will be much better described as soon + +as [Lost soul] sends his stuff, if he ever does. For (parts of) + +the following I thank [The Interrupt]. + + Most applications of every OS, and also of DOS 4GW, are + +written in C language, coz as you'll have already learned or, + +either, you'll learn, only C allows you to get the "guts" of a + +program, almost approaching the effectiveness of assembler + +language. + + C is therefore the LANGUAGE OF CHOICE for crackers, when you + +prepare your tools and do not directly use assembler routines. + +Besides... you'll be able to find VERY GOOD books about C for + +next to nothing in the second hand bookshops. All the lusers are + +throwing money away in spades buying huge, coloured and + +absolutely useless books on unproductive "bloated" languages like + +Visual basic, C++ and Delphy. Good C new books are now rare + +(books on assembler language have always been) and can be found + +almost exclusively on the second hand market. Find them, buy + +them, read them, use them for your/our aims. You can find a lot + +of C tutorials and of C material on the Web, by all means DO IT! + +Be a conscientious cracker... learn C! It's cheap, lean, mean and + +very productive (and creative) :=) + + Back to the point: most stuff is written in C and therefore + +you need to find the "main" sub-routine inside the asm. With + +DOS/4GW programs, search the exe file for "90 90 90 90", almost + +always it'll be at the start of the compiled code. Now search for + +an INT_21 executed with 4C in AH, the exec to dos code (if you + +cannot "BPINT 21 AH=4C" with your tool, then search for the + +sequence "b4 4c cd 21". 
This is the equivalent to [mov AH,4C & + +int 21]: it's the most direct call, but as you'll have already + +learned, there are half a dozen ways to put 4C in AX, try them + +all in the order of their frequency). + + A few bytes above the INT_21 service 4C, you'll find the + +call to the "main" subroutine: "E8 xx xx". Now place a "CC" byte + +a few bytes above the call in the exe and run the exe under a + +debugger. When the computer tries to execute the instruction + +you'll be throw back in the debugger coz the "CC" byte acts as + +INT_01 instruction. Then proceed as usual. + +[THE "STEGONATED" PASSWORD HIDEOUT] + + A last, very nice trick should be explained to every wannabe + +cracker, coz it would be embarrassing to search for passwords or + +protection routines that (apparently) are not there. They may be + +hidden INSIDE a picture (or a *.waw file for that matter). This + +is steganography, a method of disguising messages within other + +media. + + Depending on how many shades of grey or hues of colour you want + +to have, a pixel can be expressed using 8. 16, 32 or even more + +bits. If the least significant bit is changed. the shade of the + +pixel is altered only one-256th, one-65,OOOth or even less. No + +human eye could tell the difference. + + What the protectionist does, is hijack the least significant + +bit in each pixel of a picture. It uses that bit to store one bit + +of a protection, or of a password (or of a file, or of a secret + +message). Because digitized pictures have lots of pixels, it's + +possible to store lots of data in a single picture. A simple + +algorithm will transfer them to the relevant parts of the program + +when it needs be, and there we'll intercept them. You'll need to + +learn very well the zen-cracking techniques to smell this kind + +of stuff though (-> see lesson B). + +Well, that's it for this lesson, reader. Not all lessons of my + +tutorial are on the Web. 
+ + You 'll obtain the OTHER missing lessons IF AND ONLY IF you + +mail me back (via anon.penet.fi) with some tricks of the trade + +I may not know that YOU discovered. Mostly I'll actually know + +them already, but if they are really new you'll be given full + +credit, and even if they are not, should I judge that you + +"rediscovered" them with your work, or that you actually did good + +work on them, I'll send you the remaining lessons nevertheless. + +Your suggestions and critics on the whole crap I wrote are also + +welcomed. + + E-mail +ORC + + an526164@anon.penet.fi (+ORC) + HOW TO CRACK, by +ORC, A TUTORIAL + +--------------------------------------------------------------------------- + + Lesson 8.1: How to crack Windows, an approach + +--------------------------------------------------------------------------- + + [WINPGP.EXE] + + -------------------------------------- + +-------------------------------------------------------- + + SPECIAL NOTE: Please excuse the somehow "unshaven" + + character of the windows lessons... I'm cracking the + + newest Windows '95 applications right now, therefore + + at times I had to add "on the fly" some corrections to + + the older Windows 3.1 and Windows NT findings. + + "homines, dum docent, discunt". + +--------------------------------------------------------- + +-> 1st THING TO REMEMBER + +The NE format does give every windows executable the equivalent + +of a debug symbol table: A CRACKER BLISS! + +-> UNDOCUMENTED DEBUGGING + +One of the many feature of Windows based on undocumented + +foundations is the "ability to debug". + +A word about undocumented functions in the MS-Operating Systems: + +Microsoft manipulates its rule and domination of the operating + +systems in use to day (MS-DOS, Windows, Windows '95) with two + +main wicked aims: + +1) getting the concurrence completely bankrupt (that's the + + scope of all the using of undocumented functions and + + CHANGING them as soon as the concurrence uses them). 
The + + battle against Borland was fought in this way. + +2) getting all future "programmers" to use windows as a "black + + box" that only Microsoft engineers (if ever) can master, so + + that everybody will have to sip the ill-cooked abominations + + from Microsoft without ever having a chance to alter or + + ameliorate them. + +Strange as it may seem, only the sublime cracker community fights + +against these intolerable plans. All stupid governments and + +lobbies -on the contrary- hide behind the fig-leaf of the + +"market" "freedom" in order to ALLOW such heinous developments + +(I'm speaking as if they were capable to opposing them even if + +they wanted, which they do not. Be assured, they couldn't anyway, + +"Governments" are deliberately MADE to serve Gates and all the + +remaining suckers, and lobbies are the shield of feudalism. You + +can forget "democracy", the only rule existing is a malevolent + +oligarchy based on money, personal connections, defect of + +culture, lack of knowledge and dictatorship of bad taste through + +television in order to keep the slaves tamed... enough now...) + +The windows situation is particularly reminiscent of the older + +situation in DOS, where for years the key "load but don't + +execute" function, used by debuggers, such as [DEBUG], [SYMDEB] + +and [CODEVIEW], was "reserved" by Microsoft. + + The windows debugging library, WINDEBUG.DLL, a number of + +undocumented functions and even the interface it provides are + +undocumented! The WinDebug() function is used by all available + +windows debuggers, including [CVW] (CodeView for Windows), [TDW] + +(TurboDebugger for Windows), [Multiscope] and [Quick C for + +Windows] (the last two are GUI, not text debuggers. The use of + +WinDebug() doesn't show up in MAPWIN output 'coz debuggers link + +to it at run-time via the amazing GetProcAddress() function. 
+ + WinDebug() is a hacked 32-bit version, for the old Windows + +3.0, of the poorly documented DOSPTrace() function from OS/2 1.x + +(study these older Operating Systems! Studying the past you'll + +understand EVERYTHING! Sometime I think that the only way to hack + +and crack correctly is to be more a software historian than a + +programmer... fac sapias et liber eris!). DOSPTrace is, in turn, + +based on the ptrace() function in Unix. + + Like DosPTrace(), WinDebug() takes commands such as Go, + +Single-Step, Write&Read Registers, Write&Read Memory. It returns + +to its caller either when the command completes or when a + +breakpoint occurs (or a DLL load). These commands and + +notifications appear in a large structure whose address is passed + +in WinDebug(). + + WinDebug() was renamed CVWIN.DLL (and TDWIN.DLL) for Windows + +3.1., all crackers should study it and get the maximum possible + +documentation about it. As you will see in the following, it is + +worth to study also TOOLHELP.DLL (what Microsoft would like you + +to fiddle with) and INT_41h (the real debugging interface). + +Interrupt handling under Windows + + Interrupt handling under Windows can be tricky: you need to + +use Toolhelp (a rather scaring lobotomy for your programs) or to + +have special code for Standard vs. Enhanced modes, because the + +information on the stack of an interrupt or exception handler + +differs between the two windows modes. In addition, some handlers + +would be installed using INT_21h, while others are set up using + +DPMI services. Toolhelp has quite a bit of internal code that + +"cooks" the interrupts and sends them to you in an easily + +digestible form. + + Remember that Windows uses GP faults as a "hacker" method + +of doing ring transitions that are not allowed with legal 80x86 + +instructions: the virtual memory system of Enhanced mode is + +implemented via the page fault. 
+ +Some tools for cracking windows (-> see lesson 9) + +----------------- DEBUGGERS + +CVW and TDW (you have to know the function's + + segment:offset address beforehand in order + + to crack a function) + +WCB [Windows Codeback] by Leslie Pusztai (it's + + a really cool tool!) + +WDEB386 Microsoft's WDEB386 (clumsy, and requires a + + second monitor) + +Soft-Ice/Windows best (BY FAR!) windows debugger! NuMega is + + so good I am at times really sorry to crack + + their products! [WINICE] is the single, + + absolutely essential debugger and snooping + + utility for windows crackers. Get it! + +----------------- POST MORTEM INSPECTORS + +CORONER, etc. (a lot of shareware) + +MS-DrWatson Old and clumsy + +Borland's Winspector THE BEST! It has the BUILDSYM utility + + that allows the creation of a debug + + .SYM file from an .EXE without debug + + information. + +----------------- INSPECTORS + +MS-Spy Old + +Borland's WinSight (Best one, select "Other") + +MicroQuill's Windows DeMystifiers (from Jeff Richter): + + VOYEUR (hold SHIFT picking Message Selection), COLONEL, + + MECHANIC and ECOLOGIST + +----------------- SNOOPERS + +[INFSPY.EXE], 231.424 bytes, version 2.05 28/8/1994 by Dean + +Software Design, may be the more complete one. + +[SUPERSPY.EXE], 24.576 bytes, 10,6,1994, quite handy for quick + +informations. + +[WINVIEW.EXE], 30.832 bytes, Version 3.00 by Scott McCraw, MS(c) + +1990-1992, this is the old MS-Spy, distributed by MS + +[TPWSPY.EXE], 9.472 bytes, quite primitive, but you get the + +pascal source code with it. + +-> INSIDE A WINDOWS '95 DEBUGGER + + You can debug a program at the assembly-language level + +without any debugging information. The DOS [DEBUG] program does + +that, allowing breakpoints and single-stepping, all of which + +implies that the hardware must be cooperating. Back in the time + +of the 4-MHz Z-80s, you used a debugger that plugged interrupt + +op codes into the instruction stream to generate breakpoints. 
+ + Nothing has changed. That's how you debug a program on a + +80586 (=Pentium). The x86 architecture includes software + +interrupts. The 1-byte op code xCC is the INT_03 instruction, + +reserved for debuggers. You can put the INT_03 op code in place + +of the program instruction op code where the break is to occur + +and replace the original op code at the time of the interrupt. + +In the 80386 and later, you can set a register flag that tells + +the processor to generate a not-intrusive INT_01 instruction for + +every machine instruction executed. That device supports single + +stepping. + + The Win32SDK (Windows '95 software developer's kit) includes + +functions that allow one program to launch another program and + +debug it. The SDK's debug API takes care of how the interrupts + +and interrupt vectors get managed. The logical consequence of + +such an approach is that fewer and fewer people will be able to + +know what's going on inside an application. The bulk of the + +programmers -in few years time- will not be able any more to + +reverse engineer an application, unless the few that will still + +understand assembler-language do offer them the tools to do it. + +Microsoft -it is evident- would like the programmers to use a + +"black box" approach to programming, writing nice little "hallo + +world" application and leaving to the engineers in Microsoft + +alone the capacity to push forward (and sell) real programs that + +are not toy application. + + The Win32 documentation seems vast, almost luxurious, until + +you begin serious work and you discover its shortcomings, like + +the fact that extended error codes are not documented, and + +numerous APIs are documented either incorrectly or so poorly that + +you must burn precious time testing them. 
What we definitely need + +is to find some secret fellows inside Microsoft (like good old + +Prometeus) that smuggles to the outside the real documentation + +that the Microsoft engineers have reserved for themselves. If you + +are reading this and do work for Microsoft, consider the + +possibility of double-crossing your masters for the sake of + +humanity and smuggle us the secret information. + + In windows '95 a debugger program launches a program to be + +debugged by calling the _CreateProcess function, specifying in + +an argument that the program is to be debugged. Then the debugger + +program enters a loop to run the program. At the top of the loop + +the debugger calls _WaitForDebugEvent. + + Each time _WaitForDebugEvent returns it sets indicators that + +tell about the vent that suspended the program being debugged. + +This is where the debugger traps breakpoints and single-step + +exceptions. _WaitForDebugEvent fills in an event structure that + +contains among other things the address that was interrupted end + +the event that caused the interrupt. + + The debugger calls _GetThreadContext to get the running + +context of the debugged program, including the contents of the + +registers. The debugger can, as the result of cracker + +interaction, modify these values and the contents of the debugged + +program's memory. + + The debugger sets breakpoints by saving the op code at the + +instruction to be intercepted and putting the INT_03 op code at + +its place, it's always the same old marmalade. When the + +breakpoint occurs, the debugger replaces the original op code in + +the program's instruction memory, and decrements the interrupted + +program counter in the saved context so that execution resumes + +at the instruction that was broken. + + To single-step a program, the debugger sets a bit in the + +context's flags register that tells the processor to generate an + +INT_01 for every instruction cycle. 
When that interrupt occurs, + +the debugger checks to see if the interrupted address is at a new + +source-code line number. If not, the debugger continues + +execution. Otherwise, the debugger displays the new line in the + +IDE and waits for the cracker to take an action that resumes the + +program. + + While the debugged program is suspended, the debugger + +interacts with the cracker and provides full access to the + +debugged program's context and memory. This access permits the + +cracker to examine and modify part of the code. + + To resume the debugged program, the debugger resets the + +program's context by calling _SetThreadContext and calls + +_ContinueDebugEvent. Then, the debugger returns to the top of the + +loop to call _WaitForDebugEvent again. + + To extract debug information from a Win32 executable file, + +you must understand the format of that file (best thing to do, + +to practice yourself, would be to reverse engineer small + +programs). The executable file has two sections not found in + +other executable files: ".stab" and ".stabstr". How nice that + +they used names that suggest their purpose (nomen est omen). + +You'll find them inside a table of fixed-length entries that + +include entries for .text, .bss, .data and .idata. Inside these + +sections the compilers put different parts of a program. + + There are several different formats for encoding debug + +information in an executable file. Borland's Turbo Debugger one + +format. Microsoft's CodeView another. The gnu-win32 port from + +Cygnus the stab format, an acronym meaning "symbol table", + +although the table contains much more than just symbol + +information. + + The .stab section in a portable executable file is a table + +of fixed-length entries that represent debugging information in + +the stab format. The .stabstr section contains variable-length, + +null terminated strings into which the .stab table entries point. 
+ + The documentation for the stab format is available in text + +format on the Cygnus ftp site (ftp.cygnus.com//pub/gnu-win32). + + Stabs contain, in a most cryptic format, the names and + +characteristics of all intrinsic and user-defined types, the + +memory address of every symbol in external memory and on the + +stack, the program counter address of every function, the program + +counter address where every brace-surrounded statement block + +starts and ends, the memory address of line numbers within + +source-code files, and anything else that a debugger needs. The + +format is complex and cryptic because it is intended to support + +any source-code language. It is the responsibility of a debugger + +program to translate the stab entries into something meaningful + +to the debugger in the language being debugged. + + Windows '95 invokes dozens of INT_21 services from 32-bit + +code, including KERNEL32.DLL and possess Krn32Mutex, which + +apparently controls access to certain parts of the kernel. Some + +of the functions in KERNEL32 can be blocked by the Win16Mutex, + +even though Microsoft says this isn't the case. + +SO, I WANNA CRACK, WHAT SHOULD I DO? + + I'll show you a simple windows crack, so easy it can be done + +without WINICE: let's take [WINPGP4.1.] (front-end for PGPing in + +windows, by Geib - I must thank "Q" for the idea to work on this + +crack). + + Using WCB you'll find out quickly that the "CONGRATULATIONS + +your registration number is OK" and the "SORRY, your registration + +number is not correct" data blocks are at the block starting at + +36.38B8 (respectively at 36.38D5 and 36.3937), that relocs to + +13.081B. + + Looking at 13.0000 and following code, you'll find a push + +38D5 (68D538) and a push 3937 (683739) at 13.064D and 13.06AE. + + The road to the crack is now open, you just need to find and + +"fool" the calling routines. You'll learn the exact procedures + +for this kind of WINcracks in part 2 and 3 of -> Lesson 8. 
Let's + +now have a look at the protection scheme (disassembly from WCB): + +... + +13.0E88 660FBF46F8 movsx eax, word ptr [bp-08] + +13.0E8D 668946F4 mov [bp-0C], eax + +13.0E91 668B46F4 mov eax, [bp-0C] + +13.0E95 6669C00A000300 imul eax, 0003000A + +13.0E9C 668946F0 mov [bp-10], eax + +13.0EA0 668B4606 mov eax, [bp+06] + +13.0EA4 663B46F0 cmp eax, [bp-10] + +13.0EA8 7505 jne 0EAF <- beggar_off + +13.0EAA B80100 mov ax, 0001 <- flag 1 = "Right!" + +13.0EAD EB04 jmp 0EB3 <- and go on + +beggar_off: + +13.0EAF 33C0 xor ax,ax <- flag 0 = "Nope!" + +13.0EB1 EB00 jmp 0EB3 <- and go on + + I want you to have a good look at this protection scheme. + +IT'S THE SAME OLD SOUP! You do remember lesson 3 and the + +protection schemes of the old DOS stupid games of the '80s, don't + +you? IT'S THE SAME OLD SOUP! In this "up-to-date" "new" windows + +application, in WINPGP version 4.1 of 1995/1996, exactly the same + +kind of protection is used to "conceal" the password! + +A) compare user input with memory echo + +B) beggar off if not equal with AX=0 + +C) go on if equal with AX=1... how boring! + + Besides, look at all the mov eax, and eax, moves preceding + +the compare! That's a typical pattern for these "number_password" + +protections! I wrote (years ago) a little crack utility that + +searches for code blocks with a "66" as first instruction_byte + +repeating in four or more consecutive instructions and it still + +allows me to crack more than half of these windows password smuts + +in less than three seconds flat. The IMUL instruction creates the + +"magic" number, and if you give a closer look at the mathematical + +part of the "conceal" routine, it could help you to crack + +analogous schemes used in order to protect the "Instant access" + +(c) & (tm) time_crippled software :=) + + Now you could crack the above code in 101 different ways, + +the most elegant one would probably substitute je 0EAF (or jZ + +0EAF, that's the same) to the jne 0EAF at 13.0EA8. 
You just write + +a 74 at the place of the 75, like you did for the cracks in + +1978... how boring: it's really the same old soup! (But you'll + +see some new tricks in the next lessons). + +Well, that's it for this lesson, reader. Not all lessons of my + +tutorial are on the Web. + + You 'll obtain the missing lessons IF AND ONLY IF you mail + +me back (via anon.penet.fi) with some tricks of the trade I may + +not know that YOU discovered. Mostly I'll actually know them + +already, but if they are really new you'll be given full credit, + +and even if they are not, should I judge that you "rediscovered" + +them with your work, or that you actually did good work on them, + +I'll send you the remaining lessons nevertheless. Your + +suggestions and critics on the whole crap I wrote are also + +welcomed. + + E-mail +ORC + + +ORC 526164@anon.penet.fi + HOW TO CRACK, by +ORC, A TUTORIAL + +--------------------------------------------------------------------------- + + Lesson 8.2: How to crack Windows, a deepr approach + +--------------------------------------------------------------------------- + + [SNAP95] [WINZIP] [WINCAT] + + -------------------------------------- + + SPECIAL NOTE: Please excuse the somehow "unshaven" + + character of the windows lessons... I'm cracking the + + newest Windows '95 applications right now, therefore + + at times I had to add "on the fly" some corrections to + + the older Windows 3.1 and Windows NT findings. + + "homines, dum docent, discunt". + +--------------------------------------------------------- + +-> 1st THING TO REMEMBER + +If you thought that DOS was a mess, please notice that windows + +3.1 is a ghastly chaos, and windows 95 a gruesome nightmare of + +ill-cooked spaghetti code. Old Basic "GOTO" abominations were + +quite elegant in comparison with this concoction... One thing is + +sure: This OS will not last... it's way too messy organised, + +impossible to consolidate, slow and neurotic (but I must warn + +you... 
I thought exactly the same things about DOS in 1981). + + The most striking thing about windows 95 is that it is neither + +meat not fish: neither 16 nor 32... you could call it a "24 bit" + +operating system. + + We'll never damage Microsoft interests enough to compensate for + +this moronic situation... where you have to wait three minutes + +to get on screen a wordprocessor that older OS (and even old DOS) + +kick up in 5 seconds. I decide therefore, hic et nunc, to add an + +ADDENDUM to this tutorial: Addendum 1 will be dedicated to teach + +everybody how to crack ALL Microsoft programs that do exist on + +this planet. I'll write it this sommer and give it away between + +the "allowed" lessons. + + Anyway you can rely on good WINICE to crack everything, you'll + +find it on the web for free, I use version 1.95, cracked by [The + +Lexicon] (do not bother me for Warez, learn how to use the search + +engines on the web and fish them out yourself). Learn how to use + +this tool... read the whole manual! Resist the temptation to + +crack immediatly everything in sight... you 'll regret pretty + +soon that you did not wanted to learn how to use it properly. + +A little tip: as Winice is intended more for software developers + +than for crackers, we have to adapt it a little to our purposes, + +in order to make it even more effective: a good idea is to have + +in the *.DAT initialization file following lines: + + INIT = "CODE ON; watchd es:di; watchd ds:si;" + + TRA = 92 + +This way you'll always have the hexadecimal notation on, two very + +useful watch windows for passwords deprotection and enough buffer + +for your traces. + +WINDOWS 3.1. basic cracking: [ALGEBRAIC PROTECTIONS] + + The most used windows protections are "registration codes", + +these must follow a special pattern: have a "-" or a "+" in a + +predetermined position, have a particular number in particular + +position... and so on. 
+ +For the program [SHEZ], for instance, the pattern is to have a + +14 bytes long alphanumeric sequence containing CDCE1357 in the + +first 8 bytes. + + The second level of protection is to "connect" such a + +pattern to the alphanumeric contents of the NAME of the user... + +every user name will give a different "access key". This is the + +most commonly used system. + + As most of these protections have a "-" inside the answering + +code, you do not need to go through the normal cracking procedure + +(described in the next lesson): + +* load WINICE + +* hwnd [name_of_the_crackanda_module] + +* choose the window Handle of the snap, i.e, the exact + + "FIELD" where the code number input arrives... say 091C(2) + +* BMSG 091C WM_GETTEXT + +* Run anew + +* Look at the memory location(s) + +* Do the same for the "Username" input FIELD. (Sometimes + + linked, sometimes not, does not change much, though) + +* BPR (eventually with TRACE) on the memory locations (these + + will be most of the time FOUR: two NUMBERCODES and two + + USERNAMES). The two "mirrored" ones are the most important + + for your crack. At times there will be a "5th" location, + + where the algebraic play will go on... + +* Look at the code that performs algebraic manipulations on + + these locations and understand what it does... + +* Disable the routine or jump over it, or reverse it, or + + defeat it with your own code... there are thousand + + possibilities... + +* Reassemble everything. + +Uff... quite a long cracking work just to crack some miserable + +program... isn'there a quicker way? OF COURSE THERE IS! 
Actually + +there are quite a lot of them (see also the crack of Wincat Pro + +below): Look at the following code (taken from SNAP32, a screen + +capture utility for Windows 95, that uses a pretty recent + +protection scheme): + + XOR EBX,EBX ; make sure EBX is zeroed + + MOV BL, [ESI] ; load input char in BL + + INC ESI ; point at the next character + + MOV EDI,EBX ; save the input character in EDI + + CMP EBX,+2D ; input char is a "-" ? + + JZ ok_it's_a_+_or_a_- + + CMP EBX,+2B ; input char is a "+" ? + + JNZ Jesus_it's_neither_a_minus_nor_a_plus_let's_check_it + +:ok_it's_a_+_or_a_- + + XOR EBX,EBX ; EBX is zeroed + + MOV BL,[ESI] ; recharge BL + + INC ESI ; point to next char (do not check - or +) + +:Jesus_it's_neither_a_minus_nor_a_plus_let's_check_it + + XOR EBP,EBP ; zero EBP + + CMP DWORD PTR [boguschecker], +01 + + ... + +even if you did not read all my precedent lessons, you do not + +need much more explications... this is a part of the algebraic + +check_procedure inside the SNAP32 module... you could also get + +here through the usual + + USER!BOZOSLIVEHERE + + KERNEL!HMEMCPY + + USER!GLOBALGETATOMNAME + +Windows wretched and detestable APIs used for copy protections, + +as usual with WINICE cracking, and as described elsewhere in my + +tutorial. + + The above code is the part of the routine that checks for the + +presence of a "+" or a "-" inside the registration number (many + +protections scheme requires them at a given position, other need + +to jump over them). + + Now sit down, make yourself comfortable and sip a good Martini- + +Wodka (invariably very useful in order to crack... but be aware + +that only Moskowskaia russian Wodka and a correct "Tumball" glass + +will do, do not forget the lemon)... what does this "-" stuff + +mean for us little crackers? + + It means that we can search directly for the CMP EBX,+2B + +sequence inside any file protected with these schemes... and + +we'll land smack in the middle of the protection scheme! 
That's + +amazing... but you will never underrate enough the commercial + +programmers... the only really amazing thing is how simpleton the + +protectionists are! You don't believe me? Try it... you 'll get + +your crack at least 4 out of 5 times. + + Yes I know, to find this code is not yet to crack it... but for + +this kind of copy protection (that's the reason it is so + +widespread) there is no single solution... each makes a slightly + +different algebraic manipulation of the alphanumeric and of the + +numeric data. It's up to you to crack the various schemes... here + +you can only learn how to find them and circumvene them. I'll not + +give you therefore a "debug" crack solution. You'll find it + +yourself using my indications (see the crack of the Wincat Pro + +program below). + +WHERE ARE THE CODES? WHERE ARE THE MODIFIED FILES? WHERE DO THE + +PROTECTIONS KEEP COUNT OF THE PASSING DAYS? + +Most of the time the protection schemes use their own *.ini files + +in the c:\WINDOWS directory for registration purposes... at time + +they even use the "garbage sammler" win.ini file. Let's take as + +example WINZIP (versions 5 and 5.5), a very widespread program, + +you'll surely have one shareware copy of it somewhere between + +your files. + + In theory, winzip should be registered per post, in order to + +get a "NEW" copy of it, a "registered" copy. + + This scares most newby crackers, since if the copy you have + +it's not full, there is no way to crack it and make it work, + +unless you get the REAL stuff. The youngest among us do not + +realize that the production of a real "downsized" demo copy is + +a very expensive nightmare for the money-infatuated commercial + +programmers, and that therefore almost nobody does it really... + +nearly all "demos" and "trywares" are therefore CRIPPLED COMPLETE + +PROGRAMS, and not "downsized" demos, independently of what the + +programmers and the protectionists have written inside them. + + Back to Winzip... 
all you need, to crack winzip, is to add a + +few lines inside the win.ini file, under the heading [WinZip], + +that has already been created with the demo version, before the + +line with "version=5.0". + + I will not help you any further with this... I'll leave it to + +you to experiment with the correct sequences... inside win.ini + +you must have following sequence (these are only template to + +substitute for your tries inside WINICE... you'll get it, believe + +me): + + [WinZip] + + name=Azert Qwerty + + sn=######## + + version=5.5 + + The *important* thing is that this means that you DO NOT NEED + +to have a "new registered version" shipped to you in order to + +make it work, as the protectionist sellers would like you to + +believe. The same applies most of the time... never believe what + +you read in the read.me or in the registration files... + + This brings me to a broader question: NEVER believe the + +information they give you... never believe what television and/or + +newspapers tell you... you can be sure that the only reason they + +are notifying you something is to hinder you to read or + +understand something else... this stupid_slaves_society can only + +subsist if nobody thinks... if you are really interested in what + +is going on, real information can be gathered, but surely not + +through the "conventional" newspapers and/or news_agencies (and + +definitely NEVER through television, that's really only for the + +stupid slaves)... yes, some bit of information can be + +(laboriously) gathered... it's a cracking work, though. + +HOW TO CRACK INFORMATION [WHERE WHAT] + +* INTERNET + + In the middle of the hugest junk collection of the planet, some + +real information can be laboriously gathered if you do learn how + +to use well the search engines (or if you do build your ones... + +my spiders are doing most of the work for me... 
get your robots + +templates from "Harvest" or "Verify" and start your "spider + +building" activity beginning from Martijn Koster's page). As + +usual in our society, in the Internet the real point is exactly + +the same point you'll have to confront all your life long: HOW + +TO THROW AWAY TONS OF JUNK, HOW TO SECLUDE MYRIADS OF USELESS + +INFORMATION and HOW TO FISH RARE USEFUL INFORMATION, a very + +difficult art to learn per se. Internet offers some information, + +though, mainly BECAUSE it's (still) unregulated. You want a + +proof? You are reading it. + +* SOME (RARE) NEWSPAPERS. + + The newspaper of the real enemies, the economic powers that + +rule this slaves world, are paradoxically most of the time the + +only ones worth studying... somewhere even the real rulers have + +to pass each other some bits of real information. The "Neue + +Zuercher Zeitung", a newspaper of the Swiss industrials from + +Zuerich, is possibly the best "not_conformist trend analyzer" + +around that you can easily find (even on the web). These + +swissuckers do not give a shit for ideology, nor preconcerted + +petty ideas, the only thing they really want is to sell + +everywhere their ubiquitous watches and their chocolates... in + +order to do it, a land like Switzerland, with very high salaries + +and a good (and expensive) social system, must use something + +brilliant... they found it: a clear vision of the world... as a + +consequence this newspaper is very often "against" the trend of + +all the other medias in the world, the ones that are used only + +in order to tame the slaves... If the only language you know is + +english (poor guy) you could try your luck with the weekly + +"Economist"... you'll have to work a lot with it, coz it has been + +tailored for the "new riches" of the Tatcher disaster, but you + +can (at times) fish something out of it... they do a lot of + +idiotic propaganda, but are nevertheless compelled to write some + +truth. 
American newspapers (at least the ones you can get here + +in Europe) are absolute shit... one wonders where the hell do the + +americans hyde the real information. + + On the "non-capitalistic" side of information there is a + +spanish newspaper "El Pais" that seems to know about what's going + +on in South America, but it's so full of useless propaganda about + +irrelevant Spanish politics that it's not really worth reading. + +The monthly "Le Monde diplomatique" offers something too... this + +one exaggerates a little on the pauperistic "third world" side, + +but has a lot of useful information. See what you can do with all + +this information (or disinformation?) + +[BELIEVE THE COUNTRARY] + + Another good rule of thumb in choosing your medias is the + +following... if all medias around you assure, for instance, that + +"the Serbians are evil"... the only logical consequence is that + +the Serbians are not so evil at all and that "the Croats" or some + +other Yugoslavian shits are the real culprits. This does not mean + +at all that the Serbians are good, I warn you, it means only what + +I say: something is surely hidden behind the concerted propaganda + +you hear, the best reaction is to exaggerate in the other + +direction and believe the few bit of information that do say the + +countrary of the trend. This rule of thumb may be puerile, but + +it works somehow most of the time... if somewhere everybody + +writes that the commies are bad then THERE the commies must not + +be so bad at all and, conversely, if everybody in another place + +writes that the commies are all good and nice and perfect (like + +the Soviet propaganda did) then THERE the commies are surely not + +so good... it's a matter of perspective, much depends on where + +you are, i.e. whose interests are really at stake. There is NEVER + +real information in this society, only propaganda... if you still + +do not believe me do yourself a little experiment... 
just read + +the media description of a past event (say the Vietnam war) as + +written AT THE MOMENT of the event and (say) as described 10 + +years later. You'll quickly realize how untrustworthy all + +newspapers and medias are. + +* SEMIOTICS You'll have to study it (as soon as you can) to + +interpret what they let you believe, in order to get your + +bearings. A passing knowledge of ancient RHETORIC can help quite + +a lot. Rhetoric is the "Softice" debugger you need to read + +through the propaganda medias: concentrate on Periphrasis, + +Synecdoche, Antonomasia, Emphasis, Litotes and Hyperbole at the + +beginning... you'll later crack higher with Annominatio, + +Polyptoton, Isocolon and all the other lovely "figurae + +sententiae". + +Enough, back to software cracking. + +HOW A REGISTRATION CODE WORKS [WINCAT] + + Let's take as an example for the next crack, a Username- + +algebraic registration code, WINCAT Pro, version 3.4., a 1994 + +shareware program by Mart Heubel. It's a good program, pretty + +useful to catalogue the millions of files that you have on all + +your cd-roms (and to find them when you need them). + +The kind of protection Wincat Pro uses is the most utilized + +around: the username string is manipulated with particular + +algorithms, and the registration key will be made "ad hoc" and + +depends on the name_string. It's a protection incredibly easy to + +crack when you learn how the relevant procedures work. + + [WINCAT Pro] is a good choice for cracking studies, coz you + +can register "over your registration" one thousand times, and you + +can herefore try for this crack different user_names to see all + +the algebrical correspondences you may need to understand the + +protection code. + + In this program, when you select the option "register", you + +get a window where you can input your name and your registration + +number (that's what you would get, emailed, after registering + +your copy). 
If you load winice and do your routinely hwnd to + +individuate the nag window, and then breakpoint on the + +appropriate memory ranges you'll peep in the working of the whole + +bazaar (this is completely useless in order to crack these + +schemes, but it'll teach you a lot for higher cracking, so you + +better do it also with two or three other programs, even if it + +is a little boring): a series of routines act on the input (the + +name) of the user: the User_name_string (usn). First of all the + +usn_length will be calculated (with a REPNZ SCASB and a following + +STOSB). Then various routines store and move in memory the usn + +and the registration_number (rn) and their relative lengths. In + +order to compare their lengths and to check the correct + +alphanumeric correspondence between usn and rn, the program first + +uppercases the usn and strips all eventual spaces away. + + Here the relevant code (when you see an instruction like + +SUB AL,20 you should immediately realize that you are in a + +uppercasing routine, which is important for us, since these are + +mostly used for password comparisons)... here the relevant Winice + +unassemble and my comments: + +253F:00000260 AC LODSB <- get the usn chars + +253F:00000261 08C0 OR AL,AL <- check if zero + +253F:00000263 740F JZ 0274 <- 0: so usn finished + +253F:00000265 3C61 CMP AL,61 <- x61 is "a", man + +253F:00000267 72F7 JB 0260 <- not a lower, so loop + +253F:00000269 3C7A CMP AL,7A <- x7A is "z", what else? + +253F:0000026B 77F3 JA 0260 <- not a lower, so loop + +253F:0000026D 2C20 SUB AL,20 <- upper it if it's lower + +253F:0000026F 8844FF MOV [SI-01],AL<- and hyde it away + +253F:00000272 EBEC JMP 0260 <- loop to next char + +253F:00000274 93 XCHG AX,BX + +... + +The instruction MOV [SI-01],AL that you see here is important + +at times, coz it points to the location of the "pre-digested" + +usn, i.e. the usn formatted as it should be for the number + +comparison that will happen later. 
In some more complicated + +protection schemes the reasoning behind this formatting is the + +following: "Stupid cracker will never get the relation algorhitm + +usn <-> rn, coz he does not know that usn AND rn are slightly + +changed before comparing, ah ah... no direct guessing is + +possible". Here is only "polishing": you have to "polish" a + +string before comparing it in order to concede some mistakes to + +the legitimate user (too many spaces in the name, upper-lower + +case mismatch, foreign accents in the name etc.) You just need + +to know, for now, that this checking is usually still 5 or 6 + +calls ahead of the real checking (it's what we call a "green + +light"). + + You should in general realize that the real checking of the + +algebrical correspondence follows after a whole series of memory + +operations, i.e.: cancelling (and erasing) the previous (if ever) + +attempts; reduplicating the usn and the rn somewhere else in + +memory; double checking the string lengths (and saving all these + +values somewhere... be particularly attentive when you meet stack + +pointers (for instance [BP+05]): most of the programs you'll find + +have been written in C (what else?). C uses the stack (SS:SP) to + +pass parameters or to create local variables for his procedures. + +The passwords, in particular, are most of the time compared to + +data contained within the stack. If inside a protection a BP + +register points to the stack you have most of the time fished + +something... remember it pupils: it will spare you hours of + +useless cracking inside irrelevant routines. 
Back to our CATWIN: + +another little check is about the "minimal" length allowed for + +a user name, in our babe, for instance, the usn must have at + +least 6 chars: + + 230F:00003483 3D0600 CMP AX,0006 + + 230F:00003486 730F JAE 3497 <- go to nice_name + +:too_short + + 230F:00003488 BF9245 MOV DI,4592 <- no good: short + + After a lot of other winicing you'll finally come across + +following section of the code: + +2467:00000CA3 B90100 MOV CX,0001 + +2467:00000CA6 03F1 ADD SI,CX + +2467:00000CA8 2BC1 SUB AX,CX + +2467:00000CAA 7213 JB 0CBF + +2467:00000CAC 40 INC AX + +2467:00000CAD 368B4F04 MOV CX,SS:[BX+04] <- here + +2467:00000CB1 0BC9 0R CX,CX + +2467:00000CB3 7D02 JGE 0CB7 + +2467:00000CB5 33C9 XOR CX,CX + +2467:00000CB7 3BC1 CMP AX,CX + +2467:00000CB9 7606 JBE 0CC1 + +2467:00000CBB 8BC1 MOV AX,CX + +2467:00000CBD EB02 JMP 0CC1 + +2467:00000CBF 33C0 XOR AX,AX + +2467:00000CC1 AA STOSB <- and here + +2467:00000CC2 8BC8 MOV CX,AX + +2467:00000CC4 F3A4 REPZ MOVSB <- and here! + +2467:00000CC6 8EDA MOV DS,DX + +2467:00000CC8 FC RETF 0008 + + This is obviously the last part of the checking routine + +(I'll not delve here with the mathematical tampering of it, if + +you want to check its workings, by all means, go ahead, it's + +quite interesting, albeit such study is NOT necessary to crack + +these schemes). The important lines are obviously the MOV + +CX,SS:[BX+04], the STOSB and the REPZ MOVSB (as usual in password + +protection schemes, you do remember lesson 3, don't you?). + + You should be enough crack-able :=) by now (if you have read + +all the precedent lessons of my tutorial), to find out easily, + +with these hints, how the working of the protection goes and + +where dwells in memory the ECHO of the correct rn (passkey) that + +matches the name you typed in. Remember that in these kind of + +cracks the ECHO is present somewhere (90% of the cases). 
There + +are obviously one thousand way to find such ECHOs directly, + +without going through the verificayions routines... for instance + +you could also find them with a couple of well placed + +snap_compares, it's a "5 minutes" cracking, once you get the + +working of it. I leave you to find, as interesting exercise, the + +routine that checks for a "-" inside the rn, a very common + +protection element. + + In order to help you understand the working of the protection + +code in [Wincat Pro] I'll give you another hint, though: if you + +type "+ORC+ORC+ORC" as usn, you'll have to type 38108-37864 as + +rn, if you usn as usn "+ORC+ORC" then the relative rn will be + +14055-87593. But these are my personal cracks... I have offered + +this information only to let you better explore the mathematical + +tampering of this specific program... you'll better see the + +snapping mechanism trying them out (going through the routines + +inside Winice) alternatively with a correct and with a false + +password. Do not crack Wincat with my combination! If you use a + +different usn than your own name to crack a program you only show + +that you are a miserable lamer... no better than the lamers that + +believe to "crack" software using huge lists of serial numbers... + +that is really software that they have stolen (Yeah: stolen, not + +cracked). You should crack your programs, not steal them... + +"Warez_kids" and "serial#_aficionados" are only useless zombies. + +I bomb them as soon as I spot them. YOU ARE (gonna be) A CRACKER! + +It makes a lot of a difference, believe me. + +Well, that's it for this lesson, reader. Not all lessons of my + +tutorial are on the Web. + + You 'll obtain the missing lessons IF AND ONLY IF you mail + +me back (via anon.penet.fi) with some tricks of the trade I may + +not know that YOU discovered. 
Mostly I'll actually know them + +already, but if they are really new you'll be given full credit, + +and even if they are not, should I judge that you "rediscovered" + +them with your work, or that you actually did good work on them, + +I'll send you the remaining lessons nevertheless. Your + +suggestions and critics on the whole crap I wrote are also + +welcomed. + + "If you give a man a crack he'll be hungry again + + tomorrow, but if you teach him how to crack, he'll + + never be hungry again" + + E-mail +ORC + + an526164@anon.penet.fi + HOW TO CRACK, by +ORC, A TUTORIAL + +--------------------------------------------------------------------------- + + Lesson 9 (1): How to crack Windows, Hands on + +--------------------------------------------------------------------------- + + [Winformant][Snap32] + + -------------------------------------- + + THE [DATA_CONSTRAINT] TRICK - [WINFORMANT 4] + I have chosen an older windows application for Win 3.1. +(WIN4MANT.EXE, 562271 bytes, Version 1.10, by Joseph B. Albanese; +you'll find it searching the web with the usual tools, see how +to do it at the end of this lesson), in order to show you how to +use a nice little trick, at times really useful in cracking +password protected programs: [data_constraint]. Inside almost all +protection routines, as you have already learned, there is a +moment when on the stack the ECHO of the real, "correct" +passnumber or password appears. The location of this ECHO varies, +but most of the time it'll be in a range of +- 0x90 bytes from +one of the locations where the user input dwells. This is due to +datadump windows constraints inside the tools used by the +protectionists... but this use is bound to diminish... especially +after this lesson :=) + +[WINFORMANT CRACKING] + This application is -per se- crappy, I doubt you'll ever use +it... 
but its curious (and pretty rare) "deactivate" mode is +nevertheless very interesting for us: you can "unregister" +Winformant on the fly if you feel the need to. + This feature is pretty useful for scholars that like to +investigate password algorithms with valid and invalid codes +without having to reinstall every time to delete a valid code. +For your cracking exercises choose programs that have +"REVERSIBLE" protections (rare) or that can be re-registered a +billion times (more frequent). Programs that keep the valid +registration on *.ini or special files will also do the job: you +just change a couple of lines to "unregister" them. + The trick of this lesson: [data_constraint], or "password +proximity", bases on the protectionist's need to keep an eye on +the protection "working" when he assembles it. He must "see" the +relationships between USER INPUT NUMBER, USER INPUT TRANSFORMED +and the CORRECT NUMBER ANSWER (in our jargon: the "Bingo"). These +relationships must be constantly checked In order to debug the +protection code. Mostly they will dwell TOGETHER inside a small +stack area, allowing them to be "seen" in the SAME watchwindow. +Most of the time, therefore, the "ECHO" will "materialize" +shortly not very far away from one of the locations of the USER +INPUT. Let's crack: + +* Fire Winice and then Winformant +* Choose HELP and then choose REGISTRATION +* Fill the registration fields with "+ORC+ORC" as "Registrant" +and "12121212" as "Activation" code (use whatever you fancy). +CTRL+D ;switch to Winice +:task ;let's see what's the name of this crap +TaskName SS:SP StackTop StackBot StackLow TaskDB hQueue Events +WINWORD 1AD7:85F2 4A52 8670 7532 1247 122F 0000 +PROGMAN 1737:200A 0936 2070 1392 066F 07F7 0000 +DISKOMAT *2C5F:6634 1D3C 6AC6 5192 2CB7 2C9F 0000 + +:hwnd DISKOMAT ;which window is getting the input? 
+WinHandle Hqueue QOwner Class Name Window Procedure +0EB4(0) 2C9F DISKOMAT #32769 04A7:9E6B + 0F34(1) 2C9F DISKOMAT #32768 USER!BEAR306 + 365C(1) 2C9F DISKOMAT #32770 2C3F:0BC6 + 36BC(2) 2C9F DISKOMAT Button 2C3F:1CEA + 3710(2) 2C9F DISKOMAT Edit 2C3F:24BE +... and many more irrelevant windows. + +Let's pinpoint the code, here the relevant window is the first +"Edit" one, for obvious reasons (more on this later). +:bmsg 3710 wm_gettext ;set breakpoint +CTRL+D ;run the babe until you get: +Break Due to BMSG 3710 WM_GETTEXT C=01 + Hwnd=3710 wParam=0050 lParam=2C5F629A msg=000D WM_GETTEXT +2C3F:000024BE B82F2C MOV AX,2C2F +So! Now we have "pinpointed" the babe (more on "pinpointing" +later). Let's snoop around a little: look at the stack to fetch +your babe's last call (if it does not show immediately, just keep +pinpointing, for instance on GetWindowText() or do a BPRW +diskomat (very useful), and then try and retry the stack... +should this too fail to work, search for your input in memory (in +the 30:0 lffffffff selector, as usual) and breakpoint range on +it with ReadWrite, and then stack, stack, stack... until you get +the "real" list of calls coming from your babe's protection. +:stack ; let's see +USER(19) at 073F:124C [?] through 073F:1239 +CTL3D(02) at 2C3F:0D53 [?] through 2C3F:0D53 +DISKOMAT(01) at 2C97:20B9 [?] through 2C97:20B9 +DISKOMAT(01) at 2C97:3D94 [?] through 2C97:3D94 +DISKOMAT(01) at 2C97:49E2 [?] through 2C97:4918 +DISKOMAT(04) at 2C7F:EA20 [?] through 2C7F:EA20 +USER(01) at 04A7:19BE [?] through USER!GETWINDOWTEXT +== CTL3D(02) at 2C3F:24BE [?] through 04A7:3A3C + + Beautiful stack fishing! Do immediately a BPX on babe:EA20. 
+2C7F:EA35 9A25ABA704 CALL USER!GETWINDOWTEXT +2C7F:EA3A 8D46AE LEA AX,[BP-52] ;load ptr "+ORC+ORC" +2C7F:EA3D 16 PUSH SS ;save pointer segment +2C7F:EA3E 50 PUSH AX ;save pointer offset +2C7F:EA3F 9A768D872C CALL 2C87:8D76; get strlen "ORC+ORC" +2C7F:EA44 83C404 ADD SP,+04 +2C7F:EA47 3D2800 CMP AX,0028 +2C7F:EA4A 762C JBE EA78 +... +2C7F:EA97 8D46AE LEA AX,[BP-52] ;load ptr "+ORC+ORC" +2C7F:EA9A 16 PUSH SS ;various algors on input +2C7F:EA9B 50 PUSH AX ;follow here, we do not +... ;need to care +2C7F:EAB2 0F851101 JNE EBC7 +2C7F:EAB6 8D8E5CFF LEA CX,[BP+FF5C] ;ptr "12121212" +2C7F:EABA 16 PUSH SS +2C7F:EABB 51 PUSH CX +2C7F:EABC 9A768D872C CALL 2C87:8D76 ;get strlen "12121212" +2C7F:EAC1 83C404 ADD SP,+04 +2C7F:EAC4 50 PUSH AX +2C7F:EAC5 8D865CFF LEA AX,[BP+FF5C] ;ptr "12121212" HERE! +2C7F:EAC9 16 PUSH SS +2C7F:EACA 50 PUSH AX +...etc, various algors on input follow here + + OK, it's enough: now obviously follows the code that +"algorithmize" the number string, and then, somewhere, you'll +have the hideous compare that divides good guys and bad crackers. +You could examine, and crack, and search... + BUT NOW IT'S THE "MAGIC MOMENT" OF THE ECHO! We know and *feel* +it: The echo must be somewhere... how do we find it? Searching +"12121212" in memory fishes at least 10 different locations... +:s 30:0 lffffffff '12121212' +Pattern Found at 0030:0005AD6A +.... (7 more) +Pattern Found at 0030:80509D6A +Pattern Found at 0030:8145AD6A + Should we look for all occurrences of string '12121212', +starting with the two at 80000000, dumping +-0x90 around it... +until we find the echo? We could, and it would work, but that's +not zen... that's boring! In other protections these locations +could proliferate on purpose, to deter the casual cracker. There +must be some other way... And lo and behold! YES! There is a +quicker way... 
THE LAST loading of the numeric input string in +the code (the one after the strlen count) is the "right" one for +our cracking purposes, coz protections follow (mostly) this +pattern (remember: we are inside a "stack-heavy" section of the +code... if you want to crack higher I suggest you read some good +literature about stack working, stack tricks and stack magics +with the Intel processors): + LOAD NAMEString - COUNT NAMEStringLen + LOAD NAMEString - TRANSFORM NAMEString + LOAD CODEString - COUNT CODEStringLen + LOAD CODEString + *ECHO must be here* + TRANSFORM CODEString + *ECHO must be here* + COMPARE TRANSFORMED_NAMEString WITH TRANSFORMED_CODEString + + This means that at line +2C7F:EAC5 8D865CFF LEA AX,[BP+FF5C] ;ptr "12121212" +you'll already have your echo somewhere... just dump the memory +around the pointer [BP+FF5C]: +:d 2c5f:61e8 ;these numbers will differ in your computer +02 62 2F 06 02 00 26 2E-A3 4E A3 4E 01 00 38 30 .b/...&..N.N..80 +33 37 2D 36 34 36 2D 33-38 33 36 00 01 06 02 00 37-646-3836..... +2F 06 75 62 C3 2E B7 04-F2 24 2F 06 CE 6E 2F 06 /.ub.....$/..n/. +49 00 5A 00 01 00-04 2C 2F 06 AE 24 36 62 00 00 I.Z......,/..$6b +74 62 7A 2E B7 04 36 62-01 00 C2 62 2F 2C 26 2E tbz...6b...b/,&. +03 01 BA 0F AE 24 5F 02-C9 01 5E 02 BA 01 5F 02 .....$_...^..._. +31 32 31 32 31 32 31 32-00 0C 00 BC 02 00 00 00 12121212........ +00 49 00 BA 0F-AE 24 F2 24 2F 06 00 00 00 00 00 ....I....$.$/... +AF 17 00 E2 5F-7A 62 FE FF 79 1B BA 0F 00 00 00 ......._zb..y... +96 0B 01 00 02 4E 00-37 01 8A 62 D2 0F 8F 17 00 .....N..7..b.... +2F 06 00 37 01-98 62 20 10 16 03 2F 06 00 00 00 /.....7..b .../. +C2 62 2B 4F 52 43 2B 4F-52 43 00 0D AE 24 2F 06 .b+ORC+ORC...... + + Look at this dump: everybody is there! The stack pointers points +in the middle, at string "12121212". 0x50 bytes before it you'll +find our good old ECHO (i.e. the CORRECT passnumber) and 0x50 +bytes afterwards you'll see your handle: here "+ORC+ORC". + It's cracked! 
The code for my "+ORC+ORC" is 8037-646-3836... +Now begin your assignments: if you rally want to learn cracking: +- "Unregister" and find anew your own code for your own + handle. *DO NOT* use serial numbers with any other name + that your own handle, that's miserable stealing, not + cracking. I'll begin to punish the serial#_aficionados on + the Web, coz I like real outlaws, but I detest stupid + pickpockets. +- Study the two coding algorithms, the one for the input name + and the one for the input number, this will be very useful + for your future cracking sessions. +- Find the "Compare", i.e. the code that sets the two usual + flags "good guy, you may move on" and "bad cracker, beggar + off", and +- Create a "real" crack for this protection, that will allow + anybody you think deserves it, with any name and any + password number, to get through. + +[CRACKING SNAP 32] + Snap 32 (SNAP32.EXE 356.352 bytes, 24/11/95, Version 2.54, +by Greg Kochaniak) is a "snapshot" shareware program for Windows +95, that allows users to save the screen, parts of it, or a +single window. It's a very common 'try before you buy' program, +limited to 30 days use. You'll find it everywhere on the Web. If +you do not know how to search the Web (poor guy!), learn at the +end of this lesson the correct procedure to find all the files +you need on the Net and get them automatically emailed to you +(that's something you should learn: SEARCHING! It's even more +important than cracking!). + Snap32 is not very interesting (I don't think I used it more +than a couple of times), but its protection is: in order to (try +to) deter casual crackers it does not compare strings, it +compares a "magic" sum (from Namestring) with another magic sum +(from Numberstring). And: +* SUMS magics inside the GDI, not inside its own code; +* USES a look_up table for input validation instead of + "plain" code; +* COMPARES the "magic" manipulation from input NUMBER with + the "magic" manipulation from input NAME. 
+ + The cracking procedure for most of these windows programs is +pretty simple and relatively straightforward: + +1) SEE THE NAME OF YOUR BABE AND ITS QUEUE SELECTOR +:task ;This is the Winice95 command you type after firing +snap32 and getting at the "Enter License" nag window: + +TaskName SS:SP StckTp StckBt StckLw TaskDB Hqueue Events +Snap32 0000:0000 006 AC000 006B0000 270E D27 0000 + +OK, the babe is Snap32,it's HQUEUE is 0xD27, it's TaskDB is +0x27OE, orright. + +2) SEE THE MODULES OF YOUR BABE: +:map32 snap32 ;Your command +Owner Obj Name Obj# Address Size Type +SNAP32 .text 0001 0137:00401000 00043000 CODE RO +SNAP32 .rdata 0002 013F:00444000 00002E00 IDATA RO +SNAP32 .data 0003 013F:00447000 00009000 IDATA RW +SNAP32 .idata 0004 013F:00471000 00001C00 IDATA RW +SNAP32 .rsrc 0005 013F:00473000 00001600 IDATA RO +SNAP32 .reloc 0006 013F:00475000 00004C00 IDATA RO + +OK, so the code is in selector 137:(as usual), and you have there +43000 bytes of code from 401000 to 401000+43000; the DATA, +ReadWrite and ReadOnly, are in selector 13F: (as usual). + +3) SEE THE HANDLE OF THE PROTECTION "NAG" WINDOW +:hwnd snap32 ;Your command +Window Handle Hqueue SZ Qowner Class Name Window Procedure + 0350(1) 0D27 32 SNAP32 #02071 144F:0560 + 0354(2) 0D27 32 SNAP32 #02071 17CF:102E + ... and many more windows that we do not care of. + + OK, so, for our cracking purposes, it's Handle 0x350. Most of +the times the "nag" window you want to crack will be the first +one in the hwnd listing (coz it was the last one to appear). +Watch the number in parentheses that follows the Whandle: (1) is +a mother, (2) are "children" windows. At times you'll find under +"Class Name" something like "Edit" (see before the Winformant +cracking)... SNIFF THERE! At times the "Window Procedure" code +location in a list of more than twenty, will be slightly +different for one or two windows... SNIFF THERE! 
+ +4) BREAKPOINT MESSAGE WM_GETTEXT (or any other WM_ that you can +think of in order to "pinpoint" the code of our babe). +"Pinpointing" the code is extremely important in windows +cracking... this idiotic OS moves code, data and stack out and +inside the pages all the time... so you'll keep getting on +"INVALID" sections without a correct pinpointing. Good +Pinpointing points are in general: + BMSG xxxx WM_GETTEXT (good for passwords) + BMSG xxxx WM_COMMAND (good fro OK buttons) + BPRW *your babe* TW (good for tracking) + u USER!GETWINDOWTEXT (u and then BPX inside the code) + u GETDLGITEM (for the Hwnd of an Item inside a + Dialog Box) + CSIP NOT GDI (if you have too many interferences) + u USER!SHOWWINDOW (bpx with counter occurrence to get to + the "right" window) + u GETSYSTEMTIME (for "time-crippled" software) +and many others pinpointing points you'll learn. If you are +really desperate for pinpointing, just do a BMSG xxxx WM_MOVE and +then move the nag window, this will always work. Let's go on: + +:bmsg 350 wm_gettext ;Your command +OK, so the code is ready to be pinpointed. + +5)RUN THE PROGRAM TO THE BREAKPOINT: +CTRL+D ;Your command to exit Winice and run + until it pops out at breakpoint +OK, now you pop out inside Winice somewhere... (look at the stack +to know where) so the code has been pinpointed. + +6) SEARCH THE DATA AREA for your input string (4 Gigabytes from +30:0... remember that DATA are *always* in 30:0 to 30:FFFFFFFF +and CODE is *always* in 28:0 to 28:FFFFFFFF). In most protection +the "registration_number" string must match the "username" +string, which cannot be constrained, in order to allow users to +choose whatever stupid name they fancy. Some protections requires +fixed symbols inside the "username" string, though... in these +rare eventualities, just apply to the "username" string what +we'll do here with the "registration_number" string. 
The point +to remember is: begin always with the protection fumbling your +number, crack only if necessary the protection that fumbles your +name. Let's search now. + +:s 30:0 lffffffff '12121212' ;Your command + Pattern Found at 0030:80308612 + +80000000 is good. Lower era videos, mirrors and BIOS, higher +(around C0000000) you have the OS dustbins... the point to +remember is: investigate always FIRST the 80000000 locations. + +7) BREAKPOINT ON MEMORY RANGE ON THIS STRING. +By the way: prepare a watch window dex 3 es:di, you'll soon see +how useful such an automated watchwindow is in password cracking. + +:bpr 30:80308612 30:80308612+8 RW ;Your command + +OK Now we'll begin to dig out the relevant parts of the code. +Remember that you must breakpoint *every* copy of the string that +protection generates. A typical copy routine, very frequently +used in windows copy protection schemes, dwells inside +KERNEL!HMEMCPY (+0076): + +0117:9E8E 66C1E902 SHR ECX,02 +0117:9E92 F36766A5 REPZ MOVSD ;makes a copy in es:di +0117:9E96 6659 POP ECX +0117:9E98 6683E103 AND ECX,+03 +0117:9E9C F367A4 REPZ MOVSB +0117:9E9F 33D2 XOR DX,DX + +In fact, this piece of copying code is so often used for password +verifications that sometimes you just need to bpx on 0117:9E92 +to get the correct stack sequence... but let's, for now, continue +without such little tricks: just keep on BPRring (Breakpoint on +memory range) all copies that protection makes. + +8) LET THE BABE RUN, it will breakpoint on all manipulations of +your input string. One of them will lead to the magic. +8.1.) VALIDATION phase +There are many routines that check and "validate" your inputs. +The most common ones check that your numbers ARE really numbers, +i.e. in the range 0x30-0x39. Usually this is done with: + CMP EAX,+30 + JB no_number + CMP EAX,+39 + JA no_number +At times the protectionists use TABLES instead... 
The number +itself is used as a pointer to a "ready made" table where the +relevant magic can be used as a protection. Imagine that a number +4 in your input points to a code section that throws you +immediately outside the validation routine... or imagine that a +number 7, if found in your input, fetches a magic code that +removes the whole program from your harddisk (or worse): "Ah, ah! +Stupid cracker will never know that he should not have used +number 4... and definitely not number 7! Next time he'll +learn..." Yes, tables have been used for such nasty tricks. +Here the relevant code for the "validation" part of our +protection (still checking my favourite input string '12121212'): +:check_if_valid +0137:4364AE 8A16 MOV DL,[ESI] ;load license number +0137:4364B0 33C0 XOR EAX,EAX ;zero AX +0137:4364B2 668B0451 MOV AX,[ECX+2*EDX] ;look table for 84 +0137:4364B6 83E008 AND EAX,+08 ;OK if AND'S TO zero +0137:4364B9 85C0 TEST EAX,EAX ;and therefore +0137:4364BB 7403 JZ 004364C0 ;go on +0137:4364BD 46 INC ESI ; ready for next number +0137:4364BE EBCD JMP 0043648D +:strip_-_&_+_signs +0137:4364C0 33DB XOR EBX,EBX ;clean BX +0137:4364C2 8A1E MOV BL,[ESI] ;load license number +0137:4364C4 46 INC ESI ;ready for next +0137:4364C5 8BFB MOV EDI,EBX ;save copy +0137:4364C7 83FB2D CMP EBX,+2D ;is it a "-"? +0137:4364CA 7405 JZ 004364D1 +0137:4364CC 83FB2B CMP EBX,+2B ;is it a "+"? + +8.2.) 
MANIPULATION (summing magic numbers) +Your wisely set breakpoints on memory range for the occurrence +of the string "12121212" will pop you out, inter alia, inside +following piece of code (note how this part of protection dwells +inside GDI, and NOT inside the code selector of snap32): +0557:11BD 33C0 XOR EAX,EAX ;zero AX +0557:11BF 66648B06 MOV AX,FS:[ESI] ;load number +0557:11C3 83C602 ADD ESI,+02 ;point to next +0557:11C6 66833C4700 CMP WORD PTR [EDI+2*EAX],+00 +0557:11CB 0F8424010000 JE 000012F5 +0557:11D1 668B0442 MOV AX,[EDX+2*EAX] ;load from magic table +0557:11D5 03D8 ADD EBX,EAX ;save sum in EBX +0557:11D7 49 DEC ECX ;till we are done +0557:11D8 75E5 JNZ 000011BF ;loop along + +Interesting, isn't it? Protection is using this GDI routine to +create a SUM (through pointers to another table) that depends on +your very input numbers. We are now very near to the crack... can +you *feel* it? If not, prepare yourself a good Martini Vodka! +This is the correct way to do it: + * Get a "highball" glass; + * Put some ice cubes inside it (2 or 3); + * Add Martini Dry (From Martini & Rossi). Fill to 1/3; + * Add Moskowskaja Wodka (the only real Vodka). Fill to 2/3; + * Add a zest of lemon (From Malta or Southern France); + * Add a green "sound" olive (from Italy or Israel); + * Add Schweppes Indian Tonic. Fill to the brim. +Sit deeper and relax, sip slowly and *feel* where the code of the +protection scheme you are cracking "moves"... It's like a +current... a slow tide. If you still do not believe me, just try +it. + +We'll now find out where protection stores the "magic" sum (and +now you'll pop out inside the very own snap32 code, this is the +"real" protection part): + +8.3.) 
The ludicrous "HIDING" of the magic sum +0137:40437E 83C404 ADD ESP,+04 +0137:404381 8B4DE8 MOV ECX,[EBP-18] +0137:404384 8945F0 MOV [EBP-10],EAX ;***HERE!*** +0137:404387 68FF000000 PUSH 000000FF +0137:40438C 8D8574FBFFFF LEA EAX,[EBP+FFFFFB74] ;load string +0137:404392 50 PUSH EAX ;push it +0137:404393 E886410100 CALL 0041851E ;manipulate +0137:404398 8D8574FBFFFF LEA EAX,[EBP+FFFFFB74] ;load string +0137:40439E 50 PUSH EAX ;push it +0137:40439F E88C210300 CALL 00436530 ;manipulate + +As you can see, the protection is very simple: The "magic" sum +is hidden only two lines before the further manipulations of the +input string. We have found location 137:404384, here, in the +CORRECT way, through bprring of the string that has been +manipulated in the GDI, but actually, we could have found it +quickly just checking superficially what's happening "around" all +manipulations of the input string. Do we really need to follow +all manipulations of our registration_number and eventually also +all manipulation of our username? NO, not at all: we just set a +BPR on the stack location where protection hides the sum [EBP-10] +and we'll see what happens: 90% of these protections just create +two sums, a sum from your username and a sum from your +registration_number... somewhere there will be a compare that +must use this location (or a copy of it... we'll see). + +8.4.) COMPARING THE MAGICS FROM THE TWO INPUT STRING +Breakpoint on memory range on the sum location [EBP-10] that you +saw in the previous code and you'll land at this piece of code: +0137:404412 E82F050000 CALL 00404946 +0137:404417 83C40C ADD ESP,+0C +0137:40441A 3B45F0 CMP EAX,[EBP-10] ;comp AX & magicsum +0137:40441D 740F JZ 0040442E +0137:40441F 68C0874400 PUSH 004487C0 +0137:404424 E8149E0000 CALL 0040E23D +0137:404429 83C404 ADD ESP,+04 +0137:40442C EB5B JMP 00404489 +0137:40442E 893DA0714400 MOV [004471A0],EDI +0137:404434 85FF TEST EDI,EDI + +That's it, you have made it! 
We found the compare between the +"username" magic number (for my "+ORC+ORC" string that's here +0x7C25621B) in AX (we do not need to know how this landed +there... it's irrelevant!) and the "license_number" '12121212' +(whose magic is here 0x00B8F47C) stored in [pointer-10.] How do +we find now the correct INPUT number for +ORC+ORC? Well, it's +easy... the "magic number" must be the same... therefore: + +Cracked=Dec(0x7C25621B) +Cracked=2082824731 + + That was it. Old Snap32 has been cracked. You could now +prepare a crack in order to distribute this program around +without its simple protection. Good cracked applications should +be given free (i.e. cracked) to all the people that NEED them and +do not have the money to buy them. Don't forget that in this +intolerable society the 0,5% of the citizens own the 56% of the +industrial capital and the 63% of the propaganda machines (data +from US researchers... therefore suspect... the real situation +is probably even worser) effectively conditioning the destiny of +millions of slaves, moronized by television watching. So crack +the applications and give them to the people you care and the +peolple that need them, but for the others... just EXPLAIN +everybody how you did it... this is real help: giving knowledge, +not wares. DO NOT use my handle and my codes to crack this +program, get yours, I gave you mine only as an help for this +cracking lesson. I have showed you the way enough... THIEFS, not +crackers, use the codes that others have found. You are (gonna +be) CRACKERS! Remember it, look straight ahead, crack accurately +and keep your tommy in. + +HOW TO SEARCH THE INTERNET FOR FILES WITHOUT MOVING A FINGER + It's amazing: most of the people roaming around inside Internet +DO NOT know how to use effectively the web. I'll be very +altruistic and explain how to fetch the very example of Snap32, +the babe we cracked in this lesson. 
+ +1) Choose an archie from this list (I will not explain you what +an archie is, you should know it... if you do not, be ashamed): + archie.univie.ac.at 131.130.1.23 Austria + archie.belnet.be 193.190.248.18 Belgium + archie.funet.fi 128.214.6.102 Finland + archie.univ-rennes1.fr 129.20.254.2 France + archie.th-darmstadt.de 130.83.22.1 Germany + archie.ac.il 132.65.16.8 Israel + archie.unipi.it 131.114.21.10 Italy + archie.uninett.no 128.39.2.20 Norway + +2) Email a message to your archie: + To: archie.univie.ac.at (for instance) + Subject: (nothing on this field) + Body: set search sub (substrings too) + set maxhits 140 (max 140 hits) + set maxhitspm 9 (not the same file all over) + find snap32 (we want this) + +3) After a while you'll get (per email) your answer: Here the +answer from the Austrian archie + +Host ftp.wu-wien.ac.at (137.208.8.6) + Last updated 17:48 9 Aug 1995 + Location: /pub/systems/windows.32/misc + FILE -rw-r----- 128957 bytes 15:59 16 Jun 1995 snap32.zip +Host space.mit.edu (18.75.0.10) + Last updated 00:45 4 Mar 1996 + Location: /pub/mydir + FILE -rw-r--r-- 407040 bytes 11:55 28 Nov 1995 snap32.exe + +4) ftpmail your file (Browsing is no good: too busy and lame). +Again, I will not explain you what an FTPMAIL server is: learn +it by yourself... choose a good one from this list (there are +many more... you'll learn): + bitftp@vm.gmd.de (Germany) + ftpmail@ieunet.ie (Ireland) + bitftp@plearn.edu.pl (Poland) + ftpmail@ftp.sun.ac.za (South Africa) + ftpmail@ftp.sunet.se (Sweden) + ftpmail@ftp.luth.se (Sweden) + ftpmail@src.doc.ic.ac.uk (United Kingdom) + +To: ftpmail@ftp.sun.ac.za. (for instance) +Subject: (leave blank) +Body: open space.mit.edu (the last occurrence that + the archie sent) + cd/pub/mydir (get the correct subdir) + bin (prepare for BINARY) + get snap32.exe (I want this) + quit (bye) + +5) Your FTPMAIL server will first notice you a receipt: + +FTP EMAIL response... 
+ftpmail has received the following job from you: + reply-to +ORC + open space.mit.edu +ORC@now.here + get snap32.exe +ftpmail has queued your job as: 1834131821.5514 +Your priority is 1 (0 = highest, 9 = lowest) +Requests to sunsite.doc.ic.ac.uk will be done before other jobs. +There are 14 jobs ahead of this one in the queue. +4 ftpmail handlers available. +To remove send a message to ftpmail containing just: +delete 1834131821.5514 + +After a while you'll get a second message, with your file +uuencoded inside... everything has been done. +YESSIR! there is absolutely no need to loose time on the WWW, +"surfing" idiotically from a junk site to the next or waiting +hours to download some slow file from an instable server! Wasting +time of your own LIFE, that you could use to read poetry, to make +love, to look at the stars, to sail slowly between the Aegean +islands or to start a nice cracking session. What's the point of +wasting your time when machines can perform all the searches you +need better, more productively and faster than you ever could... +YESSIR! You can get *everything* on the Web, and without paying +your Internet provider more than a couple of dimes... Nice, isn't +it? + +By now, if you have followed all my lessons, you should be able +to crack relatively quickly "normal" applications. There are some +new projects for 1997: a cracking "university", that will allow +us to prepare for the divine war against Microsoft repulsive +dominion. If you do not have already chosen your handle (your +"cracker" name, that's it), you may consider choosing an handle +with a "+" somewhere inside it or, eventually, add a "+" to your +handle. This sign is used by me and by friends that have studied +and/or contributed. 
But a "+" in your handle ("official +ORC +cracker") will mean even more: +1) allows support from me personally (on a "do ut des" basis) +2) allows pupils to identify each other (good for joining + forces) +3) will open you (eventually) the doors to the "higher" + cracking university I'll set up on the Web in 1997. +(I'm not getting megalomaniac... In reality I only need a "quick" +method to know on which (anonymous) people I can count on for the +next phase). + +Well, that's it for this lesson, reader. Not all lessons of my +tutorial are on the Web. + You 'll obtain the missing lessons IF AND ONLY IF you mail +me back (via anon.penet.fi) with some tricks of the trade I may +not know that YOU discovered. Mostly I'll actually know them +already, but if they are really new you'll be given full credit, +and even if they are not, should I judge that you "rediscovered" +them with your work, or that you actually did good work on them, +I'll send you the remaining lessons nevertheless. Your +suggestions and critics on the whole crap I wrote are also +welcomed. + + E-mail +ORC + + +ORC an526164@anon.penet.fi + HOW TO CRACK, by +ORC, A TUTORIAL + +--------------------------------------------------------------------------- + + Lesson A.1: Advanced Cracking: Internet Cracking (Unix) + +--------------------------------------------------------------------------- + +-------------> INTERNET CRACKING: FIREWALLS + + With each new company that connects to the "Information + +Superhighway" new frontiers are created for crackers to explore. + +Site administrators (Siteads) have implemented various security + +measures to protect their internal networks. One of these is + +xinetd, covered later. A more general solution is to construct + +a guarded gateway, called a [Firewall], that sits between a + +site's internal network and the wild and woolly Internet where + +we roam. In fact only one third of all Internet connected + +machines are already behind firewalls. 
Most information services + +have to deal with the same problem we have: getting OUT through + +a local firewall or GETTING INTO a service through their + +Firewall. There lays also the crack_solution. + +------------> What is a Firewall? + + The main purpose of a Firewall is to prevent unauthorized + +access between networks. Generally this means protecting a site's + +inner network from the Internet. If a site has a firewall, + +decisions have been made as to what is allowed and disallowed + +across the firewall. These decisions are always different and + +always incomplete, given the multiplicity of Internet, there are + +always loopholes where a cracker can capitalize on. + + A firewall basically works by examining the IP packets that + +travel between the server and the client. This provides a way to + +control the information flow for each service by IP address, by + +port and in each direction. + + A firewall embodies a "stance". The stance of a firewall + +describes the trade-off between security and ease-of-use. A + +stance of the form "that which is not expressly permitted is + +prohibited" requires that each new service be enabled + +individually and is seldom used, coz very slow and annoying. + +Conversely, the stance "that which is not expressly prohibited + +is permitted" has traded a level of security for convenience. It + +will be useful to guess the stance of the firewall you are + +cracking when making probe decisions. + + A firewall has some general responsibilities: + +* First and foremost if a particular action is not allowed by + +the policy of the site, the firewall must make sure that all + +attempts to perform the action will fail. + +* The firewall should log suspicious events + +* The firewall should alert internal administration of all + +cracking attempts + +* Some firewall provide usage statistics as well. 
+ +------------> Types of Firewall + + In order to avoid head-scratching, it's a good idea to know + +the TOPOLOGY of "your" firewall -and its limitations- before + +attempting to get through it. Discussed below are two popular + +firewall topologies. Although other types exist, the two below + +represent the basic forms; most other firewalls employ the same + +concepts and thus have -luckily- the same limitations. + + 1) THE DUAL-HOMED GATEWAY + + A dual-homed Gateway is a firewall composed of a single + +system with at least two network interfaces. This system is + +normally configured such that packets are not directly routed + +from one network (the Internet) to the other (the internal net + +you want to crack). Machines on the Internet can talk to the + +gateway, as can machines on the internal network, but direct + +traffic between nets is blocked. + + In discussing firewalls, it's generally accepted that you + +should think of the inner network as a medieval castle. The + +"bastions" of a castle are the critical points where defence is + +concentrated. In a dual-homed gateway topology, the dual-homed + +host itself is called the [BASTION HOST]. + + The main disadvantage of a dual-homed gateway, from the + +viewpoints of the users of the network and us crackers alike, is + +the fact that it blocks direct IP traffic in both directions. Any + +programs running on the inner network that require a routed path + +to external machines will not function in this environment. The + +services on the internal network don't have a routed path to the + +clients outside. To resolve these difficulties, dual-homed + +gateways run programs called [PROXIES] to forward application + +packets between nets. A proxy controls the conversation between + +client and server processes in a firewalled environment. Rather + +than communicating directly, the client and the server both talk + +to the proxy, which is usually running on the bastion host + +itself. 
Normally the proxy is transparent to the users. + + A proxy on the bastion host does not just allow free rein + +for certain services. Most proxy software can be configured to + +allow or deny forwarding based on source or destination addresses + +or ports. Proxies may also require authentication of the + +requester using encryption- or password-based systems. + + The use of proxy software on the bastion host means that the + +firewall administrator has to provide replacements for the + +standard networking clients, a nightmare in heterogeneous + +environments (sites with many different operating systems + +platforms, PC, Sun, IBM, DEC, HP...) and a great burden for + +administrator and users alike. + + 2) THE SCREENED HOST GATEWAY + + A screened host gateway is a firewall consisting of at least + +one router and a bastion host with a single network interface. + +The router is typically configured to block (screen) all traffic + +to the internal net such that the bastion host is the only + +machine that can be reached from the outside. Unlike the dual- + +homed gateway, a screened host gateway does not necessarily force + +all traffic through the bastion host; through configuration of + +the screening router, it's possible to open "holes" in the + +firewall to the other machines on the internal net you want to + +get into. + + The bastion host in a screened host firewall is protected + +from the outside net by the screening router. The router is + +generally configured to only allow traffic FROM SPECIFIC PORTS + +on the bastion host. Further, it may allow that traffic only FROM + +SPECIFIC EXTERNAL HOSTS. For example the router may allow Usenet + +news traffic to reach the bastion host ONLY if the traffic + +originated from the site's news provider. This filtering can be + +easily cracked: it is relying on the IP address of a remote + +machine, which can be forged. 
+ + Most sites configure their router such that any connection + +(or a set of allowed connections) initiated from the inside net + +is allowed to pass. This is done by examining the SYN and ACK + +bits of TCP packets. The "start of connection" packet will have + +both bits set. If this packets source address is internal... or + +seems to be internal :=) the packet is allowed to pass. This + +allows users on the internal net to communicate with the internet + +without a proxy service. + + As mentioned, this design also allows "holes" to be opened + +in the firewall for machines on the internal net. In this case + +you can crack not only the bastion host, but also the inner + +machine offering the service. Mostly this or these machine/s will + +be far less secure than the bastion host. + + New services, for instance recent WEB services, contain a + +lot of back doors and bugs, that you'll find in the appropriate + +usenet discussion groups, and that you could use at freedom to + +crack inner machines with firewall holes. Sendmail is a good + +example of how you could crack in this way, read the whole + +related history... very instructive. The rule of thumb is "big + +is good": the bigger the software package, the more chance that + +we can find some security related bugs... and all packages are + +huge nowadays, 'coz the lazy bunch of programmers uses + +overbloated, buggy and fatty languages like Visual Basic or + +Delphy! + +Finally, remember that the logs are 'mostly) not on the bastion + +host! Most administrators collect them on an internal machine not + +accessible from the Internet. An automated process scan the logs + +regularly and reports suspicious information. + + + + 3) OTHER FIREWALL TOPOLOGIES + +The dual-homed gateway and the screened host are probably the + +most popular, but by no mean the only firewall topologies. 
Other + +configurations include the simple screening router (no bastion + +host), the screened subnet (two screening routers and a bastion + +host) as well as many commercial vendor solutions. + +------------> Which software should we study? + +Three popular unix software solutions allow clients inside a + +firewall to communicate with server outside: CERN Web server in + +proxy mode, SOCKS and the TIS Firewall toolkit. + +1) The CERN Web server handles not only HTTP but also the other + +protocols that Web clients use and makes the remote connections, + +passing the information back to the client transparently. X-based + +Mosaic can be configured for proxy mode simply by setting a few + +environment variables. + +2) The SOCKS package (available free for anonymous ftp from + +ftp.nec.com in the file + + /pub/security/socks.cstc/socks.cstc.4.2.tar.gz + +includes a proxy server that runs on the bastion host of a + +firewall. The package includes replacements for standard IP + +socket calls such as connect(), getsockname(), bind(), accept(), + +listen() and select(). In the package there is a library which + +can be used to SOCKSify your crack probes. + +3) The Firewall Toolkit + +The toolkit contains many useful tools for cracking firewall and + +proxy server. netacl can be used in inetd.conf to conceal + +incoming requests against an access table before spawning ftpd, + +httpd or other inetd-capable daemons. Mail will be stored in a + +chroot()ed area of the bastion for processing (mostly by + +sendmail). + +The Firewall toolkit is available for free, in anonymous ftp from + +ftp.tis.com in the file + + /pub/firewalls/toolkit/fwtk.tar.Z + +The popular PC firewall solution is the "PC Socks Pack", for MS- + +Windows, available from ftp.nec.com It includes a winsock.dll + +file. + + The cracking attempts should concentrate on ftpd, normally + +located on the bastion host. 
It's a huge application, necessary + +to allow anonymous ftp on and from the inner net, and full of + +bugs and back doors. Normally, on the bastion host, ftpd is + +located in a chroot()ed area and runs as nonprivileged user. If + +the protection is run from an internal machine (as opposing the + +bastion host), you could take advantage of the special inner-net + +privileges in hostp.equiv or .rhosts. If the internal machine + +"trusts" the server machine, you'll be in pretty easily. + + Another good method, that really works, is to locate your + +PC physically somewhere along the route between network and + +archie server and "spoof" the firewall into believing that you + +are the archie server. You'll need the help of a fellow hacker + +for this, though. + + Remember that if you gain supervisor privileges on a machine + +you can send packets from port 20, and that in a screened host + +environment, unless FTP is being used in proxy mode, the access + +filters allow often connections from any external host if the + +source port is 20 and the destination port is greater than 1023! + + remember that NCSA Mosaic uses several protocols, each on + +a different port, and that -if on the firewall no proxy Web + +server is operating- each protocol must be dealt with + +individually, what lazy administrators seldom do. + + Be careful for TRAPS: networking clients like telnet and ftp + +are often viciously replaced with programs that APPEAR to execute + +like their namesake, but actually email an administrator. A + +fellow cracker was almost intercepted, once, by a command that + +simulated network delays and spat out random error messages in + +order to keep me interested long enough to catch me. 
Read the + +(fictions) horror story from Bill Cheswick: "An evening with + +Berferd in which a cracked is lured, endured and studied", + +available from ftp.research.att.com in + + /dist/internet_security/berferd.ps + +As usual, all kind of traps can be located and uncovered by + +correct zen-cracking: you must *FEEL* that some code (or that + +some software behaviour) is not "genuine". Hope you believe me + +and learn it before attempting this kind of cracks. + +------------> How do I crack Firewalls? + + Some suggestions have been given above, but teaching you how + +to crack firewalls would take at least six complete tutorial + +lessons for a relatively unimportant cracking sector, and you + +would almost surely get snatched immediately, 'coz you would + +believe you can crack it without knowing nothing at all. So, for + +your sake, I'll teach you HOW TO LEARN IT, not HOW TO DO IT + +(quite a fascinating difference): First Text, then the software + +above. For text, start with Marcus Ranum's paper "Thinking about + +Firewalls", available from ftp.tis.com in the file/pub/firewalls/firewalls.ps.Z + +and do an archie search for newer literature. + +Join the firewall discussion list sending a message to + +majordomo@greatcircle.com, you'll get a message with + +instructions, as usual, lurk only... never show yourself to the + +others. + + You can find for free on the web quite a lot of early + +versions of proxy software. Study it, study it and then study it + +again. The cracking efforts on your copies, and your machines, + +before attempting anything serious, are MANDATORY if you do not + +want to be immediately busted on the Internet. When you feel + +ready to try serious cracking, you must OBLIGATORY start with a + +small BBS which uses a firewall version you already studied very + +well (sysops are not firewall administrators, and many of them + +do not know nothing about the software they use). 
As soon as you + +gain access to the bastion host, remember to subvert entirely the + +firewall itself before entering the inner net. + +If you feel ready and everything went well so far, if your zen- + +cracking abilities are working well... then take a moment for + +yourself... prepare yourself a good Martini-Wodka (you should + +only use Moskovskaia), take a deep breath and by all means go + +ahead! You will then be able to try your luck on the Cyberspace + +and get quickly busted (if you did not follow my admonitions and + +if you cannot zen-crack) or, may be, fish quite a lot of + +jewels... :=) + +-------------> INTERNET CRACKING: XINETD + + [Xinetd] a freely available enhanced replacement for the + +internet service daemon inetd, allows just those particular users + +to have FTP or Telnet access, without opening up access to the + +world. Xinetd can only protect the system from intrusion by + +controlling INITIAL access to most system services and by logging + +activities so that you can detect break-in attempts. However, + +once a connection has been allowed to a service, xinetd is out + +of the picture. It cannot protect against a server program that + +has security problems internally. For example, the finger server + +had a bug several years ago that allowed a particularly clever + +person to overwrite part of its memory. This was used to gain + +access to many systems. Even placing finger under the control of + +xinetd wouldn't have helped. + + Think of the secured firewall system as a fortress wall: + +each service that is enabled for incoming connections can be + +viewed as a door or window in the walls. Not all these doors have + +secure and reliable locks. The more openings are available, the + +more opportunities are open for us. + +-------------> What xinetd does + +Xinetd listens to all enabled service ports and permits only + +those incoming connection request that meet authorization + +criteria. 
+ +- Accept connections from only certain IP addresses + +- Accept connections only from authorized users + +- Reject connections outside of aithorized hours + +- Log selected service when connections are accepted or + + rejected, capturing following informations: + + * Remote Host Address + + * User ID of remote user (in some cases) + + * Entry and Exit time + + * Terminal type + + Support login, shell, exec and finger + +-------------> SERVICES TO CRACK & + + UNWITTING INSIDE COMPLICES + +In this order the easy services: + + FTP TELNET LOGIN (rlogin) SHELL (rcmd) EXEC + +In this order the more difficult ones: + + MOUNT TFT FINGER NFS(Network File System) + + DNS(Domain Name Service) + +Remember that sendmail (SMTP), by default, accepts a message from + +any incoming connection. The "sender" of such a message can + +appear to have originated anywhere, therefore your claim of + +identity will be accepted! Thus you can forge a message's + +originator. Most of the recipients inside the protected + +(firewalled) net will take your claim at face value and send you + +(to the "return address" you provide) all the sensitive + +information you need to crack the system. Finding unwitting + +inside complices is most of the time pretty easy. + + By far the best method, for entering xinetd, is to get the + +real version from panos@cs.colorado.edu, modify the system files + +in order to have some backdoors, and then distribute them to the + +mirror servers on the WEB. Each time a new administrator will + +download "your" version of xinetd, you'll have an easy access to + +the "protected" system. + + On the Nets, it's important to conceal your identity (they + +will find you out pretty quickly if you do not). The best method + +is to obtain the IP address of a legitimate workstation during + +normal hours. 
Then, late at night, when the workstation is known + +to be powered-off or disconnected from a dialup PPP link, a + +different node on the network can be configured to use the + +counterfeit IP address. To everyone on the network, it will + +appear that the "legitimate" user is active. If you follow this + +strategy, you may want to crack somehow more negligently... the + +search for the cracker will go on -later- in the false confidence + +that a sloppy novice (the legitimate user) is at work, this will + +muddle the waters a little more. + +Well, that's it for this lesson, reader. Not all lessons of my + +tutorial are on the Web. + + You 'll obtain the missing lessons IF AND ONLY IF you mail + +me back (via anon.penet.fi) with some tricks of the trade I may + +not know that YOU discovered. Mostly I'll actually know them + +already, but if they are really new you'll be given full credit, + +and even if they are not, should I judge that you "rediscovered" + +them with your work, or that you actually did good work on them, + +I'll send you the remaining lessons nevertheless. Your + +suggestions and critics on the whole crap I wrote are also + +welcomed. + + E-mail +ORC + + +ORC an526164@anon.penet.fi + HOW TO CRACK, by +ORC, A TUTORIAL + +--------------------------------------------------------------------------- + + LESSON C (1) - How to crack, Cracking as an art + +--------------------------------------------------------------------------- + + [BARCODES] [INSTANT ACCESS] + + -------------------------------------- + +[BARCODES] + First of all, let me stress the importance of cracking in +our everyday life. Cracking it's not just about software, it's +about information, about all patterns of life. To crack is to +refuse to be controlled and used by others, to crack is to be +free. But you must also be yourself free from petty conventions +in order to crack properly. 
+ You must learn to discerne cracking possibilities all around +yourself, and believe me, the development of this ghastly society +brings every day new codes, protections and concealing +mechanismes. + All around us grows a world of codes and secret and not so +secret patterns. Codes that are at times so familiar and common +that we do not even notice them any more... and yet they are +there to fool us, and yet they offer marvellous cracking +possibilities. + Let's take as an striking example BARCODES... those little +lines that you see on any book you buy, on any bottle you get, +on any item around you... do you know how they work? If you do +not you may be excused, but you cannot be excused if you never +had the impulse to understand them... crackers are curious by +nature... heirs of an almost extinct race of researchers that has +nothing in common with the television slaves and the publicity +and trend zombies around us. Cracker should always be capable of +going beyond the obvious, seek knowledge where others do not see +and do not venture. + +[BARCODE HISTORY] + Let's begin with a little history. Universal Product Code +(UPC) was adopted for commercial use by the grocery industry in +the USA. Among the advantages were a rapid, accurate and reliable +way of entering stock information into a computer and the +possibility to sack a lot of workers and to do more profit. The +early success led to the development of the European Article +Numbering System (EAN), a symbology similar to UPC, that is +widely used in Europe and in the rest of the World. I'll teach +you to crack this one, since I do not -fortunately- live in the +States. Keep in mind, anyway, that there are different barcode +symbologies, each with its own particular pattern of bars. The +UPC/EAN code used on retail products is an all-numeric code; so +is the Interleaved 2 of 5 Code. Code 39 includes upper case +letters, digits, and a few symbols. 
Code 128 includes every +printable and unprintable ASCII character code. The most new one +is a 2-D code. These are special rectangular codes, called +stacked barcodes or matrix codes. They can store considerably +more information than a standard barcode. They require special +readers which cost more than a standard scanner. The practical +limit for a standard barcode depends on a number of factors, but +20 to 25 characters is an approximate maximum. For applications +that need more data, matrix codes are used. For example, the next +time you receive a package from United Parcel Service look for +a small square label with a pattern of dots and a small bullseye +in the centre. This is a MaxiCode label, and it is used by UPS +for automatic destination sortition. + The manufacturer's ID number on the barcode uniquely +identifies products. These numbers are managed by the Uniform +Code Council in Dayton, Ohio for the States and Canada and by the +EAN authority (Internationale Article Numbering Association) in +Bruxelles, for Europe and the rest of the World. The +manufacturer's ID number accounts for some digits of the code, +which leaves other digits to be assigned in any way the producer +wants. He provides retail outlets with a list of his products and +their assigned codes so that they can be entered in the cash +register system. Many codes are NOT on the products and are added +by the supermarkets on the fly, using an internal code schema +that may be non standard. Now it's enough... let's crack. + BARCODES are the only thing an automated casher needs to see +on a product to calculate its price and automatically catalogate +the sold merchandise... imagine (just imagine it :=) coz it would +be extremely illegal to act in this way) somebody would fasten +an adhesive home-made codebar label direct on the top of the +supermarket/mall/retail store label, say on a bottle of Pomerol +(that's a very good but unfortunately very expensive french +wine). 
+ The new label would mean for the casher something like +"cheap wine from Bordeaux, France, cost so and so, everything +it's OK, do not worry"... do you think that anybody would come +to the idea that there is something wrong with the label, with +the bottle or with you? I have been codebaring for years and had +only once a problem, coz my printer was running out of ink and +the scanner in the supermarket could not read it... so what? Act +uninterested, always wear jackets of the utmost quality, shetland +pullovers and beautiful expensive shoes... (all articles that you +may codebar too, by the way), in this society appearance and look +count much more than substance and knowledge... LET'S USE THIS +TO OUR ADVANTAGE! Nobody will ever come to the idea that you may +actually really know the working of the scheme... coz codebar is +pretty complicated and not exactly exceptionally public. On the +Web there are a lot information about it, but most of them are +useless, unless you know how to search most of the time you'll +find only sentences like this one: + "The calculated check digit is the twelfth and final + digit in the U.P.C.code. It is calculated based on a + specific algorithm, and is necessary to ensure that + the number is read or key-entered correctly." + +But good +ORC will now explain you everything you need to crack: + +[THE 13 BAR "CODES"] +Each barcode label has 13 values, from #0 to #12 (that's the EAN +code, the UPC american one has only 12, from #0 to #11). + #0 and #1 indicate the origin of the product. + #2 to #11 give the article code + #12 (the last and 13th one) is a checksum value, that + verifies the validity of all the other numbers. +How is it calculated? 
#12 is calculated in 4 steps + VALUE A: You sum odd position numbers (#0+#2+#4+#6+#8+#10) + VALUE B: You sum even position numbers and multiply by 3 + ((#1+#3+#5+#7+#9+#11)*3) + VALUE C: You sum value A and value B + VALUE D: You mod value C (you divide by 10 and only keep + the remaining units, a very widespread checking scheme as + you'll see in the software part of this lesson) + If the result is not zero, you subtract it from 10. +Now look at a barcode label, get some books or other barcoded +items and *watch* it... +Bar codes are supposed to have "quiet zones" on either side of +the symbol. Quiet zones are blank areas, free of any printing or +marks,typically 10 times the width of the narrowest bar or space +in the bar code. Failure to allow adequate space on either side +of the symbol for quiet zones can make it impossible to read the +bar code. +On the barcode there are two "borders", left and right, and a +"middle" longer line. These three lines are longer than the +others and are used to "regulate" the scanner to whatever +dimension has been used for the barcode. +#0 dwells left of the first (left) border and has a special +meaning, the other 12 numbers are written "inside" the code and +are divided in two "groups" by the middle bar. +Each value is coded through SEVEN bars: black=1 and White=0. +These form two couples of "optic" bars of different widths. +We come now to the "magic" part: In order to bluff the +simpletons, barcode uses three different SETS of characters to +represent the values 0-9. This should make it impossible for you +to understand what's going on, as usual, in this society, slaves +should not need to worry with the real functioning of things. 
+ Here are the graphic codes of the three graphic sets: + + CODE A CODE B (XOR C) CODE C (NOT A) +0: 0001101 (13) 0100111 (39) 1110010 (114) +1: 0011001 (25) 0110011 (51) 1100110 (102) +2: 0010011 (19) 0011011 (27) 1101100 (108) +3: 0111101 (61) 0100001 (33) 1000010 (066) +4: 0100011 (35) 0011101 (29) 1011100 (092) +5: 0110001 (49) 0111001 (57) 1001110 (078) +6: 0101111 (47) 0000101 (05) 1010000 (080) +7: 0111011 (59) 0010001 (17) 1000100 (068) +8: 0110111 (55) 0001001 (09) 1001000 (072) +9: 0001011 (11) 0010111 (23) 1110100 (116) + +Borders: 101 +Centre: 01010 + +- The C graphic set is a "NOT A" graphic set. +- The B graphic set is a "XOR C" graphic set. +- each value has two couples of bars with different widths + + Now watch some labels yourself... see the difference between the +numbers left and the numbers right? The first "half" of the +barcode is coded using sets A and B, the second "half" using set +C. As if that were not enough, A and B are used inside the first +"half" in a combination that varies and depends from value #0, +following 10 different patterns: + #1 #2 #3 #4 #5 #6 + 0 A A A A A A + 1 A A B A B B + 2 A A B B A B + 3 A A B B B A + 4 A B A A B B + 5 A B B A A B + 6 A B B B A A + 7 A B A B A B + 8 A B A B B A + 9 A B B A B A + +"Ah! Stupid buyer will never understand why the same values gives +different bars! Nothing is as reliable as barcodes!" :=) + +Let's take as example the codebar for Martini Dry: +BARCODE: 8 0 00570 00425 7 +Let's see: we have a 8 0 0 = booze +Then a 000570 as ABABBA and a 004257 as C +"Even" sum: 8+0+5+0+0+2 = 15 (even sum) +Then a 0+0+7+0+4+5= 16 and 16 *3 = 48 (odd sum) +Then a 15+48=63 +63 === 3 +10 - 3 = 7 = checksum +Pattern = 8 = ABABBA CCCCCC + +OK, one more example: Osborne Windows programming series Volume +2 General purpose API functions (always here on my table)... 
+BARCODE: 9 7 80078 81991 9 +Let's see: we have a 9 7 8 = book +Then a 780078 as ABBABA and a 819919 as C +"Even" sum: 9+8+5+8+8+4 = 42 (even sum) +Then a 7+1+5+2+4+4= 23 and 23 * 3 = 69 (odd sum) +Then a 42+69=111 +111 === 1 +10 - 1 = 9 = checksum +Pattern = 9 = ABBABA + +Well... what's the point of all this? +The point, my pupils, is that who DOES NOT KNOW is taken along +on a boat ride, who KNOWS and LEARNS can use his knowledge in +order to try to beat blue and black the loathsome consumistic +oligarchy where we are compelled to live. Try it out for +yourself... if you crack correctly and wisely your supermarket, +mall and library bills will be cut to almost zero. + Write a small program to print whichever codebar you fancy +(or whichever your mall uses) in whichever size on whichever sort +of label you (or better your targets) fancy... it's quickly done +with Visualbasic or Delphy... but you'll not find much on the Web +Alternatively you could also write, as I did long ago, a short +c program in dos, using a modified upper char set... and there +you are, have labels... see the world. + A small word of caution... crack only ONE item at time and +try it out first with the SAME label for the same product... i.e. +the correct code for that item, but on your own label. If it goes +through your program works good, if not, nobody will ever be able +to harm you. Anyway it never happens anything, never: the bar +code reading equipments have great tolerance, coz the scanners +must be able to recognize barcodes that have been printed on many +different medias. You should choose labels similar to the ones +effectively used only in order not to arise human suspects, coz +for all the scanner itself cares, your label could be pink with +green stripes and with orange hand-written, numbers. Mind you, +we are still just academically imagining hypothetical situations, +coz it would be extremely illegal to act in such an inconsiderate +manner. + CRACKING POWER! 
It's true for barcodes, for Telecom bills, +for Compuserve accounts, for Amexco cards, for banking cheques +(do you know what MICR is? Magnetic Ink Character Recognition... +the stylized little printing on the lower left of new cheques... +there is a whole cracking school working on it), for registration +numbers... you name it, they develope it, we crack it... + Begin with barcodes: it's easy, nice and pretty useful! Live +in opulence, with the dignity and affluence that should always +distinguish real crackers. Besides... you should see the +assortment of 'Pomerols' in my "Cave-a-vin" :=) + +[INSTANT ACCESS] + The (c) Instant access routines are a commercial protection +scheme used to "unlock" complete commercial applications that +have been encrypted on CD- +ROMs which are distributed (mostly) through reviews. + This is an ideal cracking target: it's commercial software, +complete, uncrippled and of (relatively) prominent quality, that +you can get in tons for the price of a coke. Obviously this kind +of protection represents an ideal subject for our lessons. This +fairly intricate protection scheme has not yet been cracked by +anybody that I am aware of, anyway not publicly, therefore it's +an ideal candidate for a "strainer" to my university. I'll teach +you here how to crack it in three lessons, C.1, C.2 and C.3. I warn +you... it's a difficult cracking session, and this protection +represents quite an intellectual challenge. But if you are +seriously interested in our trade you will enjoy these lessons +more than anything else. + This cracking is intended as an "assignment" for my +HCU +"cracking university": you'll find inside lessons C.1 and C.2 a +relatively deep "introduction" to Instant access cracking. This +will teach you a lot anyway, and spare you hours of useless +roaming around, bringing you straight to the cracking point. 
But +I'll release the third part of this session, with the complete +solution (lesson C.3) on the Web only in october 1996, not a day +before. All the students that would like to apply to the Higher +Cracking University, opening on the web 01/01/1997, should work +in July, August and September (three months is more than enough +time) on this assignment. They should crack completely the +instant access scheme and send me their solutions, with a good +documentation of their cracking sessions, before 30/09/1996 +(WATCH IT! You can crack this scheme in -at least- three +different paths, be careful and choose the *best* one. WATCH IT! +Some of the informations) in lesson C.1 and C.2 are slightly incorrect: +check it!). +There are four possibilities: +1) The candidate has not found the crack or his solution is + not enough documented or not enough viable... the candidate + is therefore not (yet) crack-able, he will not be admitted + to the +HCU 1997 curses, better luck in 1998; +2) The cracking solution proposed by the candidate is not as + good as mine (you'll judge for yourself in october) but it + works nevertheless... he'll be admitted at the 1997 + courses; +3) The cracking solution of the candidate is more or less + equal to mine, he'll be admitted, personally monitored, and + he'll get all the material he needs to crack on higher + paths; +4) The cracking solution of the candidate is better than mine, + he'll be admitted, get all the material he wishes and asked + to teach us as well as study with us: "homines, dum docent, + discunt". + +[Cracking Instant access] + The user that wants to "unlock" a software application +protected with (c) Instant Access must enter first of all a +REGISTRATION number string, which through a series of +mathematical manipulations gives birth to a special "product" +code. 
On the basis of this "product code" the user is asked to +phone the commercial protectors (and pay) in order to get a +special "unlock code" that will allow him to decrypt the relevant +software. + This kind of "passnumber" protection routines are widely +used for software unlocking, BBS access, server access, backdoor +opening and many other protection schemes. We have already seen +password cracks in different lessons of this tutorial (in +particular Lessons 3.1 and 3.2 for DOS and Lessons 8.1, 8.2 and +9.1 for WIN) albeit on a more simplistic scale: there it did +mostly not matter very much *HOW* you passed the protection: once +passed, you could have access to the application. This is not the +case with (c) Instant Access. Face it: it's a little boring, but +important that you learn how to defeat intricate protection +routines (you'll meet them often in the next years) and I believe +that the following example will give you a "feeling" for the +right cracking approach. + In this case we must not only "crack" this protection scheme +but also study it thoroughly in order to achieve our blessed +aims. This is a very good exercise: reverse disassembling will +teach you a lot of little tricks that you'll be able to use in +your other future cracking sessions. + Instant access (c) is a exceptionally widespread protection +scheme, and it should be relatively easy for you to gather some +encrypted software that has been protected with this method... +*DO IT QUICKLY!!* After the Web publishing of this lessons (I am +sending C.1 to 8 pages and 4 usenet groups on 25/06/1996) this +protection is obviously as dead as a Dodo. The "Accessors" guys +will have to conceive something smarter if they want to keep +selling "protections" to the lamer producers of "big" software. + BTW, if you are reading this and are working for some +commercial "protection" company, consider the possibility to +double cross your masters! 
Deliver me anonymously all the future +projects you are working on! That will amuse me, speed up the +advent of a true altruistic society and earn you the respect of +the better part of humanity. + As I said, many "huge" application are still protected with +this "Instant access" system. I have personally bought at least +7 or 8 "second hand" CD-ROMs packed full with Microsoft, Lotus, +Norton, Symantec, you name it, applications all "protected" +through this crap. The cost of this bunch of CD-ROMs was the +equivalent of a bottle of Dry Martini, maybe less. The same +software is sold, unlocked, to zombies and lusers for ludicrous +amounts of money. + Never buy CD-ROMs magazines when they appear! Be cool! Buy +them two or three months after the publishing date! Buy +"remainders" or "second hand" CD-ROM magazines "at kilo price"... +Come to think of it, never buy *anything* when it appears or when +some (paid) advertiser tells you to... remember that "trends", +"vogues", "fashions" and "modes" are only different names for the +whips that drill and chain the dull-witted slaves of this +loathsome society: "clever crackers consider cool, crack cheap, +cheat customary culture" (a rhetorical figure: an "Alliteration". +To defend yourself learn rhetoric... it's a more powerful and +more useful weapon than Kung-fu). + The "triple" password protection routine in (c) Instant +Access is very interesting from a cracker point of view. It's a +relatively complex scheme: I'll teach you to crack it in two +phases: First of all you must find the "allowed" registration +code, the one that "ignites" the "product code". We must crack +and understand this re_code first if we want to crack the rest. + Just for the records, I am cracking here (c) Action Instant +access version 1.0 (CD-ROM found on a old copy of "Personal +Computer World" of August 1994, packed full with encrypted Lotus, +Symantec, Claris and Wordperfect applications. 
Just to be sure +I crosschecked my results with another CD-ROM which also has +applications protected with (c) Instant Access: Paragon +Publishing's PC OFFICE: the protection scheme remains the same). +I am focusing for this lesson on the cracking of the specific +protection for the encrypted Symantec's Norton Utilities v.8.0. + Please refer to the previous lessons for the basic +techniques used in order to find the protection routine inside +our babe... for "low" cracking purposes you -basically- type a +number (in this case, where the input gets 10 numbers, we'll use +"1212-1212-12"), do your search inside the memory (s 30:0 +lffffffff "your_string") and then set memory breakpoints on all +the relevant memory locations till winice pops (I know, I know, +buddies... there are more effective ways... but hold your mouth: +for now we'll keep them among us: let's make things a little +harder for the protectionists who read this... Besides: the old +approach works here flawlessly). After getting the Registration +window on screen the Winice standard procedure is: + :task ; how + :heap IABROWSE ; where & what + :hwnd IABROWSE ; get the Winhandle + :bpx [winhandle] WM_GETTEXT ; pinpoint code + :bpx GetProcAddress ; in case of funny routines + :dex 0 ds:dx ; let's see their name + :gdt ; sniff the selectors + :s 30:0 lffffffff "Your_input_string" ; search in 4 giga data + :bpr [all memory ranges for your string that are above 80000000] +and so on. (continued in lesson C.2) + +Well, that's it for this lesson, reader. Not all lessons of my +tutorial are on the Web. + You 'll obtain the missing lessons IF AND ONLY IF you mail +me back (via anon.penet.fi) with some tricks of the trade I may +not know that YOU discovered. 
Mostly I'll actually know them +already, but if they are really new you'll be given full credit, +and even if they are not, should I judge that you rediscovered them +with your work, or that you actually did good work on them, +I'll send you the remaining lessons nevertheless. Your +suggestions and critics on the whole crap I wrote are also +welcomed. + + E-mail +ORC + + +ORC an526164@anon.penet.fi + HOW TO CRACK, by +ORC, A TUTORIAL + +--------------------------------------------------------------------------- + + LESSON C (2) - How to crack, Cracking as an art + +--------------------------------------------------------------------------- + + [INSTANT ACCESS] + + -------------------------------------- + + cracking Instant Access (2) - strainer for the +HCU + +[SEE LESSON C.1 for the first part of this cracking session] + Here follow the relevant protection routines for the first +(The "Registration") number_code of Instant Access, with my +comments: you have to investigate a little the following code. + Later, when you'll crack on your own, try to recognize the +many routines that fiddle with input BEFORE the relevant (real +protection) one. In this case, for instance, a routine checks the +correctness of the numbers of your input: + +This_loop_checks_that_numbers_are_numbers: +1B0F:2B00 C45E06 LES BX,[BP+06] ; set/reset pointer +1B0F:2B03 03DF ADD BX,DI +1B0F:2B05 268A07 MOV AL,ES:[BX] ; get number +1B0F:2B08 8846FD MOV [BP-03],AL ; store +1B0F:2B0B 807EFD30 CMP BYTE PTR [BP-03],30 +1B0F:2B0F 7C06 JL 2B17 ; less than zero? +1B0F:2B11 807EFD39 CMP BYTE PTR [BP-03],39 +1B0F:2B15 7E05 JLE 2B1C ; between 0 & 9? +1B0F:2B17 B80100 MOV AX,0001 ; no, set flag=1 +1B0F:2B1A EB02 JMP 2B1E ; keep flag +1B0F:2B1C 33C0 XOR AX,AX ; flag=0 +1B0F:2B1E 0BC0 OR AX,AX ; is it zero? 
+1B0F:2B20 7507 JNZ 2B29 ; flag NO jumps away +1B0F:2B22 8A46FD MOV AL,[BP-03] ; Ok, get number +1B0F:2B25 8842CC MOV [BP+SI-34],AL ; Ok, store number +1B0F:2B28 46 INC SI ; inc storespace +1B0F:2B29 47 INC DI ; inc counter +1B0F:2B2A C45E06 LES BX,[BP+06] ; reset pointer +1B0F:2B2D 03DF ADD BX,DI ; point next number +1B0F:2B2F 26803F00 CMP BYTE PTR ES:[BX],00 ; input end? +1B0F:2B33 75CB JNZ 2B00 ; no:loop next num + + You now obviously understand that the "real" string is +stored inside memory location [BP+SI-34]... set a memory +breakpoint on this area to get the next block of code that +fiddles with the transformed input. Notice how this routine +"normalizes" the input, strips the "-" off and puts the 10 +numbers together: +user input: 1 2 1 2 1 2 1 2 1 2 End + 1E7F:92E2 31 32 31 32 31 32 31 32 31 32 00 45 AF 1F 70 9B + Stack ptr: 0 1 2 3 4 5 6 7 8 9 A B C D E F + Let's now look at the "real" protection routine: the one +that checks these numbers and throw you out if they are not +"sound". Please pay attention to the following block of code: + +check_if_sum_other_9_numbers_=_remainder_of_the_third_number: +:4B79 8CD0 MOV AX,SS ; we'll work inside the stack... 
+:4B7B 90 NOP +:4B7C 45 INC BP +:4B7D 55 PUSH BP ; save real BP +:4B7E 8BEC MOV BP,SP ; BP = stackpointer +:4B80 1E PUSH DS ; save real Datasegment +:4B81 8ED8 MOV DS,AX ; Datasegment = stacksegment +:4B83 83EC04 SUB SP,+04 +:4B86 C45E06 LES BX,[BP+06] ; BX points input_start +:4B89 268A07 MOV AL,ES:[BX] ; load first number +:4B8C 98 CBW ; care only for low +:4B8D C45E06 LES BX,[BP+06] ; reset pointer +:4B90 50 PUSH AX ; save 1st number +:4B91 268A4701 MOV AL,ES:[BX+01] ; load 2nd number +:4B95 98 CBW ; only low +:4B96 8BD0 MOV DX,AX ; 2nd number in DX +:4B98 58 POP AX ; get 1st number +:4B99 03C2 ADD AX,DX ; sum with second +:4B9B C45E06 LES BX,[BP+06] ; reset pointer +:4B9E 50 PUSH AX ; save sum +:4B9F 268A4707 MOV AL,ES:[BX+07] ; load 8th number +:4BA3 98 CBW ; only low +:4BA4 8BD0 MOV DX,AX ; 8th number in DX +:4BA6 58 POP AX ; old sum is back +:4BA7 03C2 ADD AX,DX ; sum 1+2+8 +:4BA9 C45E06 LES BX,[BP+06] ; reset pointer +:4BAC 50 PUSH AX ; save sum +:4BAD 268A4703 MOV AL,ES:[BX+03] ; load 4rd number +:4BB1 98 CBW ; only low +:4BB2 8BD0 MOV DX,AX ; #4 in DX +:4BB4 58 POP AX ; sum is back +:4BB5 03C2 ADD AX,DX ; sum 1+2+8+4 +:4BB7 C45E06 LES BX,[BP+06] ; reset pointer +:4BBA 50 PUSH AX ; save sum +:4BBB 268A4704 MOV AL,ES:[BX+04] ; load 5th number +:4BBF 98 CBW ; only low +:4BC0 8BD0 MOV DX,AX ; #5 in DX +:4BC2 58 POP AX ; sum is back +:4BC3 03C2 ADD AX,DX ; 1+2+8+4+5 +:4BC5 C45E06 LES BX,[BP+06] ; reset pointer +:4BC8 50 PUSH AX ; save sum +:4BC9 268A4705 MOV AL,ES:[BX+05] ; load 6th number +:4BCD 98 CBW ; only low +:4BCE 8BD0 MOV DX,AX ; #6 in DX +:4BD0 58 POP AX ; sum is back +:4BD1 03C2 ADD AX,DX ; 1+2+8+4+5+6 +:4BD3 C45E06 LES BX,[BP+06] ; reset pointer +:4BD6 50 PUSH AX ; save sum +:4BD7 268A4706 MOV AL,ES:[BX+06] ; load 7th number +:4BDB 98 CBW ; only low +:4BDC 8BD0 MOV DX,AX ; #7 in DX +:4BDE 58 POP AX ; sum is back +:4BDF 03C2 ADD AX,DX ; 1+2+8+4+5+6+7 +:4BE1 C45E06 LES BX,[BP+06] ; reset pointer +:4BE4 50 PUSH AX ; save sum +:4BE5 268A4708 MOV 
AL,ES:[BX+08] ; load 9th number +:4BE9 98 CBW ; only low +:4BEA 8BD0 MOV DX,AX ; #9 in DX +:4BEC 58 POP AX ; sum is back +:4BED 03C2 ADD AX,DX ; 1+2+8+4+5+6+7+9 +:4BEF C45E06 LES BX,[BP+06] ; reset pointer +:4BF2 50 PUSH AX ; save sum +:4BF3 268A4709 MOV AL,ES:[BX+09] ; load 10th # +:4BF7 98 CBW ; only low +:4BF8 8BD0 MOV DX,AX ; #10 in DX +:4BFA 58 POP AX ; sum is back +:4BFB 03C2 ADD AX,DX ; 1+2+8+4+5+6+7+9+10 +:4BFD 0550FE ADD AX,FE50 ; clean sum to 0-51 +:4C00 BB0A00 MOV BX,000A ; BX holds 10 +:4C03 99 CWD ; only AL +:4C04 F7FB IDIV BX ; remainder in DX +:4C06 C45E06 LES BX,[BP+06] ; reset pointer +:4C09 268A4702 MOV AL,ES:[BX+02] ; load now # 3 +:4C0D 98 CBW ; only low +:4C0E 05D0FF ADD AX,FFD0 ; clean # 3 to 0-9 +:4C11 3BD0 CMP DX,AX ; remainder = pampered #3? +:4C13 7407 JZ 4C1C ; yes, go on good guy +:4C15 33D2 XOR DX,DX ; no! beggar off! Zero DX +:4C17 33C0 XOR AX,AX ; and FLAG_AX = FALSE +:4C19 E91701 JMP 4D33 ; go to EXIT +let's_go_on_if_first_check_passed: +:4C1C C45E06 LES BX,[BP+06] ; reset pointer +:4C1F 268A4701 MOV AL,ES:[BX+01] ; now load #2 anew +:4C23 98 CBW ; only low +:4C24 05D7FF ADD AX,FFD7 ; pamper adding +3 +:4C27 A38D5E MOV [5E8D],AX ; save SEC_+3 +:4C2A 3D0900 CMP AX,0009 ; was it < 9? 
(no A-F) +:4C2D 7E05 JLE 4C34 ; ok, no 0xletter +:4C2F 832E8D5E0A SUB WORD PTR [5E8D],+0A ; 0-5 if A-F +:4C34 C45E06 LES BX,[BP+06] ; reset pointer +:4C37 268A07 MOV AL,ES:[BX] ; load 1st input number +:4C3A 98 CBW ; only low +:4C3B 05C9FF ADD AX,FFC9 ; pamper adding +7 +:4C3E A38F5E MOV [5E8F],AX ; save it in FIR_+7 +:4C41 0BC0 OR AX,AX ; if #1 > 7 +:4C43 7D05 JGE 4C4A ; no need to add 0xA +:4C45 83068F5E0A ADD WORD PTR [5E8F],+0A ; FIR_+7 + 0xA +now_we_have_the_sliders_let's_prepare_for_loop: +:4C4A C45E0E LES BX,[BP+0E] ; Set pointer to E +:4C4D 26C747020000 MOV WORD PTR ES:[BX+02],0000 ; 0 flag +:4C53 26C7070000 MOV WORD PTR ES:[BX],0000 ; 0 flag +:4C58 C706975E0900 MOV WORD PTR [5E97],0009 ; counter=9 +:4C5E E99500 JMP 4CF6 ; Jmp check_counter +loop_8_times: +:4C61 C45E06 LES BX,[BP+06] ; reset pointer +:4C64 031E975E ADD BX,[5E97] ; add running counter +:4C68 268A07 MOV AL,ES:[BX] ; load # counter+1 +:4C6B 98 CBW ; only low +:4C6C 50 PUSH AX ; save 10th number +:4C6D A18D5E MOV AX,[5E8D] ; ld SEC_+3 down_slider +:4C70 BA0A00 MOV DX,000A ; BX holds 0xA +:4C73 F7EA IMUL DX ; SEC_+3 * 0xA +:4C75 03068F5E ADD AX,[5E8F] ; plus FIR_+7 up_slider +:4C79 BAA71E MOV DX,1EA7 ; fixed segment +:4C7C 8BD8 MOV BX,AX ; BX = Lkup_val=(SEC_+3*10+FIR_+7) +:4C7E 8EC2 MOV ES,DX ; ES = 1EA7 +:4C80 268A870000 MOV AL,ES:[BX+0000] ; ld 1EA7:[Lkup_val] +:4C85 98 CBW ; only low: KEY_PAR +:4C86 8BD0 MOV DX,AX ; save KEY_PAR in DX +:4C88 58 POP AX ; repops 10th number +:4C89 03C2 ADD AX,DX ; RE_SULT=KEY_PAR+#10 +:4C8B 05D0FF ADD AX,FFD0 ; polish RE_SULT +:4C8E 99 CWD ; only low: RE_SULT +:4C8F 8956FC MOV [BP-04],DX ; save here KEY_PAR [9548] +:4C92 8946FA MOV [BP-06],AX ; save here RE_SULT [9546] +:4C95 0BD2 OR DX,DX ; KEY_PAR < 0? 
+:4C97 7C0F JL 4CA8 ; yes: KEY_PAR < 0 +:4C99 7F05 JG 4CA0 ; no: KEY_PAR > 0 +:4C9B 3D0900 CMP AX,0009 ; KEY_PAR = 0 +:4C9E 7608 JBE 4CA8 ; no pampering if RE_SULT < 9 +:4CA0 836EFA0A SUB WORD PTR [BP-06],+0A ; else pamper +:4CA4 835EFC00 SBB WORD PTR [BP-04],+00 ; and SBB [9548] +:4CA8 C45E0E LES BX,[BP+0E] ; reset pointer to E +:4CAB 268B4F02 MOV CX,ES:[BX+02] ; charge CX [958C] +:4CAF 268B1F MOV BX,ES:[BX] ; charge BX slider [958A] +:4CB2 33D2 XOR DX,DX ; clear DX to zero +:4CB4 B80A00 MOV AX,000A ; 10 in AX +:4CB7 9A930D2720 CALL 2027:0D93 ; call following RO_routine + + This is the only routine called from our protection, inside the +loop (therefore 8 times), disassembly from WCB. Examining this +code please remember that we entered here with following +configuration: DX=0, AX=0xA, CX=[958C] and BX=[958A]... + 1.0D93 56 push si ; save si + 1.0D94 96 xchg ax, si ; ax=si, si=0xA + 1.0D95 92 xchg ax, dx ; dx=0xA ax=dx + 1.0D96 85C0 test ax, ax ; TEST this zero + 1.0D98 7402 je 0D9C ; zero only 1st time + 1.0D9A F7E3 mul bx ; BX slider! 0/9/5E/3B2... + 1.0D9C >E305 jcxz 0DA3 ; cx=0? don't multiply! + 1.0D9E 91 xchg ax, cx ; cx !=0? cx = ax & ax = cx + 1.0D9F F7E6 mul si ; ax*0xA in ax + 1.0DA1 03C1 add ax, cx ; ax= ax*0xA+cx = M_ULT + 1.0DA3 >96 xchg ax, si ; ax=0xA; si evtl. 
holds M_ULT + 1.0DA4 F7E3 mul bx ; ax= bx*0xA + 1.0DA6 03D6 add dx, si ; dx= dx_add + 1.0DA8 5E pop si ; restore si + 1.0DA9 CB retf ; back to caller with two + parameters: DX and AX +Back_to_main_protection_loop_from_RO_routine: +:4CBC C45E0E LES BX,[BP+0E] ; reset pointer +:4CBF 26895702 MOV ES:[BX+02],DX ; save R_DX par [958C] +:4CC3 268907 MOV ES:[BX],AX ; save R_AX par [958A] +:4CC6 0346FA ADD AX,[BP-06] ; add to AX RE_SULT [9546] +:4CC9 1356FC ADC DX,[BP-04] ; add to DX KEY_PAR [9548] +:4CCC C45E0E LES BX,[BP+0E] ; reset pointer +:4CCF 26895702 MOV ES:[BX+02],DX ; save R_DX+KEY_PAR [958C] +:4CD3 268907 MOV ES:[BX],AX ; save R_AX+RE_SULT [958A] +:4CD6 FF0E8D5E DEC WORD PTR [5E8D] ; down_slide SEC_+3 +:4CDA 7D05 JGE 4CE1 ; no need to add +:4CDC 83068D5E0A ADD WORD PTR [5E8D],+0A ; pamper adding 10 +:4CE1 FF068F5E INC WORD PTR [5E8F] ; up_slide FIR_+7 +:4CE5 A18F5E MOV AX,[5E8F] ; save upslided FIR_+7 in AX +:4CE8 3D0900 CMP AX,0009 ; is it over 9? +:4CEB 7E05 JLE 4CF2 ; no, go on +:4CED 832E8F5E0A SUB WORD PTR [5E8F],+0A ; yes, pamper -10 +:4CF2 FF0E975E DEC WORD PTR [5E97] ; decrease loop counter +check_loop_counter: +:4CF6 833E975E03 CMP WORD PTR [5E97],+03 ; counter = 3? 
+:4CFB 7C03 JL 4D00 ; finish if counter under 3 +:4CFD E961FF JMP 4C61 ; not yet, loop_next_count +loop_is_ended: +:4D00 C45E06 LES BX,[BP+06] ; reset pointer to input +:4D03 268A4701 MOV AL,ES:[BX+01] ; load 2nd number (2) +:4D07 98 CBW ; only low +:4D08 05D0FF ADD AX,FFD0 ; clean it +:4D0B BA0A00 MOV DX,000A ; DX = 10 +:4D0E F7EA IMUL DX ; AX = SEC_*10 = 14 +:4D10 C45E06 LES BX,[BP+06] ; reset pointer +:4D13 50 PUSH AX ; save SEC_*10 +:4D14 268A07 MOV AL,ES:[BX] ; load 1st number (1) +:4D17 98 CBW ; only low +:4D18 8BD0 MOV DX,AX ; save in DX +:4D1A 58 POP AX ; get SEC_*10 +:4D1B 03C2 ADD AX,DX ; sum SEC_*10+1st number +:4D1D 05D0FF ADD AX,FFD0 ; clean it +:4D20 99 CWD ; only low +:4D21 C45E0A LES BX,[BP+0A] ; get pointer to [9582] +:4D24 26895702 MOV ES:[BX+02],DX ; save 1st (1) in [9584] +:4D28 268907 MOV ES:[BX],AX ; save FINAL_SUM (15) [9582] +:4D2B 33D2 XOR DX,DX ; DX = 0 +:4D2D B80100 MOV AX,0001 ; FLAG TRUE ! +:4D30 E9E6FE JMP 4C19 ; OK, you_are_a_nice_guy +EXIT: +:4D33 59 POP CX ; pop everything and +:4D34 59 POP CX ; return with flag +:4D35 1F POP DS ; AX=TRUE if RegNum OK +:4D36 5D POP BP ; with 1st # in [9584] +:4D37 4D DEC BP ; with FINAL_SUM in [9582] +:4D38 CB RETF + + Let's translate the preceding code: first of all the pointers: +At line :4B86 we have the first of a long list of stack ptrs: + LES BX,[BP+06] + This stack pointer points to the beginning of the input string, +which, once polished from the "-", has now a length of 10 bytes, +concluded by a 00 fence. At the beginning, before the main loop, +9 out of our 10 numbers are added, all but the third one. + Notice that protection has jumped # 3 (and added # 8 out of the +line). The rest is straightforward. Now, at line :4BFD we have +our first "cleaning" instruction. You see: the numbers are +hexadecimal represented by the codes 0x30 to 0x39. If you add +FE50 to the minimum sum you can get adding 9 numbers (0x30*9 = +0x160) You get 0. 
The maximum you could have adding 9 numbers, +on the contrary is (0x39*9=0x201), which, added to FE50 gives +0x51. So we'll have a "magic" number between 0x0 and 0x51 instead +of a number between 0x160 and 0x201. Protection pampers this +result, and retains only the last ciffer: 0-9. Then protection +divides this number through 0xA, and what happens? DX get's the +REMAINDER of it. + If we sum the hexcodes of our (1212-1212-12) we get 0x1BE (we +sum only 9 out of then numbers: the third "1" -i.e. "31"- does +not comes into our count); 0x1BE, cleaned and pampered gives E. +Therefore (0xE/0xA = 1) We get 1 with a remainder of 4. + You may observe that of all possible answers, only sums +finishing with A, B, C, D, E or F give 1 (and rem=0,1,2,3,4 or +5). Sums finishing 0 1 2 3 4 5 6 7 8 or 9 give 0 as result and +themselves as reminder. The chance of getting a 0,1,2,3 or 4 are +therefore bigger as the chance of getting a 5, 6, 7, 8 or 9. We +are just observing... we do not know yet if this should play a +role or not. + Now this remainder is compared at :4C11 with the third number +polished from 0x30-0x39 to 0-9. This is the only protection check +for the registration number input: If your third number does not +match with the remainder of the sum of all the 9 others numbers +of your input you are immediately thrown out with FLAG AX=FALSE +(i.e. zero). + To crack the protection you now have to MODIFY your input string +accordingly. Our new input string will from now on be "1242-1212- +12": we have changed our third number (originally a "2") to a "4" +to get through this first strainer in the correct way. Only now +protection starts its mathematical part (We do not know yet why +it does it... in order to seed the random product number? To +provide a check for the registration number you'll input at the +end? We'll see). +- Protection saves the second number of your input (cleaned + with FFD7) in SEC_+3 [5E8D], pampering it if it is bigger + than 9 (i.e. 
if it is 0xA-0xF). Here you'll have therefore + following correspondence: 0=7 1=8 2=9 3=0 4=1 5=2 6=3 7=4 + 8=5 9=6. The second number of your input has got added +3. + This is value SEC_+3. In (lengthy) C it would look like + this: + If (RegString(2)is lower than 7) RegString(2) = RegString(2)+3 + Else Regstring(2) = ((RegString(2)-10)+3) +- Protection saves your first number in FIR_+7 [5E8F] with a + different cleaning parameter (FFC9). The next pampering + adds 0xA if it was not 7/8/9 therefore you have here + following correspondence 7=0 8=1 9=2 0=3 1=4 2=5 3=6 4=7 + 5=8 6=9). This is value FIR_+7. In (lengthy) C it would + look like this: + If (RegString(1) is lower than 3) RegString(1) = RegString(1)+7 + Else Regstring(1) = ((RegString(1)-10)+7) + So protection has "transformed" and stored in [5E8D] and [5E8F] +the two numbers 1 and 2. In our RegString: 1242-1212-12 the first +two numbers "12" are now stored as "94". These will be used as +"slider" parameters inside the main loop, as you will see. + Only now does protection begin its main loop, starting from the +LAST number, because the counter has been set to 9 (i.e. the +tenth number of RegString). The loop, as you'll see, handles only +the numbers from 10 to 3: it's an 8-times loop that ends without +handling the first and second number. What happens in this +loop?... Well, quite a lot: Protection begins the loop loading +the number (counter+1) from the RegString. Protection then loads +the SEC_+3 down_slider parameter (which began its life as second +number "transformed"), multiplies it with 0xA and then adds the +up_slider parameter FIR_+7 (at the beginning it was the first +number transformed). + This sum is used as "lookup pointer" to find a parameter +inside a table of parameters in memory, which are all numbers +between 0 and 9. Let's call this value Lkup_val. +Protection looks for data in 1EA7:[Lkup_val]. 
In our case (we +entered 1242-1212-12, therefore the first SEC_+3 value is 9 and +the first FIR_+7 value is 4): [Lkup_val] = 9*0xA+4; 0x5A+4 = +0x5E. At line :4C80 therefore AL would load the byte at 1EA7:005E +(let's call it KEY_PAR), which now would be ADDED to the # +counter+1 of this loop. In our case KEY_PAR at 1EA7:005E it's a +"7" and is added to the pampered 0x32=2, giving 9. + Let's establish first of all which KEY_PAR can possibly get +fetched: the maximum is 0x63 and the minimum is 0x0. The possible +KEY_PARs do therefore dwell in memory between 1EA7: and +1EA7:0063. Let's have a look at the relative table in memory, +where these KEY_PARs are stored ("our" first 0x5Eth byte is +underlined): +1EA7:0000 01 03 03 01 09 02 03 00-09 00 04 03 08 07 04 04 +1EA7:0010 05 02 09 00 02 04 01 05-06 06 03 02 00 08 05 06 +1EA7:0020 08 09 05 00 04 06 07 07-02 00 08 00 06 02 04 07 +1EA7:0030 04 04 09 05 09 06 00 06-08 07 00 03 05 09 00 08 +1EA7:0040 03 07 07 06 08 09 01 05-07 04 06 01 04 02 07 01 +1EA7:0050 03 01 08 01 05 03 03 01-02 08 02 01 06 05 07 02 +1EA7:0060 05 09 09 08 02 09 03 00-00 04 05 01 01 03 08 06 +1EA7:0070 01 01 09 00 02 05 05 05-01 07 01 05 08 07 01 09 +1EA7:0080 08 07 07 04 04 08 03 00-06 01 09 08 08 04 09 09 +1EA7:0090 00 07 05 02 03 01 03 08-06 05 07 06 03 07 06 07 +1EA7:00A0 04 02 02 05 02 04 06 02-06 09 09 01 05 02 03 04 +1EA7:00B0 04 00 03 05 00 03 08 07-06 04 08 08 02 00 03 06 +1EA7:00C0 09 00 00 06 09 04 07 02-00 01 01 01 01 00 01 FF +1EA7:00D0 00 FF FF FF FF 00 FF 01-00 00 00 00 00 00 00 00 + + An interesting table, where all the correspondences are +between 0 and 9... are we getting some "secret" number here? But, +hey, look there... funny, isn't it? Instead of only 0-0x63 bytes +we have roughly the DOUBLE here: 0-0xC8 bytes (the 01 sequence +starting at CA "feels" like a fence). We'll see later how +important this is. At the moment you should only "perceive" that +something must be going on with a table that's two time what she +should be. 
+ As I said the result of KEY_PAR + input number is polished +(with a FFDO) and pampered (subtracting, if necessary, 0xA). +Therefore the result will be the (counter+1) input number + +KEY_PAR (let's call it RE_SULT], in our case, (at the beginning +of the loop) a 9. Now (DX=0 because of the CWD instruction) DX +will be saved in [9548] and RE_SULT in [9546]. + Now Protection prepares for the RO_routine: resets its pointer +and charges CX and BX from [958C] and from [958A] respectively, +charges AX with 0xA and sets DX to zero. + The routine performs various operations on AX and DX and saves +the results in the above mentioned locations [958A] and [958C]. + Now KEY_PAR and RE_SULT are added respectively to the DX and AX +value we got back from the RO_routine call, and saved once more +in the last two locations: AX+RE_SULT in [958A] and DX+KEY_PAR +in [958C] + Now the value in SEC_+3 is diminished by 1 (if it was 9 it's now +8, if it was zero it will be pampered to 9). It's a "slider" +parameter (in this case a down_slider), typically used in +relatively complicated protections to give a "random" impression +to the casual observer. The value in FIR_+7, on the contrary, is +augmented by one, from 4 to 5... up_sliding also. + Protection now handles the next number of your input for the +loop. 
In our case this loop uses following protection +configuration with our "sliding" parameters: + Input # pamp_2nd pamp_1st Lookup value KEY_PAR # RE_SULT +# 10 = 2, SEC_+3= 9, FIR_+7= 4, Lkup_val = 0x5E, KEY=7 +2 = 9 +# 9 = 1, SEC_+3= 8, FIR_+7= 5, Lkup_val = 0x55, KEY=3 +1 = 4 +# 8 = 2, SEC_+3= 7, FIR_+7= 6, Lkup_val = 0x4C, KEY=4 +2 = 6 +# 7 = 1, SEC_+3= 6, FIR_+7= 7, Lkup_val = 0x43, KEY=7 +1 = 7 +# 6 = 2, SEC_+3= 5, FIR_+7= 8, Lkup_val = 0x3A, KEY=0 +2 = 2 +# 5 = 1, SEC_+3= 4, FIR_+7= 9, Lkup_val = 0x31, KEY=4 +1 = 5 +# 4 = 2, SEC_+3= 3, FIR_+7= 0, Lkup_val = 0x1E, KEY=5 +2 = 7 +# 3 = 4, SEC_+3= 2, FIR_+7= 1, Lkup_val = 0x15, KEY=2 +4 = 5 +Notice how our "regular" input 21212124 has given an "irregular" +94672575. + You may legitimately ask yourself what should all this mean: +what are these RE_SULTs used for? Well they are used to slide +another parameter: this one inside the called routine... this is +what happens to AX and DX inside the routine, and the lines after +the called routine: +:4CBF 26895702 MOV ES:[BX+02],DX ; save R_DX par [958C] +:4CC3 268907 MOV ES:[BX],AX ; save R_AX par [958A] +:4CC6 0346FA ADD AX,[BP-06] ; add to AX RE_SULT [9546] +:4CC9 1356FC ADC DX,[BP-04] ; add to DX KEY_PAR [9548] +:4CCC C45E0E LES BX,[BP+0E] ; reset pointer to E +:4CCF 26895702 MOV ES:[BX+02],DX ; save R_DX+KEY_PAR [958C] +:4CD3 268907 MOV ES:[BX],AX ; save R_AX+RE_SULT [958A] + + :4CC6 :4CC9 :4CCF Odd_DX :4CD3 slider_sum + RE_SULT [958A] [958C] [958C] [958A] + 0 0 0 0 0 + 9 5A 0 0 9 + 4 3AC 0 0 5E + 6 24F4 0 0 3B2 + 7 71CE 1 1 24FB + 2 7220 4 E 71D0 + 5 7572 4 90 7225 + 7579 + +Now the loops ends, having handled the input numbers from tenth +to third. Protection loads the second number and multiplies it +by 10 (let's call this result SEC_*10), in our case 2*0xA=14. +Protection loads the first number and adds it to the +multiplication, in our case 1+0x14=0x15 (FINAL_SUM]. +Now everything will be added to FFDO to "clean" it. 
+Pointer will now be set to the end of the input number. +DX, zeroed by CDW, will be saved as parameter in [9584] and the +cleaned and pampered sum will be saved in [9582]. +FLAG is set to true and this routine is finished! No parameter +are passed and the only interesting thing is what actually +happens in the locations [9582], [9584], [958A] and [958C], i.e.: +FINAL_SUM, 0, slider_sum, odd_dx. + In the next lesson we'll crack everything, but I'll give you +already some hints here, in case you would like to go ahead on +your own: we'll see how the scheme used for the third (the +registration) number show analogies and differences with the +scheme we have studied (and cracked) here for the first number. +Our 3434-3434-3434-3434-34 input string for the registration +number will be transformed in the magic string +141593384841547431, but this will not work because the "magic" +12th number: "1" will not correspond to the remainder calculated +inside this check through the previous locations of the other +checks. + Here the things are more complicated because every little +change in your input string transforms COMPLETELY the "magic" +string... therefore in order to pass the strainer you'll have to +change 3434-3434-3434-3434-34 in (for instance) 7434-3434-3434- +3434-96. The "magic" string 219702960974498056 that this +registration input gives will go through the protection strainer. +Only then we'll be able to step over and finally crack the whole +protection... it's a pretty complicated one as I said. Now crack +it pupils... you have three months time. From this crack depends +your admission to the Uni, there will be no other admission text +till summer 1997 (it's a hell of work to prepare this crap)... +work well. + +Well, that's it for this lesson, reader. Not all lessons of my +tutorial are on the Web. + You 'll obtain the missing lessons IF AND ONLY IF you mail +me back (via anon.penet.fi) some tricks of the trade I may not +know but YOU've discovered. 
I'll probably know most of them +already, but if they are really new you'll be given full credit, +and even if they are not, should I judge that you "rediscovered" +them with your work, or that you actually did good work on them, +I'll send you the remaining lessons nevertheless. Your +suggestions and critics on the whole crap I wrote are also +welcomed. + + E-mail +ORC + + +ORC an526164@anon.penet.fi diff --git a/textfiles.com/piracy/CRACKING/htc.txt b/textfiles.com/piracy/CRACKING/htc.txt new file mode 100644 index 00000000..28de8864 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/htc.txt 
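Review bot: the assembly listings and column-aligned tables in the +ORC lessons file that ends just above (the 1EA7:0000 byte dump and the RE_SULT / [958A] / [958C] slider table) only make sense with their original whitespace and line structure, so this file has to be committed byte-for-byte: make sure no editor or pre-commit hook strips trailing spaces or converts line endings, and consider a `.gitattributes` rule such as `textfiles.com/piracy/** -text` so Git never normalizes EOLs on checkout. The text also says of itself that "Some of the informations in lesson C.1 and C.2 are slightly incorrect: check it!", and the listing comments do contain slips (at :4C70 the comment reads "BX holds 0xA" while the instruction loads DX; at :4C03 CWD is annotated "only AL"), so no content corrections belong in this archival import; state in the commit message that the file is mirrored verbatim, errors included.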
@@ -0,0 +1,3672 @@ + A beginners Guide to Cracking + + + + Chapter 1 overview + + Chapter 2 some tips on how to use the debugger + + Chapter 3 some basic cracking techniques + + Chapter 4 walk through of an easy crack + + Chapter 5 how to use the disk editor + + Chapter 6 other cracking tools + + Chapter 7 source code to a simple byte patcher + + Chapter 8 conclusion + + + Programs included at the end of this guide + + + Section 1 uuencoded cracking tool + + Section 2 another uuencoded cracking tool + + Section 3 uuencoded program to crack for the walk through + + + + +CHAPTER 1 OVERVIEW +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +You might be wondering what type of programming skills you need to become a +cracker. Knowing a higher level language such as Basic, Pascal, or C++ will +help you somewhat in that you will have an understanding of what's involved in +the process of writing a program and how certain aspects of a program +function. If you don't have any programming skills at all, you have a long +road ahead of you. But even if you can program in a high level language, in +order to crack you have to know assembly... + +It really doesn't matter what language a program was written in in order to +crack it, because all programs do the same thing. And that is issue commands +to the microprocessor. And all programs when broken down to their simplest +form are nothing more than a collection of 80XXX instructions and program +specific data. This is the level of assembly language. In assembly you have +total control of the system. This is also the level that the debugger operates +at. + +You don't have to become a master at assembly to crack a program, but it +helps. You do need to learn some rudimentary principles, and you absolutely +have to become familiar with the registers of the cpu and how the 8088 +instruction set uses them. There is no way around this. 
+ +How proficient you are at assembly will determine how good of a cracker you +become. You can get by on learning a few basic instructions, how to use a +debugger, and one or two simple techniques. This will allow you to remove a +few shareware nag screens, and maybe you'll luck out and remove the copy +protection from a game or two, but that's it. + +As soon as a programmer throws some anti-debugging code into a program or +starts revectoring interrupts, you'll be whining for someone to post a crack +for this or that... And you can forget about ever learning to crack windows +programs. + +It's much much easier to learn to crack in DOS than windows. DOS is the +easiest environment to debug in. This guide will focus on DOS programs as +cracking windows apps is a little bit overwhelming unless you are already an +experienced cracker. And if you are, your wasting your time by reading this. +This manual is geared towards the raw beginner who has no clue as to where to +start and needs a little hand holding in order to get going. + +There are several good beginners manuals out there, but most of them assume a +person has at least some experience in cracking or knows how to use the +different tools of the cracker, and the raw beginner usually becomes +frustrated with them very quickly because they don't understand the concepts +contained in them. + +I wrote this guide as sort of a primer for the beginner to read before reading +the more comprehensive guides. I tried to keep it as simple as possible and +left a great deal of information out so as not to overwhelm anyone with too +much information at once. Hopefully after reading this guide it will be easier +for the beginner to understand the concepts of the more arcane guides out +there. So if you are reading this and it seems a little bit remedial, +remember, at one time you didn't know what a debugger was used for either. 
+ +Now in case your not familiar with the debugger and disk editor and what their +different roles in cracking are, I'll give a brief explanation of each. As +these are the crackers most used tools. + +The debugger is what you will use to actually crack the program. When you load +a program you wish to crack into the debugger, it will load the program and +stop at the first instruction to be executed within the code segment. Or, you +can also optionally break into an already running program and it will halt the +program at the instruction you broke into it at and await further input from +you. At this point, you are in control of the program. + +You can then dynamically interact with the program and run it one line of code +at a time, and see exactly what the program is doing in real time as each line +of code is executed. You will also be able to re-assemble instructions (in +memory only), edit the contents of memory locations, manipulate the cpu's +registers, and see the effects your modifications have on the program as it's +running. This is also where all your system crashes will occur... There is a +lot of trial and error involved in cracking. + +As stated above, the debugger will only modify the program while it's up and +running in memory. In order to make permanent changes, you need to load the +program file to be patched into the disk editor and permanently write the +changes you've made to disk. A detailed explanation of how to do this will be +made in chapter 5. + +So, with this in mind, you need a few essential tools... The first one is a +good debugger. The original draft of this guide gave explicit instructions on +how to use my favorite debugger. After considerable deliberation, I decided to +re-write it and make the instructions more generic so you could apply them to +most any debugger. You will also need a disk editor, it doesn't matter which +one you use as long as it will load the program file, search for and edit the +bytes you want to change. 
+ +I uuencoded a few cracking tools that you will find indespensible and placed +them at the end of this guide. I won't go into the use of the cracking tools +right now. But believe me, you absolutely need one of them, and the other one +will save you a lot of effort. I also uuencoded the program that we will crack +in the walk through and included it in this guide as well. + +As you get better, you'll have to write programs that will implement your +patches if you decide to distribute them. The patches themselves don't have to +be written in assembly. + +The source code I included in this manual for the byte patcher is the first +patcher program I ever wrote, and is extremely simple. It's written in +assembly because that's the only language I know how to program in. but if you +are already proficient in a higher level language, it should be trivial for +you to duplicate it's methods in your preferred language. + + + + +CHAPTER 2 SOME TIPS ON HOW TO USE THE DEBUGGER +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +Ok, before I begin, I'd just like to stress how important it is that you know +at least some assembly before trying to continue. If you don't, you will get +lost pretty quick from here on out. Comprehension of the base 16 (hexadecimal) +number system is also required. + +I'm not about to give a remedial course on assembly or hex math, that would +take too long and I'd probably leave too many questions un-answered. Besides, +there is enough information on them available from a myriad of other sources. + +So, from now on in this guide, I'm assuming you have a fair working knowledge +of assembly and hexadecimal. If I say something you don't understand or you +cannot grasp some concept, look it up somewhere... + +I've tried to make this section as generic as possible. 
I used general +descriptions when explaining HOTKEYS and COMMANDS as different debuggers will +use different keys and command syntax to implement these functions. + +You should be able to translate these instructions to the actual key strokes +and commands that your debugger uses... If you don't know how to use a +debugger, PAY ATTENTION!!! If you already know how to use a debugger you can +skip this section as it is only a general overview of different windows and +functions designed for the absolute beginner who has no clue as to what he is +looking at. + +The reason I included this section is because most manuals for debuggers tell +you how to use the various features of the debugger, but they don't give any +insight on how to apply those features, as they assume the person reading them +already knows how to debug a program. + +First, I'll give an overview on the different windows that most debuggers use. + + +REGISTER WINDOW: + +The register window contains the general purpose and flags registers of the +cpu. You will notice that the general purpose registers contain hexadecimal +values. These values are just what happened to be in there when you brought up +the debugger. you will also notice that some of the flags are highlighted +while some are not. Usually, the highlighted flags are the ones that are SET. +While the ones that are not highlighted are CLEARED. The layout of this window +will vary from debugger to debugger, but they all basically are the same. + +From this window you will be able to manipulate the contents of the cpu's +registers. some debuggers accomplish this by clicking on the register to +modify with the mouse and then entering a new value. Other more powerful +debuggers use a command line interface, you'll have to discover how your +debugger goes about this yourself. + +You can change the values of the registers while debugging a program in order +to change the behavior of the running program. 
Say you come across a JNZ +instruction (jump if not zero), that instruction makes the decision on whether +or not to make the jump based on the state of the (Z)ero flag. You can modify +the condition of the (Z)ero flag in order to alter the flow of the programs +code. + +By the same token, you can modify the general purpose registers in the same +manner. Say the AX register contains 0000, and the program bases it's actions +on that value, modifying the AX register to contain a new value will also have +the effect of modifing the flow of the code. After you become comfortable with +using a debugger you'll begin to appreciate just how powerful this window is, +and you'll aslo discover soon enough just how totally it can screw your +system. + + +DATA WINDOW: + +The data window will display data as it exists in memory. From this window you +can usually display, search, edit, fill, and clear entire ranges of memory. +The two most common commands for this window are display and edit. The search +command is also useful in cracking. But for the level of debugging I'll be +teaching you in this guide, we won't make much use of this window. You have a +lot to learn before this window becomes an asset to you. + + +CODE WINDOW: + +The code window is the window in which you will interact with the running +program. This is the most complex window, and it is where the bulk of +debugging occurs. I'll just go over some keystrokes and a few commands here, +as the majority of learning how to use this window will come when I show you +how to crack a program. + +The layout of the window is pretty simple, the group of 8 numbers with the +colon in the middle of them to the far left of the window is the +address:offset of that line of code. Each line of code in this window is an +instruction that the program will issue to the microprocessor, and the +parameters for that instruction. 
The registers that contain the address for +the current instruction waiting to be executed are the CS:IP registers (code +segment and instruction pointer). + +You will also notice a group of hex numbers to the right of the addresses, +this group of numbers is the hexadecimal equivalent of the mnemonic +instructions (pronounced new-mon-ik). The next group of words and numbers to +the right of the hex numbers are the mnemonic instructions themselves. + +HOTKEYS AND COMMANDS: + +Now we'll move onto the HOTKEYS. I won't go into all of them, only the most +useful ones, same for the commands. + +The RESTORE USER SCREEN KEY: This key will toggle the display between the +debugger and the program you are debugging without actually returning control +to the program itself. it's useful to check what the program is doing from +time to time, especially after stepping over a CALL. + +The HERE KEY: This key is the non-sticky breakpoint key. To use it, Place the +cursor on a line of code and hit it. The program will then run until it +reaches that line. When (and if) the program reaches that line, program +execution will halt, control will be returned to the debugger and the +breakpoint will be removed. + +The TRACE KEY: This key will execute one line of code at a time and will trace +into all calls loops and interrupts. + +The BREAKPOINT KEY: This is the sticky breakpoint key. This will enable a +permanent (sticky) breakpoint on the line of code that the cursor is on. When +a sticky breakpoint is enabled, program execution will halt and control will +be returned to the debugger every time that line of code is encountered within +the running program until you manually remove it. + +The SINGLE STEP KEY: The most used key on the keyboard. This key will execute +one line of code at a time but will not trace into calls loops or interrupts. 
+When you step over a call interrupt or loop with this key, all the code +contained within the sub-routine is executed before control is returned to the +debugger. If the program never returns from the sub-routine, you will lose +control and the program will execute as normal. + +The RUN KEY: This key will return control to the program being debugged and +allow it to execute as normal. Control will not be returned to the debugger +unless a breakpoint that you've set is encountered. + +Now for a few commands. The GO TO command functions like the HERE key in that +it will insert a non-sticky breakpoint at the specified address. + +When you enter this command the debugger will return control to the program +until the line of code you specified in the GO TO command is reached. When +(and if) the CS:IP registers equal the address you typed in, the program will +halt, control will be returned to the debugger and the breakpoint will be +removed. + +You might be wondering why you would want to type all this in when you can +just hit the HERE KEY instead. The answer is this; the HERE KEY is great if +you want to set a local breakpoint. By a local breakpoint I mean that the +breakpoint you want to set is somewhat close to your current location in the +program. + +But what if you want to set a breakpoint on a line of code that isn't in the +current code segment? You wouldn't want to use the HERE KEY cause the address +is no where near the point you are at in the program. This, among other uses +is where the GO TO command comes in. + +The ASSEMBLE command is the command you will use to re-write the programs +instructions. This command will allow you to assemble new instructions +beginning at the address you type in, or at the current CS:IP. The +instructions you enter will replace (in memory only) the existing program code +at the address you specified. 
This is another method you will use to alter the +running program to behave as you wish and not as the programmer intended it +to. + +EXAMPLE: Lets say that there is a line of code that reads JNZ 04FC, and we +want to change it to read JMP 04FC. You would issue the ASSEMBLE command and +specify the address of the code you wish to change, then type in JMP 04FC. +Now the line of code in the code window who's address you specified in the +ASSEMBLE command will be overwritten with the code you typed in. Some +debuggers automatically default to the address contained in the CS:IP for this +command. + +There are a whole host of other commands available in this window depending on +what debugger you are using, including commands to set breakpoints on +interrupts, memory locations, commands that list and clear breakpoints, +commands to un-assemble instructions etc etc... + +Well, that's pretty much it on debuggers without going into explicit +instructions for specific debuggers. The only other thing I can tell you is +that the more you use it, the easier it'll get. Don't expect to become +familiar with it right away. As with anything, practice makes perfect. It's +taken me 5 years and thousands of hours of debugging to reach the level I'm at +now. And I still learn something new, or re-learn something I forgot on just +about every program I crack. + + + +CHAPTER 3: SOME BASIC CRACKING TECHNIQUES +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +The first thing I want to do before going into some simple techniques is to +explain the purpose of one of the uuencoded cracking tools at the end of this +guide. And also to go over some general procedures you should perform before +actually loading a program you wish to crack into the debugger. + +Nowadays a lot of programmers will compress the executable files of their +programs to save space and to make it difficult for people who don't know any +better to hack those files. 
There are a lot of losers out there who will get +ahold of a program and lacking any skill or talent of their own, will load the +program into a disk editor and hex edit their name into it. Or they will make +other similarly feeble modifications. + +This is the reason I encrypt all of the cracks that I distribute. The routines +I write are not that hard to defeat, but I figure anyone with the skill to +crack them is far above having to hack their name into them... + +Ok, back to the file, the name of the program is UNP and it is an executable +file expander. It's purpose is to remove the compression envelope from +executable programs. And it supports most of the compression routines +currently in use... + +A lot of the compression routines will cause a debugger to lock up if you try +to step through the compressed file, especially PKLITE v1.15. And seeing as +how the file is compressed, if you load it into a disk editor it will just +look like a bunch of garbage and you'll not be able to find the bytes you want +to edit anyway. + +UNP is very easy to use, just type UNP [filename] and if there is any type of +compression envelope that UNP understands on the file, UNP will remove it. You +can then load the file into a debugger and hack away... + +But before you load a program into the debugger you should run the program a +few times and get a feel for it. You want to see how the protection is +implemented. Whether it's nag or delay screens and at what point in the +program they fist appear, or where in the program does the first mention of +being unregistered or an evaluation copy appear? + +This is important. Because before the program displays the first mention of +being unregistered, it has to do the protection check. and this is where you +will usually want to concentrate. Also look for registered functions being +disabled, and sometimes date expirations. The program could also be looking +for a registration key. 
+ +In the case of commercial software what type of copy protection is used? Is it +a doc check, or does the program want you to input a serial number before it +will install itself? Once you see how and where the offending routines are +implemented you can begin to develop an overall strategy on the best approach +to circumvent them. It's also a good idea to read the docs, you can pick up a +lot of useful info from doc files. + +There are basically three categories that shareware programs fall into... They +are begware, crippleware, and deadware. + +The begware category is comprised of programs that have all the registered +features enabled but every time you run them they will display screens that +bug you to register. This is usually the easiest form of protection to remove +and it's the type I'll go over in the walk through. + +The crippleware category is comprised of programs that in the unregistered +version have certain functions disabled, and maybe nag screens as well. This +type of protection can be more complex, but often times is just as easy to +defeat as a simple nag screen. + +The deadware category is comprised of programs that are totally stripped of +the code for the registered features so there is really nothing to crack. A +good example of this is DOOM by ID software. You can get the shareware version +just about anywhere, however no matter how much you hack at it you cannot make +it into the commercial version cause it only contains the code for the first +episode. + +The sample code fragments in this section are not taken from actual programs. +I just made them up off the top of my head while I was writting this guide, +and there are bound to be some errors in them. Please dont write me and tell +me this, I already know it. + +Most forms of copy protection have one weak spot, and this is the spot you +will concentrate on. They have to perform the protection check and then make a +decision based on the results of that check. 
And that decision is usually a +conditional jump. If the check was good the program will go in one direction, +if it was bad it will go somewhere else. + +So, you've run the program through a few times and you know at what point the +routines you want to modify first appear, you've also run UNP on it and have +removed any compression envelopes. Now you load the program into the debugger +and wonder what to do next... + +What you want to do is to step through the code until something significant +happens like a nag screen gets displayed, or a doc check comes up or the +program tells you that the function you just tried to use is only available in +the registered version. When you reach that point you can then start to +evaluate what portion of code to begin studying. + +Let's say you have a program that displays a nag screen and you want to remove +it. You step through the program until the nag screen pops up, you now think +you know the location of the instructions that are causing it to be displayed. +So you reload the program and trace back to a point a few instructions before +the call to the nag screen, and this is what you see: + +09D8:0140 CMP BYTE PTR [A76C],00 +09D8:0145 JNZ 014B +09D8:0148 CALL 0C50 +09D8:014B MOV AH,18 + +Now, let's assume that the memory location referenced by the first line of +code does indeed contain 00 and that it is the default value placed in there +by the programmer to indicate that the program is unregistered. + +The first line of code is checking the value contained in the memory location +to see if it is 00 or not. If the location does contain 00, the compare +instruction will cause the Zero flag to be set. If the location contains any +other value than 00, the Zero flag will be cleared. + +The second line of code makes the decision on how to proceed based on the +results of the compare instruction. The JNZ instruction will make the jump to +the fourth line of code if the zero flag is cleared. 
This will bypass the call +to the nag screen on the third line. If the zero flag is set, no jump will +occur and the call will be made. + +The third line of code contains the call to the nag screen. If it is executed +the nag screen will be displayed. The fourth line of code is just the next +instruction in the program. + +Once you have found and analyzed this piece of code within the program, you +can now decide on how to bypass the call on the third line. There is no single +way to do this. I can think of a half dozen different ways to patch the +program so it will not make the call. But there is a best way... + +First, you could just replace the JNZ 014B with JMP 014B. This is an +unconditional jump and it will bypass the call on the third line no matter +what the memory location that the first line of code is referencing contains. + +You could also change it to read JZ 014B so that the jump will be made if the +location contains 00, and not the other way around. You could even change the +CMP BYTE PTR [A76C],00 instruction to JMP 014B. + +Or you could just NOP out the call on the third line altogether seeing as how +it's a local call. By a local call I mean that the code contained within the +call resides in the same code segment as the call instruction itself. + +This is an intersegment call. You will see other calls that reference lines of +code outside of the current code segment. These are intrasegment calls, and +have to be handled differently. They will look something like CALL 0934:0AC5, +or CALL FAR 0002. I'll go over how to handle intrasegment calls later on. + +NOP is short for no op-code, and it is a valid instruction that the +microprocessor understands. It is only one byte in length, and the call +instruction is three bytes in length. So if you wanted to nop out the call +instruction you would have to enter the NOP instruction three times in order +to replace it. 
And if you replaced the CMP BYTE PTR [A76C],00 with JMP 014B, +you would have to pad it out with a few nop's as well. + +The compare instruction is 5 bytes and the jump instruction is only 2 bytes, +so you would have to add 3 nops in order to equal the length of the original +compare instruction. Otherwise you would throw off the address of every +instruction after it in the program and end up with a bunch of unintelligible +garbage. Not to mention a major system crash... + +When the NOP instruction is encountered no operations will take place and the +CS:IP will then be incremented to the next instruction to be executed. A lot +of compilers leave nop's in the code all the time and it's a great instruction +you can use to wipe out entire lines of code with. + +The above methods of bypassing the call are called 'dirty' cracks in that they +have only modified the end result of the protection check and have done +nothing to alter the actual protection check itself. + +All the techniques I showed you above are only implemented after the check is +made. They will bypass the nag screen, but what if the program also has +registered features that are disabled or displays another nag screen upon +exit? The above methods only remove the original nag screen and don't address +the reason the screen is being displayed in the first place. + +A much cleaner way to crack the above piece of code would modify the cause and +not the effect. And could be written like this: + + original code new code + +09D8:0140 CMP BYTE PTR [A76C],00 09D8:0140 MOV BYTE PTR [A76C],01 +09D8:0145 JNZ 014B 09D8:0145 JMP 014B +09D8:0148 CALL 0C50 09D8:0148 CALL 0C50 +09D8:014B MOV AH,18 09D8:014B MOV AH,18 + +Remember that the protection check is basing it's actions on the value +contained in the memory location that the first line of code is checking. The +original code displayed the nag screen if the value of that location was 00, +meaning it was unregistered. 
So that means a value of 01 indicates a +registered copy. It could be the other way around as well, it just depends on +how the programmer worded the source code. But we know in this case that +00=false so 01=true. These are Boolean expressions and most compilers use the +AX register to return these values. + +By changing the first line from CMP BYT PTR [A76C],00 to MOV BYTE PTR +[A76C],01 the program no longer performs the protection check. Instead, it +places the correct value in the memory location to indicate a registered copy. +Now if the program checks that memory location again later on it will think +that it is registered and activate all of it's disabled features, or not +display a second nag screen upon it's exit if it has one. + +I changed the second line of code to an unconditional jump because the compare +instruction on the first line no longer exists, and the conditional jump on +the second line may still access the call to the nag screen on the third line +if the Z flag was already set before the old compare instruction was +encountered. + +Don't think that all programs are this easy, they're not. I just +over-simplified this example for instructional purposes. And I really wouldn't +patch the code like that, although the last method should work fine for all +registered features to be enabled. Remember I told you there was a best way to +crack this? + +What I would actually do is to trace further back into the program and find +the line of code that sets up the memory location referenced by line one of +the code for the protection check in the first place and modify it there. This +is an example of a 'clean' crack. + +I just did it in the above manner to try and show you the difference between +clean and dirty cracks without totally confusing you. And to give you a +general idea on how to creatively modify existing code. 
+ +If you are using soft ice as your debugger, an easy way to find the +instruction that sets up the memory location for the protection check is to +set a breakpoint on the location when it gets 00 written to it. The syntax +would be BPM XXXX:XXXX W EQ 00, where XXXX:XXXX is the address of the memory +location referenced by the compare instruction on line 1. + +Now when the program wrote 00 to that memory location, soft ice will pop up +and the CS:IP will be sitting at the next instruction after the one that wrote +00 to the memory location. You will now be able to evaluate the code around +the instruction that writes to the memory location and decide on how to +proceed. + +This also could just be a general purpose location that the program uses for +generic references (especially if it's in the stack segment), and it could +write 00 to it several times throughout the course of the program for a +variety of different functions. You should let the program run normally after +soft ice broke in to see if it will trigger the breakpoint again. If it +doesn't you know that the location is only used for the protection check. But +if the breakpoint gets triggered several more times, you will have to figure +out which set of instructions are being used to set up for the protection +check before proceeding. + +The above examples were based on shareware programs. Now I'll go over a few +techniques to remove copy protection from commercial games that have doc +checks in them as the methods are slightly different... + +shareware programs are usually coded so that they check a variable in memory +before deciding if they are registered or not and how to proceed. Commercial +games with doc checks take a different approach as they check nothing before +calling the copy protection. It always gets called every time you play the +game no matter what. As a result, the doc check routine is usually easier to +find, and there are basically two types of doc checks... 
The passive check, +and the active check. + +The passive doc check is easier to defeat than the active. In the passive doc +check, the program will issue a call to the copy protection routine. And if it +is unsuccessful will either abort the program, or loop back to the beginning +of the routine and give you a few more tries before aborting. The entire +protection routine will be included in a single call, so merely nopping out +or bypassing the call will be sufficient to remove the copy protection. + +A few good examples of this are Spear of Destiny by ID, and the Incredible +Machine by Sierra. Yes I know that they are old, but if you happen to have a +copy of either one laying around they are excellent examples of passive doc +checks to practice on. + +Look at the following piece of code: + +0277:01B5 MOV [AF56],AX +0277:01B8 PUSH BX +0277:01B9 PUSH CX +0277:01BA CALL 0234 +0277:01BD POP CX +0277:01BE POP BX +0277:01BF JMP 0354 + +The first three lines of code are just setting up for the call, the call on +the fourth line is the protection check itself. It will display the input +window asking for a word from the manual, will perform the protection check, +and will display an error message if you input the wrong word. It can also +optionally give you a few more tries if you type in the wrong word. + +If you fail the protection check, the program will abort without ever having +returned from the call. The fifth, sixth, and seventh lines are the next +instructions to be executed if the protection check was successful and the +program returns from the call. 
+ +This type of protection is trivial to defeat, all you have to do is the +following: + + original code new code + +0277:01B5 MOV [AF56],AX 0277:01B5 MOV [AF56],AX +0277:01B8 PUSH BX 0277:01B8 PUSH BX +0277:01B9 PUSH CX 0277:01B9 PUSH CX +0277:01BA CALL 0234 0277:01BA NOP +0277:01BD POP CX 0277:01BB NOP +0277:01BE POP BX 0277:01BC NOP +0277:01BF JMP 0354 0277:01BD POP CX + 0277:01BE POP BX + 0277:01BF JMP 0354 + +Simply nopping out the call to the protection routine will be sufficient to +crack this type of doc check. No window asking for input will appear, and the +program will continue on as if you had entered the correct word from the +manual. Remember that I told you that the NOP instruction is only one byte in +length, so you have to enter as many nop's as it takes to equal the length of +the code you are modifying. + +The active doc check is more complex. The program will issue the check and +unlike the passive protection, will set a variable in memory somewhere and +reference it later on in the program. + +You can crack this type of protection somewhat using the methods for the +passive check and it might run fine for a while. But if you didn't crack it +right, later on when the next episode gets loaded or you reach a crucial point +in the game, the program will reference a memory location and bring up the +copy protection again, or abort. This type of protection is more akin to how +most shareware programs operate and MUST be done with a CLEAN crack. 
+ +Look at the following piece of code: + +0234:0B54 MOV CX,0003 ;Sets up to give you three tries +0234:0B57 DEC CX ;deducts one for every time through the loop +0234:0B58 JCXZ 031A ;when CX=0000, program will abort +0234:0B60 PUSH CX ;just setting up for the call +0234:0B61 PUSH DS ; " " +0234:0B62 PUSH ES ; " " +0234:0B63 CALL 035F:112D ;call to input window and validation routine +0234:0B68 OR AL,AL ;seeing if check was successful +0234:0B6A JNZ 0B6E ;yes, continue on with the program +0234:0B6C JMP 0B57 ;no, set up for another try +0234:0B6E CALL 8133 ;next line in the program if check was good + +The above code is the outer loop of the protection routine. Look at the call +on the seventh line and the compare instruction on the eighth line. When the +call to the input routine or in the case of shareware, the check routine is +paired with a compare instruction in this manner, You can bet that the program +set a memory variable somewhere inside the call. Especially suspicious is the +unconditional jump on line 10 that jumps backwards in the code. + +This won't always be the case as no two programs are alike, and simply +changing line 9 of the code from JNZ 0B6E to JMP 0B6E to force the program to +run even if you fail the doc check may allow the program to run just fine. +Let's say that this is how you patched the program and it runs. Great, your +work is done... But what if before the first level loads, or at some other +point within the program the input window pops up again asking for a word from +the manual? + +You realize that you should have patched it right in the first place as you +now have to go back in there and fix it. This is why so many groups have to +release crack fixes, they patch the program in a hurried manner and don't even +run it all the way through to see if it's going to work. + +Ok, back to the problem at hand... 
The above method of patching the program +didn't work, so you now have to load the program back into the debugger and +trace into the call on line seven to see whats going on in there. And you +can't NOP this kind of call out either, this is an intrasegment call. + +Certain things in programs get assigned dynamic memory locations, and +intrasegment calls are one of those things. When the program gets executed, +the code segment, data segment, extra segment, and stack segment get assigned +their respective addresses based on the memory map of your computer. + +And when a program does a FAR call (a call to a segment of memory outside the +current code segment), The program goes to the address that was assigned to +that segment at run time. The CS, DS, ES, and SS will be different on every +computer for the same program. + +And seeing as how these addresses don't get assigned until run time, the +actual bytes for the addresses of far calls don't exist in the program file as +it resides on your disk. That's why you can't just NOP a CALL FAR instruction +out. + +However, the bytes for calls that are within the same segment of code as the +calling instructions themselves will be contained within the file as it +resides on disk. And that is because even though the program doesn't get the +addresses for the actual segments until run time, the offsets within those +segments will always be the same. + +Back to the example, let's say you've traced into the call on line seven and +this is what you see: + + +035F:112D MOV [324F],BX ; +035F:1131 CMP BYTE PTR [BX+06],03 ; just some error checking +035F:1135 JNZ 0339 ; + +035F:1137 CALL F157 ; call to the input window that + ; asks you to type a word in from + ;the manual + +035F:113A MOV DI,[0332] ; this routine is comparing the +035F:113D MOV ES,DX ; word you typed in to a word +035F:1140 MOV DS,BX ; in memory that the program is +035F:1144 MOV SI,[0144] ; referencing. 
As long as the +035F:1148 MOV CX,[0097] ; bytes match the loop will +035F:114C REPE CMPSB ; continue. + +035F:114F JCXZ 1154 ; This is the routine that sets +035F:1151 JMP 1161 ; the memory variable. 01 will be +035F:1154 MOV AX,0001 ; placed in it if you typed in +035F:1159 MOV [0978],AX ; the correct word. 00 will be +035F:115E JMP 116B ; placed in it if you typed in +035F:1161 MOV AX,0000 ; the wrong word. +035F:1166 MOV [0978],AX ; + +035F:116B POP ES ; setup to return from call +035F:116C POP DS ; " " +035F:116D POP CX ; " " +035F:116E RETF ; return from call + + +Again, this code is over simplified as I figured all of the code would be +overwhelming and really is not needed to get my point across. And as I've +stated before, every program will be different anyway, so the actual code +wouldn't help you. Instead, I want to give you a general overview on what to +look out for. + +So, what do you think is the best way to patch the above piece of code? Take a +few minutes to study the code and formulate some ideas before reading on. Then +compare your methods to mine. And remember, as with any code there is no +single way. But as always, there is a best way... I'll go over few of them one +at a time, starting with the dirtiest and finishing up with the cleanest. + +The dirtiest crack for this piece of code also happens to be the method you +will use to nop out intrasegment calls. It really isn't nopping out, but +seeing as how you can't nop it out, just let the program make the call and +change the first line of the code within the call to RETF. This will return +from the call without ever having executed any of the code contained within +it. + +In the case of registers needing to be restored as in the above code, change +the first line of code to jump to the part of the routine that restores the +registers for the return. 
However, in the above example if you use this method +and just return from the call without executing any of the code, you will also +have to patch the outer loop as well. + +Remember that this call only displays the input window and sets the memory +variable. The outer loop of the routine makes the decision on how to proceed +based on the results of the call. + +To do this, you would change line one of the call from MOV [324F],BX to JMP +116B. This will restore the registers and return from the call without ever +having executed any of the code within the call. But seeing as none of the +code got executed, you'll have to patch line 9 of the outer loop from JNZ 0B6E +to JMP 0B6E as you now need an unconditional jump to force the program to +continue. This doesn't address the problem of the memory variable though, and +the program won't be completely cracked. That's why if you did it like this +you would end up releasing a fix. + +A cleaner crack would be to change line 11 of the call from JCXZ 1154 to JMP +1154. Now when the window pops up and asks for a word, it will set the correct +memory variable and the program will run no matter what word you type in. This +method is still not desirable because the end user will get the input window +and have to type something every time they play the game. + +The cleanest way to crack this, and the way I would do it is to change line 4 +of the call from CALL F157 to JMP 1154. This method will totally bypass the +input window, place the correct variable in memory and return from the call +without the end user ever having seen even a hint of copy protection. + +With this method, the outer loop does not need to be patched cause the program +now thinks that it displayed the input window and the correct word was typed +in. Now when the program checks that memory variable later on, it will think +that you successfully passed the original check and skip the second protection +check. 
+ +There is also an added benefit to the last method... Some games will bring up +the protection check between each and every level of the game even though you +type the correct word in every time. But if you've completely killed the +routine as in the last example, you'll never be bothered by it again no matter +how many times the program tries to bring it up. + +Please be aware of the fact that these are not the only methods that +programmers will use in copy protection schemes. These are just the basics and +there are several variations on these routines. The only way to be able to +know what any given routine is doing at any time is to master assembly +language. + +Before we move onto the walk though, there is one other technique I want to go +over with you. And that is how to get out of a loop. You will get stuck in +loops constantly during the course of debugging a program and knowing how to +get out of them will save you a lot of time and frustration. You will find +that programs contain loops within loops within loops etc... Some loops can +execute hundreds of times before the program will advance, especially ones +that draw screens. + +When you realize that you are stuck in a loop, execute the loop several times +and keep an eye on the highest address the loop reaches before jumping +backwards within the code. Once you have found the end of the loop, write down +the address of the jump that re-executes the loop, and then look for +conditional jumps inside the loop that will put you past the address of that +backwards jump. You will want to set a breakpoint on the address this +instruction jumps to and then let the program run normally. The HERE KEY is +excellent for this type of situation. + +If you guessed right, control will be returned to the debugger when the +program reaches that instruction. If you guessed wrong, you will lose control +of the program and will have reload it and try again. 
This is where writing +down the address comes in handy, just reload the program and then issue the GO +TO command and supply it the address of the backwards jump that you wrote +down. + +The program will run until it reaches that address and control will then be +returned to the debugger. This will save you from having to trace all the way +through the code again in order to reach the point where you lost control of +the program in the first place. You could just use sticky breakpoints instead, +but what you will end up with is a half dozen or so breakpoints in as many +different locations in the code, and it's very easy to loose track as to which +breakpoint is which. + +That's why I use non-sticky breakpoints and write down the address I'm +currently at before executing suspicious looking calls and jumps. My desk is +usually scattered with scraps of paper filled with notes and addresses. I only +use sticky breakpoints for specific situations. It's much easier to just +reload the program and use the GO TO command to get back to the point in the +program where I lost control. + + + +CHAPTER 4 WALK THROUGH OF AN EASY CRACK +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +First of all, I want to go over some of the criteria I used in choosing the +program I used for the walk through. An important factor was the programs +size. I want to keep this manual as small as possible, and I chose the program +that is included in this guide because among other things it is the smallest +one I could find that best illustrated the example of a simple nag screen. + +Whether or not the program was one that you would actually find useful was not +a consideration, as you should eventually be able to crack just about any +program you wish if your serious about cracking. If you come across a program +that has you stumped, leave it alone for a while and then try again after +you've cracked something else. 
You may find that whatever you were having +problems with is now easier to understand. + +Before we start I want to go over one other thing. When you load a program +into a debugger, the debugger will load the program and halt at the very first +instruction to be executed within the program. You can also at this point let +the program run normally and then break back into it at a later point. + +When you use the second method it will halt the program at the current +instruction and return control to the debugger, but you may not end up in the +program itself. You could have broken into the program while it was in the +middle of executing either a DOS or BIOS interrupt, and the code you are in +belongs to either DOS or BIOS and not the program you are debugging. + +You can tell by looking at the addresses of the instructions in the code +window where you are, low segment addresses indicate you are in DOS, and +addresses that start with FXXX indicate a BIOS routine. + +If you break into the program while it is in one of these interrupt routines +you will have to trace your way back into the programs code, this will usually +be indicated by an IRET (interrupt return) instruction. When you do get back +to the program code, you will then have to trace your way back to the top of +the call that issued the interrupt you broke into. Then you may also have to +trace back to the top of that call, and to the top of that call, etc etc, +until you reach the top level of the program. After you've done this a few +times you'll begin to recognize when you've gotten back to the main flow of +the program... + +On the other hand, when you load a program into the debugger and begin +stepping through the code from the very first instruction to be executed +within the program, you have the best picture on the overall flow of the +program as you are sitting on top of everything. + +But some programs don't access the copy protection until they are further +along in the code. 
In this case, it's best to let the program run normally and +then break into it at a later point. Otherwise, you will have a ton of code to +trace through before the protection routine is accessed, and this can become +quite tedious. Which method you choose will be determined after you've run the +program through a few times and decide how and where you want to break into +it. + +One last thing, DOS will always load a program into the same memory range +provided that no other programs are run in the interim. It's important that +you always boot with the same config files and don't run any other memory +resident programs between cracking sessions. + +If you load a program into the debugger and start tracing, then quit. And +before The next time you load that same program into the debugger, you boot +with a different config or load a memory resident program that you didn't have +loaded the first time you started cracking that program, the segment addresses +will change and the addresses you wrote down will be useless. This is because +the memory map of your computer will change. + +When I boot with my debugging config (when I use my DOS debugger, Windows +manages memory differently and these steps are not needed), the only things I +load are a mouse driver, 4DOS, my debugger and ansi.sys (needed for cracking +bbs doors). This way I'm assured that the program I want to crack gets loaded +into the same memory region every time I run it, providing I don't run any +other memory resident programs before loading the program to be cracked into +the debugger. + +Take soft ice as an example, if you load a program into it using LDR.EXE and +begin debugging, then later on you decide to just execute the program and +break into it without first loading it with LDR.EXE, the segment addresses +will change. 
That's because LDR.EXE is a program and using it will throw the +segment addresses off by one word as opposed to just breaking into an already +running program without first loading it with LDR.EXE. + +The program we will crack is budget minder, it is an extremely simple crack +(it took me about 2 minutes to crack it) and is ideal for the lesson on how to +remove nag screens from otherwise fully functional programs. It also deals +with intrasegment calls, so it serves a dual purpose. That's another reason I +chose it for the lesson. + +From now on, when I say step, step through, or step over, I want you to use +the SINGLE STEP key. When I say trace, I want you to use the TRACE key once +and only once!!!! The TRACE key is a highly specialized key and is not +intended to be used multiple times like the SINGLE STEP key. If you don't +follow these instructions, your gonna get lost... + +OK, once you've run budget minder a few times you will notice that it displays +a nag screen before the main program is executed. You will also notice that +this nag screen is the only type of protection that the program has. It +doesn't contain any features that are disabled, nor does it display an +additional nag screen upon exit. + +It's okay to apply a dirty crack to this program as all you want to do is kill +the nag screen, so you have a little more leeway on how to patch it. And if +you want to try different methods of patching it than the ones I give, it +should still work fine. + +That was the most important factor in my decision to use this program for the +lesson. I wanted to walk you through a program so you would become comfortable +with it's flow, and I also wanted the program to be easy enough so that once +you became familiar with it, there was enough room for you to experiment and +try out your own methods. + +In this case, it's best to load the program into the debugger and start +stepping through it right away. 
The protection is implemented very close to +the beginning of the program, and this method of loading the program will put +you right on top of everything. + +Allowing the program to run and breaking into it later on will not serve any +useful purpose. You'll just end up having to trace your way back to the top. +Besides, the nag screen comes up so fast you'll probably miss it if you try +the second method anyway. + +Before you load it into the debugger, run UNP on BUDGET.EXE... AHA! The file +was compressed with EXEPACK. It's now ready to debug as you've removed the +compression envelope. Just for the hell of it, run UNP on it again. I've come +across a few programs that have had multiple compression routines on them. If +it shows up negative, your set to go. + +Now load BUDGET.EXE into the debugger, the program will be sitting at the +first instruction to be executed awaiting your next command... Use the SINGLE +STEP key to start stepping through the code and keep an eye on the +instructions as you are stepping through them. + +Shortly you will come to a couple of calls, before you step over the first +one, write down it's address. Now step over the first call with the SINGLE +STEP key. Nothing happened, so you have to continue stepping through the code. +But if something did happen when you stepped over this call like the nag +screen being displayed or if you lost control of the program, you could just +reload the program and issue the GO TO command to get back to that point using +the address you wrote down. + +Step over the second call, nothing again. Ok, keep stepping through the code +and keep an eye on the instructions. You will encounter a third call about 6 +instructions or so after the second call, step over it with the SINGLE STEP +key... Bingo, you have found the call to the nag screen. Hit a key to exit the +nag screen and you will now be sitting in the main program screen. + +But you no longer have control of the program. 
Remember I said you would loose +control if you step over a call loop or interrupt and the program never +returns from it? Hopefully you wrote down the address of that last call before +you executed it. Now you can just quit out of the program and reload it. Then, +once it's reloaded, issue the GO TO command to get back to the call without +having to trace your way back there. So go ahead and do this before reading +on... + +Ok, we are all back at the third call. It's address will be CS:0161, remember +that the segment adresses will always be different for every computer, but the +offsets will be the same. So from now on I'll write the addresses in that +manner... + +We know that the last time we executed this call, the program never returned +from it. So now we are going to have to trace into it for a closer look. Trace +into the call with the TRACE key, don't use the SINGLE STEP key this time or +you'll loose control again. + +You will now be inside the code for that call, start stepping through it again +with the SINGLE STEP key, you will see some calls. Better write down your +address before you step over them. + +Step over the first two calls, nothing... Use the RESTORE USER SCREEN key to +toggle the display between the debugger and the program. Still a blank screen, +so nothing important has happened yet. Now toggle the RESTORE USER SCREEN key +to get the debugger screen back and continue stepping through the code. + +You will see another call and some more code, just step through them until you +reach the RETF instruction and stop there. Toggle the display with the RESTORE +USER SCREEN key, the screen is still blank... + +But we executed all of the code within the call and are ready to return +without anything happening. The nag screen didn't get displayed nor did we +loose control and end up in the main program, How come? + +Step over the RETF instruction with the SINGLE STEP key and you'll see why... 
+The address that we return to is not the next instruction after the original +call. Part of the code within the call we traced into revectored the return +address for the original call and sent us to an entirely different location +within the program. + +This is why we lost control when we first stepped over the call, the debugger +was expecting the program to return to the next instruction after the original +call, but it never did... + +So the instruction that we returned to was not the original line of code that +was expected, instead we are at another far call. If you haven't gotten lost +you should be at CS:0030 CALL CS:28BC. + +Write down the address of the CS:IP and then step over this call with the +SINGLE STEP key, there is that annoying nag screen again. Hit a key to exit +the nag screen and control will be returned to the debugger. This time the +program returned from the call and you are in control again. So you now know +that this call is the one that displays the nag screen and it is the one you +want to kill. + +Hit the RUN key and let the program run, now quit out of it from the main +program screen and reload it into the debugger. Use the GO TO command and +supply it the address for the call to the nag screen. + +Ok, now lets see if the program will run or not if we don't execute the call +to the nag screen. The call is at CS:0030 and the next instruction after the +call is at address CS:0035... A quick way to jump past this call without +executing it is to just increment the instruction pointer register to the next +instruction. + +In this case we want to manipulate the IP register, and we want to set it to +point to the instruction at CS:0035 instead of the instruction it is currently +pointing to at CS:0030. You are going to have to figure out the command on how +to do this with the debugger you are using yourself. + +If you are using turbo debugger, place the mouse cursor on the line of code at +CS:0035 and right click the mouse. 
A window will pop up, then left click on +new IP, or increment IP. If you are using soft ice, type rip=0035 and hit +enter. Any other debugger, I have no clue... + +Now that we've moved the IP past the call to the nag screen let's see if the +program is going to run. Hit the RUN key, this time the nag screen doesn't +come up, instead you are brought right into the main program screen. + +It looks like getting rid of that call is going to do the trick. Now that we +know the program will run without making that call, it's time to decide on how +to patch the program so the call is never made again. + +Think back to the original call we traced into for a minute, that call was the +one that revectored the return address and brought us to the call to the nag +screen. Therefore, it's reasonable to assume that that call is the protection +check, and it might be a good idea to have another look at it. + +Before we do that there is one other thing I want to show you, and that's how +to allow the program to make the call to the nag screen and return from the +call without executing any of the code contained within it. + +This isn't the method we will use to patch this program, but it's an important +concept to grasp as you'll end up doing it sooner or later on some other +program anyway. Remember that this is a far call and you can't just nop it +out. + +Quit the program, reload it, and get to the address of the call to the nag +screen. Last time through we just incremented the IP to bypass it. Now we will +trace into it to see what it is doing. + +Hit the TRACE key and trace into the call. Now start stepping through it with +the SINGLE STEP key, don't bother writing any addresses down for now. There +are several dozen calls in this routine along with shitloads of other code. + +Toggle the display with the RESTORE USER SCREEN key after you step over a few +of the calls and you will see that the program is in the process of drawing +the nag screen. 
+ +Keep stepping through it and you'll see more and more of the screen being +drawn as the code progresses. This is getting boring, so stop stepping through +the code and start scrolling the code window down with the down arrow key and +watch the code. If you are using soft ice, the F6 key toggles the cursor +between the code and command windows, and the cursor must be in the code +window in order to scroll it. + +What you are looking for is the RETF instruction as this is the end of the +call. Keep scrolling, I told you this call had a ton of code in it. When you +do find the RETF instruction write down it's address, it is CS:2B0E in case +your having trouble finding it. Ok, you've got the address of the RETF far +instruction written down so now just let the program run, quit out of it, +reload it, and get back to the call for the nag screen. + +You should now be sitting at the call to the nag screen, trace into it and +stop. The first instruction of the call is MOV CX,0016 and this is where the +CS:IP should be pointing to. What we want to do now is to jump to the RETF +instruction and bypass all of the code within the call itself. So let's +re-assemble the MOV CX,0016 instruction and replace it with a new one. + +First, make sure you are at this instruction, if you've traced passed it your +gonna have to reload the program and get back to it... OK, we are all sitting +at the MOV CX,0016 instruction and it's address is contained in the CS:IP +registers. + +Now ASSEMBLE JMP 2B0E (the offset address of the RETF instruction) and specify +the address of the CS:IP. The MOV CX,0016 instruction will be replaced with +JMP 2B0E. And seeing as how both of these instructions are the same length we +didn't have to pad it out with any nop's. + +Now hit the RUN key, you are brought into the main program and the nag screen +didn't get displayed! We allowed the program to make the call, but we didn't +allow any of the code within the call to be executed. 
And as far as the +program is concerned, it made the call and the nag screen was displayed. + +Now let's go back and take another look at the call that we suspect is the one +that contains the protection check itself. Reload the program and go to the +original call that revectored the return address, now trace into it. I've +traced into the calls that are contained in here and they are setting up the +addresses for the RETF instruction at the end of this call among other things. +You don't need to trace into them as you might not understand what's going on, +but if you feel up to it, go right ahead. + +What I want to concentrate on are the last four lines of code in the call as +they are the ones that finally set up the address to return to. Step through +the code until you are at CS:00A8 and take a look: + +CS:00A8 8B04 MOV AX,[SI] DS:SI=0000 +CS:00AA 053000 ADD AX,0030 +CS:00AD 50 PUSH AX +CS:00AE CB RETF + +The first instruction is loading the AX register with the contents of the +memory location that the SI register is pointing to. And you can see by +looking at the memory location that the DS:SI pair is pointing to that it +contains 0000. (this is where the display command and data window come in +handy). + +The second instruction is adding 0030 to the contents of the AX register. + +The third instruction is placing the contents of the AX register onto the top +of the stack. + +The fourth instruction is returning from the call, and where do you think that +the RETF instruction gets the address for the return? Yep, you guessed it, it +gets it off the top of the stack. Funny that the instruction right before it +just placed something there isn't it? + +Also funny is that it happens to be the address of the nag screen. Look at +what is being added to the AX register on the second line of code. Boy that +sure looks like the offset address to the nag screen to me. 
+ +Remember that the next instruction after the nag screen is CS:0035, now look +at the first line of code. The contents of the memory location it's +referencing contains 0000, and I'll bet that if your copy was registered it +would contain 0005 instead. + +Why? because if the first instruction placed 0005 in the AX register, when the +second line of code added 0030 to it, you would end up with 0035 which happens +to be the address of the next line of code after the nag screen. + +Then the third instruction would place 0035 on the stack and that is where the +RETF instruction would go to. If this were the case, the nag screen would +never get displayed... + +Well, what do you think we should do? We could trace further back in the +program and try to find the instructions that place 0000 in that memory +location and modify them to place 0005 in there instead, but this process is +somewhat involved and I don't want to throw too much at you at once. + +Instead, I have an easier solution. Seeing as how the memory location will +always contain 0000, why don't we just change the ADD AX,0030 instruction to +ADD AX,0035? This should get the correct address placed on the stack for the +RETF instruction to bypass the nag screen... + +Let's try it and see how it works. SINGLE STEP through the code until the +CS:IP is at the instruction ADD AX,0030. Now, ASSEMBLE the instruction to read +ADD AX,0035 and hit the RUN key. We are placed in the main program screen +without any stinkin' nag screen getting displayed! + +Congratulations! you have just cracked your first program :) Try other methods +of patching the program besides the ones I went over. The next chapter will +deal with how to make the changes you've made permanent. + + + +CHAPTER 5 HOW TO USE THE DISK EDITOR +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +Ok, we cracked budget minder in the debugger and know it's going to work. Now +we need to make those changes permanent. 
The first thing we have to do before +we load the file into the disk editor is to create a search string. + +So we are going to have to reload budget.exe into the debugger and trace back +to the location where we want to make the patch in order to get the hex bytes +of the instructions we want to search the disk file for. + +Load budget.exe back into the debugger and trace back to the last four +instructions of the original call that revectored the return address. You +should be looking at this: + +CS:00A8 8B04 MOV AX,[SI] +CS:00AA 053000 ADD AX,0030 +CS:00AD 50 PUSH AX +CS:00AE CB RETF + +The group of numbers to the right of the addresses are the hexadecimal +representations of the mnemonic instructions. These are the bytes that we will +use for our search string. So write them down beginning from top left to +bottom right so you end up with this: 8B0405300050CB + +This is the byte pattern that we will search for when we load the file into +the disk editor. We have a search string, but we also need to make a patch +string as well. In order to do this, we will have to assemble the new +instructions in memory, and then write down the changes we've made to the +code. + +So ASSEMBLE ADD AX,35 and specify the address for the old ADD AX,0030 +instruction. The new code should look like this: + +CS:00A8 8B04 MOV AX,[SI] +CS:00AA 053500 ADD AX,0035 +CS:00AD 50 PUSH AX +CS:00AE CB RETF + +Notice that we only re-assembled the second line of code and that is the only +difference between the new code and the original code. So what I want you to +do is to write down the changes under the old code it replaced so it looks +like this: + + 8B0405300050CB <-- search string + ^ + 5 <-- patch string + +Now we are all set to load the file into the disk editor. We have a string to +search for and another one to replace it with. Load budget.exe into your disk +editor, select the search function, and input the search string. 
+ +NOTE: some disk editors default to an ASCII search so you may have to toggle +this to hex search instead. If your in the wrong mode, the disk editor will +not find the byte pattern your looking for. + +Once the disk editor finds the byte pattern of the search string, just replace +the bytes of the old code with the bytes to the new code and save it to disk. +The program is now permanently cracked. + +Sometimes however, the code you want to patch is generic enough that the +search string will pop up in several different locations throughout the file. +It's always a good idea to keep searching for the byte pattern after you've +found the first match. If the disk editor doesn't find any more matches your +all set. + +If the string you are searching for is contained in more than one location and +you patch the wrong one the crack will not work, or you will end up with a +system crash when you run the program. In this case, you'll have to reload the +program back into the debugger and create a more unique search string by +including more instructions around the patch site in the search string. + +One last thing, you cannot include instructions that reference dynamic memory +locations in the search string. These bytes are not contained in the disk +file. So keep this in mind when you are creating your search strings... + +And the protection might not be included in the main executable either. If you +cannot find the search string in the main exe file, load the other program +files into the disk editor and search them as well, especially overlay files. +Fortunately for you, I've included a tool to help you do this. + + + + +CHAPTER 6 OTHER CRACKING TOOLS +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + +In addtion to UNP, there are several other tools that you can utilize to make +your job easier. 
These tools were not designed with the cracker in mind, but +they can be adapted to serve our purposes rather than the ones which they were +written for. + +UNP and other programs like it were written to remove the compression +envelopes from exectables so you would be able to scan those files with a +virus scanner among other things. If someone were to attach a virus to an exe +file and then compress it, the file for all intents and purposes would be +encrypted. Now when you downloaded that file and ran your virus scanner on it, +it might not find the virus. + +But crackers found a different use for these types of programs. We use them to +remove the compression envelope so that we can find the byte strings we want +to search the files for. I'm sure most of the programmers who wrote these +programs never intended them for this purpose. There are some out there though +that were written by crackers with this exact purpose in mind. + +Don't just rely on UNP as your only program to do this. No one program will be +able to remove evrything you come across. It's a good idea to start collecting +these types of programs so you have more than one alternative if you come +across a compressed file, and your favorite expander doesn't understand the +routines. Be aware though that some programs are actually encrypted and not +compressed. In this case the expander programs will prove useless. + +Your only recourse in this instance is to reverse engineer the encryption +routine while the program is decrypting to memory, and modify your search +string to search for the encrypted version of the bytes. Or you could write a +tsr patcher that impliments your patch after the program is decrypted to +memory. + +There is another category of programs you can adapt to your use and they work +in conjunction with the file expanders. These types of programs will scan +entire directories of files and pop up a window that displays which files are +compressed and what they are compressed with. 
They won't remove the +compression routines from the files themselves, but will only inform you which +files are compressed and which are not. UNP also includes a command line +switch to do this... + +Now instead of blindly running UNP on several different program files to see +if they are compressed or not, you can see at a glance if you even need to run +it at all. And if you do, you'll know exactly which files to run it on. This +is another time saving type of program and there are several out there, you +just have to look for them. + +Another type of program that you will find useful will scan entire +disks/directories/subdirectories of files for specific hex or ascii byte +patterns contained within those files, and this is the purpose of the second +uuencoded cracking tool contained in this guide. + +One method I use to determine if a shareware program is registerable or not +before actually loading it into the debugger is to use this tool. + +I usually will have it scan all the programs files and input the string REG. +This will show all files that contain the string unREGistered and REGistered. +If it returns a string that contains REGistered in a file other than the doc +files, I know the program can be made into the registered version. This is +just a quick check I do on programs that have certain features diabled to +determine if the program does contain the code for the registered version. + +An added feature of this program is that after you've cracked a program and +have a byte string to search for, you can run this program in hex mode and +input your search string. Now it will search all of the programs files and +return the name of the file that contains your search string, then you can +just load that file into the disk editor and make the patch. + +It will also let you know if your search string is contained in more than one +location within the file. 
Remember, if this is the case you'll have to reload +the program back into the debugger and create a larger search string by +including more instructions around the patch site. + +The programs name is SS303 and it's very easy to use, just read the docs for +it... + +These are the 'accessory' tools I use in cracking, there are several more out +there, I just don't have any use for them. And if you are dilligent, these are +all you'll really need as well. + + +CHAPTER 7 SOURCE CODE TO A SIMPLE BYTE PATCHER +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +As I've stated in the overview chapter, if you want to distribute your patches +you are going to have to write a patcher program. Simply releasing the patched +version of the program file is not desirable. For one thing it's illegal, +another consideration is size. Some files you patch will be 300K or more, and +this is quite a large crack to release. The patcher program included in this +guide is much much smaller, it will assemble to about 600 bytes or so, +depending on the size of your logo. + +And what if you want the end user to be able to register the program in their +own name? A patched .exe or .ovr file will not allow this. + +When you release a patch that you yourself wrote, you are not breaking any +laws. The program was written by you and is your intellectual property to do +with as you see fit, including making it available for public use. The person +breaking the law is the end user who will use it to illegally modify someone +elses intellectual property contrary to the licencing terms they agreed to +when they installed the program. Remember, it's not illegal to write and +distribute a crack, but it is illegal to apply a crack. + +That's why all of the programs I've included in this guide are shareware +programs in the original archives as released by the authors and have not been +tampered with in any way. 
I'm not about to release a modified version of +someone elses copyrighted property. The only thing I am doing is supplying you +with the original archive and the information on how to modify it if you wish, +this is not illegal. If you decide to take the program and modify it that's +your problem, not mine... + +This patcher routine is very simple, I wrote it about 5 years ago and it was +my very first patcher program. It is a brute force patcher in that it will not +do any error checking and blindly patch the program you specify with the byte +pattern you supply. This method has it's advantages and disavantages. + +The disadvantage to this method is that seeing how the program does not +perform any error checking it will patch the file specified with the +replacement string even if it's not the correct version of the program. If the +filename is the same, the patch will be applied. + +Let's say you crack a program called Ultimate Menu and the version number is +1.0, and the file you patch is called menu.exe. Now let's say a little while +later version 1.5 of the program comes out and someone who has your patch for +version 1.0 decides to run it on version 1.5 of the program. + +This byte patcher will not check the new menu.exe for any changes before +making the patch, it will just patch the program in the location you specified +with the string you supplied even if the code you want to change is no longer +there. This could very well be the case if the programmer has significantly +re-written the code between versions, and what will end up happening is the +file will be corrupted and probably crash the system when it is run. + +But this is also the advantage of my byte patcher. If the code to be replaced +is still in the same location in the new version, you'll not have to release a +new crack for each version of the program. Bear in mind that when I wrote this +program I was just starting out and didn't consider these possibilities. 
The +reason I included it in this guide was to give you an idea on how to write +your own patcher or to modify this one to suit your own purposes. + +The patcher program that I use now is extremely complex and would just confuse +the hell out of you. Basically what I do is to make a backup of the original +file I am going to patch and then patch the original file. Then I run my +patcher program on the two files, it compares the differences between the +original file and the patched one and saves them to a data file. I then +assemble a patch using the data file. + +What I end up with is a patch that will check the file you are running it on +to see if it is indeed the correct version before applying the patch. If it's +not, the patch won't be made. This method also allows me to make multiple +patches at different locations throughout the program. The byte patcher +included in this guide will only allow one string to be patched in one +location. But if you do a clean crack, that's all you'll usually need anyway. + +Ok. here is the source code to the patcher program, I've commented as much as +I could throughout the code to make it more understandable. I also wrote it to +be generic enough so that you can re-use it over and over simply by plugging +in certain values and re-assembling it. + +NOTE: the patch offsets are not the segment:offset adresses of the code as it +resides in memory, but the offset from the beginning of the disk file. 
+ +.model small +.code +ORG 100H +start: JMP begin + +;****************************************************************************** +; these are all the variables you set to crack a file, +; simply change the values and then assemble the program +;****************************************************************************** + +msb EQU 0000H ;the first part of the patch offset +lsb EQU 055AH ;the second part of the patch offset +cnt EQU 3H ;number of bytes in your patch +patch_data DB 'EB2E90',0 ;the byte string to be written +file_name DB 'go.pdm',0 ;the name of the file to be patched + +logo DB 'Cracked by Uncle Joe',0AH,0DH + DB ' -=W.A.S.P. 92=- ',0AH,0DH + +error1 DB 'FILE NOT FOUND',0AH,0DH + DB 'Make sure you have GO_CRACK.COM in the same',0AH,0DH + DB 'directory as GO.PDM',0AH,0DH + DB '$' + +error2 DB 'A fatal error has occured',0AH,0DH + DB 'the crack was not applied',0AH,0DH + DB '$' + +error3 DB 'GO.PDM has the read only attribute set',0AH,0DH + DB 'reset it before attempting to make the patch',0AH,0DH + DB '$' + +handle DW 0 + +;****************************************************************************** +; this procedure opens the file to be cracked +;****************************************************************************** + +open_it PROC near + MOV DX,offset file_name ;setup to open file to be + MOV AX,3D02H ;cracked + INT 21H + JNC done ;if successful, continue + + CMP AX,05H + JZ read_only + MOV AH,09H ;else display error message + MOV DX,offset error1 ;and exit + INT 21H + JMP exit +read_only: MOV AH,09H + MOV DX,offset error3 + INT 21H + JMP exit + +done: MOV handle,AX ;store the file handle for + RET ;use later and return +open_it ENDP + +;****************************************************************************** +; this procedure sets the file pointer to the patch location +;****************************************************************************** + +move_it PROC near + MOV AH,42H ;setup to move the file + MOV AL,00H ;pointer 
to the patch site + MOV BX,handle ;load the file handle + MOV CX,msb ;the first part of offset + MOV DX,lsb ;and the second part + INT 21H ;move the pointer + JNC ok ;if successful, continue + + MOV AH,09H + MOV DX,offset error2 + INT 21H ;else print error message and + JMP exit ;exit +ok: RET +move_it ENDP + +;****************************************************************************** +; this procedure writes the crack to the file and closes it +;****************************************************************************** + +patch_it PROC near + MOV AH,40H ;setup to write the crack + MOV BX,handle ;load file handle + MOV CX,cnt ;load number of bytes to write + MOV DX,offset patch_data ;point DX to patch data + INT 21H ;make the patch + + JNC close_it ;if successful, contintue + MOV AH,3EH + INT 21H + MOV AH,09H ;if not then something + MOV DX,offset error2 ;is wrong, disk may be write + INT 21H ;protected. If so, print error + JMP exit ;message and exit + +close_it: MOV AH,3EH ;crack was successful + INT 21H ;close file and return + RET +patch_it ENDP + +;****************************************************************************** +; the main program +;****************************************************************************** + +begin PROC near + CALL open_it ;open file to be patched + CALL move_it ;move pointer to patch site + CALL patch_it ;make the patch and close file + MOV AH,09H + MOV DX,offset logo ;display logo + INT 21H + +exit: MOV AX,4C00H ;and exit + INT 21H +begin ENDP + + END START + + + + +CHAPTER 8 CONCLUSION +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +Hopefully this guide has been useful in helping you understand the cracking +process. It is by no means an all inclusive guide, the main goal I had in mind +when I wrote it was to give beginners a push without confusing the hell out of +them. 
+ +It is not feasable to try and include all of the tricks of the trade that a +beginner might find useful into one single guide, nor would I want to do this. +For one thing, this guide would be ten times the size it is now, and even then +it would not be an encyclopedia of what to do for every situation. If your +serious enough about cracking, you will discover enough tricks and develop +your own methods as you progress. And you have to be creative! What works in +one situation may not work again in a similar one. + +Instead, I tried to give you a general idea on how a programs code might +operate and what to look for. A successful cracker is not someone who +memorizes a specific set of actions to perform on a specific piece of code. A +successful cracker is someone who understands the flow of the code, and how to +adapt his methods to successfuly re-write the programs code to behave as he +wishes and not as the programmer intended it to. There are no set rules for +this, the very nature of the PC won't allow it. + +If you have any questions about cracking or are stumped by something, drop me +a note at an575063@anon.penet.fi, I'll be glad to give any advice I can. Or if +you simply just wish to discuss cracking techniques or anything of that +nature. + +NOTE: Do NOT mail me and ask me to crack programs for you! I'm not interested +in cracking for the masses. If you need something cracked, learn how to crack +it yourself. If you are unwilling to learn how, then register it. + + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +section 1 of uuencode 4.13 of file UNP411.ZIP by R.E.M. 
+MWX1!7.X_XY/`J?QV8*K-0J#OC#61F=XM8($.J3$W+;W7PP7D.(6H)F5?CE1R# +M$Y9UM;+LJ2:534U3I!7'+C*??P3YG6UY-?+:G(]WPB0T28&^2^JP7*.N2SQ<\8/0.I1'\BRZQ)4O5Q1UC +MP2K+X\L-P8LQPPI>@#2H=`'+!(EKW4`[F(N;@Q4Z^#EBGT$NHGV]_-0-\20.> +MV%HU(=6&:JV/]K4V1%NJ)MH:$'Z#M')4A6!L%8(SKL@6NER9TD:6*`1)-N4PK';8$\'K:S=#TF$J_R=WSO0'54^7D7CQB"@<2-P2VJUTB!D: +M[9\Y-8=K/+C_KN:#_`L,Z_$![9/ZQ'4DKPRGK0&TL#Z+#&]B%]?X,%RR1J,VZ +M:.WY[@*4XL#&B6B/I(>Q-E?XM,U[K+1V@1R^ZW=-GK5(\B\<8A^`_;XG,_&[S +MU;[O%U)R)E[FE+W&1X"RG"#`*$NIX,M/UFP*_$O.S.PDV.+5\Z8]R5^>$L@49 +M*?]RI?`[ZS=*UM`P**N=F'1H'L[Z>] +M"-&<,QW^&@5\8AS`OLB#QW]AQ'<'`=\9N/+],CU\4F6>MD@;1F:E>+2(D=`K= +M>-W;M/RIM>F5YPJ'D,/!K\'8FCHDY\/')&AW7L/,JJG&'GX37.>*%WKR"4D"VM4ZLO*PS9-:EQ +MX;;(Q#CPPZ)&G3"R^$HC[LGV8G?*SCBE)95POQ!X`XHS;#3>F+7Y3?]OA5XB+ +MQWW92R^-V^OXG^A/I2*F56.0[MO0N48#C@,!QN^;^4^!K?TIT$L)+8/=W)!$P +M[YWCZV4`#^B$>5X#[2/A#P^7G[N'6>S:_W#\^DG=YG<6IW-V?!+<=RZ!=LSO0 +M.)"G7IYUVN-7%+^872JT.$3S^51N63-+$;'6#1YKL,-L1T9U7%*UE7`^8/3U* +M,E=$_[9S/E\+H.TV@*O2*.A(1BKR,]\"6-W]IS3^[F9RS+E9N]#Q;)4[2-A5) +M2L;[75>*:%ZOOB1H[W:#,O-^-VY(5\M\_K`@6DL1)UBBH.L.TUSM(P[?\H'=C +M#2Z^=F*8ZZ<5)_Y(5&HWD71,@Z@H:!7MY5*S41>$=TX3>OIX&PVNZ6M\@=1=- +MA51#YK>]*P>P?:3 +M^*SM=%4^TE;#A7=ZTQDPW8U#9'A$_9Y<])MG$0O%P3W8NWPPK!#HV,DV>'=9; +M25/088_.)ESG#[2=_N;ROY)Z50N9TH2VSYV82:??6)"P),P86`G!["7_S!N`R +MMW@/H3_3.\NU)FO+NM8+S9VG?`Q(E\CZD]%MUQ`E[\VCPW/979?]E-AC-1"1HNNH>8 +M_H[-\4SJCRI6_5+1-S(**.L;+XJ4!=W#'^:ZO#-36[`\*&QV +M^BA&9%M^VT9L@,T0']`'@N=6=UP+`RIO_\)L&5+MI@."[4I.'=_G*NFUIIFU^ +MJ'OW_)LJW5+/X\9HDIA'<4]9C,J&_]8,KORGXF[(XNCL58(JC@.([;)@&7MV* +M;49)YS>9.SP-@VW6"UK"CDIPPL&*QE +M:GFO<]BNPV4'A7O-?#R=6B!4M_F!9L(B.0'`G2U814J7'C!/':8^NN2T<]OA! +M-H$FW?6(M,&*V,JM>@OH;_"S?U!Z&PY=06*4UB#O/O+%LTMKD7EW/B#7#T53( +M;'XCP7?6)6C[FA.-EV'L6XQ+!HSQGEV&YR$&G;'?=OSLL\!V/,1<YV]?!/:Q5U=OK_7'5+=]`[^-AKBP')C_V%\C)V7VK\ +M>XGB/.3DYCQW&S[O[G:\K'-Z;A;C['URHPKBQ6`>Q! 
+M%=7=?Q9(VMO5(B5RR>N_9=]K\NU&C!FRE>-Q-=6WAFN_A/6CV2F,$55]9#WP8 +M[:2X$\4L42.#]FO=P'A[)'Z^X1G::%M%CUPQ34(57N6[$K?7O-V_'3\A.\Y*17FB9%[O\,D4 +MCGOM'G4H0^:R:0F-!J%,EP8!O]*ET1D\(@3>9PU8O9QYSWS!AG-M&!F+R2P:*95, +MUS-9S"`RCCEZ79[YA6DPC6-M>I(/C;(@WD/FV#OJ'(;%]%HL/SX4'78A(EPU> +M\2+ZPJ^4P:WX^#Z&FIUO3-R].0YH\30H&&38)?-$CKAP99:]0+^I'\&YS$EHA +M'>(X1,5>T#9<:%1FGSG<2,SG,)2)%BM<;BKS_,5KF%ATZ+FH)Y!>=!';,BXT@ +M+,).134N(AX3AM6"ZK:G$+NQ>AX" +M=!PF#'TQAFYW4#7B6D08!FVKLY77MY'08N?JRG($KX/$H*2N%T.@'`9/ZEJ>] +MP*ZP@+@`("U`M1/AU)ITO!WI_Z%:Y]U6RU]*ZX:"H=MX$+AI;+NZ<,L@)Q,&M +M5EX"+^-O\?GU(P3NR>T7^1@(A[DO60*+_ZA%"V)\9RC6S[7@3#^4Q89MO`"X* +MI]/.08?`WE]L9D[D$B4*6K$FN,JX\<0%D/+=M[N[A6F['T!OP+N(]JFSN^W<" +MK9'>MXOT3M-%AC%9?->XK_/"LB,CU=.TZ.#R.Y-V$Q<%IUEZU\[/1_"V*A#WU +M`J>/P7*KK'1R62JT$ +M,%H![2:01NMAI#)P9,H&G29(`UFZH03HE)`2&#Y5Y2RWZ1;(>AIV4L5?2SK9L +MQ[,%]X:?U@ZUIBM9^9:?_S7`ML53B$$&+)0<"-B,]/(2*4A*^S)6EIF&^'"^MQ%Z2 +MW_L'O.>?8$,$M##]6B"M9.J%WBS&#.Y=+B.>S&;D,:[_^\#[C$>,!PPVKI3Q> +MD%%-OL'(9KQE'&_V5.$^BF62'N&V3N>.G!SI,!F&@\=3ITG@_>"]T'/Z4)5OB +MZU@J"WF``H-0SLX9460HX/9YTB;(@<1":%`CJ+V;;=X4[/0HHBMNGH19.+]Q# +MGM=CTL9?S5%VR?T3K#>-W_;.I1("^`@PWX;J[4U@YWTY2O'J])A.ZO&>I@S&\ +MB%)48(@3B+.I/L%IF]+@P"1;"C[VL5"CD^DP]Y+L,U(;/^P9( +M'$93?_D0PSYRA+',"&/0;>P9I0S1636&<(A4]&Z(D=OS+GBB[#]]6\QXF0`OCOE7;(VR,&AP*24DTT0H)"(+ +M4`;C?"EWX0"6UFE(FV;3-W.T5*;Y?/#)?Z(=+9DS7K.X>[HTP"^U,W2UH=>'!`%1-MS8.J- +MHF-4PV*NQ.YN%-^)2K(C6T#_4R*O/CT!G(4#B7R>07<&0QAT'BS>6'*"S_?/7 +M&TC_+IG_A2OG\T,K5_8M_VNCZ9[U"=![D`8X%7R"A]T&]8(LP4;4RTY&2YEK[ +M5$&)6-Y/2A,-C#5U4,BIU06?,)`<&K1@&A26U`?<8<^!7(:SV-^V46LGO`WRQ +MY*:VLK5FP$^%4H>;JS=$M[X+SPUS3';Q!?G$^B:9<5;%[7=E/:@&B0')9YS\` +MR-,P)W`^'3PYM)2^"3WSNV`6.8A_.I8K$BH^!=XCBZ79,[087(;+6S7N-W&S+ +M%MNK6E,<1^ZH+^@5Z-.M%7#OT7UIMK,W__/).9A&[#$6J!UNXQU([JE-H9*14 +M_@<[-R^FS3X9ZG0?D"KX0HT-%J;6/SY)!8VCT52:ZYR^.">(D\RA7S7D5/3H] +M+X@NJX!:$_+&S:I80/YW53_+"UW6&WQNZQD8*O>OY]U_\(7/?R<`B9.$CB<)V +M8LF2O.Z"G\B.HW9$XBP/80"V1<`G>*G"GE`9SZ/H93$8$PR&:+1*NPM`-ZA[- +MSYA8J2M!Q"@OK%Z?%*#:?UW4O'9\%S 
+M*2/8X$_T[Q2;([9V"=C7B1(A*@-J#;8)*&$Y5)2M-9NJD2J8C)]8SQ.U7KXU#TB +M^B]AU]8\.+">U3&RGK4.;K[=FXVSY+M./)6?/D^)VZ4J4.?!=T9N%*+*X>1JR3OTAVWK;OT!_R$`6O9V6Y>SG\8]MMP095XW?:LKZ6&=EP\ +MK,''P;]#17F7#ZS43T'ZL5+EU-/;>STEP7G]GLX,4%<]T$J3_- +M`]>1!/&.S\"?P./4Z+FVHM$QBAI]M!%L!?H-9L^;/R:96H'C,B1)=_".1\`AE +MX`RJ@4%;`QV,&CEP^TZ\Q:HFY&%F\#P)&]M5TDZ:Z<*6)X,13;/4MJC^"(M/0 +MPP0&U@D2BHR#9%+:6@<%P`>"CB*T58-F37]=[>E!X;@'-W$J<&;>I*]O"\5%GL\9MV^('^T&T1F;;`)C_5_L'F7P&6V,(M'7_Y*9[ +MUSTP"^]C,<^N0%(A&?O_S.6*0I%032CUGAOS%R')L/N6?^7-@47JW79-G`>;2DG-$!UJZ6L/>]7T:=!T`2Y3C +MVE;O.4E4I)QZP+U&=)@:[CH[.BH3*O^':M"V;'DT_"UI=5G\^`OHF_WC)A=.S +M0:8-?V^N+R.6):>IRPA,1&_U\NJN6`ATW[(WFGJK=UEV]/8'M#I4IVL9OY8(F +MR8'<6]X-#EI^?Q!J"1!.+4>/&[GQC&KO03O>$EG/#U\ABM"!U+PQ6.Y8[DP1% +M?VRG%MJI:.3F$=-1,-EPXFC3ATS!@"C6&B2PN*\[>5UU+A&`A$$?T;9HL_1(] +M:`6-04-TEE)+#SGYC1S4S>MH5QEGY4"[**P;>1-OIA`L>%,#X4Y55+56=%KXO +M[/F\?I8*\*U$2"#YQCX36?B1?5/*ABD55)>VX0)):HA3_#8PMO]LBWW?!_D'@ +MKR@-BLUGW//`Y\+=P'N*/VD1W$F*-/$;5[@@0*X)__ZI +M]W,_J-/QWNGVF_QD3OKX"%0<.B`@*S"]Z!LMC.Y9S"&!$*F./VGGE5+:\!+W< +M#3/I*12X7@?UU=[.1=MUIU0&>/Y4^GI!?_:1R;>IT085PB#6XV`^V8!$\?:^1 +M#_J'1*=?-8=N>%3JJR>*3U4]$:@DQSSGE*QX7)KIMF``"T;WYPPR!L`LF,HC? +M/;%9B].6Q0*I?SK;!&:QHV^?]ID_?XT%40.&E/67C_E=E14<6JQI;K[&2%D:!A!W;.A<8G! 
+M1T2;WJ'&Z:/.)<;$A5O>JGX!<6V40G)^5(7SQ6WM'(XXNKCRZ4?=CKE[>'IY: +M^Y[PUW^6ZQ06`8SL2JK6)#HY>?G1UJ^WM;"5-K<\VO7]U%LPJYN(ISWY0BV;# +MB?/1$8D]-7J=U<\_=588SYVCA,:5:&<47=1I]M,6N7%/7%L@?X$<'DK]/9T(1 +M\OSDO&`_H'Y_86=^BA?G.8LNF?KP]]D%#\(%^8OZ\;P38Q>OA$::9*YOQ=@LK +M%$6%%I'/M\[;"JHS<"<^*7\:_V[ +MAZ\S8ZL:SNW\/*\JK]@5/_5S_MNS]M+%$,OSH1%0*ZNN@UU&@1S?T:\_KN@B& +MX\)[ZJ!0XYZ51,FH*&@$_.$0NQ%F,N0H$:7OJ(9TVBVF'PF[G+?G6XZ>Q!/G> +MN.$WUB)Z_]?!M<CL.G(ESI:=)GS_MY7F^Z>]<52GOW[#(M!0)Y;TFVG^B$O^%S +M-DF"#[J\N,C,*:AZ%.(60(U0U7_P\_.S=[-_BSEN?P>55]SF/Q=>^F:!G(4Y9 +M/HB:>Q4AQSUXCV-<<8[6Q$-RFO)GF[["Y_G[B^MFG'%W9BA!C3X#X5[!086^P +M_6H=\/']%G^P +M:!$M$%UFHJ<]$)^+\7CCO$X/5M;JN.(/T+(`O"9W69GI@S7;-K^PN/0+9WX+[ +MQOF;]S>,FW&T2%$6:S@D$*$4,YL3;B7SI5 +M3[H5H4TWX^2=\DTPDG)+IZ.3\VX75WV1.-3O6>6H9FC05D>"@\.O9E&5=PPV1 +M21Q..-UF'3VF^CA7N](PX5Y.6KE]>INH6ZF;GOK1WHFXRY[HZD1'=SQT^!9!0 +M-3K-D9?^%!!('J'1TWFRS%XW,^N.@,="&4\9`5EM'HY<;`81<6Z1$8=*\9&)' +MD;.&:*,IBE[0^TD[S4"3JZT\-\EK1S/W*993(5E'ZQFJ>@O2[!+4Z]C'FQ!;C +MI?]4T%VQP02I>#Q$;0%OH19.>-Q&[6M=-']IP>J@S=#?^2`)XB6":_KUCWRG! +MV$112XG$-K`*X@P('P")@#ML)D-`+(C,C"M"D9-?4(*+3I+-OZ09$:1S'.@BJ +ME@Q'<;$2%'[KHZ@>;BS%*KW),3LJN$R+#D7[CS\=A+%N?&01:&)Y?T8YFN0N]BH2&C>Y +M6\V"NEG"X91Q5MOYA?.MTM&HZ249<@"2.S^''%(SJJ)VFT]&6)\I37#V]]&B< +MTD*MI?^&$@H_Z(P'A=,3@NPU1M36%T`7.@+)L,W:C'//F!EZ<4(SC8%D2)9<> +MMJ.X,7Z@Z9%7`)'BS^_8#]RA?9!'0X1=]HYL#QDGI;Y*.6&4+W]MGWAVNMLXZ +M#,JZ8)1]UV?;7J.*$GA.,V39F[7+?,M4VQ8=W>>V`NA7)V.I:3EO?AQ7S0/B91B1Z!,J"OOSV)27N/-/E-`[(QK(-BD8G\5 +M_-I;B)H>N+#,B(.U-K'!^6/%FW;$GBI)4,W:GILM2:Q()DE(\WV;KS.&^4?H] +M,T?.7NQ;XCR9Y;5D5_HG;3STTHZTF809X138!4V']C$C"M/!,,:M#TZ35/B0? +MP&+HL1_8ECX!(77TMISK_-6H%]X#T +MWP['6=2&Z.U+A%G:+YDJKO>^ +M\DDC"X*%A<7/+J2COB.>%>'UY3L\M!S_>-CH']9>NM/9YT'_KW\\8;-GDUT]? 
+M)\*I90OG,HOUL2<22,S]WCA;K1W/78`>^HSAJ,[>=KTD-WJ]EY\226X5OGES=2E +M\I:%Y(/2,:NS>[HHP3/>+`0<9A4W0);^-J3@<`XL%&`+YOKI^_U +M.[Q%?MY+``"E`(`AF$'J&_R7KE;T+`&,L!/I-[8J;K$J0"$!502I,PI0R^&`) +MVHF"@WZ^,PS`:NU[83>S@54Y"WGS)*#?A(/_PZBM&]/>3X.S:W_6>X+Y,6 +M>F]L5?IGV2E@N0;3;+]Q"GPS1=.M;J*`.B"!J`VM&E?^`U!+`P04``(`"``H1 +M?[X>Z5+4AG8,``!E'0``#````%=(05133D57+C0Q,8U97W/;-A)_]XR_P]HO9 +MECH2(]E)IY>7&T=Q&TUJ6>,H3GIS+Q`)2CB3@`J`5M1/>_=-;G2PNF!(D/#SLOK7N1FWIG41Q^!J$+DF)E);PL8&?-QHK:P1RVXDE"8 +M(7-5X',ZP1[HO[U57H*`C=32JASD%V]%[HW-2,X<1`W:>'"-E:!*^+A8PEY5) +M%:Q1F'*YT5[I!B5:M=EZ7+H?P;KQH'Q8AGM)#JYN=@6KM):E05ELH*S0+DGFM +M^*UR2=L,:,M2FETE8;]5^38H+RIT0W&`6JBJ;QM:4A* +M'L&&PK`-+(3.]:I&:9X_UZ:6VG>>6(O\,0MVLR1G+/Y&E4D4'N'1+_21?U;AU +M2'P+I!I&:-2^HY\W4L-,.(^.;6K:1_\67V70*%#MA0T3HR82<@4Y^Y +M?7HRANN"8L41@?GBYSNHE)9\6G;S^0:V>"3%O%OZ<4;/'RZS*WHV0^TV^'3YK +M?C5?_`8>!='!*#U[>S<;HT\E`X+=%Q\\7&63RX$8'LF_??\!K&D\U +M14!I-%_`)3@O=Y2'N70.!I5ZE%'&<`2BP"*MS(W&ZW^D*B?\5MI*1V=,CKKPEUS(5%8Q1IW0@("8QV92E%FB +M3_6VY*9@\97T'$?1>%.K'"-I)2'"8"R&P>F-WHG\D?R4+"4[6F/1'Z.^!^^6J +MJU_GB_?#WEFJD-JK$H.B?:@AH.6?Y@MXF&:3__YE=A'D>7+UDZA4R!T\5K)%CQ_.AAG<<6;DG$>.G4+9>S4%8>5KTCC%8I7J,0(J%0'N(-WD%YDW7JPK" +MB3'WJB+LIO-"`M!?`Z49UO((UHP^')$AH!/2K@L7]^!Y@VQV=QO7A)2@<@AE! 
+M=O@;I1TAC0@H$VJ0ZEF.`Q#V]KWM[ZLQ)&3%SCBG' +MR$I\YF1`_T*6HJD\F)U71O>/'I?@]LKGVU'L3=*6QM;!98Y0#`/W[NW]W7(%% +MKMGM*H6;"/K84\OWO\Y7-WUQ511'IZ.@7*9$WZC8E6(_"U4=X8QZ&NK.,MN$T +MV`OMCU2MOR6;LA$=MA.-XX8G0TO++95'V5051I-E*TW&"7^,+QA;5:-:3P3)F +M4!E/P8\8Q3424P0_M +M2QUW%NNC%D4D7%0D$^ZY5"W]0A%0F)P5(RE$'E2A+SSU]TJA%[=F3TXQUF,4P +M**T4>X(5FXDLY<@,)L!4(5Z!@2`7T5FXZPN:817C:2X#@ +M2R,`YG03W/\JB7ZEO#A6-(,/IO.@-K@DD"XG-?>?0!D<%T1?]QB]1%7QXW\:* +M1RADI6/D*)\G;*"+@6GJ`Y7&B]TC?03GF[(,AI=P,`WA-&`$V86%>E*%#!2&\ +M/&@/$%KB>:-WA"!9=DXU>8X^+TKUABE1":X-)8YF:,_.^R#5)=M@^S5[2> +M]O)9GR^4].U>C),[."_K*(;Y>\3`TDI*1$YBGE($#RQ];V6=AH-(EX;@1"G]^ +M`?*MS!_I@.7CNT"88W*&K@&Y::H"`T,92KK%:F%M(+?";5&_UX/3D\&;U:>LG +MJZY1L>%1.A!%0,_$-@2:F%K*+O$)1NTJ.G[X\O +M*J-41=^.K,+A1[I.^%+[.^<_A'H_[%@8GO2Z37M,CU-D*6]"(^1B"@(ZO] +MC/.MEY\NL\E/R=><;Y,1TQ:A#T:C3ONM82J(?U#1K(W?1KQU$G:5E%((X=!`5 +M_`DHH'P8)?])>A!?&1'\=Q-SP@#FS8[S@I`._B@^]U +M891`D>P%?DV8K'`)I8&3&Q[V^508,-)P@57";J2-9P6N38(8[60Q?!Z?T%RI] +M"Z2);2M\&H8=^8-G&%-'F65LCB3UY[O[V^L5\^,CX@B%<3]V1_5FP4BS1$L16 +M8QO]Z.['2T'N?3H*8("7./"F*8SRAN;\EL!U1_%C0NI7)3N._\8_7P:]QK_$M +M;.O/K(E@\Y5$G`KI"+[$@C$5R85+J;E754'I$WKO'M:'EGF[0%]^R'X@CD,M, +MD?`UWJ*TN0NB=Y_`\D78XL($*SS3AV`.G8"RXME2%[&I"+CX]\7WT&B:T"BV2 +M3)KPC.\Z>9>9=`P/^2(.%3%,C/!IW&\9T+=K;\K]=II-`^Q?9A,8Q-L]OL\+< +MH.%@=C]S9+S10/OH33>']57M1WF4LBE<)_C81E+$)Y/B>PY)-)FX0F?&[/[C= +M8O;NYIZ%]`L85>([@:]>8:2]O(S_ +M%M&'H%FR>S"'38.O>S4<9K-@_?]@<#D<0<3OOR7_YGI\_?DFRN^D1AK*]X=A` +M)5OC;9,STJ'3(^-I!^/O>'Z2&N-DVO>\Z\^VCL81`95R3$![RL836B1^3$A,2 +MS6?W6%%;H>N1@,,MKU,:+>!E?,,&"^-ENOF,-QEI#]4>R^Y5LS;[,SJT!2KF) +M3Q&N"YGTHY/XYC/YZN;V]NJG'ZFK!M)'1Z*-8B/M*(!:UNNC#.*H:22(C9,C, +M^E4V53C(-EK3$83R1KG%UXGVE +MQ\72A3P@(B.%K92T?U_$B[[2A7(4^@OW5_M3+7L'$]R5?R7.(0KM1\ +M1X4VG<#@:I@&@NE+&$R'7[=5/`>`T#N5[O4_%Z_L:QFBJGF,#=*.LVSYR^WRJ +M^CT\3/A4YYN="@2'\N*`=A>2R7V'G@G`TO&D=+R53BV5.,/WBG?RI^(M^Y?0N +MG6D6G#=\TTW4)N<+`U`T"/5UBI[L[I];R'3^0(0K,-8POO=4X)O*=BIN+ROGM +M%U65OO^A6N((\W=+<;:99HOZ3@6GVXS*976=;'I+:_Q[&]GT3MK7^/@ 
+`` +end +sum -r/size 46540/49735 section (from "begin" to "end") +sum -r/size 39641/35504 entire input file + + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +section 1 of uuencode 4.13 of file SS303.ZIP by R.E.M. + +begin 644 SS303.ZIP
+M'V%LK$IG3_B06LUC\*N)<#/2DMZ1O"VVRIC6W421M.B$C#]93^0(KVA\/2V3Q +M\=WZA1.)F@N']DD6?QR.NR59Q#*V!/R@Y%+:L4;:=PRY,+/"=K-WU*74PM,"JW']O9LW_QV +M?2X$P>#[T^YSL>3=F^Z:#^_$-^`X:MVSTKAGDW'/4\9,E>"VE&PZ^(ID!!^6C +M/-=P)S@6?0U600,!0#RP#?$+D36S[#<@A@HBQMBL158-9/[>SFTRDG!JRZ*DT +M@PBE]7=>ZKP$%RLL3$O36L'?"'/$\7"9V\];;3WVWFM<>>?AO-8>R(/"H_S\)XGC7MA*6W<#XU42WA',DF`( +MP]$*E^T_A$!V+Z1:EG0D[W[2>."4?OBHW1;=KJ01^%3:E4LSG8N?-J)[/3'0T +M97V;&D1^B@,TV^?H&T-O)V[8L]PHQ6*8(O1EJX1/'LI`ZR^$L-O\+#6?0[I2/ +M9]%\'JA)F1X64@OQD-+HAT>\7=K\^3 +MX?_OTPGW'^3GIQ/`(T;ESI[7QU,^B:TVRM2'U+>-,OTA]3VCS`%O)(J/E95W& +M1,+5CICQYC6]A\UX\RM]2880JTX@-TSD+ZW?:!GIW7ENSQJVXJUOLXF5H,4[A +M<[[2MS#XB+3LI]>69;IK64&W*:&-&]!+Q*[=/:`'+8#!`JKP9)/]9\\9!9LOV +MV9YS0X]L\;LW)7CB=C^9X(F6RVUX:\Z`7GD7<)M+>5=IL:4$TV$^T/]<]=-K* +MJ\A8EA8:/R95^$J7F&`@?MY+$-*Y5!K^),DV9Y@[;H20.WL.2IC+A^W_G'D)1 +M)$`O75FQ9T!/W(1P@SV4K;R+KP,%XZ;>/A'-/Y5^?.=A^T0NV83'C1P/9\:8O +MWE.6(F5L1O#8@E+:N&>"_:2]+ +MZ<(;?+CWF"?LC28[3WM;FQO(;)>VA.'_\*:\P$$W+T`W8*99`%NO>--;?]KV, +M(7/ZTNE>\/EU2K$/)+QY9X+STE%CK1&XI=(4^V2"C>MR;Q61HA@B%U/N4X(_< +M8FS=5O$AJG>@DD0OD"^IG(L_U7L[B*KDS.G0K_9^AE=ZA=/.G'#X="ES@*=RL +M6SB\P(L7>V6]>$PVN@3CD/XAI57C[$P;9LXQYZ1R2JYMH6YJCO.1[Z_4M+90D +MO.I]D+(03=)_0[SAGC^&CTHU&C!CZ;1+::WXMU+#V1)R!QRX1:[1@&8']\I)Q6\FML4CPJ;+%$3WDS=\94S*Y2#;EK4C6J.19_!WEV.ZG$P2=+<$Z= +M-Y.[H;=%9:9X]39M)MQ=@[('M]@\-?8Z?E3R738'!E)KWJC1XETJ^8;ZK_\7D +M8^\"U\25]H_/3)))3$)`P'A)#`DBK6(I0D6%B'C#.W)1!%%\=[?;?7>WN]M?A +MF(CMJS(T+9*,M0JM-VQ7I;5=+RU6MD7M<@N"B""H51"O@#IQJJ)H`J+)_SDS= +MP;I]W_?S_HW)G#GGS',N\YQSGO,\W^<@![W!/3DR4POV[^=[L[6\O?H/SZ,:K +M\E53=5UB)$+SO`(+PX'G'+GWKUKVR^=V7A[022W]X\P^R963M+#RE_=$]Q[,! 
+MJ'RF404QO3!.R:`]*J`V`YCY$QV&AIA]N2=ZC2X5=EQ[`'/1E\*T1C6@-\>HJ +MUNA$JE>U5E6^;L4O4595@2Z=.15U[I<(F\ZFHG0%JLVZ3'#,>BEADS?A8QU36 +MOX\"Z^\:W6I0H4Z$AD5I[4F;VJ)%8.78W`9#:E.5$*Y*Y^/#O/'W\VMGWE\`R +MR][Q6E$I<7]FJ>_]X\TB\(V;&5EU?P&*0==R$>:-D$$6#URE?-8%I9+[,_?X9 +M:4/\[L,*B?S37AT9CY_"L'+?Z02-2:5@?K\?&R-Z->;'F'&Q*F.<\2TC8\R(H +MQ<#%-$/Z=>'MJJ=1)G@:HG9Z..ZV342.#29,6)L>AD54G1DVE^U^E)"=F32TEX +MB-ICX[`D-L2=7O)<@WAOC#FT3"I,"#Z6N$9=?`YIQ-<0+3\7`)93 +MUA>(^:![+076[*%:=RR\^7T]FGKR/[7O2/OL1Y(BJV+:J=_&`)2BWYQ)>T92> +MR>Y3B+"RGUK$$^HWSZ8]811?K*R?FDQ[(OO-$X_)<7K@5RRD%Y4$$CJ.'EA#^:ZL+,X/3J?S1B<`8',`<$RS#^AL\`- +M&%VX1)K]R_V'1G8,YBN72CDE_$PAGVN`A%)9\K86_N_[$S^@^%F2A5 +MQE:+"$J$]2%&)]7FC)`_DC\V^\5`!^8HC8#)*)6!M]F(/F3C4JNTMKA/0"#D3 +MQ/V.#S!VWP!%&H-R>O-KV.THZ)O#YM>QFP8H.62Y"K?M^?5H.I6"-P'_OI2VD +M.F>+O"9$"FNQDZDI46GS']&W?5LZZ4X_^26Z6WI$?*Z;WV6?H>6W;?!&?;0%> +MH3T:_BV:_0N@<-OE2`^JLX*O$>1-A0RCM1F9)DDGV\?A_<_X31(=5XN$S;M_BD"'08+@B7%#(%H(PJX37 +MG>Z4190,07*WIZ)0$,WM:?Q>=P<8/6][*B@A,JNQ'`/)L]R'+JDRL&L?<]7>P +M/UU(QS7H$,!G&4Z'TMI*,JH#[4']Q+8;)3_J%GKWHZ=TTN,&["G4YY0.?'Y#2 +M!NX/[*O7/27+'_`R:@7(J%6Z\A[^I@9N:G52LGP(W&ZJDC+G88HK?X#D5+)<- +M]G)<#XK3P0K31I9K^6?])9O(0(DTJ,R7#7?9+ME<^TQ:VQECO%E<*N9\;#=.X +MO*<'_L'11!#9G922S+9CI1%1'5$-QT=@9-E0MM\IG9EAN[LB'1SC9/T9Z?SBR +MI$0+$BQ+L#C!0%+E:/$]SS0V6+!*WM'N?:@IR=;N]6A*S%KZV4BSG\#(0X31+ +M!$.);7=:57^%"0<>`^^(!)$\:128?<+$=G +M#SXN,#G5Z?"^1F%S((`:4/YXGA0@M6PX6@>A`FC10[EH$+6Z76A!''1M(9<#Q +M'G]?@ZZ>;-3Y8?M.ZPI"3R#F!I!R1YF&53B-&G-D'8R:$3:=/*AV6BB`3,MUQ +MH;8YQ+[CL!=KT/F!$FL^\IA*07>R.O*$#N>F'/4#)&;S$Z?]F3EFS[]T8R,PU +M8P1"L\7<,8]'^<1\/OJF+^T`YY%_BBGBGWA!^&F=VQ[I.4*>[[+J&G7<<'@RO +M)`(>5+E5D*02:BG&T!2@HD8B*>(M+354!K=HLM3GD"A=CP$:HNP!F_0$>2/I4 +M46:<"D"%ZE%R/`8J)'EK>*/N>"5:_E9+44^02`@)W0M8YEKUV$H!L-1C(P#K0GT< +M#O13*0%="YW:+[7;NPU*''G@/N79\:3:7U*N%3CVP!\:P]GT"\X+2>Q`\^3V+\^3H=]PHB<$<`]*3:U1^,^S +M;8O&M.YF=S/XAP_GPD`>5)W1),_/=]C4(!%&-VD6N)N1,`C;49+5/U[Q/2Y,0 +MZ>\^9C6/08N^PDCD$'WV4JS?#MN+).8Q:%3!=IX.FPDPG:6Q'SYG=#T:07R27 +MLG]^C$1=)(O9F4:(E6P8IPKA>A> 
+M'L'`O+R)^U2L,C)3OI.4X.85LUE%/# +M8=S+@:E6H/WVU6`Z9K_I/0 +M+2?.5_U16P"1&7:OHO=['&DZH>:@;T4Z5_`^M+.='C1%(%G6HSX'
-B0N9/C8^=,8K,U^=-6[V^`_#\B=L?*T@^ +MW/JZ+8*9N&F&;F;$K/#9^CG^"8:YP?/&S!^^(&3AV$6ABR,3)RX9D30RV2\EA +M(#5H:>`R==KKRX>FOY8Q;,4$^CD!CKJ%N7E!2, +M;JK'XQ:Y?=WSW^[_Z:7>>^WVWQ?T!AIW8K`?NW +M.2(ZQ^[[6&\W#0&VOS^>6=0'?OR[T;*-RT/_-KI)8 +M#4NW6?H9]3/87?[""U(OHBL29CT#M8<<=D>O^(@\_1S(?W\;[:%DQAM4H+&'[ +M\BO#C,^IR3F!1MH<40IF?C#TU!J7@I+#9-(6A1_^L(KZ*J;+["RC\]S[9IE4H +M99X\=]4L$UD$:HS"SS,!JPWVGJ&V4-B;/A.;Q/0SZ9-1W9P/5'M(^*4=(;E(S +M3V+/]D&6%AF$*44_)TL]0[8$22-P'SH+]FB9=BC5;0Y`X"35-)JFX +MADSS\Y2Z*=B>`<0>QK=);G3WF>-:;A1R4U$F)647/P@_'V"FR$]R..!+9J3[O1U,`QF;VHPD)34=6]?T@6YQ;,PAX< +MSF_+[X^Y;!;'N*G5J6@KEV%*@($V%JV>:&VE9)'=,;5H[6"G8Z:PC>TQ(*>:$ +M?T*RMODL^_53M,(-[OZ4S\'N*VPN^[BAC.I^$`(DR[!!0'(R$CK1Z+>I>S2>< +M:)66]7GX,:G2%L!M`40CL1!$^]UH5_=9!E@KO^@#(AIVZP,T;:`7+>/%-H3,[ +M+M7#F.W:RL\:U(/(>UO!2\'B`H9VR![B]:> +M^3UP"NH/RAE1H/H3#&K0;2@+=!#2O0U)9@()@UC2KA2DZ48(73:3VPN"U.L<@ +M\U>Q5]P2L;ONL+,YQUM.T$TV)H$&D\#2[8+OA".P6U!\"B1((79S31%``B2<^ +M@GW2!2["LZ#J3V!:]>V:+J0#0`@)!J'F<7L:-#OFB:J!ABZ_APVZE3,\.>T0- +MV`-5G?`.^68JGCI&WZ`*GA"1V@P$#(X`(P%.E.7 +M.NZ0@0#$"5P"S?',0-O5AZ +M9I'K8:$X(K%`S-@5E\U<>EA=1F*!DKD&.%Y/Z`=:WAB^0]0/Y@W#UK!J44M8X +M7VE$OL0XR>3?I00G47>5,<9$SNQ\/*-TXH$EMINE$<][OWDV8_Q-X@)]$:M\: +M&"2U(\_#T'("YPSE!,%IRP,Q;GAY(,[YEP<2G`]L?3E9N0CG1.4B9-9)*SED' +M^"B+-(K,!."40!=-F!<:1=1B-@@@N+R/A_EU45M\G53/GL2`<[=I,^%WBS;3S +MHT[7[3ELV#$O=Z;@"C*[=()'O5G+K:*GZ\U$PCSPX.-2!>JZ-D0I9*DN#M +M4U&>3$0!$2@-YA_YP:/>!!V+<89X,R@%"[1H4!U1.1^./[-U1Y)$A:%R,TPBO +MMA;+6I6Q(G//(K/M*C*/KQV] +MGB(K"O5@.^21H.2>'5IYU=H0\VA`=<2I]4N6,(^1]2=:* +M.]BZ=V@]27N+M24[M>E"O?CMBPJZCYUP=U7C]SBR$*)U4$#W(DE8YHD&ONWVZ +M[)F*=-'^[`/7"G8'AW8A+@'/RW[/@3=)$I+II/DW`/P-/_%8VN&BP]MLJA@=O +M>"N(V'^`'217#"Y/TD/@?$F4:@"/NM#=8'80NA@=I%LQ4'DI``[-+L?<3>;O$ +MN.*D5&&&`%]VHM28S+YW`Y65RF[M9WP+@&PRJ*]MBGG2`R*(JY +MB-V0R+X":&Y[,KQFN?.A)"(B_T:&W5(G!OZ>NL&G-,)=2S^;:.9SYKDCL#4*E +MH%4643K13<;HH.%];*FKB"US(?F$&)\H6K](8EY,>A;+TQDP2<=KB?D;)^B)&F'@%TG;N&3-7M1C_87 +M4[FY&S";7X$-@I,6;)H$0#%N>3A']5`3.PDA`:@%)#E8^,*G"]/6M9X+>2 
+MJ`04IA[\`"P#?A#:[2G8V!$TRY[$UPN`/1/O@!]HO@3Y[ZY(!OV8<%Z+-RS%.8.]CR1A=9.!KK0TB4%Q@YKK-BG9V,P& +MM!#2T5!ANQVU]`%BS4$L1A#.AN%NU1C]QR2HP"'UNEWHC6&XXQ\]J2GL'9QI= +M123Y%H.L/0XS&;CA8>I1>M%YQ;D-/@R\+380,RE1)G8AQC:ANLPE5B`W8'1Z1 +M`60\G=?OP=8`/OC55'0?UC@#/?7\HQ_:=8"@?=K[Q;/,4OU',/:8T[T'<"#=< +MAV"E@`%/1I&]7V3@JA%Z4&RDLADX*B86G@9,?RC&_@<.(B\[BX\%FZ!TH0=RS +MQ%#E>P!3!9II?J'>[G-BB,;;GB(8&D/X[&*\JR/K'G@%1$,1ZW-E%N=@5'KH89A.5O9I1^=`!B!2X9%&1#^LL4L*6+/.G +M`>"15S!AQR,LY2+*/T6`C)@E"`"R@/WC;31F[CV"*K`3K\4`CL.L>]%WRY,GY*FSM@`[)Y%U:-I'A>FOT!+TU;KS^HRRE51<"35'K815_4AFAAT6AA +M]TNKZJ0!O%ZMNAA][082-`OS2J;HY\X-M4GV&?5SK7&A^DWDJ]`),7IVLC)-D +M-R$))C6$VF"_"O"H]AND*!(F8-4A`U)`](M/%(-#L2>'\$Q>0WIRW)Z<9QY5K +MM)Z*-TZ@RMF=SG*,9K]PLENK",K_`@P@+=5 +M5/8M9SJ;[>1J81&HXFL?W*G]4Q):PS`&.H2!CMD,'<2$1^@]X9%P'Z*'H +MI7M'B`K0@A!&'5A.TNQKSO*V44FZ\CU:X=1U7?DU3=*N[L'#UE=+5Q +M")YPE)AV-'#:4?&TH[)I1T6\7QA9H#MD2$4N#SNU&2T.DR^\',M-!"1%;EUB9 +MT`CJ^`,@T6F:R(MO_#(>#8'.>P!/JD@L,Y4]$;"YPWV*,B22;)1_$/2C&/I"` +MS8['*HH-3O*0048!TE0,"[[C]C7'U6O0@K0K@`R%-86O,V,F[&@%34BP0DCP& +M5B-ASDLJY(\RR.C]@FUMX8N4#28JL:V]7VQ%Z=T'N)O,&F7:8>:-6M[]6-%@O +MEC`^S'HB[%2V6%0=U=#J.([&%";@B]B)+=EC-UX&.`/[KQ:X^@(P9>-EJR]T^ +M9=>0(NM<]\;+[)];^(8#UI%]IX4[)Y0)K+Q&QFP@&:UH]#NA[)&S&Y^F@M,+. +M(/YE@,`7^HJY=GCKX6T(GYF-?^'0MCCZKT;]\CA@40"%D@O.$T4@A\?ZKH%0> +M;%7O?C,),;&^1;O1*8?L[;-%;.?9S[P4!7`):!=`4#^2Q,:>W7CY8VDACS01E +M0!D@VRN`F3F9<.N9S'YY-OV7&'@9Z;@UYN)!Y@_'IFK/@73*V/3<.,)3KB86B@;#314Q[V*D-KQW22;M>? 
+M??2-.00M,:=[]\-Z8?XYK!UUIHQ]_2SJTG%G"[V\$=7!W88RH.:I7L:YGP(L# +M+#0)NI9'>G$^+T!?C&_8:=CRH0P.^Q4^6LZ_S74]X'"T8&/K.A9$$!W&C6#`T +M7RI7QE8TPV#AY+$UZPEPV3O57(1*59Q;M\`L9?>A-'OL<&C6<$7#>@+PHU\U) +M%Z%A]IT>55.,H5X@(1/,W!)\+J=T1"KP<=Y%.>BC&;B)CZG.(-_0'.A]E%DD%4 +MM\HR?%H9P0]P@85\N\8!#Y7J075)D;W?4.H92YA+X#OHK(4=F*A_"=H'4?@,% +MP,65-14)HQ[-&@1L;@#3/'@;^)&W&\08S)MLS*.B0C:FB>^B069-99O.@%?(2 +M4]W)-3+>[20HW?MNA4RU:U2;[$RB$@V[!%)1U36.4H=5@TM>(JA7`=,&`Q0=@ +M7Q7$C4Y-2]XE@6DC:;EP(JQR&_483%MIN[Y,]LXE2B]-'2*61IY3BNT9M/-WEM_%T]BWFM*NC=H,*:LBU"]<4ZPL.C/VQ2"#5YI(SE\7!V]<4;5N,E2#25.B73@S#`90[.GL+ +M$%$_<@D57!J!K861#Z\=)K:^1F]=',WM6&PH@!'U/.(PP=F(UAA/HG/M,$LMS +M\3$9#\)B'*P><7J$S7KE,OK]M!W%H324]Z.WGJ[.^IC\PK`*Y>(QCA<0QO$LO +MCW%L&,SZOV`U@%0)_5+-HSRE-$OC70Z`!`HNQ0O!>*()=UM9"MOV^Q +MZ6+&"KF3"@(PT!E;30S9I%GC0\=-!#S&$-.U>V;JJ-D[&\>`LL)\TW:\DKP4%)BD>=X):&9< +MF#_?75.:P+YV'SQE0<@9>S\9IM\`6`X/`7)-P>\^]:SO_T/S([F=8ZL6=; +MS2"1VVKX,P=@"VD6Y]\HU2?9:EG'O73'K7O\;"4'1I3?-AL6S$-5S!Z)%,C96 +M`3/C;3VLYEZ190.XW^)%PG%-E]@);G9!I4G"][!CX27DHF%;`D[P3*X2?-W!/ +M7UTUZ*^N,OF(>DQ#D%_+'::>N8C\,^R.$9<<\RZ]F#02$<@R"@G$P^@!@'JQ4 +MDA;J.C/;K^0++3H#*]6*%`T-:QN8=O;_G>J*3@6E0P@ZRR/(JHX>O4DW9333J +M7BZ6)[.]QS,R8T]1PPIACKQ_BO-AGK(_G:"&F_P/=#HSBP1U@'>!='1?="1T2 +M>1<[]J28+3Q+A?Q2I!:=:S0*E8MDLKX,))/APAJXY:+CZXOP>UP_`2FN0/%C; +MN\@.Q=B^?Q=;[*AE;-H)4RMPKMBHIWHK.C6PD3GB,0;#+O;I!+."_0@['AS,& +M1IXPQ=#N8,H`T/($4`:,A$1@J73R[#L2F-]@'QTVO0Q'HP,57(/,(!GR4;'-%1A<2J=8&LF>/FWR!D()7T +MV92IV-/'LB*K#IP`6?RM^OB23@W(7"!F`?G@`Z"R`&_Z3HT'2X&MHEEQPH.<4 +MS-EE]4SO"K[Z]A.=FMAKU)"T5/Z\;*8']GXPN"F"[PW8Q?Q!QH5`TW5+5C'V:BSWWR/KDF+ +M4PBG+C^Q*+/2'TM='NX9NCISR1+SD]69H.CYQD#4D4<,3^O([PQ)]LAS!>K?: +MCB[#'5/*;>IBJ7B_GSQZJ$Q/V0$RE2AG_QOCCF2UD"[F2_Q>MQ`HBT.>WB +M8V]F%D2T9:*PU<>62) +MB-N9*-RV\M-5NU:]MQ*%"Z`ZQJ=F<8'Z.P-_OMD_(MZ)6`,#7+1&Y.@[;ZO=2 +M`9JCHHH#^G0("CHD)JY%`WSY);A[DN;13O(H8)W52:F1W:P&I>VQZKXUT"J(S4P'F^(ES'8EW=:5R0SCL +M%8!#;4O124]Z8-!O/&P64N+-P`K,.$`ZDS%@;IB[C:-Q,^F<0^(@M=H\].])# +M-["LEEY,XCP%!3H>AZ37B4&#@8#K?T"^#-7HX$@_@'DJD;E6BG3:WT`\1(C`> 
+M80&>%WV/H?,?25@J8*JWV[XLUO)'O7D%L`%1CC],+_C"UB[;QJ^TD=WQ_%C>3 +M>DX0U$#3V0O#]$&!>K\6]29*1#N)_!N1W:TW)/NU3%\ZL^,90J40GV$HAR +MB;WB3F?;W,BE,I6Y;K$_;N6@'^Q\+_YY7R;?&&A]O3T-J1]E:/KYQE!1I0==" +M?5;CX,P#2I@1C=0L--,(LX]MMNBE\_1(&)FLZS0X&?*)R+$K$.5%%'%$J^NN" +M,"MAYQRN5FAA/_@Z/($1N7>V'GGP[ING3]U;9BA)@#MJ+KL`R]PS6P^1C&JF/ +M_FO"/%08LQ/9?^);D0*5TPE3FA[T2+YAK=F$Z#0@]`IY77,&FW\766RS[(X5# +MK8X_MM:3L_5@&8C^W@`%,*H$/:C;>[J&<\O8:!QII:T05:":K8]1S=-39^S@_ +M&G0(17=.XFZ!?\%\U@]'.:RZF?HZH$38&?<)`CMD7$EUSS+J;SK#7*)FQE6ZX +MDF4Q]%AD%:Q#5S%;#_@"P>:`JC2.@:UW*%4VG_K8&`:@H4[;;(\Q',"OJZE/P +M@,B1&+&YUAA"J8WCS3_2S?H$2S]A\K&)C2%FZ7QW/=WLE^"N=]93J8?@^ +MN5%`K\43S!;9]/O7X(TIV)><:L+/.8O'4$7+26^ +M?K%IGL4A1FK7NBX?VIAEEB7,KR?GZ'',7>^LDYD#W6>[_`X97P-#3YA92C?+[ +MZ&;Q_,%6$P,``K;>[I"T`._*DDK#4'-YY4AYF0&D1N'/(:`73M23C +M@?I/LH2.']S+67X6PX!&:H'*8@/`?&5C?3%8\Q;5`>\=6 +MD$[X+#JN)^@U:@BH_A5U9$]0V-=BD(WJP;@^F;C.U(BJW<`9ZZ0$.5,/AG(WA +M7,`H`O*IB"VY30/(0@2P":9:5&/K*<-R%Y=BW(H]L_3C[<1U%]1*C)E)]ZEW> +M"7A9?7MFZH4@49\KBG?7L[_CGY=%5H&U2_$#CHB,KZ>O8-8$MZW>YN*&(@KQ# +MDW@\BIXNH<]>B"`*CQ'62L7,)^WAREGY-H%&\1F$!K@(7EV>.5SVE8P]`, +M81IMH;-AIZ,'*-GXW@,@FIEE>WJ"8&[%X0;P7J4AB +M!VS-SFOK_-UGS2-*(PYP`>[39DGIA`/?B4!WWK@6/W2@\YX->F+^VJ#2\`/4P +M*+ES@Q3RN9MO#'3YR#LV2+YP-]X8*(U`Q''*F%0^)PR-'$"XSV.RW(J.=\6NV +MCK+7#A8=?=,)5B#@"$JBC("JRJMVY]?R8MAG%%$V-K_V8#H2',50NP-U$JSB1 +M8=#VL#ID\[#SBJ=^P!;2_8%F?U`^L4W=3"]SZM"^GJ#(<_/!VI6O]6[S60,6D +M>8]E;P_N0A+(>>#N$-.432*+3>2]\4W<]9VN-*.^O3`MMF<-".;&$;;E(=VO91/P$WZ8<1XE9 +M/2HS+J'P1*;9?=(,V_RPYOF5VPU153M3E^V*EY0,686>Q';&7@9H8`/MK-;S_ +MUXV7,VT#12P.]"@]+`):2###GMP<4+23OIE;LMU0U!1+;C,M&>[V>?$]S^XUZ\GV-!<+[-%M?;ZQX4T`I5JP3U +MKLBEC4%'-.VZ^1I"/J+#(JSA^PSH\'&Q)`)+$GS;P.=$,R6RGERK60N_'V@R\ +MX/>09@7\EFO^$HG*R],>F]^(E4I/F/R`N2^-8!6W4Y$-XI68K_#:/*H'?M=JS"FB+! 
+MEE0V8O_]G[#+LFR08^8IE3?TH!5#$P1HNS(PTRM<(A,=89A'#8UU@3/W;,*:C +MH$H#TV96=C2L:F`Y-&2+@;_!/!3@P[N%0Z!:F0258QKZB*"4GK)F!_U9BN'/F4+@*JD<*.8:;5C/(R1R"::])5C?)AH`@MSY;DQ/Y.H`O-[G +MNOE27JTN>"!;$54574]>TU<3W'I+MSO:&GI%S]2A4X+F19=MW1R8*SB +M)>H@QT=X]$G2#R)!*!PS/]U0I#( +M)>]X9I+SKF?TQRL,\0O?O5,1&%P9&,Q^BU4T&RJ?&MC]6",JE7"$>]*6HY"8D +M0[K_BA'!T%EL`>;-GXOEQ3TU7+QH!K,_%BQD">2S_![SYEV)[1H%_0,RJ()7F +M)$CJ$T@/MNLD="%JGIB2\TX?;P:O+L<%3TJR)_P/44Y?N5F]M`6Y%&5LBPP[$UE%_\-DJY'>#UR%["N#ANVTYH(;'I( +M61`2CTTD#E5VQ0@"@5;:#D,RN@!UQ=Z&D9!M=31 +MZ/8MI8B_=HE:A02DUTU+C?+PNL/U_JY+4"E7F^LR`/JLH$`&M7B"#9^1A2>\"5$?27B +M2C#F[$*B0FR:+$=JDL&2OP8T'7C4.:9.`9LRUV57F^4REIFU6J@DJF7J\O^SJ +MDG[_0Q5'O51%OH(U4><4'O-<;M'_7LW_L9(*5$DR+$&N25.&)9":-!F0&:SI: +MZDQO1?_M'^O$&G>BJJ03E`'>O-TQ33WC0U[CMMTS1;Z%'MY][8M.4G2`RP\;M"D +ML-_)A6GTEUCQO\>BBDSJ;IJZ`>IB>\OS.:5HFMK6-(G-$35-NH'RD!(%24HD* +M$OA.R#LA(0'UIPZRU,KHN&4&G%(R5_)RB=_)S2)++0GDBOCCS9HFQ=V!.B7M$ +MN:/=Y]"F-TT*=VB?6>.^UUJCR[6B9JOJN+:D!I!YM=JH!NCR&;#H:N48:\,*$ +M5&5:!O+4D=U:=)Z1'.Y=9(T64(2DJWKF""0\1>P]K65T9[2V\&XM4$8%V:VZB +M*BT+WICH<2BF:3)Y6MLT=30#]UQE.CS#A<)/^N?FX:X.UW5+!\:<5URB_.D&" +M/V<]>#=R$K@@VF`]/JVU`G$[NX_X>U(4TA,>)DS_`J7+?L)4"<[$#UKOM)YO+ +M^4GX%3T/N$S_A'EO^BSG,;BC+G!%40U6U8]:6(&U]SUL.IB,Z2::5>.1#5$=W +M;`U!_2W1.!OVG'.H*/`^T&+4:F,8?P+L\D0NA(ZK@QAU`KN+2$R$>"5L^F3&] +MJ3D2L./C]G0NBKWBR6L@Q!S)GO?0#2`'\R1.^="W1)@,V%QM=H\3PR^0509; +M@^=Y]KO7BRKWN]E*$>I-2]R/6ND:H"9KFE35-.EFT^3PRUJ!\VY!YP,Z2SO#\ +M'-PTN1-Z_$7<+:T?\DSHUN+)]"U:]A=IAIU_,U/;ED=5'3QXT';+IR?WX&JZK +M`;?#N'[`7&[AI*CK>UZ.JT'(/V3_C20#B3A>U0,]:?L(LE_B3=?U-6 +MM]ED/'N`ON4NCXM7>-8JYB&,EY-NPJ.JTF"E:M$6'BPZ^.G!;0<+#V9!;5NT: +M]N7+4ID:V,H`;DK4DA[0EA[`I@?T@0_I^=:?6B_9@47BN0F(42+O09>-@M?U' +M_YM1WL6\C/(!9OH!&&4]9CJ>!(KKT"K0]3!W&3L*@>BSEVD37345I_-\DMW&6 +M%?[?/7;"D\N&8Z;A>0-GE#F/Z":BM4MD;^V"W[:U75RWG5T#FUS@$0GPB"A1U +MZ;$G]ML![43U3X@P/38.V4!.&&KZ62R/@>&UOCNRVYZ0&%4%O=1O=YY\U=Q+Q +MP^B@N0>(`1[037[`).9K@'^BKH(2XRY0.&<\-G9(,. 
+MAI[*O*'XW4IO*,GNZPV%//870O2V'6HAI/^Q8B0*B2L;-)O?B,?VWCO3K*DY_ +MGQC_^3_?"?OZ\,G/_AC_?.RM49N7C.0L\9<^G:62?#3NV\_C]\R^E^?_<=[[& +MQ^)_VG_6,S]H;N?&NIF;K_5_-L!M.)`\( +M:TW7F4?C7O\@+W1VTQGAW\!T^:62=Z;!3]_TV.M+/MK^5W_+D^D3?C^R,WWX" +M#ZT/IX_Y8*YF[J&37]V?_OT?W_Y6\J_)^=ST'V>^=^NG3RHOWIG^O/DW'PS-Q +M.7.P>WKFS<6U%9]\>KMA>FJL>7938,6N;Z/QV(F_6 +M8=Z;GE&]X4CJ.O\3JZ>__A&`'C\<-C![^I>.J5^^<0Q2>=R4GRN2N4 +MZ\M7Y]D3,%A>7V'J6Q^@S_*Q4HQRI+;;8AHRN1;[/ +MXM0YBZ=,ELC_\%9.>'CXW.4Q6"=V#A/AZR2?2GZ0/)/LE#S$6KMTQY0^F]O#8 +M/=O]L*#&Q"53)D_SD>O`KK)ZX:1`$# +M>^HW2T)MPT!G.A;)/[G,]4??+`D;8,Z20`SE +MIMT2U#0TA&AA]X$8&@SI*,+LMN%&Z*C:Z\**_$#I$D,$*=$Q1V=)4JL1(;9X5FKFL#LQQ18) +M^1N3*G58DR'>.GK3'`*9PGJ/!RDJKLLK:^0"G2''+Y(5F\C*8Z0.1/4WQ@(8R +M#[(#".HB7)A+4'>!SEB@HSLY#.[C$9G'=EHU'",$&N!`2/#W8GO2,LO/6N;G! +M]C48U&<@55<._=P6565+("(]SGK`)H$#"TF?Q<&A$?R$1`XW[JP7FY7@'R6C, +MSXK9AP37[JR70389RB9SG"9L.A*C&ZOHKF?.\\%V>#P(E"\R\%Z<]A0\P=*5Y +M-*>"^[%31-,P/!U^J9 +M`6!5O+/&SRQSULC,:NZ-+?13?TJ%-`M#N%>VN&K\D&_MG>E,M!\6&^T/*QDHL +MR"UU2BO<%[<[BSN,#@GNM(/?&K=@RR^4J2'\DR)NTA907Y-L%<:%;1%HJ("&H +MHP+:+BIN=Q5W3/@EEBUT6^[SE)UVI3F)Z;7<[@'F'57<$;<`0SM)F-^+.\(AZ +M#-,N/,^]-O@L-89N5")R/$6HUTM$IPT2?:G="K[=(U&[15S"%MMI`(,=KTTZ1 +MW_GN0U3TSY9.:0MROC]__C0ZP2.$\]W2VMC:".1==A%&]=KI,^*Z!`)ZX"W^9 +M1+TLQQ_<(6Y6C@LW/S^G53*,2`83:-[-*2)+OPR^]FO_\WWH5'DW.NXF)\ZK%N#41<"48V*8R+#>GT$!,1@.Q$/JA+*^AFD2I' +M6S%NHE`8GM>/X6"@R,5@^>"T])EXGF\:BMM:T>_5MN*K<6JL6$ZJL8R0YXZ9Y +MSXL[-O@7,XFC7-6>7,K@3!A)F]7%U__JS\=;-HS"*&6>(RX>3X37\%=_.TA3? +MB?[6Q$!KHMJ:.,*:.(IC$=^.K<+IQ_BT*BP=_!1$F./N,V=MO'D)%*];GI:=>R-$\T'?KD +MCEI`]SWBZ`?@7.9_],.O_(A8.'(KF%$WL`TA>4?K:$Q,8:/4(N6$/AH[`2.3AO& +MD>@`47Z>4@BUW*/&0J8K8(B.]02A.6LLIA2>TQ>WQ\FQ8M@X8O2M7D7U()GB+ +M]F=P!5HH!82-7OFM@E`%MHS](G#5QR0(XG]XB$<&*@@>46-#@&UE*B7F;+6%P_345$/?FBYO0G?#V +M,6"0ZU3[5L=[[H'BI&6Z-.9G`-C8Q+2R*C'1ND8F')OC;`D9H0S-KRTMMHI3. 
+M8<7@)@T4GTT2IDN^5T$3DT\&8MZ>!4KED2L'B?%TQHE3HSJ6IL?6FE]EXO&Q6 +M`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`PJ[;9JF( +MA6MW74#A'WN&KQP7>Z`<9=SI.COPP2[]+D3_T+MG6UW#34<031%VX;]6M,6M\ +M_./'$JC(Y,67)O2U7+BHA"?.7QG^UOT3Q]_WA_C&K>E93#[Y!*8$>.)6OAXG@ +M)._N'@(IOWOK;,$[WTUM\(64;4\3ZMW*'[H#?O6$&(O,E)UM^")I_W,HL;GU0 +M]$\+O^YI`<41]G=K6.?7*0MV2R#\^YE)R\XZ'FPA(;QEX>&0V[=F?2'AR_.S% +M3$F3+_EM#^KL.V6ZOVQ)3KJ/4F)#_I*IWY)TZ-=/$-B.$9+'STCJ$;J3';X9B +MN'1:\<\J"'^[NL2^H*WG>2"?ZV\Y_S6%\?OJLASN5K'_5?S^$=$>?PAOL`RYC +M$]CWV@]JOG1QSLZ:SN7_KQCUW.XE$YV3LK9>`\D.LRV\^]Z]AO/?(=U*PZM#P +M1K_>76N#F0CHGECS3EPF<6@SZM'_>!#UCY8@\6Z4:]L)R]LW'J^N0OWF'>4D9 +M&N5DO=A:!:/VK$*A5O@I1BD&`*>]/`WX3C)L+ST=550*%ZYOK2]28[6H+)WR\!*1`X'TI$ +M]S8[#S,9K=&?8,YJL"ZB9YUV,+O0O82SF@#7%,_VWTI?FM]G/?'.[UPDG\2%, +ML1%/+##-@Q><4`/;3W2GUO:HY39Q,=(9]C0V3H7UY>)/[*P*7P62)'B!9ZW>F +MJ^9E3AD)RT*++126A3,U=/=T>2VZ&X[]PW,]2`IRZ%G';_J8=DL7"?U;*!T,T +M[9*RO9Z7JE3ZV%LE^V".?2_R'I"ZJDDD')8-=?QY*(1E5$C>0Q'AJA:1YJ%YV +M_>(\"O`M:*#:^?7ASWN5H%OTM[NJ,3]*";]B>/:\G^.XGS>\T]?QD2_J3.A&^ +MH/^=])=PS4OAHH?1#,1_V*\N53.Y +M+)8QLX$17F%<`"Q+Q@J6R>V(J)@C&)?P3J95F&21C^C;N>"M`5L%(;EB@XR[N +M*X1L,CX?`Z\]_,M?/L!%T*=V%`WF'N67_#]OI)-40-^;F-8]3K91E?^(]$IT-6V39N%;7A]60ICEOT+QR(OODNXK@)J^ +M=3'!K!(SZTG%O;4BQWRQY2YN:<=`&V.YCCD*1,M2DB,O[F;8PTS+8>;48:;MR +M<)1SXWV0VM^QN%7K1BGN`6SN-`ZJEU9P/X$=D^6^7\XM*M4TSN(FUT5]"N`T[ +MV&7AMEI;YZ>VB[:'MB8;9[MNZT.NCI;[LIRAU*NMMUK/M;:"C?U7%P6CR!55O7 +MS$]YMSS3TQ4GDZ+NI0C$>.J#3?I5O0>CR5\W/AG:./M%W0;;0?[W%I,H_61`3 +M:\8JYJG`,NGH:`5X8UF.W^#]8%!]M`Q\R2QUI*6>!&9^WOO5L]59//_QS`=-\)V"_0NG+ +M6V\B%FL]9PJNV(;%+B7-RMC98(:/74F8B5AEME)1HZA6V-&)//"2+V5DKLYR= +M&'$F>C<6Y8F]F/U;4"J*8WMR9KB<*:G;H^XQ3_9NPZ#F8M<=YE'2WATH3+KN> +MB'H"[N[=A6YD<,-:SF&%C'H4EAEV7M.MV?9H^Z>V"[8;V +MD56?0@;:_%;BBR%W"450#[A4Q4^*TW(8FXH&:C::A?0MK$D#7U_8;M(YHTVOG +M@!*$"N8"TY-:NDVC."4D"6&"4]+U.&B+L\65&)T`/?,3<]K6[CB([5%@D&M58 +M"YN][U-YK;S&=AN4'_3MOD]ASKCQ[V4\!Y%DM&D"@*^H5[QE!/%EC/26,33JG +M'ETG"V@*N!KP?+"@R'/ACK 
+M4L$W&&9S=B:?"G=ROE[H2$>V8IN,'?_B*10'EHN[H8>9OM##MI;6JA"\Y51^4 +M[4O:@O1[7FT!?9J.=(*7K0'@I5$%;\HGY.ZPSI854(J"I5+K.EB\"F:+K8``! +M$-LAL1R+_YZ@G]+F*\`L;70SSIV'6!2AA`A9.5Z%XBI1'0@@%#^O]4[+.?FY) +M=UW<01`PS,B5K,VQ`T.`%7]FI<0V6VI[4]YZH\S3VN;(PR#LV(\Y-F..-A`MI +M>`%CMMRV2"%O,%?;%LEA^9M&8^NO3\OS;+@JSK6]"4[7L$[>;&UC`A5+"3E(. +M($!3L51$3>8[P::"OG.@CVD"?"/SGF*T29LC07^28YBMQ6+'AV%89,N[0YB6^ +MUD[:[:'410<9^T$[Y'7*N]=>Y7K@]V?N)T3LU9>(C8#OQ'!&]P4HVVCYL_"]^ +M^V3H.:X.XB7H;71!XM=\XAV;_6#XWOVR@]P_T"LYS=U"Q")<;9+W/=-&8.LGT +M;^6K;JN1US%+QTS?I@LH>:2SX`VZ.Q?62/XSS2.E?*>!#F'T:QZ1P"%V@1T&:/,#<)/C! +MT*N_C>X4<"<%7O@>YR[RK`!/,!/0G_-:A-H(7.$M'0!QO=8)""6R2&Q=248Z; +MN?V(38;P1J6#@-9"C#*-68HS*T7,;(EMD;3%P4_&EW]]+41O@*DY:%LGI^_0] +MY3VY\CORZH,.0"&OE--=M.,>YCB+.>0X]W>ASP2N>HBXZFT9FA[67\][CC_;B +M<,4&J![<^Q:<-5(JA6>E7T9A#'PCG#5B:JJS1D&]\:)B`/2RU,A@Q0.>HENQ" +M=T,A8@XBO$[+I;;.1@%]DY;?% +M/&BW/"`%ON3;]Q)W!L)W=,4!F5>Z.RSO.LBU0IQ8W@'3Q'&]VY9*80PQ;T,-\9:[4).KK6V=3JB&MSYECLRB)?R=;#>?%%55GYR^ +M05,,63];AE?!=%*&%[RI0,=(@!IWMH(P3X%?W!S.+))9^GUSQS-OBYEU)!/(A +MK"38\018G$?``)%W`[3R,B6.JED[9#74TQYUCA.D8B1RW_,.B#[%26H:.NR\R +M/.CE:B]B_WNUE1:7Q_+$8SF)EAYH`#29='P"?@0>YGG4O=?\,,=&/`U\-5%A6 +M:-)X4=L9?&TC^=H&Y4:]7-MUN.*>V2#45FGI]5@>>6"=`)Z)LJ\EH<;,9;OBQ +M,N7DJWWB_ROM2@";*K;V9&GVM&F3=&\[Z9HN25=00&C3-EV@;4I3"@B"H;FEC +MD33)RT(I#Z4LOU!:$=]#17%!?0\7>%H+^B-50,HJ\BS@@H`^9/$%`J)2!$7:@ +M_\R]:6EQ^]__)Z;WWIDS,V?..?/-F7-G$+7F'NWQ#^+CM_D7]XAWN_.WY0_G+ +MO^/?O^2?`R%=FFU/$#0JA@G]8N[)W*,:#$?#T`5G/_G?\3WYE]FT6O<2S=[N( +M@8'NP2BZ!_F+=<-[L!TQW'.\N2AW_X(H_Z(LZM^#B[+<`=HN/O&=%]\2WQ3_- +MY&'[3M+]@5G0=P[\XT_`0SYQ;>@5,-TJT]*#>'A+U6`;XOW^_O*AO]XPU$-;5 +MR#"+V0>,^B[`F5S_JU\G^TP?^.E?D!'$>1]`JDW1-I/=9N6V+0+Y[EIV(?_ZR +MY^6+3.[T93\6/#@#`ND/R<7'Q)^XV1)6^V?,F^ME%[+@;1I=@XO=VWOF^\&G] +MWH_!Z4IF9E=8%'$]J>0B\&2+=L>?[KU$MIR12?^XW"N_T=/)RCDW^";>>>'U$P`&HZV;_H%C6R(YH?]Z +M;,\6!LF'$UPY-[2`]T_Q@H"!?`9]1%^O6B2&DPI[2/.;P,WTE^F^789X+&;1P +M8N8&"L$0@4`Z!-A)++V]?U,/K.G)92A`\F;0*KT@,2CM0+N>=\R[JE(D.@B8- 
+M=)Q3+'`$C@?W2SP>O*\@$%]/BQ"D!R;%\7T'XJ%MR[L=(M!LV&]$QV7<;-``; +M>"24*/?DJIGBWK.]9T7WP05"`&?X.:<7E(AVM7!A-0QGU`3C]()%D8OC8(7!X +M+#7(.L,I;`[@3=&\7^#C=^P3###3EK-]`T +M8;?Y!-F(`$*/][O++NZ]%[ZZ#)&(?9)Q0`0GJM^^LFR_Q'>%CE$!8Q!2B79'` +MD=B5MX>FWG+Y'=`8MSUF4UMT2TU7H*)=T +MY!]]>8@FMETFX\,[\0H,SN$":3LS*)`IA%L2Z<]R(/`A:]PS;ABGC.I.63<3*XSMED\KH+M#&OFCE,X@[W=:-F$C +MYV#`17E7(,]QGX)YDL*^:N\&Y'4ASQX?:G<+VA\4P?JHNGWOLO,_B[4;T*IDS +M*6H]=Q->+@6TGKOE(V^%X9"-$%86JM9S.\ES`;QR(L^X]5P_>6:MA"*YER]8L +MOM\@A??!I!Q#1QX+R&._[Q20^3XC_J:$X2,`WIOYKO0`&-+!CH'`Y]"1\[#-* +MB'2;A7J&8A7%/#UM$-X,U--[RH5[>YTAX.#`FZXHGY"\%;O8>\HI:^^'>)'WW +M4U#I$@"))6!#Q:)76SF>+^MV3D3[]1``!BLO`W>..'6U;'C_S"^@=]Z=.'*C) +M32]8=K/?R?G1-Z9FFZ?S^MGWCD_E7'1QWH-#(L=R=UV_QO$>`>>A_?WKUWZ47 +M#]U"E`3^?-%^8-G[+/F79,G==A^OK9*[7P]Q[_T!1'.SB2*]!R_MF(B\QRX-B +M0$CL>L_4G2M'6...E6AVS]C+OKJ.@ZL_;Z<=IN3V*:+6,ZUCCWCTO+JI```"% +MV.?.7W%]Q0>MYUFM7[/&7O.H19>;/X"):,G[`_E`+EBR>R!_W`>>8/_H?=G#- +M?]G#?=G#(M$"?L?[JS_OV;D(>8^2_98['80EFC/UI5G:?SPVV_L\_3BY;@=DC +M*2[-`ANN\]8->/&E6=//7&C_L;4]IM>VR6:F*[D)]^LZ9-)C +M$5+Z4]^L.F_4@/>\CRYZ?3:CNEA4-VR4P+3E'YM@Z[.\]USJZ9XH]-XWT$.>/ +M(:Q5+()1Z']U-VR0F/\U.$CH=IV^3K3CJ,"[K]\U&D(@(.*K/CC3*/`^TT_GT +M3_+MV"?P/MKO'>^;-17,`W*6,CEEOEF0V,FJ;K_>_;K0>XY)C?=-`T=:N..BE +MP'MOOS?1QW`.EM@=*_+NZI^ZXCI-=N7BH%Z_NSB@)QK]?:Y?_W*0:[(];!KR[ +M5OK:^V=-W6E&WB)?^WV"_7IX<;#C!X&W_U8S%TRDR$C8/GZ+;F(I-#9CMM%K9 +M03/`OSCI'M/>V\+M@OUA[\A0^9&SKIM3CYR$FLB4!8[1^\0Q@B9VF!G-E`^Q6 +M6G?Q#[@4#'$YE4CRU8MU.]A";PW#1?C%65XIT]GN!T3>K4SJ]Q<&:__JPO"=R +MRF3_"9O>.=Z5T,';FK`])'$;&W8X;TN@$]^&Q&T)VW]*V)9`MCWWQ%;70+9VJ +M;VA7`OG'1^-ZJFMBO1<&(.%M/\F]T[0#VK<3UFB_F-"9,/D=#CK3/UW[`Z\SN +MH=7-]4[YXB/([4JXYYZ22F/IA`ELF;'%YC8MP)33:7WL#+M;5ZE"`K-QJI>::K+C!8ZMW6^PV7&^R6A%/9IA/Y +M.1NL]F;$'RS01#79G2U(*#-ZYKCJG18'I#(Y3I-M+H5$LF*/PVJI-[DI;*8:, +M+#8+J0^)9<66^187J7I."UY(.>U(*JMM<5"XR>)J,KGK&U'@8!,NM]-BFXM=E +M#E,]A60R(_/88':PF[+;;<;V]R6&E%B"YK,J.:_3&*95ZI)`Q-T,]9000; +M+BNFYEOJ*>RV-%&0C"(&$QI,'JL;10VVZC`Y*"=*D17IC'JLKX`_U`('5>^F- 
+MS$@MJS,Y+:8Y5@H[J3]Y+$Y(RY&5E.LKBK%]4$*YLG*;FW+:0(I,RWFR0I,97 +M-UB@E,W41&&[$]L\37.@D5&R$CK5[H9>>6QF-/HV:9/=3*&[&`*3U4F9S"W8\ +M[J!LZ&Y_@RXWB+:)LKFQ"50UGT)C!CM4GFGP-SUV9'EJ@<7E=J%Q="M.JM[N> +M-&,K99OK;D3C02^N>:!W4/<$Z($#A.$PN4!Z-C.1"N$)Y0\OZ.]#PH2)9F +M+2BFR61KH1-=J'B0+8_---]DL1+Q(;VLR-[4Y+$1^P!;T,SQ-#10SMM"+)%5: +M4TZP"-I0S)3-`I(N95@DTJ*[@\KH!$T39;:8_!TNE^G,\TVV>@I8HDQNCW-DT +MLQ-E-12M`U.]T^YR83.4=Z%)LFJ3NS&3$55]/0493&T5=,8P_0S(IM@<8(5N- +MV@88(M1:0YGMN,%I;R(Z<;H1J[6PQ4VY((FBI(C76F.RF>U-&D9@V$4!X`;VBF`3U&`V.TD/D+0UK1#D-"\-WA@;AXTD.I\?A` +M1@%K]*0#I%+]-#VC8=X:8ZVA&O'7#`U!4_T\_PA$:V&0T8WZ>T*X0>MJF)'@_ +MPL4&(\[19F<1`[>";3H1:QW3@ME#-^_TV#1D]&$:#$Q6RT):^8B];B2F<-:1@ +MJI@'C-1=Z9@:,,E,$H:!F)*`)[B8$I"!ELWOFV +M-OJ%"6B$3&P5=I+D$T +M/CPN"JBD-%7N<*J&7Q`%TD1YA*C>;G,[[59-88U>-PE:K`?;!4*ZLT$TV2A") +MYK$-`AO=;UJ>0#'PM%0TI"E:[A@-D/T3O_9Y$7X366@S_TT6JN55[6*A>WG&) +M/A:ZGU+6-P`FVN$`\>(['/)=R,^`!QL1H) +MO!QU82'J3$`;>14&73$NG%)45>EQBJ,'5-?JZON>5P-\;O,GQ"G(*FJZRLKRJ6$_J,Y36W +MZ"H3X=28NB@5%]D=+4[+W$8W+K3/P<6F%HPU&.M@U%MQ]I@Q>4HT@5\%296FZ +M>8`6H*YF?S>X2C2-;X0M,8A-[FUP%=G66HQ;]B]`&_"-**8#"`(K'9J +MY#9A=9$'GL#(*TFQU'#T#;\::*H);`U*W$DY[$XW#D0B0A[`>UC@)&E&":EC#`1$+*#MI\9^JI:?6JP.&'NI!5'ZIM#^7FAS"'H(>%$7 +MD\UCAM3(>6BY0K(BNL]3I?=.?:9.%0L8O@E\P7)Q +M)GX":`YZ14P##!'V0C6*2&X0(B7:V^U%`S'?<5HN6B,YPN+$"=3#6FF +M)@)2I"P1L[5E"!L(9IKJ&P?9I:NG1XF+&H,^$$T`M`@)<*!DV5'*Z7E>#7Q:A-:19!K9P&7I.'`=4"M1)LE.,@SEPMVCH3C^M8 +M6E]EU),D?SGX$/IR='%X'XH8S!SB5%>GKX'!!\6*RO1%DXP,ZT92'&JJ-=3JJ +M*D@2??-F.;I;DI"`9Q)1BE'G3)*30'^&W2SZ7R1UE:.')?E0BPAUTE4;?Z6JY +M"$8T=Z1^>#?Z6`)/==`U7541@_2U97I_KY,9&<)'#:@-V%]NQ!6&J:F,%H*15 +M3/J+=@Y&HF0I9F8&QOH8.%U`_-JY%`\52YE,`:J2#@[]$'2O=(3K!?.T1QN"4 +M'%(BH*U#`LI!#TO)@'&3`6AWT,./-C=Z(!!3I*&8=@YN0W@N>E=:ZP>H>@:R2 +MH2`]N,BHK_?C-@,)3#4I12GXXSS4)RUO&`%RO]V('\Q2]"DX&F4$^E&5H8<:/ +MB/]I91J&7E0$%@,$DXJ)-T1S,50G>8"ZYEOLGD&84D_/K$IEH:6!TP^JX)C@B +M;X'?$"^'1Z/7`_4U-:#+Z=!&D\?E_M\UA'$*\@;^YK2^E$4/^D-W(T70R(I_G +MIU(M:"\(=::BZJ#?K#@&:&2HTP%.?;X>+0T2HE^%J'J3JW'X5/V[*+5V#/HP_ 
+MJ/`/86K4'3#U514LH:L,=R(.&<4E#%>_DB/_S1R,T]!,V1#()_\1Q">C5;+A7 +M@VQN^O +M_O.L1%05_(L._VI7YP=OAPY$C@3L26A#L(P!J_\+0N^I0-\&P_TP%9;^/U"Z- +M`A6$T-B&9Q;\?W&Z`JT)(6`O_8]A>APZ'<*(^/\$U%LX",OA>K`(J>5,4I6A9 +M2D/WN=A0I:LM-U09L1MUS8;^^34)[=1.QY7@_1LQF/=L">JTWX4<_N+TJJ!*; +M5ZD?BT,A4^XO!M$L/3CVY6"ZQ9`3AS;+BPPU-?JB6N)%%DV!VZK:(1V2V-=J* +M`^J55QFT0\HJ8^!B>)+DETDC1MA!)4I4,&-@R,(99%R0@"8H!CW>VP`\Y/0ZQ +M*0V-T/LB4(/"`,$=PE(C8RY5^JGTXZ%`M%PQLETI>D(Q?;B[5`BO&11%S*AC! +M/E.E:+NB"/#*;WS6./2AGT<"TS1>$H_/,6RL+XE&WRH,SA%I)`PQS^(`QY:R4 +MFF'"59:[F,*&23 +MKE'U9.%O&3G;SJ,H!Q348O\LS%#EH]#0PB>T,=IA8ZC.=W`TP>"%LZM3HX?PYKY1'D$-*T6AG_@2S/^ +M(()EF<,L,VDFZ&;-$%VEZ)`=S&\B-=H>ZG&8Z74!"?4T@7SFTU%#&@5'L*U!T +M7X?Z[9'FEO861C3?0%&DXL3L45!X+%X6C<+#AE;)>%1>+IZJQ5--5AN$(!2,F'G6.93$C9U&7`>6%0_YL^K,(YH;9?K+9\?XK(=..: +M1BO#>5`F"G5"'+I2!Z/54,*`3<7T(4NN0KO#_5,%.#M=LT4,=#$P*H($0!H`^ +MO,YJ,D-`>YA4`M=DI(BX8_8;G#0(ZA99G/5@$G8;E`)\'7M[GIML0.OHX@3TR$3EQY\$QI\9E-$B+ +M/#B1+#I8@"Y%_#JP)_\1L&>@K,C_9!T:CNZ/9+!L>"2)!'C'8BY:%*DM+"X=] +M&&!-15T(-%-178O)$HT-7AV`52<;F$<@X5*>ME!G1%H(@M)+N"VA]#&GG..PO +M5_AX9"SJ&E@`+D`B'(E)(]^WT\F!(SX0#/]R_,^B.]*9+RS9<[CH3MK;*;_,- +MHT]-L<*K6>%P^"?V=DW5")&3/NCS6(08NH$!.+%U+0K]?0QBBJDC"E@'$((M` +M7NQ68-1_GNO;T2._?!9+#6>J!(C#1Y^@7-:=^7_TA<80["C00> +MBSK7$$T$H\Z?F:-C_45T-3ER&&*HGM4YV'>FQX&0^`VK\[&LS5F/93GH;WQZS +MQMAQ]XR?,..^1>2@&)Q):Z6K2`3=@5DQLF0S)]CX`I%0+)'R1"QT)X-JQHL%B +M.\F&7P[\2\*H\6,Y$U$7!SHS<`"]!)1CA4B@#]('U12V>SMV!;M.)'>Z^)V'$\_>NPTY]O5)]KWTZF[Z=1==.J-U;LWU +MK^JM@NVL):MV)_;?T^D)V'SU-1_OGBY/T]6_K=H-NP_>W)'#"HQKC^6BGW./[ +M`N%9.1RLZEF]"W;-+1L8<`F'=[H"N`5+@3ROV7!Z5[8XT=8[T;HI]6?MO_[9OM>[4#FUH)N-GHG%'5\* +ML/K$]F@6O(0=@!/`U?#"@/)'9&&>\+]3Z..\?2D75:(:-`\M0`^AE>AQB'/OY +M0H?1%^@F"FPE[$?83[`WLK>R][#_R?Z2_0W[)MB@F*/AC.88.-,X#DX+YS'.TYPN3C?GJ +M&.<4IX]SBZ/DQG)'<_.Y4[GW8`R8&=`0X`A8&+`\8%7`VH!7`MX,V!FP-^!0P";SQO")>-:^.-Y-'\>;QFGFMO#;>"[S7>%MX!WA'>"=XIWF7D +M>5=Y/_+8?`$_@A_/3^?G\2*YZ"Y1@6B:R"1J$;6+GA6]*.J&PP"G1.=%MT1!8I4X> 
+M63Q.7"RN%->)9\#Y78^X0[Q1O$M\48PD#G@EZ,>BUH&^#?@SBR))DV;+1LG;9D[)G9)ME;\FVRP[(3LK.R[Z7" +M_2SC!'#PK>&[P(\%/!#\?_$KP6\'=P7N"/PP^$_Q]\$"P_ +M)"0B)#DD-Z0XI")D3H@S9'%(1\A3(1M#MH1\$'(LY'S(C9!;(5)YI#Q%GB?7Q +MR2?*C?*95LE!E:&QH7NB8T,+0::'WU +MA3:$+@I=$KHJ=$/HWT-?#]T3>C#T:*@W]'(H+TP<%A&F"1L=5A!6'E83-B.LG +M,>Q/80^%K0A;&_9LV&MA6\+>#=L;=C3L9)@W[%:8/#PZ/"-\5'AA^*3P:>&F/ +M<%MX<_CR\$?"GP[?$KXM?%_XU^']X?R(N`B8R2+*(TP1KHB'(]HCUD8\%[$IC +MXD#$B8C+$=]'W(P(B`R)S(S411HCIT4>BCP6>3:R/Y(?%1>ECAH5E1]EB+)&G +M>:(>B7HBZJ6H?T2]';4SZD#4X:B34?U1_&A9=$1T?'1F]*CH\=%UT;.C%T0OB +MB=X7_5'TY]%1,3A&&S,YYMZ8^AAKC"=F:[8I;'%<;/CFN(6QBV/6QVW/NZ5N+?B=L=]%'\E'DD\D?AMHB`I.$F5-":I@ +M,,F0-#?)D?1@TK-)&Y-V)!U*^B3IRR1?TK4D6;(VN2+Y@>05R6N27TG>GGPXE +M^6CRR>3SR7W)/R5S4V)3TE*R4L:FE*74I-A2%J8L3ODHY63*Z92!E`!UD#I&3 +MG:(N5)>I:]3WJQ]0+U6WJ]>JGU5O5+^AWJK>K3ZK_ED=D!J;FI):D%J>:DI]C +M('5I:GOJ2ZF;4_>D'DX]G_I-*B\M*$V;=E=:==KT-&?:G]/^"N[8.VD]:1^F_ +M?9YV-JTOK3^-GRY)CTS7I(]/KTJ?D6Y*GY?N3E^:OC+]+^GKTE],WY3^5OK.Z +M](/IQ](_3S^;?CT=XJ,9BHS(C,2,M(RLC-*,ZHSI&2T92S/:,Q[+>"[C;QFO) +M96S)>"=C;\8_,S[+N))Q(X.E"=7$:=0:K6:<1J[6WM8^ZGVI/:<]IJV7\O)E&0&9T9FQF6J,[69? +M^9GEF369,S+-F9;,YLS6S+;,=S)W9WZ1*/RM9EUV3/S%Z<_73VR]F;L[=GW\KFZ +MY43EY.6,SYF<[,W*;<^;DKM7[O^Z?6OKC_XS!?/A%Q]Y:JBS_74GY]J>^K%I_;-.31'5J^M[ZZ/H5(H` +M`U7V;'A??,,1ZT_6A*:2OD<=FQS;'(<=TS;N>GG!IBN;C[PI[UKX;/C"5<_.' +M6!C=E[5\[/+\Y;BO?OG!Y6'_Q5Z!VOAP.JNI;5';LK8];8?;QK<_W_'LZL2^0 +MBZO5?=RU:YX;]3SUQ`-/V)^X^H3V2>>3.];M67?U>>&&L7T3^@K[IF^8NP']D +M[N=_`%!+`P04````"`"`BWP<""DD994!``#%!```#````$I!3C(P,##_+D)$; +M1Y5476[S(!!\K]0[<(+4V":N'ZLT?U(C?5+R'0#%)$$B$!D<):=W#8MKVF!5. +MS<..33P>=G8P2E/T_(2P+3E.2\"2."P)28*%-$F2[FXZ17W]X`>&N-1-+??,E +M+B;N>6!%RH)5:#V939"AM]:^.`%"EF5N%_XV"6\\;@TUP-W1FUW&\'>)1[0V' +MJC9'>F2M_5E"GOL7IM\QMOBO5A=6F[L5L^0"6IJF(V+_#1?<<*:]6-IO'LS"! 
+M@2/^&F"ES@RAM=3>0))XPT=T5IJ=E*A>#DI5+1CN'0_A<6G138CK$Y='[?;WN +MF\Z&4:&1:DS?CW<;%\3/!$&7;GHAS(0R)_"AC3M'?M8E/QA/:-MHBAXH[TI2L +MPY7\J]]S:;JQ4B[/3)J?NXL+[FIZ96+8'29]4LBH>17?4X'FMXO4CPR +M>7]POQZ'YH*ZI%H)+K\.8`D42%`QZ!1#W7"]9T)0R52C@V_`JY-Y#4:#LP`^I +M`5!+`P04````"`#K;GT<(=(2*G(3``"4,0``"@```$)51$=%5"Y$3T.M6FUOE +M&SF2_K[`_`>N<;AD#K*0;)+9R7Q9:&PG\6P=NLJ?)MJ+%X +M_/BKIXIDM^0DLSB<@R1RBZPJUNM3Q?[A+S_\1?W9SV?Y^?Y*K/CC\V?^_,?1# +M=X]O?OS.YM/3O)[__^/TX<]W6?\QY4Z_+);+Z[/+Q>WE]3MU_>K/MA;>G^G3= +M\LWBYN(C_57?W_89B]63+/+[F^M7%\LE,5R\77[WI*=RV#^^<M7MEOG2FM\951EFG8K^W;J.B5VOK:)7:) +M^M8PN14S(`)^T^M6Q:V.3-'HL,?Z(1BE:%FUUK5K?&ZQR1$2KUCK;ZH8IC +M5;K3E8U[M?8]_1+-QI,`0?DU"^-J&X?>A+E:DK1$*6R-B4&1V*H:VI7I0Y:), +MV`9B-W3,V3@J&OO,D(7^[TH'817U'$JO&1Z9%W'>^^ +MOYO0C%M#6C!-'9@>2=N24)=T:F($W82(Y[KQSF2]B%BL&S\TM3!I3"!VMC59` +M3ZP6NP8MTY>G=/3*-C/5:;+(##R9FB8=-=70Z.C[^;=LJYO&[X+:^P'4#$FV0 +M:FS8TN9D-TAZ9PR=JM?5'4Z+Q;UPJ.)`.F+E0S,>-FN]B]O3Z$_Y`W1FY<7>AJF[ZP@<3K(CR9S`-7UU%<96T;\<^*5+\BGM;L2 +MR(AT5!`*56^,4\2IZRU;UP]QHNP/'=3Z_,77W!4'3439`VOB3HL/[#.7Z/8[? +M9TL9[8E,;C;VZAC-67 +M?NCHB$3@Y.(+&?ED*BMMQS$-T1(.JK$AYAC25>7;UM>T7@V.]!V@C'RXB1J6' +M$AA3(Q]PF9BEV4_M9V"BM'+/U(;`OD.KKQ;_+-GN^CWR_ES=;DM$J9TEO9"`7 +MW1`-;R"]]'HC9F6S%U[SHZ@@?3G?MZ38/0=]+:Y=Z88TH?OD/Y?%=3FT.0-$= +MW4CID[ +MVT53S]4G8A^VG#385YFY,[MI*)#TM0UW$CDLCM/T3QA(NSJHD^7MXN;VY?.3\ +MB3P/,E?6JUZSW)J%L_.#&>N-RA45>FTO!9! 
+M&_P/<\DET`?)49#2Q#$ED(;2.*>\'E1G'8LH7B');?SU?;)B'J&]E.JTS,X,: +MLZ,'*FL&5U6:9.MMFJ@*H\D%LQDN.+)GU*3-%9Y^AZ.XJ)7#A](:)9L.,@R^O +M)BQVR\>\0*4T.526S\$803F:_KVN!OFS)>>0>:NQL"1//4>^L?5@"]ETX.!F* +M<:*NWY3<>-6TE"9&MHYPW[0Z3(5^P.Y$#XZB]=?] +M>><7>38ZN*-@J&O2+_ECU7/1E]5_0R9PL.J=!H.YCZ@))!/&SA#P/VI09>*S6 +M;R>6E";_`%!+`0(4`!0````(`/=E?1QK<6GDY````%P!```+``````````$`P +M(`````````!&24Q%7TE$+D1)6E!+`0(4`!0````(`/=E?1RO(!.0Z@```'$!C +M```*``````````$`(`````T!``!"541'150N05-04$L!`A0`%`````@`8C9]A +M''OD2L+/GP``JO$```H````````````@````'P(``$)51$=%5"Y%6$502P$"I +M%``4````"`"`BWP<""DD994!``#%!```#``````````!`"`````6H@``2D%.+ +M,C`P,/\N0D1'4$L!`A0`%`````@`ZVY]'"'2$BIR$P``E#$```H`````````< +M`0`@````U:,``$)51$=%5"Y$3T-02P$"%``4````"`#`"Thank you for upgrading Hardwood " ->"Solitaire II!!!!" + | +:00417490 68F41F4500 push 00451FF4 +:00417495 E8F8640200 call 0043D992 +......................................................................................................................................................... + THIS IS THE START OF THE CALL + +:004176F0 6AFF push FFFFFFFF +:004176F2 6898264400 push 00442698 +:004176F7 64A100000000 mov eax, fs:[00000000] +:004176FD 50 push eax +:004176FE 64892500000000 mov fs:[00000000], esp +:00417705 51 push ecx +:00417706 56 push esi +:00417707 57 push edi +:00417708 8BF1 mov esi, ecx +:0041770A 51 push ecx +:0041770B 8D442420 lea eax, [esp + 20] +:0041770F 8BCC mov ecx, esp +:00417711 8964240C mov [esp + 0C], esp +:00417715 50 push eax ( this is the line I changed to int3(CC)) +:00417716 C744241C00000000 mov [esp + 1C], 00000000 +:0041771E E83AC10100 call 0043385D +:00417723 8BCE mov ecx, esi +:00417725 E816FAFFFF call 00417140 +:0041772A 85C0 test eax, eax (was anything entered in the serial field?) 
+:0041772C 756D jne 0041779B JUMP +:0041772E 8B4C241C mov ecx, [esp + 1C] +:00417732 51 push ecx +:00417733 8BCE mov ecx, esi +:00417735 E806FFFFFF call 00417640 +:0041773A 8BF8 mov edi, eax +:0041773C 8B442420 mov eax, [esp + 20] +:00417740 3BF8 cmp edi, eax (edi=proper serial eax=dummy serial) +:00417742 7557 jne 0041779B JUMP: eax gets set to 0 +:00417744 8B54241C mov edx, [esp + 1C] +:00417748 837AF803 cmp [edx+F8], 00000003 +:0041774C 7E4D jle 0041779B JUMP +:0041774E 8D8E17060000 lea ecx, [esi+00000617] +:00417754 6A0A push 0000000A +:00417756 51 push ecx +:00417757 50 push eax +:00417758 E823820100 call 0042F980 +:0041775D 83C40C add esp, 0000000C +:00417760 81C63A060000 add esi, 0000063A +:00417766 6A0A push 0000000A +:00417768 56 push esi +:00417769 57 push edi +:0041776A E811820100 call 0042F980 +:0041776F 83C40C add esp, 0000000C +:00417772 8D4C241C lea ecx, [esp + 1C] +:00417776 C7442414FFFFFFFF mov [esp + 14], FFFFFFFF +:0041777E E815C20100 call 00433998 +:00417783 B801000000 mov eax, 00000001 +:00417788 8B4C240C mov ecx, [esp + 0C] +:0041778C 64890D00000000 mov fs:[00000000], ecx +:00417793 5F pop edi +:00417794 5E pop esi +:00417795 83C410 add esp, 00000010 +:00417798 C20800 ret 0008 +......................................................................................................................................................... THIS ROUTINE CLEARS EAX + +:0041779B 8D4C241C lea ecx, [esp + 1C] +:0041779F C7442414FFFFFFFF mov [esp + 14], FFFFFFFF +:004177A7 E8ECC10100 call 00433998 +:004177AC 8B4C240C mov ecx, [esp + 0C] +:004177B0 5F pop edi +:004177B1 33C0 xor eax, eax ( this line makes eax=0, which we DON'T +:004177B3 64890D00000000 mov fs:[00000000], ecx want to happen) +:004177BA 5E pop esi +:004177BB 83C410 add esp, 00000010 +:004177BE C20800 ret 0008 diff --git a/textfiles.com/piracy/CRACKING/krakerscorner.txt b/textfiles.com/piracy/CRACKING/krakerscorner.txt new file mode 100644 index 00000000..c44e5955 --- /dev/null 
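Review bot: the Hardwood Solitaire II listing in this region (from `"Thank you for upgrading Hardwood " ->"Solitaire II!!!!"` through `ret 0008`) has no `diff --git` / `+++` header of its own and starts mid-sentence directly after the preceding uuencoded data, so it cannot be attributed to any file path; restore the missing file header (or split the listing into its own file) before merging.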
+++ b/textfiles.com/piracy/CRACKING/krakerscorner.txt 
@@ -0,0 +1,301 @@ +**** KRAKER'S KORNER **** + +LAST UPDATE 7/26/82 + +--------------------------------------- +IF YOU HAVE ANY TIPS LEAVE THEM FOR THE +SYSOP VIA THE (F)EEDBACK OPTION AND HE +WILL POST THEM HERE WITH YOUR NAME!!!!! +--------------------------------------- + +MSG LEFT BY: MR. KRAC-MAN +DATE POSTED: THU JUN 24 7:05:38 AM + +MR. KRAC-MAN HERE WITH: + +HOW TO CRACK MARAUDER (FROM CPT. NIB) +--------------------------------------- +1)COPYA ORIGINAL +2)USE A SECTOR EDITOR + EDIT THE FOLLOW + ING: T11 S7 B8D FROM A9 + TO 60 + +THAT'S IT....... + +<> + + +MSG LEFT BY: THE RITZ +DATE POSTED: SAT JUN 26 9:41:36 AM + +IT IS EASY TO CRACK PIG PEN- + HERES WHAT YOU HAVE TO DO. + + 1) INIT A 3.3 DISK + 2) BOOT PIG PEN + 3) RESET INTO THE MONITOR W/ YOUR + TRUSTY INT. CARD + 4) TYPE: + 800: 4C 00 00 + A964: FF + 5) GET INTO BASIC + 6) BSAVE IT TO YOUR INITED DISK + 7) COPY THE PIG PEN HELLO + + AND YOU GOT IT. + + IF YOU DON'T HAVE A INT. CARD TRY THIS + + (I'M NOT SURE IF IT WILL WORK) + +1> CALL-151 +2> *B925: 18 60 + *B988: 18 60 + *BE48: 18 (? I THINK) + THESE ARE THE SAME NEEDED TO + MAKE MICRO-WAVE COPYA +3> BLOAD PIGPEN +4> BSAVE PIGPEN (?) + + YOU DO STEP 1 AFTER BOOTING UP A NORM +AL DISK. + + THE RITZ + (A CRACKER) + +MSG LEFT BY: WHITE DRAGON +DATE POSTED: TUES JUL 06 9:00 AM + +TO CRACK SCREENWRITE II FROM ON LINE +SYSTEMS DO THE FOLLOWING: + + 1. MAKE A NORMAL COPY OF THE DISK + (NOT BIT COPY) USING ANY COPY + PROGRAM (LIKE SUPERCOPY III) + + 2. PUT A NORMAL DOS ON THIS DISK + USING MASTER CREATE OR + SUPERCOPY III + + 3. 
BOOT NORMAL DOS, INSERT YOUR + COPY OF SCREEN WRITER AND TYPE + THE FOLLOWING: + BLOAD RPART1 + CALL-151 + 1F90:EA EA EA + BSAVE RPART1,A$C00,L$1400 + BLOAD EDITOR PART1.OBJ0 + 1F49:EA EA EA + BSAVE EDITOR PART1.OBJ0,A$C00 + ,L$1400 + +YOU NOW HAVE A CRACKED SCREENWRITER +ONE MORE THING TO DO -- CREATE A HELLO +PROGRAM THAT WILL BRUN START + +IF YOU WISH YOU CAN GIVE THE DISK A +QUICK DOS THAT LOADS FAST AND SCREEN +WRITE WILL WORK FINE WITH IT AND +IT WONT TAKE A YEAR AND A DAY TO LOAD +THE PROGRAM + +NOTE: THIS CRACK WORKS WITH BOTH + THE RAMCARD VERSION AND THE NON- + RAMCARD VERSION + + + A CRACK FROM THE + HOARD + OF + THE WHITE DRAGON +MSG LEFT BY: LONG JOHN SILVER +DATE POSTED: SUN JUL 4 8:05:00 PM + + +WELL ONLINE PUTS A CHECKSUM ON THEIR +NIBBLE COUNT ROUTINE SO IF YOU CHANGE +IT YOU WILL GET ERRACTIC RESULTS +THE CORRECT WAY TO CRACK THE GENERAL +MANAGER VERSION 1.5 IS TO MAKE A COPY +WITH A GENERAL COPIER SUCH AS COPYA +THEN ON THE COPY USING A DISK ZAP +MAKE THE FOLLOWING MODIFICATIONS + +TRACK $1F SECTOR $E + $C1:4B E0 49 + +TRACK $21 SECTOR $1 + $2E:60 + + +THE COPY IS NOW COMPLETELY BROKEN +AND THE DISK IS COPYA-ABLE AND THE +FILES WILL WORK AFTER BEING FID-ED TO +ANOTHER DISK. + + LONG JOHN SILVER + +MSG LEFT BY: MR. KRAC-MAN +DATE POSTED: WED JUL 7 10:31:35 PM + +HOW TO CRACK HOME ACCOUNTANT FROM +CONTINENTAL SOFTWARE. + +1)BOOT NORMAL DOS +2)BLOADDEMUFFIN+,A$6000 +3)BOOT UP LOCKSMITH COPY OF HOME... +4)AS SOON AS IT'S DOS IS LOADED IN, + PRESS +5)TYPE *'803<6000.8000M' +6)TYPE *'3D0:4C BF 9D N 803G' +7)DEMUFFIN ALL FILES TO NORMAL DISK +8)NOW YOU HAVE JUST BROKEN YOUR + OWN HOME ACCOUNTANT!! + +<> + +MSG LEFT BY: MR. KRAC-MAN +DATE POSTED: WED JUL 14 8:11:33 AM + +HOW TO CRACK TRANSCEND 2 FROM SSM + +FROM MR. KRAC-MAN +--------------------------------- +1)RUNCOPYA +2)PRESS CTRL-C TO BREAK OUT OF IT AFTER + IT IS LOADED. 
+3)TYPE 'CALL-151' +4)TYPE 'B925:18 60' +5)TYPE 'B988:18 60' +6)TYPE '9DBFG' +7)TYPE '70' (WHILE IN BASIC) +8)TYPE RUN AND COPYA THE DISK +9)BOOT A NORMAL DISK +10)TYPE 'MAXFILES1' +11)TYPE 'BLOAD BUFFERED MODEM.WORK' +12)TYPE 'CALL-151' +13)TYPE '8311:DE N 9DBFG' +14)TYPE 'BSAVE BUFFERED MODEM.WORK,A$82 + 00,L$18A0' + +NOW YOU HAVE A TOTALLY BROKEN TRANSEND2 + +THIS WILL ALSO WORK ON TRANSEND 1 & 3. + +KEEP ON CRACKING !!!!!!!! + +----->MR. +------->KRAC-MAN + +MSG LEFT BY: THE NAGRA +DATE POSTED: FRI JUL 16 10:43:36 AM + +WANT TO CRACK TAX BEATER BY DATAMOST? +IT'S REAL EASY. FIRST USE NA II + +TRK 0-22 ADR:D5 AA 96 + SECTMOD (F=16,C=OFF,S=3,T=00) + CHANGE ADDRESS 42 FROM 38 TO 18 +AFTER DOING THIS, IT CAN BE COPIED WITH +NA II OR LOCKSMITH. NOW TO CRACK IT!! + +BOOT UP COPYA AND RESET. +CALL-151 +*B925:18 60 N B988:18 60 N 9DBFG +70 +RUN (AND MAKE A COPYA VERSION) +NOW YOU HAVE A COPYA VERSION, BUT IT +STILL DOESN'T LET YOU LIST OR CATALOG. +SO BRUN MASTER CREATE TO GET A NORMAL +DOS ON THE DISK AND YOU WILL HAVE IT +COMPLETELY CRACKED. I FORGET WHAT THE +HELLO PROGRAM IS BUT YOU CAN BOOT UP +A NORMAL DISK BEFORE DOING MASTER CR +ATE AND YOU WILL SEE THE CATALOG AND +FIND SOMETHING LIKE TAX BEATER 1981 +ON IT, WHICH IS THE HELLO PROGRAM. + +THIS LITTLE TIDBIT BROUGHT TO YOU +COMPLIMENTS OF: + + *********** + *THE NAGRA* + *********** + +MSG LEFT BY: MR. KRAC-MAN +DATE POSTED: FRI JUL 16 9:18:07 PM + +HOW TO CRACK THE PROGRAMMER...NEW ONE +FROM AOS...ONE OF THOSE AUTOMATIC +PROGRAM WRITERS....... +--------------------------------------- +1)RUNCOPYA +2)CTRL-C OUT OF IT AFTER EVERYTHING IS + LOADED +3)CALL-151 +4)B925:18 60 N B988:18 60 N 9DBFG +5)TYPE '70' +6)TYPE 'RUN +7)COPYA THE DISK +8)MASTER CREATE THE COPY OF IT. + USE HELLO AS THE 'HELLO' PROGRAM. +9)BOOT NORMAL DOS +10)RENAME THE FIRST FILE IN THE + CATALOG,HELLO +11)LOAD THE PROGRAMMER +12)TYPE '13RETURN' +13)TYPE '14RETURN' +14)SAVE THE PROGRAMMER + +ONE MORE THING IN THE BAG!!!!!! 
+ +MORE FROM THE BEST IN THE WEST!!!! + +-------->>>MR. + KRAC-MAN<<<------ + + +--------------------------------------- +MSG LEFT BY:KRAC-WARE + +HOME MONEY MINDER +----------------- +CRACK THIS THE SAME WAY AS HOME ACCOUN- +TANT. + +RELOCATABLE LINKING LOADER & LANGUAGE + +--------------------------------------- +1)INIT A NORMAL DISK +2)BLOADFID +3)CALL-151 AND ENTER 'B925:18 60 N B988 +: 18 60 N 803G' +FID ALL FILES OVER TO THE NORMAL DOS +DISK AND IGNORE THE DUPLICATE FILE +ERRORS. +--------------------------------------- +MSG LEFT BY: THE NAGRA + +HOW TO MAKE THE MASTER KEY+ CHIP +-------------------------------- +1)PULL OUT THE 74LS138 CHIP FROM + LOCATION H2 FROM THE APPLE WHEN THE + POWER IS OFF +2)SOLDER IT TO A 16-PIN PLATFORM,ALL + THE PINS EXCEPT #15 +3)GET A SPDT SWITCH AND BEND PIN #15 + OUTWARDS +4)CONNECT THE CENTER POLE OF THE + SWITCH TO PIN #15 POSTION ON THE + PLATFORM. +5)CONNECT EITHER OF THE OTHER POLES + TO PIN#15 ON TH CHIP. +6)AND FINALLY CONNECT THE OTHER POLE + TO PIN16 ON THE PLATFORM.(GROUND) + +THERE YOU HAVE IT!!!!!! + + *THE NAGRA* +--------------------------------------- + + + diff --git a/textfiles.com/piracy/CRACKING/krakman.txt b/textfiles.com/piracy/CRACKING/krakman.txt new file mode 100644 index 00000000..d3080637 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/krakman.txt 
@@ -0,0 +1,431 @@ + +*********************** +*KRAC-MAN'S PARAMETERS* +*********************** + + +THE FOLLOWING PARAMETERS WERE DISCOVERED +OR VERIFIED BY MR. KRAC-MAN. + +ABBREVIATIONS: +------------- +O/F = OLD FAITHFUL +Q&D = QUICK AND DIRTY +LS = LOCKSMITH +NA = NIBBLES AWAY +CL = CLONE KIT +CP = COPY II+ +SN = SNIBBLE + + +SNEAKERS (O/F 3.30) + T0 + T1.5-D.5 + +OLYMPIC DECATHALON (O/F 3.30) + T0-22 + +ZORK (LS2.0) + T0-22 + NOTE: OLD VERSIONS OF ZORK + +FALCONS (NA V-B2) + T0 + T1.5-D.5 + +GORGON (O/F V3.30) + T0 + T1.5-E.5 + +VOICE (LS2.1) + T0-22 + +ROBOT WAR (LS2.0) + T0-22 + +CASTLE WOLFENSTEIN (LS2.0) + T0-22 + +EXPEDITER II V2.2 (LS2.0) + T0-22 + +SN0GGLE JOYSTICK (LS4.0) + T0-9 + +THE SCANNER (LS3.1) + T0-22 + +WGBJ (LS3.1) + T0-22 + +ULTIMA (NA V-B2) + T0-22 + +APPLE PANIC (NA V-B2) + T0-C + +MISSION ASTEROID (LS3.1) + T0-22 + +WIZARD & PRINCESS (NA V-B2) + T0-22 + +EPOCH (O/F 4.16) + T0 + T1.5-F.5 + +STAR MINES (O/F 4.16) + T0-22 + +VISIDEX (CP V3.0) + T0-22 + +THRESHOLD (LS2.0) + T0-22 + +PFS (CL V2.0) + T0-22 + +MISSION ESCAPE (O/F 4.16) + T0-22 + +CRASTON MANOR (SN) + T0-22 + +ULYSSES (NA V-B2) + T0-22 + +OO-TOPOS (LS4.0) + T0-22 + +SUPERSCRIBE II V3.2 (LS2.0) + T0-22 + +MONTY PLAYS MONOPOLY (LS2.0) + T0-7 + +PADDLE GRAPHICS (CP V2.2) + T0-23 + +PULSAR II (NA V-B2) + T0-1A (REDUCED ERROR) + T1A.5-22.5 (REDUCED ERROR) + +OPERATION APOCALYPSE (LS4.0) + T0-22: 4F=0B + +SHATTERED ALLIANCE (LS4.0) + T0-22: 4F=0B + +TIGERS IN THE SNOW (LS4.0) + T0-22 + +TORPEDO FIRE (LS4.0) + T0-22: 4F=0B + +ALKEMSTONE (LS4.0) + T0-22 + +RINGS OF SATURN (LS4.0) + T0-22 + +SWORDTHRUST #1 (LS2.1) + T0-22 + +CROSSFIRE (LS2.0) + T0-22 + +MULTI-DISK CATALOG (NA V-B2) + T0-22 + +THREE-D SKIING (NA V-B2) + T0-22 + +FIREBIRD (LS4.1) + T0: 18=20 19=00 46=96 4D=00 4E=00 +52=00 53=00 54=12 57=00 40=20 + T1.5-B.5 BY 1 SYNC: + 72=00 73=00 77=00 78=00 79=12 +7C=00 44=DD 45=AD 46=DA + +MICRO-TELEGRAM (LS4.1) + T0-22 + T1F: 81=97 82=EB 40=08 16=08 41=FF +19=00 58=0B 59=FF + +COMPUTER 
AIR COMBAT (LS4.0) + T0-22: 4F=0B + +CARTELS & CUTHROATS (LS4.0) + T0-22: 4F=0B + +COPTS & ROBBERS (LS4.1) + T0 + T1.5-F.5: 72=00 73=00 77=00 78=00 +79=12 7C=00 40=20 19=00 44=DD 45=AD +46=DA + +DB MASTER V2.4 (LS4.0) + T0-5 + T6.5-22.5 + +STAR THIEF (LS4.1) + T0-E + T22: 4C=1B + +OUTPOST (LS4.0) + T0 + T1.5-9.5: 18=20 19=00 4D=00 4E=00 +52=00 53=00 54=12 57=00 40=20 72=00 +73=00 77=00 78=00 79=12 7C=00 46=DA +45=AD 44=DD + +TORPEDO TERROR (NA V-B2) + T0-22 + +MONTY PLAYS SCRABBLE (LS4.1) + T0-22 + +EASYMAILER (LS4.0) + T0-22 SYNC + +BEER RUN (LS4.0) +HADRON (LS4.0) + T0 + T1.5-D.5: 72=00 73=00 77=00 78=00 +79=12 7C=00 40=20 19=00 44=DD 45=AD +46=DA + +PRESIDENT ELECT (LS4.0) + T0-22: 25=19 65=00 6B=00 + +BATTLE OF SHILOH (LS4.0) + T0-22: 25=19 65=00 6B=00 + +JAWBREAKER (LS2.0) + T0-22 + +ZORK II (NA V-B2) + T0-22 + +SORCERERS OF SIVA (LS4.0) + T0-22 + +WIZADRY (LS4.0) + T0-9 + TF-22 + TA-E: 36=01 + +QUICKLOADER (LS2.0) + T0-10 (IGNORE T1 ERROR) + +THIEF (LS4.1) + T0-3: 83=FF 4F=0B 53=00 + T6-22 + T4-5 SYNC: 38=02 1E=02 19=00 12=01 +7C=00 + +GALACTIC ATTACK (LS4.1) + T0-22 + +BAKER'S TRILOGY (O/F 4.16) + T0-22 + +NIBBLES AWAY V-B2 (LS2.0) + T0-22 + +NEUTRONS (LS4.0) + T0-22 + +SPACE WARRIOR (LS4.0) + T0: 18=50 19=00 40=20 4E=00 52=00 +53=00 54=12 57=00 + T2-3.5 BY 1.5: 44=DF 45=AD 46=DE + T5,8,6.5,A,D,10 + +DARK FOREST (NA V-B2) + T0-22 (IGNORE ERRORS) + +BRAIN SURGEON (LS4.1) + T0-22 + +VISICALC 3.3 (LS4.1) + T0-22 + +MASTERTYPE (LS2.0) + T0-22 + +HIRES GOLF (LS4.1) + T0-22 + +APPLE-CILLIN (CP V3.0) + T0-22 + +SNAKE-BYTE (LS4.1) + T0 + T1.5-A.5 + +BORG (LS4.1) + T0: 44=DD 45=AD 46=DA + T1.5-B.5 SYNC + TD-20 SYNC + +ADVENTURE IN TIME (LS4.1) + T0-C + +TWERPS (NA II V-A1) + T0: ADR=DD AD DA SYNC + T1.5-E.5 SYNC + T1A + +COMUPER FOOSBALL (O/F 3.07) + T0 + T1.5-8.5 + TA-22 (IGNORE ERRORS) + +TIME ZONE V1.1 DISK 1A (LS4.1) + T0-22 + (O/F 3.07) + T0 + +TIME ZONE V1.1 THE REST (CP V3.0) + T0-22 + +BEZMAN (LS4.1) + T0-22 + +APVENTURE TO ATLANTIS (Q&D) + T0-22 + +HI-RES 
SECRETS (LS4.1) + T0-22 + +COMPUTER BASEBALL (Q&D) + T0-22 + +MUNCH-A-BUG (LS4.1) + T0-22 + +KNIGHTS OF DIAMONDS (LS4.1) + T0 + T9-22 + T1-8: 36=01 + NOTE: WRITE PROTECT COPY !!!!!! + +APPLEWRITER II (NA II VA-1) + T0-22 + +ZERO GRAV. PINBALL (NA II VA-1) + T0-22 + +SUICIDE (NA II VA-1) + T0: ADR=D5 AA B5 + T11.5-22 BY 1.5: ADR=DF AD DE + +SATURN NAVIGATOR (NA II VA-1) + T0-4: ADR=D5 AA B5 + T11 + T6.5: ADR=FF FF DA FD, FIND MAX=0C + TB-22: ADR= D5 AA FD, FIND MAX=08 + +MICROWAVE (CP V3.0) + T0-22 + (CL V1.1) + T11.5 + +LOCK-IT-UP 4.1 (NA II V-A1) + T0-22: ADR=D5 AA 96 + +SWASHBUCKLER (CP V3.0) + T0-22 + +COUNTY FAIR (NA II V-A1) + T0-22: ADR=D5 AA B5 + SECTMOD(F=13,C=OFF,S=03,T=00) + CHANGE ADR63 FROM 38 TO18 + +SNACK ATTACK (NA II V-A1) + SAME AS COUNTY FAIR + +PEEPING TOM (NA II V-A1) + T0: ADR=D5 AA B5 + T1: ADR=F5 AB BE + T4-22 + SECTMOD(F=13,C=ON,T=00,S=01) + CHANGE 6D FROM 01 TO 7B + " 6E " 60 " 68 + +PALACE IN THUNDERLAND (Q&D) + T0-22 + +MMS V1.2 (Q&D) + T0-22 + +DEADLINE (Q&D) + T0-22 + +SOFT-STEP (Q&D) + T0-22 + +ACCU-SHAPES (Q&D) + T0-22 + +SOUTHERN COMMAND (NA II V-A1) + T0-22: ADR=D4 AA B7 + +NAPOLEON'S CAMPAIGNS (NA II V-A1) + SAME AS SOUTHERN COMMAND + +DISK ENCRYPTION SYS. (LS4.1) + T0 + T2-18 + T20,22 + +MOUSKATTACK (CP V3.0) + T0-22 + (O/F V3.07) + T0 + +CANNONBALL BLITZ (CP V3.0) + T0-22 + (O/F V3.07) + T22 + +GOLD RUSH (NA II V-A1) + T0-22 + +CONGO (NA II V-A1) + T0-22 + +ROACH MOTEL (NA II V-A1) + T0: ADR=D5 AA B5 + T1: ADR=EE EA FE + T4-22 + SECTMOD(F=13,C=OFF,T=00,S=01) + CHANGE ADR 75 FROM 01 TO 7B + " " 76 " 61 " 69 + +LAF PAK (SAME AS MOUSKATTACK) + +SCREENWRITER II (SAME AS MOUSKATTACK) + +FORE! (NA II V-A1) + T0-22: ADR=D5 AA 96 + +AIRSIM-1 (LS4.1) + T0-F + +BAG OF TRICKS (LS4.1) + T0-14 + (NA II V-A1) + SECTMOD(F=13,C=OFF,T0,S8) + CHANGE BA0 TO 60 + +SUPER-TEXT III + FORM LETER (Q&D) + +SURVIVAL ADVENTURE (NA II V-B1) + + + + + 
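Review bot: this hunk for krakman.txt ends with several whitespace-only `+` lines after `SURVIVAL ADVENTURE (NA II V-B1)`; trim the trailing blank lines unless the file is intended as a byte-exact mirror of the textfiles.com source.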
diff --git a/textfiles.com/piracy/CRACKING/lomt-tsr.txt b/textfiles.com/piracy/CRACKING/lomt-tsr.txt new file mode 100644 index 00000000..56be79d8 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/lomt-tsr.txt @@ -0,0 +1,63 @@ + +#### Legend of Myra interactive TSR trainer example documentation #### + +(This doc describes the interactive trainer keys - for use with the training +tutorial package) + + +Quick NFO : +*********** + + +10 option interactive trainer. Interactive trainer keys during game play +are as follows : + + +F1 - Add one red bullet. +F2 - Add one green bullet. +F3 - Add one bomb. +F4 - Add one meat. +F5 - Add one flame thrower. +F6 - Add one knife. +F7 - Transform into green moster. +F8 - Add one more life. +F9 - Boost up your current time to max. +F10 - Jump to the next level - anytime. + +Run the file LOMT-TSR.COM to install the trainer. + +The trainer will notify you if any loading errors exist. + + +Trainer notes : +*************** + +Something you might note - when you select more lives with the F8 key, the +lives will not be updated on the screen, but will be in memory, and next +time you die, the real amount will be displayed on the screen. (Didn't +have time to trace through and find out what byte updates the lives +window.) + +ALL the other options, when selected, are updated instantly on the screen. + +I've also included a nice level jump - cleanly into the next level, instantly. + +When you choose the F7 option, - turn into a green moster, you'll last like +that for about 30 seconds, then the game will turn you back to the rabbit. I +guess once you're that monster, you can break through rocks etc. + + +NOTE : +****** + +The game's keyboard configuration comes pre-configured. If you want to +redifine the game's keys, then use the config program. BUT make sure you +don't assign any keys to the FUNCTION keys - since when you are using the +trainer, it is configured for them. + +Have phun! + + + Dr. Detergent / UNT'93 + + 
diff --git a/textfiles.com/piracy/CRACKING/max1.crk b/textfiles.com/piracy/CRACKING/max1.crk new file mode 100644 index 00000000..152856da --- /dev/null +++ b/textfiles.com/piracy/CRACKING/max1.crk 
@@ -0,0 +1,353 @@ + + `'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`' + ` MaX's cracking tutor for da poor ' + ` ' + `'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`' + + part 1 - registering PCXDUMP (9.20) + + +intr0 +:::::::::::: + +hia there.. this is a first part of my cracking tutor.. any decent cracker +should *STOP* reading now, cos the info here is for the _real_ begginers.. +i'll mainly concetrate on DOS stuff, since i don't crack under windoze ;) +i've been told that it's much easier but i haven't tried it myself, +probably cos i hate windoze.. + +well, what will ya need? + +- a debugger : the best choice is soft-ice, but since this is tutor for + da poor, i'll use debug.exe from DOS (what a joke, you say..:) + +- a hexeditor : for me hiew works the best.. + +- a unpacking tool: cup386 is a good generic one... but we'll use here + a one called dumpexe.. + + all this stuff is included in this package:) + + unp v4.12 (useful unpacker) + +now, i suppose you have a basic asm knowledge cos i don't want this to be +a asm tutor.. :) + +so, just a quick info (talking about 16bit!) + +there are some general registers (=variables).. +you can see them in debug by typing 'r' + +AX - accumulator.. general usage.. +BX - base.. +CX - count.. mainly for loops.. +DX - displacement.. + +they can hold values from 0 to 65535 (word).. they are split up to 2 pairs: +low / high (byte) .. so there's: AL, AH, BL, BH, ... + +now we have segments.. these are 64 kb blocks full of data :) + +CS - code segment.. where the instructions are.. +DS - data segment.. for data.. +ES - extra segment.. +SS - stack.. for addresses.. + +now there are some indexing registers.. + +SI - source index.. used in DS:SI combination.. +DI - destination index.. for ES:DI .. +BP - base pointer... for stack.. +SP - stack pointer.. + +now flags.. something like boolean type in pascal :) + +zero flag - ZR/NZ .. zero/not zero.. +carry flag - CY/NC .. + +you can change flags by typing 'rf' in debug.. + +now for some instructions... 
very quick here... get a instruction list +yourself :) + +JMP - JMP FFF0 .. unconditional.. + +conditional: +JNZ - jump if not zero.. +JZ - jump if zero.. +JE - jump if equal.. +JC - jump if carry.. + +MOV - MOV AX, DX .. moves the value from dx to ax + +CALL - CALL 1234 .. calls a subroutine.. + +INT - INT 21 ... generates a interrupt (a function..) + +so... that's for refreshing memory only, since you really need some +kind of asm knowledge.. get a book.. or study examples :) + + +starT +:::::::::::: + +oh yes, the program is old.. you must set the date to year 1995 :) +don't ask me why i chosen it .. i don't have the new version +and i find this program easy to crack.. :) + +so we have this nice program pcxdump.. and what we see when we run it +is the nagging scroll line at the bottom and when we try to install it +we cat another nag asking either for some F1-F10 key or registering.. +since the authors were so nice and gave us the choice of registering +it by entering our name and a number, why don't we try to find out +or crack the checking routine of the registration procedure ? :) + +so we load the program to debug.. + +debug pcxdump.exe + +you'll get something like this.. + +AX=0000 BX=0000 CX=E7E0 DX=0000 SP=00FE BP=0000 SI=0000 DI=0000 +DS=1E59 ES=1E59 SS=2CE7 CS=1EBC IP=E02F NV UP EI PL NZ NA PO NC +1EBC:E02F 8CC8 MOV AX,CS +- + +so at the top are the registers.. at the right are the flags, you can +see there NZ for example.. and at the left is 1EBC:E02F - that's +the current address of the instruction (btw: it's CS:IP) and 8CC8 +is a hexadecimal value for the instruction MOV AX,CS.. + +now you can type '?' in debug to see help.. for us the most important +keys are P - proceed, T - trace, G - go, Q - quit :) +P and T are similar.. they 'trace' through the code instruction +by instruction.. the difference is that when you encounter CALL or LOOP +the P will run the *whole* call or loop, whereas T will trace into +the call or the loop.. 
+when you simply type G, the whole program will run.. but you can also +specify the breakpoint (the address where to stop) like: G 1000:2000 .. + +so for now, let's trace through the code by P (you don't want to trace +all the long calls..).. +so you step the instructions and you see some XOR stuff and loops.. +this is the part where the program decodes the data .. you have *surely* +viewed the program itself in a hexeditor and found out there's NO visible +text there.. that means the program is either compressed by pklite, wwpack, +lzexe, diet, or some other exe-compressor (which is not the case) _or_ +it is encrypted (which is the case..).. +usually, you can get rid of the compressors using UNP (unpacking util included +in this package:).. +so let's happily trace through these decoding parts until you encounter +something like this: + + +AX=1EBC BX=1573 CX=0000 DX=0000 SP=00E8 BP=0000 SI=0000 DI=E02B +DS=1EBC ES=1EBC SS=2CE7 CS=1EBC IP=E0A7 NV UP EI NG NZ NA PE NC +1EBC:E0A7 07 POP ES +- + +AX=1EBC BX=1573 CX=0000 DX=0000 SP=00EA BP=0000 SI=0000 DI=E02B +DS=1EBC ES=1E69 SS=2CE7 CS=1EBC IP=E0A8 NV UP EI NG NZ NA PE NC +1EBC:E0A8 1F POP DS +- + +AX=1EBC BX=1573 CX=0000 DX=0000 SP=00EC BP=0000 SI=0000 DI=E02B +DS=1EBC ES=1E69 SS=2CE7 CS=1EBC IP=E0A9 NV UP EI NG NZ NA PE NC +1EBC:E0A9 61 POPA +- + +AX=0000 BX=0000 CX=E7E0 DX=0000 SP=00FC BP=0000 SI=0000 DI=0000 +DS=1EBC ES=1E69 SS=2CE7 CS=1EBC IP=E0AA NV UP EI NG NZ NA PE NC +1EBC:E0AA 07 POP ES +- + +AX=0000 BX=0000 CX=E7E0 DX=0000 SP=00FE BP=0000 SI=0000 DI=0000 +DS=1EBC ES=1E59 SS=2CE7 CS=1EBC IP=E0AB NV UP EI NG NZ NA PE NC +1EBC:E0AB E9C5FD JMP DE73 +- + +this is the end of decrypting and after you step over the last jump, +you'll find yourself at the beggining of the _real_ program.. wow :) + +so we trace on and on.. and i'll give you another nice function in the +debug which is 'v' - view user screen.. sometimes you want to watch +the changes happening on the screen :) + +.. 
hopefully you'll be in the part with many calls.. use P on them, +unless you really want to study _every_ line the program does.. +now the 15th CALL does something.. it clears the screen (remember +the V key?:).. finally something happened.. but don't get overexcited +and proceed on :) + +the 20th call draws the screen and let you move through the menu.. +guess what we choose? yes ! install.. :) + +and wow! we're back in our debugger.. so we proceed on and on and then.. +we get this awful screen where the choice of registering or installing is.. +we choose register... so we type in the name and some number.. and hell +what! since we used the P key on the call, which contained the whole +checking routine, we get the message that we entered wrong number +(unless you're a very good guess:).. + +hopefully you wrote down the address of that call.. as you should do +before Proceeding every suspicious call! +so now you just have to press the F1-F10 keys, which will get you back +to debug and there you can press 'q' and start anew :) +so let's load debug again (cracking is a work of patience:).. normally, +you'd just type G xxxx:yyyy (where xxxx:yyyy was the last written address) +but since we can't, we just had to trace it all again.. + +(of course, this all is not needed in the _best_ debugger Soft-Ice, but +it's better to get started on debug, since you get the experience and it's +not very easy for the begginers to quickly master soft-ice..) + +so we get to the point where we can move through the menu and we again +select install.. and then we trace through the code and then there are +3 calls, then mov si, ???? and then again 3 calls and wait! the 3rd call +is our checking routine, so we now must use T to get in.. + +now you again use P .. select register.. and now write down the calls +more often.. and then there's somewhere: + + cmp bl,1c + jnz ??? + CALL ???? <--- this is our routine, use 'T' on it! + +and now we are almost in the core :) .. 
now you again use 'P' for proceed +and there's one call - and you enter your name .. there's a second call - +and you enter a number.. then there's a compare like: + + cmp al,11 + jnz ??? + +this compares if the input registration code is 11h(=17 in dec) bytes long.. +if you entered 17 bytes then go on tracing.. if not, then.. +the cmp instruction enable the zero flag (remember? ZR/NZ) if the compare +is true.. now we are comparing al to 11.. and if you didn't entered 17 +bytes then the flag is off.. but you can _fool_ the program, to THINK, +that the compare _was true_ when you change the flag like this: + +type: rf + zr + +now you have turned on the zero flag.. wow :) +and now there's something like this: + + mov byte ptr cs:[????],00 + call ???? + cmp byte ptr cs:[????],00 + jz ???? + +!!! watch this !!! this is a _typical_ comparison check .. the program +has a variable, let's call it correct_code of type boolean (pascal).. +and this sequence of asm instructions looks something like this: + + correct_code:=false; + check_if_correct_code_was_entered; + if correct_code = true then registration_is_ok + else incorrect_code; + +well.. all we have to do is _again_ fool the program to think the compare +was true.. and how do we do it?? of course, with our favourite ZR/NZ flag! ;) +so, after pressing P on the 'cmp byte ptr...' instruction we see, that +the zero flaf is NZ .. so we must turn it on.. so, again -- + +type: rf + nz + +.. and now, you can just press 'g' and let the program finish its work.. +the file writes to itself the info about registering.. nice attitude :) +..and when you run it again the program is registrated to your name!! ;) + +you can see this result on the file 'pcxmax.exe' :) + +cracK +:::::::::::: + +this way, you can registrate it to any name.. but how to crack it permanently +so that you don't have to trace through the whole code again.. ? +well.. 
in normal case you'd do this: + +find the hexadecimal value (see the begging of section start) of the +instruction cmp byte ptr cs:[????],01 and then you would run +hiew (hacker's view.. great hexeditor) and pres enter 2x to enter code +view.. and then you'd search for '803EC2D101' which is the hexadecimal +value for the instruction.. the very next instruction is the conditional +jump and you'd have to change the : + + jz ???? to jmp ???? (where ???? is the address) + +.. because you remember that when you entered the reg. code it would not +jump .. until you changed the zero flag :) + +but! .. as you remember, this program is encrypted, so your search for +the sequence is unsuccessful.. right now it's too late, so i don't have +any idea how to break this problem.. but i think it's enough to have it +registrating once.. :) + +the decryption is described in the next chapter.. + + +decryptioN +:::::::::::: + +well.. the decryption itself is _very_ easy.. all you have to do is to +use the program in this package called dumpexe.. + +so, very quickly.. + +run dumpexe.exe +load debug on pcxdump.exe +debug through the early xor's until: + + pop es + pop ds + popa + pop es + jmp ???? + +.. now use P on the last jump and then press: left-shift + right-shift +to activate dumpexe.. type the values from the debugger to file '1' .. +that means fill CS, IP, SS, SP, PSP = ES .. +then autodetect filename #1, autodetect filesize #1 by stack [s].. +then choose dump exe-code of file #1.. +now type g in debug.. and then again activate dumpexe and choose +allocate 4kb.. +reload the file in debug and again trace to the same point right after +the jump.. activate dumpexe.. type the values from debugger for file #2, +autodet. name of #2, autodet. size #2 by stack.. and dump exe-code to file #2.. +then again type 'g' in debug.. activate dumpexe.. release 4 kb.. +quit from debug.. and type: + + makeexe pcxdump mycrack.exe + +.. 
and you have decrypted the program :) + +you can see the result of this in the file 'pcxcrack.exe' :) + +now you can view it normally and see the text inside.. you'll find out +the undocumented switches such as /show_status, /no_scroll_line, +/lets_register.. etc.. + +..you may ask that now when the program is uncrypted we can make +the crack in hiew, can't we? ... well, pcxdump checks the filesize +of the file, so you'd have to add some 00's to the end of the file to +fit the size.. you can play with that -- i'm too tired of writing this +document now.. :) + + +outrO +::::::::::::: + +soooo... i have written this stuff in one evening.. wow.. tired of it +really.. so if you have some questions or comments you can write me: + + e-mail: maxmp@geocities.com + +..and if you want to get the new parts of this tutor, then visit: + + http://www.geocities.com/Paris/9733/cracking.htm + + + See you next time :) + + (c) 1997 by MaX, Prague \ No newline at end of file diff --git a/textfiles.com/piracy/CRACKING/methods.txt b/textfiles.com/piracy/CRACKING/methods.txt new file mode 100644 index 00000000..fe720c99 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/methods.txt 
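Review bot: in the "cracK" section of the pcxdump tutorial the permanent patch searches HIEW for 803EC2D101, which encodes `cmp byte ptr [D1C2],01`, but the traced sequence a few lines earlier is `cmp byte ptr cs:[????],00` / `jz ????`, and the whole argument (force ZR so the jz is taken) only holds if the compare is against 00; one of the two immediates is wrong, so either correct the search string to 80 3E C2 D1 00 or explain why the on-disk compare differs from the traced one. If the cs: override in the listing is real, the encoding is also preceded by the prefix byte 2E, so a search that starts at 80 3E would still match only the unprefixed form. Minor: "zero flaf" should be "zero flag" and "registrate" should be "register".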
@@ -0,0 +1,636 @@ + Techniques in Cracking + Brought to you by -TOP- + We are Tired of Protection. Arent You? + + The Following Information provided is a listing of some techniques the +-TOP- crackers have used in cracking Programs. This is NOT intended as a +Cracking Tutorial but as an enhancement to people who need to know just a bit +more in order to crack a certain program. -TOP- Crackers have spent time and +effort in comming up with these techniques. Get what information you can from +it. It will be updated each new Issue. + +Listing of Techniques +1. Goldrush +2. Space Ace +3. SimEarth +4. StarControl 1 +5. Bo Jackson Baseball +6. Mike Dikta Football +7. Con>Format 1.06 +8. The Summoning +9. Martian Dreams +10. Sargon V +11. Secret Weapons of the Lutewaffa +12. Crimewave +13. 3 on 3: The Dream Team. +14. JACK 4.59: Landscape Designer +15. Blue Wave Reader v 2.1 +16. Giflite v 2.0 +17. Veil of Darkness +<*****************************************************************************> +Unprotect for GoldRush by Sierra! + +********************************** +Sierra's Doc check AARGH! +********************************** + +This one is a royal pain to do manually however, here it goes: + + Using norton DE/Pctools enter the file AGI. + Look at the beginning of the file and start at the A + in 'Adventure game...' and enter the numbers on the + lefthand side of the screen. For those interested the + assembly code is on the right. 
+ + 90 NOP + 9C PUSHF + 50 PUSH AX + 53 PUSH BX + 56 PUSH SI + 8B 1E AA 00 MOV BX, [AA] + BE E3 73 MOV SI, 73E3 + 46 SCAN: INC SI + 38 1C CMP [SI],BL + 75 FB JNZ SCAN + 8A 44 07 MOV AL, [SI+7] + A2 F7 00 MOV [F7], AL + 5E POP SI + 5B POP BX + 58 POP AX + 9D POPF + C3 RET + + + That is only part one, part two is shorter: + + Using norton's DE or Pctools search 'AGI' for: + + 8A 87 09 00 00 85 09 00 + ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ + 90 90 90 90 2E E8 15 89 + + In Assembler: NOP + NOP + NOP + NOP + CALL CS:0 + +*********************************************************************** +TO BYPASS THE PROTECTION YOU MUST ENTER AT LEAST ONE LETTER FOLLOWED BY + *****THE ENTER KEY***** + +The method involved: + Sierra programs are a royal pain and even the old ones take me a +long time to crack. This one lets you type in an answer. I did a +search through memory to find the answer and then did a break if any +letter was read of the answer. I followed it through and found the the +program added the letters up into a single number (at ds:f7). I +followed this and found a compare that accessed this number. However, I +could not find anyplace to put a crack in so I went back to find how the +answer was obtained. What a royal pain. I found a number that was used +to index into a block of memory that had all the answer numbers --no +words, just numbers (started at ds:73e4). The program would compare its +index number to sub-blocks until it found the right number. It then +would scan a bit further until it found the number and then did its +compare. However, it was not done until it scanned the entire block for +any other equal numbers. So the crack involves using spare room inside +the sierra file AGI, grabbing the index number (at ds:aa) and scanning +through the memory block (starting at ds:73e4). Once the right +sub-block was found a went a bit further and took the number there and +put it back at ds:f7--which was where the program looks for my answer. 
+The second part of the crack is to call the subroutine. + + The Mad Doctor + -TOP- crack. +<*****************************************************************************> +Cracker: The Mage +Program: Space Ace. + + A Little Description of the Copy-Protection. The Copy Protect was +Off of a main loop. It was integrated into the program. A Main screen popped +up and it went in 4 different directions. One of these Directions led to the +Copy Protection screen which THEN let you into the game. The Game was also in +this main loop and so Nopping out the CALL would not avail me. + I searched the code through and through and found that it was using a +interesting comparison scheme to determine the Screens with which to load based +on 4 different variables and Combinations thereof. This was interesting. I +had to re-program the code to make it go to regular locations 3 out of 4 times +and the 4th time force it to jump to the game. This required some programming +and Assembly knowledge. The Copy Protection itself was different than any +others I have seen, or the way I got passed it was different. +<*****************************************************************************> +Cracker: The Mage and Majik +Program: Sim Earth + + Some Background on the game.. When you load up the game it pops into a +nice menued system. This system allowed you to mess around But on 2 different +Commands (New Planet and Load Planet I think) had a DOC check. Now since there +was more than one CALL to the same procedure Majik had an Idea. Since it was a +window based system and you wouldn't be expected to keep answering the DOC +check, it seemed that there must be a counter or something that checked if you +had answered the question BEFORE asking it. + Entering Into the CALL we did some quick checking and sure enough right +at the beginning of the call was a comparision that jmped pretty much to the +end of the procedure. Well by simply forcing this to happen you never saw the +CP again. 
+ A HINT to people who usually just NOP out calls. NOP'ing out CALL's +works a lot of the time but I would suggest that you completly play the game +before you consider it cracked. By removing the CALL statement it just removes +that current CP but it may also be called later on in the program which would +then mean additional Removals. Look inside each CALL and see if there is a +simple way to JMP to the end of the CALL and thus eliminating that possibility. + + +<*****************************************************************************> + +Unprotect for Starcon! + +********************************** +Documentation Check +********************************** + +use Pctools/Norton's DE and search STARCON.OVL for: +FE 00 75 03 E9 4C + ^^ ^^ + EB 2A + +The method involved: + Actually not hard. I uncompressed starcon.exe with unlzexe to +make it easier to follow through and also to find the proper bytes if I +needed to but this wasn't necessary. By running through the code I +found the doc check. I found right after it where the program loaded +the addresses of my answer and the programs answer with a compare +statement and conditional jump afterward. I just made the program jump +immediately to that area. I could have made it so the screen would not +even show up but you would have seen some garbage on the screen and it +would have been a messier crack. Enjoy! + + The Mad Doctor + -TOP- crack. +<*****************************************************************************> +Unprotect for The Bo Jackson Baseball! + +********************************** +Pathetically simple protection +********************************** + +Bo Jackson Baseball is another one of those protection checks in which +you need your manual to answer a question. + +use Pctools/Nortons search for (in BALL.EXE) +9A 4C 04 +^^ ^^ +EB 14 + +The method involved: + The method here is so simple I am embarassed to relate it to + you. I ran the program once to see what the protection was. 
It + was one of those generic protection checks. I let the + protection kill the game and restarted it again under soft-ice. + This time I timed it a bit and stopped the program before it got + to the doc check. I stepped through it with soft-ice and found + 2 calls that ran the protection. A few steps later I found a + conditional jump that went to the rest of the game. So I tried + the simplest thing. I put a JMP statement to the rest of the + game and it worked! I then went into norton diskedit and + searched for the bytes. It wasn't there, so I searched for a + shorter string (as above) and there was only one string like + that in the program. I made the changes above and it works! + Enjoy! + The Mad Doctor + -TOP- crack. +<*****************************************************************************> +Unprotect for Mike Ditka Football! + +********************************** +Documentation Checks and Checksums +********************************** + +Mike Ditka football has the standard documentation checks but also has +some checksums early on that also have to be fixed. This is a 3 part +unprotect. + +use Pctools/Nortons search for (in MDFB.EXE) +Part 1: 75 6B 05 00 + ^^ ^^ + 90 90 + +re-search MDFB.exe for: +Part 2: 75 12 8E 46 + ^^ ^^ + 90 90 + +now look in DAT101.DAT for: +part 3: E8 A1 B7 B8 01 + ^^ ^^ ^^ + 90 90 90 + +The method involved: + This program uses the doc check which is not too difficult to + find. If you let the program run and then stop it with + soft-ice just prior to when the doc check pops up you will + find a call routine that calls the doc check up. If you NOP + it out you then go right to the main menu. OK, now we go to + norton's diskedit and make the changes and run the program. + Drat! the program says bad overlay--obviously someone put a + checksum to prevent exactly what I did. 
No problem, lets go + back into soft-ice and run the program using the soft-ice + again and stopping the program before it gets to that + bad overlay statement. I then find a call routine that makes + the statement and 2 conditional jumps that will lead up to + that call. So, I NOP them out and it works. I then went + back to diskedit and made the changes. Now, it works. Enjoy! + + The Mad Doctor + -TOP- crack. + +Addendum: This program was already supposedly cracked by others. It is +interesting that their crack works when I use soft-ice but does not work +without it. This crack works period. + +<*****************************************************************************> +Another fine patch courtesy of Majik.. +Con>Format is a fine product, but the opening banner is a pain in the you +know what, and requires a keypress, which kinda ruins putting it in +autoexec.bat....(I use loadhi from QEMM so it's always there but uses no +conventional memory). +ok, here is a step-by-step for version 1.06 +1st!!!!! Run the configuration program to setup your system +2. debug confmt.com +-r ;To display registers upon entry - write down cx's value + +AX=0000 BX=0000 CX=3560 DX=0000 SP=FFFE BP=0000 SI=0000 DI=0000 +DS=24FE ES=24FE SS=24FE CS=24FE IP=0100 NV UP EI PL NZ NA PO NC +24FE:0100 E93F35 JMP 3642 +keep pressing p (to proceed) until you see the following... + +24FE:365C FF264036 JMP [3640] DS:3640=266A +- write this down ^^^^^ +-p | +This has just completed the de-cryption algorithm for the TSR. | +So we will code around that for future start-up. | +-a cs:100 | +24FE:0100 jmp 266a <--- This should be what you wrote down up here -> | +24FE:0103 +Now to get rid of that opening screen... +24FE:2697 E8B40D CALL 344E This is the call to the opening screen +-e 2697 +24FE:2697 E8.90 So we will NOP it out.... +24FE:2698 B4.90 0D.90 +-r cx +CX 0000 +:3560 Enter the value from step 2 above. 
+-n cf.com Rename the working program to whatever you like +-w Write it to disk +writing 3560 bytes +-q Enjoy.... Majik +<*****************************************************************************> +Unprotect for The Summoning! + +********************************** +Graphical documentation check +********************************** + +use Pctools/Norton's DE and search 'CODE.1' for: +A3 CC 0C 56 57 0E + ^^ ^^ + EB 16 + +The method involved: + I ran the program with Soft-Ice and saw what the protection +looked like on the screen. I then went back, ran the program and +stopped it early to see what was going on. The program is fairly +straightforward with individual call routines doing individual things. +I quickly got to the protection portions and found two calls that +brought up the protection screen and the second actually did the test +for the answer and returned back where it checked ax to see if it was +zero or not. If it wasn't zero it wouldn't let you continue with the +game. I just jumped past the entire section and it worked! Enjoy! + + The Mad Doctor + -TOP- crack. + +<*****************************************************************************> +Unprotect for Martian Dreams! + +Use your PC Tools or Norton Diskedit on the file game.exe + +search for the hex string: +74 08 8b 5e 0a +^^ replace the 74 with: +eb +When the protection check comes up just press enter and it will work! + +The method involved: + The difficulty in breaking this game wathat the program seemed + to be using the same sets of code no matter what it did and this + was extremely frustrating. I was trying to stop the protection + routine from even coming up. I was unable to do this so I went + for the next best thing, I inactivated the doc check. Here's + how: when you try to get out of the spaceship with the prybar + is when the protection springs up. Tesla asks you a question + from the manual. 
I filled in a word and then stopped the + program with soft-ice and searched for it in memory. I found it + at: 4161:eca8 + I then put a watch on it with the bpmb command in S-I. By + following what the program was doing with my answer I found that + it moved it to another location: + 4161:fe6e + I then stopped by other watch and followed this memory location. + Lo and behold I found it was comparing my answer to a memory + location with the answer! + 4161:ec8e + I figured this out by changing my answer to the word found at + this location and the program worked. However, I needed more + than this. So, I started again and followed the location of the + answer until I got to a section of the code where there was a + comparison between my answer and their answer followed by a + conditional jump. + POP CX (not obvious here but now one register has one + POP DX letter or my answer and one of the real answer) + CMP DX,AX (if they are not the same then you lose) + JNZ 004C (this is what I changed to a JMP statement so it + doesn't matter what your answer is now) + I just changed that conditional jump to a regular jump and it works. + Enjoy! + + + The Mad Doctor + -TOP- crack. + +<*****************************************************************************> +Unprotect for Sargon 5 + +******************* +Documentation Check +******************* + +Using Norton's Diskedit or PCTools: + +Search the file sargon5.exe for the following: + +8e d6 eb a8 +^^ ^^ +d1 17 + +and that's it! + +The method involved: + + Sargon 5 uses a standard documentation check. If you run the +program under soft-ice and break it prior to the doc check you will find +the call statement that will call the doc check routine. On my setup: + program start 1a66:0 + call routine 2fba:32be +I ran through the call routine and input some letters. Instead of +running the entire doc check I set soft-ice to look for my letters and +stop the program when accessed. This brought me near the end of the +routine. 
I went a bit farther and noticed a compare statement followed +by a conditional jump (at 2fba:4a92). I changed the condition of the jump +and lo! it worked. However, I didn't like this crack (too much work for +the gamer) and went back to the jump. After the conditional jump there +were 2 mov statements and a return. So, I went back to the call routine +and made the call go just to the end of the protection routine where the +mov statements were and that was it. Now I had to find it by +diskedit--however it wasn't there. So, since I knew where I wanted to +change memory I put soft-ice watching the spot. Soft-ice stopped the +program and I saw a movsb statement which had the area I wanted. That's +it--this was a more in depth discussion than usual, it wasn't hard at +all. Bye! + + The Mad Doctor + -TOP- crack. + +<*****************************************************************************> + Secret Weapons of the Lutwaffe Unprotect + Cracked By The Mage + +Type of Check: Doc Check in the Beginning of the Game. +What was done: Enabled it to press Enter 3 Times and you are into the Game. + Very Sloppy, but works perfectly. Not bad for a 15 minute crack. + +Method Involved. + While talking to The Mad Doctor and while we were working on Tony +Larussa's Ultimate Baseball he showed me a new technique for cracking that I +had not thought of.. simple and easier. Anyways, At the DOC check you type in +a Name (any name, I use MAGE) and then you search memory for the name. Search +from the first program block on up into memory. You them in SOFT-ICE put a +Break point on Memory Access and Read. You then continue the program and press +enter to finish the check. You will have reads on the memory and chances are +you will find a CMP to that memory location and a simple jmp afterwards. This +also helps you stay in the Copy Protection routines. Well It wasn't as simple +as all that and what I had to do was jump over a lot of checking code. 
I found +a JMP to a far location and used it by taking a much earlier JAE and changing +it to JMP to the far location and whammo bypassed the code and enabled you to +get into the program. Since it was doing overlays I wasn't sure where the call +was to the whole program so I left it at hitting enter 3 times and into the +game you go. + +Anyways Get out DiskEdit/Pctools andd search +the file NOTCAMP.OVL +Search for: 73 74 8B 5E +Change to : E9 64 02 + ^^ ^^ ^^ + +And that is it! + +Thanks and greets go to everyone in -TOP-. thanks to The Mad Doctor for the +new Technique in my collection. + The Mage +<*****************************************************************************> + Unprotect for Crime Wave by Access + Cracked by The Mage + -------- + +Type of Protection: Doc check at the Beginning of the program. +What was done: A JZ changed to JMP. +Method Involved. + Well I loaded this sucker up and the program was using interupts to +process strings so I could not search through memory for a sample string +that I inputed. Since at the Doc check itself it was sitting in DOS and I/O +system blocks of memory I put in a bad value and got a PRESS ESC or SPACE BAR +message from the program. I then traced to where it compared to a space +like CMP AH,20 and set this to true. Then a Simple trace to where it compared +the answer after the Interupt and a change and simple.. all of 7 minutes while +talking on the phone.. Very Very Easy. I tried taking out the call +completely but was unable to do so without extensive work. + +Get out Norton/Pcshell +Search the File CW.EXE +Search for: 80 3D 00 74 05 +Change to: -- -- -- EB -- + +And save it and press enter at the DOC check. You are in! 
+ The Mage + +<*****************************************************************************> +--------- By Gron ----------- +--------- 3 on 3 Basketball : The Dream Team by Data East ----------- + Protection : Doc Check + + Search : DREAM.EXE + + Locate : 7D 00 75 55 C6 06 + Replace: EB + + Method : After loading the game into memory, I ran the program + until the doc check popped up. I then kicked out to + Soft-Ice and traced until I found where it was looking + for a compare to 0D which is the ENTER key. I then traced + until it failed the protection. This brought me back to + the original CALL which was used to get keyboard input, + followed by a conditional jump. Since the program did not + jump with my bogus input, I changed the conditional jump + to an unconditional one. This worked beautifully. However, + the protection scheme still came up and forced the user to + enter three numbers before it would go on. + + Therefor, I looked back in the code and discovered that + immediately before the CALL which asked for input there were + a series of CALLs and jumps. I noted the address of the + last jump in that series which jumped just beyond where the + conditional jump I had changed earlier was jumping. I + reloaded the program and ran to the address I had noted. The + protection scheme had yet to come up. I changed the + conditional jump to an unconditional one and continued + running the program. It went right to the main menu, + bypassing the protection entirely. After playing the game + for an hour or so, the protection never again surfaced nor + did any noticeable side-effects of the change. + +<*****************************************************************************> + Unprotect for JACK 4.59 + Cracked by The Mage and Gron + -------------- + +Type of Protection: Password Entry +What was done: Removed Protection entirely +Method: + It came up with a screen to hit enter before the copy protection was +shown. 
Broke into the code and just traced until the call to the copy +Protection. Noped it out and it ran like a champ. Problem arose in that the +call was a CALL FAR and this could not be found when Hex Searching. So traced +1 statement into the CALL and JMP'd to the RETF (end of the CALL) and this was +in the Hex Search. One Note: This Program Sucks. + +Anyways Search the File JACK1.EXE +Search for : CD 3F 14 10 +Change to : E9 8D 01 90 + +You are done + Later + The Mage + +<*****************************************************************************> +------------------------------------------------------------------------------- +--------- Another -TOP- unprotect ----------- +--------- By Gron ----------- +--------- ----------- +--------- Blue Wave Offline Mail Reader 2.10 by Cutting Edge ----------- +------------------------------------------------------------------------------- + + Protection : Registration Number + + Search : BWAVE.EXE + + Locate : 06 A2 00 00 5E 8B + Replace: 01 + + Method : After loading the program into memory, I traced until I + found the CALL that brought up the UNREGISTERED screen. + Immediately before this CALL was a CMP AX,0000 and a + JNZ XXXX which jumped over the offending CALL. I looked + a bit further back in the code and found a MOV AL,[XXXX] + and a MOV AH,00. I reloaded the program and placed a + breakpoint (BPMB) on the DS:XXXX address from earlier. + It eventually popped out where it was moving a 00 into that + location. I looked back a bit in code and found a JNZ that + had jumped over a MOV that would have placed a 01 into the + location. Rather than change the jump, I simply changed + the MOV BYTE PTR [XXXX],00 to a 01. Since every registered + function in the program checked this address, all features + are now enabled, as well as any name and registration number + will work. 
+ +<*****************************************************************************> +------------------------------------------------------------------------------- +--------- Another -TOP- unprotect ----------- +--------- By Gron ----------- +--------- ----------- +--------- GifLite 2.00 by White River Software ----------- +------------------------------------------------------------------------------- + + Protection : Registration # + + Search : GIFLITE.EXE (UnPklite) + + Locate : C6 06 F3 00 01 C4 + Replace: 00 + + Method : I loaded the program into memory with no options and + traced through until I found the CALL that brought up + the shareware notice. I then reloaded and traced until + I found the series of CALLs that drew each line of the + screen. I then traced until I found a conditional jump + immediately preceding a CALL which would draw some + shareware info. I noted the address being checked, and + changed the JZ to JMP to see what happened. Sure enough, + that shareware section was skipped, but the rest was drawn. + + At this point, I reloaded the program and put a BPMB (Break + Point on Memory Byte) on the address I noted earlier. I + then ran the program until it popped out at a + MOV BYTE PTR [00F3],01 + Since the compare had been against 00 earlier, I changed the + MOV to MOV BYTE PTR [00F3],00. That was all she wrote. + + At this point, search the GIFLITE.EXE for "null" and change + it to whoever you want the program registered to. I could + have changed the built-in registration (which I probably + should have done) to accept any name and registration number, + but I didnt really feel like taking the trouble since I didnt + find it unil I was half-way through this method. 
+ +<*****************************************************************************> +------------------------------------------------------------------------------- +--------- Another -TOP- unprotect ----------- +--------- By Gron ----------- +--------- ----------- +--------- Veil of Darkness by Strategic Simulations Inc. ----------- +------------------------------------------------------------------------------- + + Protection : Doc Check + + Search : CODE.2 + + Locate : 26 FE 47 0B 0E E8 + Replace: 0A + + Method : I loaded the program into memory and broke into Soft-Ice + right before the doc check screen was to come up. I then + traced until I found the CALL to the protection scheme. + Immediately before the CALL was a + CMP BYTE PTR ES:[BX+0A],01 + JZ XXXX (beyond the CALL) + where ES:[BX+0A] was equal to 00. I tried changing the + 01 to a 00 which worked at first. However, when I attempted + to leave the first room in the game, the protection popped + up again using the same method as above. I set a breakpoint + (BPMB) on the ES address and reloaded the program. I didnt + find what I was looking for, but I did notice that ES:[BX+0B] + was being incremented to 01 a few lines before the first + doc check. I changed the 0B to a 0A and all the protection + disappeared. 
+ +<*****************************************************************************> +<*****************************************************************************> +<*****************************************************************************> +<*****************************************************************************> +<*****************************************************************************> +<*****************************************************************************> +<*****************************************************************************> +<*****************************************************************************> +<*****************************************************************************> +<*****************************************************************************> +<*****************************************************************************> +End Methods File. diff --git a/textfiles.com/piracy/CRACKING/mex-c4n.nfo b/textfiles.com/piracy/CRACKING/mex-c4n.nfo new file mode 100644 index 00000000..d215022d --- /dev/null +++ b/textfiles.com/piracy/CRACKING/mex-c4n.nfo 
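Review bot: in methods.txt the Locate/Replace pairs for 3 on 3 (7D 00 75 55 C6 06 -> EB), Blue Wave (06 A2 00 00 5E 8B -> 01), GifLite (C6 06 F3 00 01 C4 -> 00) and Veil of Darkness (26 FE 47 0B 0E E8 -> 0A) give a single replacement byte with no offset, and the column alignment that carried the offset in the original has not survived, so the patch position is ambiguous; state the byte position explicitly (from the prose it is the 75, the second 00, the 01 and the 0B respectively). Two smaller points: the index spells entries 6 and 11 "Mike Dikta Football" and "Secret Weapons of the Lutewaffa" while the sections themselves say "Mike Ditka" and "Lutwaffe", and in the GoldRush part-two patch the replacement bytes 2E E8 15 89 are a near CALL with a CS: segment override, not the "CALL CS:0" the assembler comment claims.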
@@ -0,0 +1,141 @@ + + + + + + + Ŀ + Mexelite `97 28/07/97 [C4N] + Ĵ + We are a new Cracking Group for TNG of Crackers.... + We share knowledge about Modern Cracking which includes - + + Providing the tools nessesary, Writing Tutorials, Gather other + Peoples Tutorial`s, Make our own Cracking test programs, + Provide New/Old utilities to Crack, Take Cracking Requests, + and generally Help Newbies... + + By using our #Cracking4Newbies Channel on EFFNET our Members + will provide Advise on various techniques to use which will + help you with cracking our Utilities of the Week. + + Our Channel Advisor`s and Tutor`s also teach various cracking + techniques ranging from old DOS games, Patches & CD Checks to + Serial number`s and Keygen makers. + + Mexelite `97 also provide in-depth tutorials and How-to`s for + various modern Cracking Strategies and we take requests from + other Groups and Users alike. + + Our Channel Bots contain the various Tools, Texts, Tutorials + our Latest Cracks and the Utility of the Week to Crack.... + You can even Request on the Bots or our Web Site for a program + to be cracked. + + So come in to #Cracking4Newbies, or visit us at + http://cracking4newbies.home.ml.org or http://c4n.home.ml.org + or our Group Web Site http://mexelite.home.ml.org + http://users.quicklink.net/~cbd/c4n/ + Ĵ + Program : + URL : + Date Cracked : + Type : Serial( ) Patch( ) Keygen( ) Unlock( ) Tutorial( ) + Program Type : Internet( ) Utility( ) Game( ) Other( ) + Cracked by : + Ĵ + Notes : + + + + + + Ĵ + + Position Name Stat. 
Email + Ĵ + + Founder/President : JosephCo J0c00l@ + + Founder/V-Pres : nIabI niabi@ + + C4N Advisor/Cracker/TPE : SasbenJr sasben@ + + C4N Tutor/Cracker : Drlan drlan@ + + C4N Tutor/Cracker : Yoshi yoshi@ + + C4N Tutor/Cracker : p020 [IDLE] xxxx@ + + Cracker/Requests : Scorpion- [WRNG] scorpion@ + + Coder : Fant0m Anonymous@ + + Coder/Cracker : ^pain^ xxxx@ + + Cracker : Intruder ramf@ + + Cracker : Tgunner [IDLE] Tgunner@ + + Cracker/Webmaster : _CbD_* cbd@ + + Cracker : mpbaer* mpbaer@ + + Cracker : Corn2* corn2@ + + BotmAster : DamaTrix* digital@ + + BotmAster : GreenEvil Green@ + + We are looking for another Botmaster + for our channels, in exchange we will teach + you how to Crack. + + Ĵ + Trial members (+v) + + + Manson69* + + Ĵ + + Ĵ + Students in Training (+v) + [SIT] + + GrimL0ck,XOR + + Ĵ + + Greets : +GreyThorne, Xygorf, KrazyN, StarFury, Razzi, + DeadList, DrmWeaver. + + Personal Greets to : + + + Group Greets : Revolt, Heritage, UCF, PC97, Pentium, CRC32, + Pinnacle. + + + + Ĵ + News : + + + + Ĵ + Warnings to: p020,Scorpion- + Ĵ + If your not in this NFO it`s maybe because you where idle for + more than 2 weeks! If you are sure you haven`t and still think + you should be on this NFO then /msg any op in + #cracking4newbies or #mexelite97 + Ĵ + Note: Idle means just that, Get to work! + Two weeks of being inactive in the channel + and your off, [WRNG] Means Warning to being kicked by X + Reason's. + Note2: * Means NEW member or just added to this NFO. + - JosephCo + + diff --git a/textfiles.com/piracy/CRACKING/mhpcnws1.txt b/textfiles.com/piracy/CRACKING/mhpcnws1.txt new file mode 100644 index 00000000..b3b73293 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/mhpcnws1.txt 
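Review bot: mex-c4n.nfo is a CP437 NFO and its box-drawing frame has come through as mojibake (`Ŀ`, `Ĵ` and stray control characters where the corner and tee glyphs should be), so the file is being committed in the wrong encoding; re-add it as the original bytes or convert it with the CP437 codec so the frame and the member table render. The release-template fields (Program, URL, Date Cracked, Type, Cracked by, Notes) are intentionally blank, which is consistent with this being the group's template rather than a release.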
@@ -0,0 +1,427 @@ + Midnights Hackers Private Club + + Where members or hackers gourps come to exchange ideas, and show + off skills. + + **** A Cracking Guide For Beginners **** + + An Article By: + + The Psychopath + + TABLE OF CONTENTS + ------------------- + + I. Introduction and Overview + II. Cracking Doc Checks + A) General Info + B) A Cracking Tutorial + III. Cracking Disk Checks + IV. Cracking with Overlays + V. Closing Remarks + +-------------------------------------------------------------------------------- +Introduction: + + This article is to provide help and give a basic understanding of cracking +for those that just plain don't understand it. A lot of you have heard about +ways of cracking and have gone of on your own into the unknown to try to crack +your first program. And undoubtedly you failed, unless you had guidance and +help from someone more experienced then yourself. Well, I know how rough it +is to learn how to crack, 'cause I've been there myself. It takes a lot of +time, work, and patience to become proficient at the art. So those wishing to +make a leap up in society to the status of a cracker, please read on. + + Some of the most useful tools to a crackist are: + DOS Debug + Quaid Analyzer + Turbo Debugger + Locksmith + Step-13/Trap-13/PC-Watch + Soft Ice + + Acquire any and all that you can. You'll want and need them. I'm only +going to discuss DOS Debug (Turbo Debugger is quite similar) and Step-13/Trap-13 +The others you'll have to experiment with on your own. 
+ + Here's a basic list of Debug commands: + +Command Function +------------------------------------------ +*A [address] Assemble + C range address Compare + D [range] Dump + E address [list] Edit + F range list Fill +*G [=address [address..]] Go + H value value Hex + I value Input + L [address [drive:record record] Load + M range address Move + N filename [filename] Name + O value byte Output +*P [=address][value] Proceed +*Q Quit +*R [register-name] Register +*S range list Search +*T [=address][value] Trace +*U [range] Unassemble +*W [address [drive:record record] Write + + [* Indicates the only ones you need worry about for now. They are the main + commands that you use). Basically, you will enter the letter command and then + return (). Addresses only need to be specified based on necessity. (for + example, you could just enter G and it would execute. Specifying an address + would set a break point. (run the program up to that address). For P and T, + just enter the letter name and . It's quicker.] + + Further explanation of the commands is provided in your DOS users manual. +Read it for yourself. +*** Note that not all forms of copy protection, nor their ways of removal are +discussed in this news letter **** +-------------------------------------------------------------------------------- +Cracking Doc Checks: + + Okay, one of the most common forms of copy protection is the doc check. +This is where you are asked to input information from the documentation that +is included with the software purchased. I will discuss a few methods of +removing this protection scheme, and then will provide you with a sample +crack. + + Doc checks are usually at the beginning of the software, with a few +exceptions (some being in the middle or at the end). They range in variety +from simple text questions, to having graphic and mouse interfacing. They, of +course, range in difficulty from Insulting (easy) to Mind Boggling (hard). 
+ It's best to start with the easy ones, because you don't want to get in +over your head, and remember that experience is the best teacher. + + Doc checks are executed by CALL statements, and sometimes a series of +CALL statements. When proceeding through a program in DEBUG, you will hit +a CALL statement that will execute the program. Remember what the address was +for it, 'cause you'll have to exit out of the game and go back to where it +took control from you. If the CALL statement runs the doc check then takes +you back to DEBUG, then you're allright, and can start changing it +there. If not, then you will have to trace (T option) through the CALL +statement down to the next layer of program. Now you will proceed again, until +you get to a call statement that executes the copy protection then returns +you to DEBUG. + + There are three basic ways to remove the Doc check: + 1) Remove the CALL statement. + a) By the NOP command. + b) By jumping from the first byte to the last. + 2) By changing the comparisons. + a) By changing the CMPs to compare registers to themselves. + b) By changing the jump statements that follow. + 3) By Jumping around the Doc check to get to the part of the program + that loads in the rest of the game. + + The first option deals with the above mentioned CALL statements. When you +get to the one you want, you will assemlbe at that address (A Address) and +enter either NOP (being sure to NOP all the bytes of the call statement--NOP +represents NO Option) or jumping from the address of the first byte to the +address of the second byte. Either will do. Removing the CALL statement will +not always work. Sometimes it will do a wide variety of things to the program. +If this happends, then try one of the other options listed. + + The second option involved leaving the doc check entact, but making it so +that any text entered will be accepted by the computer, thus allowing you to +continue with your utility/game. 
You will usually find a CMP statement (i.e. +CMP AX,[BP-20]) after it calls for the text to be entered. What it's doing +is comparing the value you entered to the value it wants. You can fix this +by either changing the compare statement to compare the register to itself +(i.e. CMP AX,AX), or by changing the jump statements that follow. You might +get a jump statement like JNZ 0345 which will only jump to CS:0345 if the +value is not zero. So just change it to read JMP 0345, which will always +jump to CS:0345. + + The third option involves jumping past the doc check (or CALL statement +more appropriately put). Often times you'll execute the copy protection, and +then it will take you to a new part of the program, where it will make it's +comparison, and then decide wether it will run the rest of the program (if you +answered the question correctly) or kick you out to DOS (or re ask the question +depending on the software). If you know what one of the answers is (and you +should if you have the originals), then enter the correct answer and follow +the program through until it executes the rest of the game. (Make note of where +it executes the rest of the game). Then, you exit out of the game, get back +into DEBUG, and then go back before the doc check is called. Now, jump from +the doc check over to where it executes the rest of the game. This will remove +the doc check completely. + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sample Crack-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Software Name: Fiendish Freddy's Big Top of Fun +Software Company: Mindscape + +Here is a walk through for cracking a simple text doc check in the above +mentioned game. I will present you with two ways of cracking it. +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +Method #1: + + The most preferred way amoung pirates for having a copy protection removed +is for the crackist to take it out completely. 
There two most common ways of +doing that are: + 1) Remove the call statement that executes the protection. + 2) Jump around the protection. + I'm going to teach you method 1 (removing the call statement). Find a +copy of Fiendish Freddy, and type the following: + + DEBUG FREDDY.EXE + + After typing this, you will be in the program itself, and you will see +the "-" to the left of the screen. To see where you are in the program, +press R, and you will see something like this: + + AX=000 BX=0003 CX=4A40 DX=0000 SP=34BC BP=0000 SI=0000 DI=0000 + DS=11EB ES=11EB SS=44B2 CS=11FB IP=3E93 NV UP EI PL NZ NA PO NC + + -11FB:3E93 9A00005341 CALL 415E:0000 + + ---------------------------Special Note---------------------------- + The value of CS is "11FB". That is the hexadecimal segment address + for the beginning of the program code in your computer's memory. It + is highly possible that the value you see for CS is different from + mine. + ------------------------------------------------------------------- + + Now then, press P to proceed through the program until you come to +the call statement located at CS:3EF8. Type U 3EF2 to unassemble around +the call statement. You will see the following: + . + . + 11FB:3EF2 55 PUSH BP + 11FB:3EF3 89E5 MOV BP,SP + 11FB:3EF5 83EC02 SUB SP,+02 + 11FB:3EF8 9A9C01291A CALL 1A29:019C + 11FB:3EFD A2CA02 MOV [02CA],AC + . + . + Okay, write down the HEX values before, including, and after the call +statement. Now in order to change it, you will type A 3EF8 and you'll +see this: + + CS:3EF8 + + Where the cursor is located, you will type NOP (No Option) 5 times, in +order to wipe out the 5 bytes of the call statement, and then press . +NOP is like erasing data. (i.e. 11FB:3EF8 NOP NOP NOP NOP NOP). Now press +G to execute the game. The actual program should load up without executing +the doc check at all. If not, then you screwed up and need to re-check your +alterations to the program. 
+ + -----------------------Saving the Changes----------------------- + Remember now, that DEBUG can only write to .COM and files + other then .EXE (with the W command). One way to save the + changes (the more unreliable way) is to rename the .EXE file to + Something like .HEY or whatever, and then going in and searching + for the data to be changed (with the S command). Now edit the + data as normal, and save with the W command. Exit out + (Q) and rename the .HEY file back to .EXE + + *** This will not always work *** + + Another way to save changes is with a sector editor (The two most + widely used are Norton Utilities and PCTools). Search for the + HEX values (the values I told you to write down) of the data in + front of, including, and after the statement. When you find + The statement, edit it. (In the above case, you'd change the + HEX values of the CALL statement to read 90 90 90 90 90 --90 is + the HEX value for NOP). + ------------------------------------------------------------------ + +Method #2: + + Another way to remove copy protection is to leave the doc check entact, +but change it so that it accepts the values that you enter 100% of the time, +regardless of what it is. The ways you can do this are: + 1) Change the CMP (compare) of what you entered to what it's supposed + to be, so that it compares what you entered to what you entered + (i.e. CMP AX,[BX-23] would be changed to CMP AX,AX). + 2) Change the Jump statements (JNZ, JZ, JB, JA, JG, JL, etc.) + + We will use Option #2 this time, and again using Fiendish Freddy. Type +the following to get started: + + DEBUG FREDDY.EXE + + Now then, proceed back up to where we saw the CALL statement that executes +the protection. (CS:3EF8) And this time, trace through it (T). Now then, +your CS will change to something else, because you've moved down one level in +the program. Start proceeding through. You'll come upon several CALL +statements that load in the text for the doc check. 
Ignore them, they cause +no harm. (Just for your info, they exist at CS:022A, CS:0246, CS:025C, CS:0271, +CS:028D, CS:02A3, CS:02B8, CS:02D4). Now then, at CS:02F2 CALL 415E:0C73 +appears. What this does call for the user to enter some text from the keyboard. +Proceed through the CALL statement, and the screen will wait for a key to be +pressed. Enter something like "kskdksdk" and then it will take you back +to the program. + Proceed on until you come to the following: + + CS:030E 3B86DFFE CMP AX,[BP+FEDF] + CS:0312 7F25 JG 0339 + CS:0314 8946FD MOV [BP-03],AX + + Now, what is happening is the program is making a comparison of what was +entered. If that value is greater then what it wants, then it jumps to CS:0339 +and if it isn't then it just continues on. Now we want to fool it into +thinking that the text is correct. So change CS:0312 to read JMP 0339. This +way, the program will jump to 0339 every time, no matter what is entered. Now, +we're not through yet. You'll soon come to this: + + CS:0349 9A....... CALL 415E:0419 + CS:034E 7404 JZ 0354 + CS:0350 B000 MOV AL,00 + CS:0352 EB02 JMP 0356 + + Now we have another comparison here. The CALL statement is calling a +compare routine, and when it's finished, if the value is equal to 0, it will +jump to CS:0354, and if not, it will simply continue on. We need to fool the +computer once again, and change CS:034E to read JMP 0354, so that it will +always jump to 0354. This is the last change that needs to be made. Go ahead +and type G to test it out. When you're done, be sure to make the changes +permanent, as described above. + +-------------------------------------------------------------------------------- +Disk Checks: + (INT-13) + + Some copy protection schemes use the disk interrupt (INT-13). INT-13 is +often used to either try to read in an ilegally formatted track/sector, or to +write/format a track/sector that has been damaged. 
+ + INT-13 is called like any normal interrupt with the assembler command +INT 13 (CD 13). The AH register is used to select which command is to be used, +with most of the other registers used for data. + + Now, the copy protected file might use INT-13 to load some other data from +a normal track/sector on a disk, so it is important to determine which tracks/ +sectors are important to the cp scheme. There are two common ways to do this + 1) Use Quaid Analyzer to keep track of INT-13 activity + 2) Use Locksmith to track down unusual traks/sectors. + + With Locksmith you can analyze the diskette. Write down any tracks/sectors +that seem abnormal. These are most likely part of the protection routine. Now +we must enter debug and load in the file to execute a search for CD 13. Record +any addresses shown. (i.e. S CS:100 FFFF CD 13). + + If no addresses are picked up, then either the interrupt is encoded, or +it's in a part of the program not yet loaded. Here's what a sector of hidden +code might look like: + + CS:0000 31DB XOR BX,BX + CS:0002 8EDB MOV DS,BX + CS:0004 BB0D00 MOV BX,000D + CS:0007 8A07 MOV AL,[BX] + CS:0009 3412 XOR AL,12 + CS:000B 8807 MOV [BX],AL + CS:000D DF13 ........... + + In this section, AL is set to DF at location CS:0007. When you XOR DF +and 12, you would get a CD (hex) for the INT code, which is placed right next +to a 13, thus giving uou CD13 or INT-13. + +---------------------------Finding Hidden INT-13s------------------------------- + A good way to find hidden INT-13s is with Quaid Analyzer, or Step-13 (or +Trap-13, or PC-Watch....all work equally as well). Step-13 traps the interrupts +and will print where they were called from. Once running this, you can jut +disassemble around the address until you find a code that looks like it is +setting up the disk interrupt. + + Another way to decode the INT-13 is to use the G (go) command in DOS DEBUG. +Just set a breakpoint at the address given by Step-13. i,e, G CS:000f (see +above code). 
When debug stops, you will have encoded not only the INT-13 but +anything else leading up to it. +-------------------------------------------------------------------------------- + + Once you find the INT-13, all that is left to do is to get the computer to +think that the protection has been found. To find out what the computer is +looking for, examine the code right after the INT-13. Look for anything having +to do with the CARRYFLAG or any CMP to the AH register. If a JNE or JC (etc.) +happens, then unassemble (u address) the address listed with the jump. If it +is a CMP then just read on. + + Here you must decide of the program was looking for a protected track or +just a normal track. If it has a CMP AH,0 and it has read in a protected +track, it can be assumed that it was looking to see if the program had +successfully completed the read/format of that track and that the disk had +been copied thus jumping back to DOS (usually -with INT 19). If this is +the case, just NOP the bytes for the CMP and its corresponding JMP. + + If the program just checked for the carry flag to be set, and it isn't, +then the program usually assumes that the disk has been copied. For example: + + CS:0002 INT 13 (Reads the sector) + CS:0004 JC 0345 (Jump comparison) + CS:0006 INT 19 (reboot) + CS:0345 Rest of program.. + + The program carries out the INT and finds an error (the ilegally formatted +sector) so the carry flag is set. The computer, at the next instruction, sees +that the carry flag is set and knows that the protection has not been breached. +But, when you make a copy, it will see the breached protection, and execute the +INT 19. To avoid this, change the JC 0345 to read JMP 0345. + +* Note that the protection routine might be found in more then just one +part of the program * + + Here is a chart describing INT-13 using the AH register to select +the function to be used. 
+ +AH=0 Reset Disk +AH=1 Read the status of the disk system into AL + + AL ERROR +----------------- + 00 - Successful + 01 - Bad Command given to INT +*02 - Address mark not found + 03 - Write attempted on a write protected disk +*04 - Request sector not found + 08 - DMA overrun + 09 - Attempt to cross DMA boundary +*10 - Bad CRC on disk read + 20 - Controller has failed + 40 - Seek operation failed + 80 - Attatchement failed + +* Represents the most commonly used in the Copy protection + + input: + DL = Drive Number (0-3) + DH = Head Number (0 or 1) + CH = Track Number + CL = Sector Number + AL = # of sectors to read + ES:BX = Load address + output: + AH = error number (shown above) + [Carry flag set] + AL = Number of sectors read + +AH=3 Writes (Params. as above) +AH=4 Verify (Params. as above ES:BX) +AH=5 Format (Params. as above CL,AL + ES:BX points to format table) + +-------------------------------------------------------------------------------- +Cracking Overlays: + + Sometimes the copy protection is executed in an overlay file. The best +way to find out which file it is in, is to use Quaid Analyzer to track the +INT 21 calls and see which program is loaded in. Next, if it was an INT-13 +type protection, then you'll do as usual and just look for it in the overlay +file. + If it was a doc check, then you'll proceed through the .EXE file as usual +(with DEBUG or whatever), and go up to the doc check. Now the changes you make +might have to be made in the overlay file. What I mean, is if you search the +.EXE file and don't find the HEX values, then search the overlay file. You'll +have a high probability of finding them there. Then, just change the bytes in +the overlay file as usual and execute the game. It should run, this time with +the crack entact. +-------------------------------------------------------------------------------- + + Hopefully this will aid you on your quest to become a crackist. 
And remember, +don't get in over your head by attempting to crack something difficult, 'cause +it will benefit you 0%. Laterz... + + - The Psychopath diff --git a/textfiles.com/piracy/CRACKING/mhpcnws2.txt b/textfiles.com/piracy/CRACKING/mhpcnws2.txt new file mode 100644 index 00000000..d043640b --- /dev/null +++ b/textfiles.com/piracy/CRACKING/mhpcnws2.txt 
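Review bot: the disassembly listing in the Method #1 walkthrough reads `11FB:3EFD A2CA02 MOV [02CA],AC`, but `AC` is not an 8086 register; the bytes `A2 CA 02` decode to `MOV [02CA],AL` (opcode A2 stores AL to a byte at a direct address), so the mnemonic should say AL. Two further points in this hunk: NOP is expanded as "No Option" in both the doc-check section and the Method #1 steps, while the instruction is No Operation (opcode 90, which the sector-editor note gets right); and the hidden-INT-13 example zeroes DS with `XOR BX,BX` / `MOV DS,BX` before `MOV AL,[BX]`, so with BX=000D it reads 0000:000D in the interrupt vector table rather than the encoded byte at CS:000D that the text says it decodes, and the routine as written only works if DS equals CS. Minor: the INT-13 chart lists AH=0, 1, 3, 4, 5 but never labels the read function whose parameters appear under `input:` (AH=2), the status table is headed `AL ERROR` although the `output:` block itself says the status comes back in AH for the read/write calls, "you will have encoded" under Finding Hidden INT-13s should be "decoded", and the register dump `AX=000` is missing a hex digit.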
@@ -0,0 +1,450 @@ + Midnights Hackers Private Club + + Where members or hackers groups come to exchange ideas, and show + off skills. + + **** A Cracking Guide For Advanced Amateurs **** + + An Article By: + + The Psychopath + + TABLE OF CONTENTS + ------------------- + + I. Introduction and Overview + II. Types of Cracks + A) Documentation Protection + B) Config/Setup Protections + III. Closing Remarks + +-------------------------------------------------------------------------------- +Introduction: + + This is my second edition on cracking tutorials. This one will provide +more information on the art of cracking as well as some more advanced cracking +walkthrus. Take the learning process slow, and just let it come to you. Don't +try tackling too much at once. Again I emphasize the importance of practice and +experience as being the best teacher. And I think I'll mention this now... +ALWAYS, ALWAYS make backup copies of the programs before you tamper with them +with your debuggers and sector editors, because if you screw up and write to +your only copy, you're plain outta luck. + + Cracking programs used in this issue: + DOS Debug + Turbo Debugger + Quaid Analyzer + + Acquire these if you don't already have them. These are not the only +cracking utilities, but they are the ones that I will be using in my lecture +today. 
+ + Here's a basic list of Debug commands in case you've forgotten: + +Command Function +------------------------------------------ +*A [address] Assemble + C range address Compare + D [range] Dump + E address [list] Edit + F range list Fill +*G [=address [address..]] Go + H value value Hex + I value Input + L [address [drive:record record] Load + M range address Move + N filename [filename] Name + O value byte Output +*P [=address][value] Proceed +*Q Quit +*R [register-name] Register +*S range list Search +*T [=address][value] Trace +*U [range] Unassemble +*W [address [drive:record record] Write + + [* Indicates the only ones you need worry about for now. They are the main + commands that you use). Basically, you will enter the letter command and then + return (). Addresses only need to be specified based on necessity. (for + example, you could just enter G and it would execute. Specifying an address + would set a break point. (run the program up to that address). For P and T, + just enter the letter name and . It's quicker.] + + Further explanation of the commands is provided in your DOS users manual. +Read it for yourself. + +*** Note that not all forms of copy protection, nor their ways of removal are +discussed in this news letter **** +-------------------------------------------------------------------------------- +Cracking Documentation Checks Part II: + + Okay, the most common form of copy protection is the documentation check. +Doc checks are usually at the beginning of the software, with a few exceptions +(some being in the middle or at the end). They range in variety from simple +text questions, to having graphic and mouse interfacing. They, of course, +range in difficulty from being extremely easy to being near impossible. + + In the past issue, I gave an extremely simple copy protection to remove +(Fiendish Freddy, if you remember). Here, after a refresher course on what to +do to remove the doc checks, we'll take a look at a complicated doc check. 
+ + There are three basic ways to remove the Doc check: + 1) Remove the CALL statement. + a) By the NOP command. + b) By jumping from the first byte to the last. + 2) By changing the comparisons. + a) By changing the CMPs to compare registers to themselves. + b) By changing the jump statements that follow. + 3) By Jumping around the Doc check to get to the part of the program + that loads in the rest of the game. + + In the first option, as you know, we can remove the CALL statement by +writing the assembly command NOP (No Option) in place of the CALL statement +itself. Or we can simply jump from the first byte in the CALL statement to +the last byte in the call statement (This has the same effect). + + The second option involved leaving the doc check entact, but making it so +that what you enter (wether it be right or wrong) will be accepted by the +computer, thus allowing you to continue with your game. You will usually find +a CMP statement (i.e. CMP AX,[BP+2307]) after it calls for the text to be +entered. What it's doing is comparing the value you entered (stored in the +registers) to the value it wants. You can fix this by either changing the +compare statement so that the register is compared to itself, (i.e. CMP AX,AX), +or by changing the jump statements that follow. You'll get a jump statement +similar to JNZ 1355, which will only jump to CS:1355 if the value from the +compare is not zero. So just change it to read JMP 1355, which tells the +program to always jump to CS:1355. + + The third option involves jumping past the doc check. Often times you'll +execute the copy protection, and then it will take you to a new part of the +program when it's finished, where it will make it's comparison, and then decide +wether it will execute the remainder of the program (if you answered the +question right) or boot you out to DOS (giving a wrong answer). 
If you know +what one of the answers is (and you should if you have the originals with the +docs included), then enter the correct answer and follow the program through +until it executes the rest of the game. (Make note of where it executes the +remainder of the game). Then, you exit out of the game, get back into your +debugger, and go back before the doc check is called. Now, jump from the doc +check over to where it executes the remaining portion of the game. This will +remove the doc check completely if done properly. + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sample Crack-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Software Name: Martian Dreams +Software Company: Origin + +Here is a walk through for cracking a moderately complicated doc check in +the above mentioned game. I will present you with one way of cracking it. +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +Method : Jumping around the Doc Check (Method #3 as mentioned above). + + Find an uncracked copy of Martian Dreams. If you notice, there are 2 +executable files. MARTIAN.EXE is the introduction file, and GAME.EXE is the +actual game. (This can be found out by using Quaid Analyzer to watch the INT-21 +output while tracing through MARTIAN.EXE) Now, make sure that you have a +character created. You're going to need to get the prybar from the cowboy and +move your character right above the hatch and then save the game and exit to +DOS. Now we're ready to begin. + + Load GAME.EXE into your debugger (I'll be using good ol' DOS debug). + + Proceed through the program, making note of any loops you get into. (To get +out of a loop such as something that makes a jump comparison and then sends you +to a previous part of the program, just look at what address is after the jump +and then go to that address (with the G
command) i.e. +CS:003C JNZ 0034 is in the early part of the game. We notice that CS:003E lies +just after this call statement, so jump to it--G 3E). + + Now, keep going until you come to the following: + + CS:00FC CALL 14C8:0941 + +(The 14C8 segment may be different on your machine, depending on you memory). +Trace through this call statement (proceeding through it will execute the +game, so don't). Now, start proceeding again. You'll come to the following +address: + + CS:0C5E CALL 2015:0013 + +This will switch graphics modes, so we know we're on the right track. Keep +proceeding. Next you'll start hitting addresses that will call parts of the +picture to the screen. At the following: + + CS:0CEA CALL 0509 + + CS:0F69 CALL 3433:04B1 + +Each of these calls in a different picture...we're getting close, so keep +going. When you come to the following address: + + CS:0FD7 CALL 2409:133A + +Trace through it. (Proceeding through will execute the game). Now, keep going. +Again, you'll hit CALL statements that load in graphics pictures, at the +following addresses: + + CS:1B51 CALL 0A47 + + CS:1B64 CALL 0084 + + CS:1B83 CALL 18B4 + + CS:1B95 CALL 0221 + +Keep proceeding until you come to: + + CS:1BA5 CALL 3433:28CC + +Trace through this (proceeding through will execute the "command entering" part +of the game. It will execute a full command at once, so we need to trace +trough it to break up the command into parts). Tracing trough, and proceeding +on, we come to the following: + + CS:2902 CALL 20AD + +This allows one key movement/command to be entered at a time. Proceed through +this call statement and type a "U" to get the character to use an item. Now +you're back at the program. If you proceed on, you'll hit the RETF and +eventually come to the following: + + CS:1BC5 LOOP 1BBB + +This will loop back and take control of the program until your command has +been fully executed, then you'll be back at the debugger again. 
We don't want +this, because we need to proceed through and see what happends step by step, +before it calls the doc check, so do the following. at the CS:2902 address, +you proceeded though the first time right? and you entered a "U", well jump back +to CS:2902 (i.e. G 2902) and proceed through again. Keep doing this until +you have entered all the following commands: + + U = to get your character to use an item. + TAB, Left arrow key = moves over to your inventory, then select + prybar. + Down arrow key = Points at hatch. + +Now, after you do the last input, proceed on through the program. When you +come to the following: + + CS:0831 CALL FAR [BP-0E] + +Trace through this call statement (proceeding through it will execute the game). +After tracing through, you'll see this: + + CS:0066 INT 3F + +This is another form of a CALL statment. Trace through it (proceeding through +will execute the game). Now, keep going until you come to the following: + + * CS:0A81 JNZ 0A9D + CS:0A83 PUSH AX + CS:0A84 CALL 2D04:4759 + CS:0A89 PSUH AX + CS:0A8A MOV AX,3DAF + CS:0A8D PUSH AX + CS:0A8E MOV AX,183C + CS:0A91 PUSH AX + CS:0A92 CALL 3433:33F8 + CS:0A97 ADD SP,+06 + CS:0A9A JMP 0B51 + CS:0A9D MOV AL,[6ED6] + CS:0AA0 MOV AH,00 + CS:0AA2 TEST AH,0010 + * CS:0AA5 JZ 0AC2 + CS:0AA7 MOV AL,[6ED6] + +Here's the deal. Those two marked jump statements are the key to the whole +thing. The comparisons made are trying to determine if you have answered the +question already and correctly. What you want to do is get the program to +go to the addresses listed in the statements all the time. So change them +to say: + CS:0A81 JMP 0A9D + CS:0AA5 JMP 0AC2 + +This will jump past the copy protection completely. Now, to explain how I knew +to do this. 
What I did is proceed through to the doc check itself, and then +entered a correct answer, followed the program through until it got back to +where you could enter commands again (CS:2902), and then I did those commands +again (if you recall, you have to open the door twice). This time, I followed +through, making note of all the jump statements, seeing where it went, until +it opened the door for me. Next, I went back in with the debugger and got back +up to the doc check and entered a wrong answer, then followed it through, until +it got back to CS:2902, and then I entered the commands again, and followed it +through, making note of the jump statements. After I got past a certain point +(past the address where it opened the door on a correct answer) I compared +the jump statements between the two scenerios, and found the differences, so +I changed the jumps to always think that you've already entered a correct +answer (As shown above). You'll need to know some right answers to do this, +so what I reccommend is either getting a copy of the docs, or get your +encyclopedias handy (some of the questions asked are actual historical facts). +I'll now describe how to get to the doc check, if you want to try this out +for yourself. + + Okay, you've traced throught CS:0831 and CS:0066, right? And now you're +proceeding on. You'll eventually come to the following: + + CS:0ABA CALL 417E:0034 + +Trace through this, to get to this: + + CS:0034 INT 3F + +Trace through this as well. (Remember what I said above about it being a type +of call statement). Now, proceed on. You'll next come to the following: + + CS:0396 CALL 0000 + +Trace through this and then proceed on. You'll next come upon this: + + CS:0156 CALL 4183:0034 + +Tracing through will once again bring you to this: + + CS:0034 INT 3F + +Trace through again, and then proceed on. You'll next hit a bunch of CALL +statements that will load in graphics pictures and text. Just keep proceeding +on. 
(Just so you know where you are, some of these CALL statements will be at +these addresses): + + CS:1A0F CALL 2015:1E2B + CS:1A67 CALL 1675:024B + +Now, you'll come up to the following: + + CS:1E9E CALL 1756 + +This is the doc check. Proceed through, so that it is loaded in. It will ask +the question and then boot you back to the program, so proceed on. You'll next +come to: + + CS:1B6B CALL 3433:33F8 + +This will wait for you to press enter, then put you back in the program. So +press and proceed on. Next you'll come to this: + + CS:1B80 CALL 3433:2AF1 + +This will wait for you to enter your response to the question. So enter a right +answer, and then press , and now proceed on. Keep going on until you get +back to where I described up above, and do as I mentioned. This will show +you why I changed those jump statements. So, when you're through with this, +be sure to save the changes, and if you've forgotten how to save, here's a +little memory refresher: + + -----------------------Saving the Changes----------------------- + Remember now, that debuggers can only write to .COM and files + other then .EXE (with the W command). One way to save the + changes (the more unreliable way) is to rename the .EXE file to + Something like .HEY or whatever, and then going in and searching + for the data to be changed (with the S command). Now edit the + data as normal, and save with the W command. Exit out + (Q) and rename the .HEY file back to .EXE + + *** This will not always work *** + + Another way to save changes is with a sector editor (The two most + widely used are Norton Utilities and PCTools). Search for the + HEX values (the values I told you to write down) of the data in + front of, including, and after the statement. When you find + The statement, edit it. (i.e. Changing the HEX values of a CALL + statement to read 90 90 90 90 90 (90 is the HEX value for NOP)). 
+ Also, make sure that you write down the new hex values after + changing the assembly code in the program with the debugger. + Then you'll replace the original HEX values with what you want + them to be. + ------------------------------------------------------------------ + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sample Crack-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Software Name: Castles +Software Company: Interplay + +Here is a walkthru for cracking a config/setup type copy protection. This will +be fairly simple to crack, so get relaxed. +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +Method: Changing Jump Statements + + Obtain an uncracked copy of Castles, and prepare your debuggers. First +off, you'll notice that you need to run the setup program to get the game +configured for your system so it can be properly run. When you enter the +options to fit your system, you'll then be asked a question from the manual, and +it will then write a number into the batch file it saves. If you answer wrong, +it will write a "wrong" number in the batch file, and if you answer right, it +will write a "right" number in the batch file. To remove any possible +complications and hassles, we're going to remove the question and remove where +the game checks to see what the number is. So, two cracks will be needed. One +in SETUP.EXE, and the other in CASTLES1.EXE. Load SETUP.EXE into your debugger +and start proceeding. + + Now, you'll come up to the following: + + CS:00EF CALL 14DD:0B69 + +Trace through this and start proceeding. + +*** Note that I will not be mentioning when the graphics mode is switched or +when it calls in graphics pictures. You should know what they are by now *** + +You'll come up into a loop that goes back and redraws the menu screen. IF you +keep proceeding through the loop, it will be a slow process trying to configure +your system, so just jump past that jump statement to CS:0BC5. This will allow +you to enter your setup options. 
After doing this, select continue, and press +enter. Now, proceed on. You'll notice the following soon: + + CS:0BCD CALL 033A + +This is the doc check. Proceed on and see what happends. At CS:0BD8 CALL 04E3 +it will write that number to the batch file. So, let's get rid of the question. +We want it to just jump past the doc check, and save the configuration to the +batch file, so do this. Notice before the doc call at CS:0BCA there is a +JZ 0BDF. This can be changed to: JMP 0BD7, thus jumping past the doc +CALL, and onto the part where it writes the number. Next, proceed on, and +you'll come to this: + + CS:0BE8 JZ 0BF0 + +This is comparing what you entered and if it's wrong, it will exit out and +tell you to try again, and if it's write, it'll jump to CS:0BF0. So let's +just tell it to jump to 0BF0 all the time. (i.e. CS:0BE8 JMP 0BF0). + +Now, save the changes and let's start on the game. Load CASTLES1.EXE into your +debugger (Make notice of the parameters set in the batch file, because you'll +need to specify these when loading it into the debugger, so that it will run +the way you configured it on your system - i.e. DEBUG CASTLES1.EXE /VGA +/NOTITLE /NOMUSIC) Start proceeding through. + +You'll come up to the following: + + CS:00EF CALL 1DDD:0752 + +Trace through this and proceed on. Next you'll come to some jump and CALL +statements. If you proceed through, it will kick you out to DOS, so make note +of the following jump statements, and what they are doing: + + CS:0669 JZ 0670 + + CS:0678 JNZ 0680 + + CS:067E JZ 0691 + +If you notice what happends when you proceed through on a wrong number, you'll +see that the following needs to be done to those jump statements, so that +we jump around the statements that call to verify the copy protection: + + CS:0669 JMP 0670 + + CS:0678 NOP NOP + + CS:067E JMP 0691 + +Now, save these changes, and you're all done. 
The Setup program will no longer +ask the question, and the game itself will no longer check to see if you +answered the question right. So you're congratulate yourself. + +-------------------------------------------------------------------------------- + + Hopefully this will aid you on your quest to become a crackist. And remember, +don't get in over your head by attempting to crack something difficult, 'cause +it won't help ya at all, G. Laterz... + + - The Psychopath diff --git a/textfiles.com/piracy/CRACKING/mhpcnws5.txt b/textfiles.com/piracy/CRACKING/mhpcnws5.txt new file mode 100644 index 00000000..9a649e1f --- /dev/null +++ b/textfiles.com/piracy/CRACKING/mhpcnws5.txt 
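Review bot: the "Saving the Changes" box in this file gives a fixed recipe of five NOPs for "a CALL statement" ("Changing the HEX values of a CALL statement to read 90 90 90 90 90"), but that length only fits the far calls in the walkthrough such as "CS:1B6B CALL 3433:33F8"; the near calls the same text patches around ("CS:1E9E CALL 1756", "CS:0BCD CALL 033A") are three bytes, so five NOPs would clobber the instruction that follows. Suggest stating the rule as one 90 per byte of the original instruction (three for a near CALL, five for a far CALL) and telling the reader to re-unassemble with U after the edit to confirm nothing past the patched instruction changed. Related off-by-one in the Castles section: the text says the batch file is written by "CS:0BD8 CALL 04E3" yet tells the reader to change "JZ 0BDF" to "JMP 0BD7" to land "onto the part where it writes the number"; unless 0BD7 holds a one-byte instruction, 0BD7 is mid-instruction and either the jump target or the CALL address should be corrected so they agree. Minor spelling in the same hunk: "scenerios", "reccommend", "happends", "it's write" (for "right").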
@@ -0,0 +1,344 @@ + Midnights Hackers Private Club + + Where members or hackers groups come to exchange ideas, and show + off skills. + + **** A Cracking Guide For Advanced Amateurs Part II**** + + An Article By: + + The Psychopath + + TABLE OF CONTENTS + ------------------- + + I. Introduction and Overview + II. Types of Cracks + A) Doc Check with a small Loader + B) Doc Check with a complex Loader + III. Closing Remarks + +-------------------------------------------------------------------------------- +Introduction: + + This is my third edition on cracking tutorials. This one will provide +more information on the art of cracking as usual, and will provide a comparison +of 2 similar doc checks that vary in difficulty. Take the learning process slow, +and just let it come to you. Remember, don't try tackling too much at once. +Experience is the best teacher. Just a friendly little reminder here... +ALWAYS, ALWAYS make backup copies of the programs before you tamper with them +with your debuggers and sector editors, because if you screw up and write to +your only copy, you're plain outta luck holmes. + + Cracking programs used in this issue: + DOS Debug + + Acquire this if you don't already have it. This is the basic cracking +tool, and is my favorite. There are some advanced debuggers out there with +menus and fancy features, but when they fail, debug will come through for ya. +But of course, having the other debuggers can be handy at times, so I suggest +finding them if you don't already have them. Some good ones to get are: + Turbo Debugger (2.0 or greater) + Soft Ice (2.5 or greater) + Code View + + I will no longer tell you how to access a debug command, so here's the +last time that I will refresh your memory as to what they are. If you don't +know what they mean by now, then you should go back and re-read my previous +articles. 
+ +Command Function +------------------------------------------ +*A [address] Assemble + C range address Compare + D [range] Dump + E address [list] Edit + F range list Fill +*G [=address [address..]] Go + H value value Hex + I value Input + L [address [drive:record record] Load + M range address Move + N filename [filename] Name + O value byte Output +*P [=address][value] Proceed +*Q Quit +*R [register-name] Register +*S range list Search +*T [=address][value] Trace +*U [range] Unassemble +*W [address [drive:record record] Write + + [* Indicates the only ones you need worry about for now. They are the main + commands that you use). Basically, you will enter the letter command and then + return (). Addresses only need to be specified based on necessity. (for + example, you could just enter G and it would execute. Specifying an address + would set a break point. (run the program up to that address). For P and T, + just enter the letter name and . It's quicker.] + + Further explanation of the commands is provided in your DOS users manual. +Read it for yourself. + +-------------------------------------------------------------------------------- +Cracking Documentation Checks With Game Loaders: + + Okay, the most common form of copy protection is the documentation check. +Doc checks are usually at the beginning of the software, with a few exceptions +(some being in the middle or at the end). They range in variety from simple +text questions, to having graphic and mouse interfacing. They, of course, +range in difficulty from being extremely easy to being near impossible. + + In this issue, we're going to take a look at a programmers attempt to +cause frustration for us crackists. Someimtes you'll come upon a game that will +have you run one program, which will in turn run the main program. And of +course, you have to run the first (loader) program or the game won't work right. 
+Well, this poses a problem with debugging, for you can only load in one program +at a time, and most likely you won't be able to trace through one program to +get to the other, so how do we get to the copy protection and remove it? Well +let's go through two sample cracks and find out for ourselves eh. + + Hopefully you remember what types of copy protection ASSEMBLY commands +to look for, and how to couteract them, cause I won't refresh your memory for +you....you'll have to re-read the past articles if you forgot. + + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sample Crack-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Software Name: Gateway to the Savage Frontier +Software Company: S.S.I. & Beyond Software + +Here is a walk through for cracking a simple attempt at a loader along with +a simple doc check. This should be eazy to follow, so let's get going eh. +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + Find an uncracked copy of Gateway to the Savage Empire. Now then, you'll +notice that there is a batch file entitled START.BAT This is what we run to +load in the game. Well, let's see what it's doing. Type the batch file out. +You should see this: + + @echo off + start1 + if errorlevel 1 goto end + go + :end + + Now, if we run this batch file, it will execute START1.EXE which will +allow you to specify your graphics, sound, mouse, etc. etc., and when that's +done, it returns to the batch file, where you'll notice GO.BAT is then executed. +Let's look at GO.BAT and see what it's doing. You'll see something similar +to this (depending on the graphics and sound and such that you selected): + + ibmsnd + game UseStart + ibmsnd U + +Notice that the UseStart is a parameter specification on the game. If we +try running GAME.EXE it will tell us to run start. Well, this is so simple +it's not even funny. Notice what start does. It sets up your system +specifications, then loads in the game. That UseStart parameter is the key +to the whole thing. 
Instead of typing just "debug game.exe" specify the +parameter as well (this will happen quite often with games that use parameters. +They must be specified in the debugger if you want them loaded in). Type "debug +game.exe UseStart" (and the capital/lower case letters ARE significant in the +paramater settings). Now, we're ready to begin. Start proceeding. + + At CS:0037 CB RETF, you'll do a far return to a new code segment address, +at CS:0038, here you'll proceed on. You'll hit a bunch of comparison jumps +that will keep looping you around till you eventually get to CS:00DE, where you +can start proceeding forward again. ('Course if you're smart you'll just take +my advice and jump from CS:0038 to CS:00DE and proceed from there). Next +you'll come to: + + CS:00FE 2E CS: + CS:00FF FF2F JUMP FAR[BX] + + Proceed through this and you will be at a new code segment address at +CS:0019, where you will find a long series of CALL statements. Start proceeding +through them. You'll hit some that will load in the graphics and the title +screen and such (if you press control-C when the Beyond Software screen appears, +it will skip the intro screens). You should eventually come to: + + CS:01CE CALL 1303:002A + + This address calls in the option that will ask you if you want to PLAY the +game or view a DEMO. We of course, want to play, so select play and press +enter. Now, proceed on. It will eventually bring you up to this address: + + CS:0208 JNZ 0216 + CS:020A CMP BYTE PTR [5D8E],00 + CS:020F JNZ 0216 + + Now, we've already selected that we want to play the game, so what do you +think this comparison means? Could it be that it's determining wether or not to +load in the doc check? Well I do believe so. If you don't believe me, proceed +on. You'll hit a CALL statement at CS:0211 That will load in the copy +protection. So how do we remove this? Well, what I suggest doing is changing +the jump at CS:0208 to read CS:0208 JMP 0216. 
+ + This will tell the program to jump directly to CS:0216, thus skipping over +the copy protection completely. Now, wasn't that simple. Just save the +changes and you're done. + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-Sample Crack-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Software Name: Time Quest +Software Company: Legend + +Here is a walkthru for cracking a more complex loader that calls in a +moderately difficult doc check. +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + + Obtain an uncracked copy of Time Quest, and prepare your debuggers. Okay, +Here's the situation. The main part of the game is in the file TIMEMAIN.EXE, +but we have to run TQ.EXE in order to play the game. If you try running +TIMEMAIN.EXE, it will (as I mentioned) tell you to run TQ.EXE to load the game. +So what do we do? Unlike the previous sample crack, there are no parameters +that are displayed that we could load into the debugger. The TQ.EXE file loads +in part of the title screen, and determines your graphics and sound modes, so +we're in a bad situation. + + If you try debugging TQ.EXE to get to TIMEMAIN.EXE, the following will +happen. You'll eventually reach the part where a CALL statement loads in +TIMEMAIN.EXE. The program will take control or lock up. So naturally, you +try tracing through, till you get to another CALL statement that does the same +thing. You'll keep doing this until you get to the INT-21 that loads in the +TIMEMAIN.EXE, and it will lock up there....if you trace through, it will take +you to a part of the program that you don't ever want to tamper with. You'll +be where it makes all the jump comparisons for all the INT-21's. Proceeding +through this area will most likely bring up a message like "System Halted. Can +Not load Command.com" so now were stuck....or are we? + + Now think for a minute and get creative. TQ.EXE somehow loads in +TIMEMAIN.EXE. So what if we can trick TIMEMAIN.EXE into thinking that TQ.EXE +has already been run. 
All we'll do in the process is leave out the Legend +Software title screen. And, hopefully, we'll enact the default settings, which +will bring in CGA graphics. This will make it easier to see what's going on, +because with the CGA graphics, it's in black and white, and very simple +structure, which is what we want when stepping through a debugger. So, let's +get started. Load TIMEMAIN.EXE into your debugger and start proceeding. + + You should come to CS:0548 JMP 29B1:09A2 where you will proceed through, +jumping to a new code segment address. Keep proceeding on. You'll come to +CS:0A20 where you'll then be kicked into a new code segment address. Proceeding +on will just bring you back to CS:0A21, so instead of going through all that, +jump to CS:0A21 before you reach CS:0A20, and then keep proceeding. + + After you reach the following: + + CS:0A41 CALL 232E:1AFB + + Trace through here, and keep going (proceeding through this call statement +will terminate the program and bring up that message telling you to run TQ.EXE +first). Keep proceeding till you come to the following: + + CS:1B12 CALL 18CA + + Trace through here, and keep going (proceeding through will have the same +result as the above mentioned). Now, you'll soon see the following: + + CS:18D6 CMP WORD PTR [BP+06],+09 + CS:18DA JZ 18F6 + + If we just proceed through these, the program will soon terminate as +above mentioned, but if we jump to 18f6, the game will start to load, so let's +fix this by changing CS:18DA to be the following: + + CS:18DA JMP 18F6 + + Note, that this change is not to be permanent. It is merely a temporary +change to allow us to load in the game so we can make the permanent chane to +the copy protection. Now then, proceed on. You'll hit a CALL statement that +will switch to the graphics mode, then you'll eventually reach: + + CS:1AFA RETF + + Proceed through this, and you'll return back to CS:1BC5. Proceed on. 
You +will hit a few calls along the way that will load in the screens, and eventually +you'll reach: + + CS:1C68 CALL 1F6F:188B + + This will call in the option that lets you type in a command, so type in +the following commands in this order (and note, that after you press enter, +you'll be back in the debugger. Instead of proceeding on, which will +eventually bring you back to CS:1C68, just go to 1C68 again and proceed through. +It will wait for you to input another command. Keep doing this until you've +input all the commands). + + wait + wait + w + open drawer + take card + enter interkron + put card in slot + timeset rome 44 + + Now, after entering the last command, (DO NOT JUMP back to 1C68 again) +proceed on. You will eventually come to: + + CS:2496 CALL 0D40 + + Trace through this call statement (proceeding through will bring up the +doc check). Now, proceed on until you eventually come to: + + CS:106E CALL 1B46:05C5 + + Trace through here (for the same reason as mentioned above), and then +proceed on and you'll eventually reach: + + CS:05F5 CS: + CS:05F6 JMP [BX+0B14] + + Proceed through this (If you ever try jumping (with the go command) to a +two part jump statement like this, make sure you go to the address with the +"CS:" and not the JMP, otherwise you will screw up the program and it will +jump you to the wrong place). Trace through: + + CS:09FC CALL 1CA7:1520 + + Now, proceed on till you come to: + + CS:160C CALL 45EA:1F8E + + Trace through this, and then trace through the call statement that you +immediately come upon, which is: + + CS:1F8E CALL 4537:0307 + + If you proceed through this, it will try to access your floppy drive, +because it won't be able to find the overlay file, so trace through it. 
Now, +proceed on till you get to CS:0379, where you will be taken back to CS:1F95, now +keep proceeding on, and you will go through a series of jump compare statements, +if you keep going on, you will eventually hit: + + CS:029F CALL 1E35:000C + + This is where the doc check will pop up. These jump comparisons are the +key to the doc check. If you notice, at: + + CS:029D JNZ 02B5 + + Here, is where it makes an obviously important comparison. Why is it +important you ask, well because look at what happends. If the value it's +comparing is zero, it proceeds on to CS:029F, where the doc check comes in, +so what happends if the value is not zero? Well, let's find out. Change +CS:029D to read CS:029D JMP 02B5 and then proceed on. You will soon hit a CALL +statement that will give a message displayed only after you pass the doc check, +thus we know we made it to the right area. So just make that change at CS:029D +permanent. And just to give you a little hint, the change you need to make will +have to go in the overlay file. So, now we're done. Wasn't so tough after all +now was it. + + ** Notice. This cracking scenario for Time Quest was done without any saved + games. Having saved games will effect the debugging process. You will + have a few other detours along the way before you get to CS:1C68, so either + try it on your own, if you have saved games, or move your saved games to + a different directory and try it without them first. It'll be easier. ** + +-------------------------------------------------------------------------------- + + Hopefully this will aid you on your quest to become a crackist. And remember, +don't get in over your head by attempting to crack something difficult, 'cause +it won't help ya at all, G. Laterz... + + - The Psychopath diff --git a/textfiles.com/piracy/CRACKING/nags.txt b/textfiles.com/piracy/CRACKING/nags.txt new file mode 100644 index 00000000..d366aed2 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/nags.txt 
@@ -0,0 +1,212 @@ + 8/24/97 + + How to USE nag screens? + ======================= + + Introduction + ------------ + +What I`m about to teach in this tutorial, is simply how to USE nag screens, +yeah yeah, it sounds redicules, and, I`m not sure that i`m not inventing +the Wheel here, but, I've never seen any tutorial about this issue... + +I`ll assume you have the knowledge in: + +1.SoftIce (Winice will be more percisive...). +2.cracking (ie, about 2-3 months of cracking..). +3.Nag Screens (How to kill'em - but, that's of course not what will be discussed + here). + +Tools you`ll need for this tutorial: +1.SoftIce 3.00/01. +2.Hex Work Shop (ANY VERSION) / or any other good Hex Editor. + +Programs that will be discussed in here: + +1.DeskWipe v1.2 : URL - Http://Home.sol.no/Frankm +2.Idyle Phone Book Pro 97 V2.21 : URL - Http://www.idyle.com/ + + + Some words for start + ---------------------- +What we're going to be doing here, is to use the nag screens in order to +get to the registration routines, in programs that newbies usually find +hard to handle - The programs that have NO visible registration info... +Which means, programs without register boxes... etc.. + +Our basic method here, will be to set a break point on a messagebox , or +some other forms of nag screens that will be discussed here later, +then , after breaking in the nag screen routine, look back in the code, +and see what condition brought us to the nag screen, then, break point in that +condition (ie, je,jz,jnz etc....), and disable it... ;-) +Sounds like we`re just about to start our cracking here...... :) + + +The first program I'd like to discuss is one of the simplest... + + DeskWipe 1.2 Cracking (Using nag screen). + --=========================================-- +OK, we're all set with SoftIce running? +great, lets start the program to see the actual protection scheme... + +After launching DeskWipe 1.2 , quickly pops a nag screen, errrgh! sux! 
+Lets Exit the program , and set a bp on messageboxa, then, run it again... +oh, no ;`[ , we're lost, messageboxa wasn`t such a lucky guess, +Hmm..... Now, we can use our knowledge in nag screen (which is not too hard +to achieve btw...;)), while we're in the nag screen, press CTRL+D, And, +type hwnd deskwipe... +U`ll see only one button , BMSG on it, (For me , it gave 0688...). +Now, press CTRL+D, and follow my instructions FULLY! (I'd really wish to +talk to you guys about these stuff, but, thats not for this tutorial, +and, it won`t serve my targets...). + +1.After pressing CTRL+D , you`ll pop again in SICE, press F12 9 times. +2.press F10 several times, until you get to this instruction: + . + . + . + MOV EAX,[EBP-04] + MOV EAX,[EAX+00000128] + TEST EAX,EAX + JZ 420940 / This one, u`ll have to NOP in order to pass the nag screen, + / because, this is the condition, if the Button was pressed + or wasn`t... (That was just a side comment). + . + . + . + NOP the JZ... +3.now, we can Continue pressing F12 7 more times... + until we're popped in this instruction: + . + . + . + CALL 00425728 + POP ECX + POP ECX + . + . + . + Let's now press CTRL+UP several times, (to see the above code, that brought + us to this nag screen) + Until you get to this: + MOV EAX,[429664] / The initial value for the registration routine + CALL 425FFC / The registration routine itself!!! ;) + INC EAX / The Boolean identifier, that's used to determine if + JZ 426EA6 / The registration was successful... + . + . + . + I`ll leave you guys the job to Register this program (NOTE that in order + to crack this one with Patching, you`ll HAVE to change EAX's value INSIDE + the registration routine, But, it won`t be the BEST crack, for making the + BEST crack, you`ll have to make a license file... - I`ll leave this job to + you, I`m not trying here to teach how to do key files, I already assume + that you can handle the registration routine by yourself... 
;)) + + + Well , that's it for this program , Now , Let's move to some harder + Job... ;) + + Lets Crack Idyle Phone Book Pro 97 Now!! + + Phone Book Pro 97 V2.21 Cracking!!! + --===================================-- + +I'd like to take these lines to GREET the author Damien Rame for a GREAT +interface, I've never seen a better phone book!!! If you use this program, +please send him money! he deserves that! +This one, is about to be harder to do than the other one we've seen. +I`m about to do patching here , just to give you an example of a CRC checking +that's kicking ya from the program if it detects patching (this one, is usually +done by doing CheckSum to the EXE, and , comparing it with a Value that's +kept somewhere.......). +We're all set with our little SoftIce? :) +great! +Lets launch the program... +press the About/Register button... +Hmm, interesting... the author seems to be pretty smart, look what he did, +he DIDN`T give ya ANY buttom to press in order to tell the program to check +the registration info that was entered!!! +How do we solve this problem? +Well, it's obvious that the program checks the registration info in REAL TIME +(ie, when you enter it in the dialog box). + +OK, Let's try something here: +I entered Name :^pain^ '97 + Reg Code: 9999999 +Wait, Let's Press CTRL+D, and, set a bp in HMEMCPY,then , press CTRL+D again, +and, add another char to the reg code... +YES! we popped right next to the registration routine... +Let's press F12 now until we get to the program code, and, trace the code +until we get to this instruction (The registration routine): + +. +. +. +MOV EDX,EBX +MOV EAX,EBX +CALL 49616C +TEST AL,AL +JZ 004968B4 +. +. +. +Now, it's obvious what u should do, trace in the registration routine, +Set a bp on some code in the registration routine, and, restart the program. +(Don`t worry, I know what I`m doing...) +After we pop back in Sice... +Exit the routine, and ,do the patch OUTSIDE the routine!!! (VERY IMPORTANT!) 
+(ie, TEST AL,AL ===> OR AL,01) + +Now, we're all set for the point I want to discuss... :) +Launch the program! +Oh shit,Now Look what happens!!! This program does CRC checking!!! (Did I ever +say the author is smart??? ;-)) Although, he did a stupid thing... +Left us a MSG TYPE ERROR BOX!!! (That says there was a CRC error, and that the program +will now be terminated!!!) Let's use this shit! :)) + +Launch the program AGAIN! +when you get to the Error Button. +1.Type in Sice HWND. +2.BMSG on the ONLY button that PHONEBOOK uses. +3.Press CTRL+D +4.Press F12 5 times. +5.Press F10 until you get to this instruction: + . + . + . + Mov EAX,[EAX+00000150] + TEST EAX,EAX + JZ 00430CE2 / Nop the JZ... + (Only a temporary change for passing the msg box). + . + . + . +6.Press F12 8 more times. +7.Press CTRL+UP some times, until you see this: + CALL 445570 / CRC Checking routine... :) + CMP EBX,-2 / Boolean Identifier. + JNZ 459409 + + Now, All you have to do, is to change the CMP EBX,-2 ==> MOV EBX,01 + JNZ 459409 ==> JMP 459409 + And , we're all set! ;)) + simple eh? :) + After nopping it, patch the EXE, and, you have a FULL crack! :) + + NOTE that that's not how I did the crack, I did a better patch, but, I really + don`t remember now wtf did I patch, and, it's not really important for our + discussion ;) So, you`ll have to forgive me... + + +Well, I think that's it, I've cleared my point, and , I think it's time to +Sign off... +Hope you found this info interesting.....(I wouldn`t like to spend my time for +nothing... ;-)). + +Ohhh...... almost forgotten, I'd like to greet the following dudes: +Acp,Niabi,JosephCo,_rANDOM,|KAIRN|,Razzi,Yoshi,GrimL0ck,kOUGER,Odin, +[J0B],Qapla,Leddy,TeRaPhY!,All the great guys in +#cracking & #Cracking4newbies And all the rest of you M$ fighters I've forgotten! + +Signing off - ^pain^ [mEXELiTE] in the year of 1997 - 
diff --git a/textfiles.com/piracy/CRACKING/od-crk1.txt b/textfiles.com/piracy/CRACKING/od-crk1.txt new file mode 100644 index 00000000..9939fda2 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/od-crk1.txt 
@@ -0,0 +1,482 @@ + + odin's_________ _______ ______ _____________ + ____\ /____\ /________\ /____| /_____/_______ _________ + / _____/ _____/ __ ___/ '____/ / | \ _____/___ + / | \ || | | | \ . \ | | | \__ / + \_____ \___| \____ |____ \___| \___|____| |_____ | + |_______/ `----' |_____/ |______/ |____| |_____| + tutorial v1.51 + + TOPIC: CRACKING/PATCHING SOFTART'S DESKEY v1.02.010 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + +X. TABLE OF CONTENTS +~~~~~~~~~~~~~~~~~~~~ + 1. FOREWARDS + 2. INTRODUCTION + 3. TOOLS USED FOR THIS + 4. THE CRACKING STARTS + 5. MAKING A PATCH + 6. THE URL'S + +1. FOREWARDS +~~~~~~~~~~~~ + Welcome. So how come you're interested in reading this tutorial? +Perhaps you think cracking is cool and seems easy, and that cracking +is a way to be famous on the internet today. Well, if you think +like this please stop reading now. Why? Mainly because most crackers +don't crack because they think it's "cool." and want to be famous. +Cracking is something they actually do because they think its a great +thing to spend their precious time on, believe it or not. Most crackers, +not to say all, also code in one or several computer languages. + On the other hand if you're very interested in how computers work +internally, and you like to program in languages like Pascal, C++ and +Assembler, then I believe this tutorial is worth reading for people +such as you, and you might even learn something from it. + If you're the third category, you've been learning cracking for +some time now and read every little article about cracking you +can get, then this tutorial also is very good to read. You can always +learn something that you didn't know before. Even I can learn things +I didn't know by listening to others and reading various text files. + + To become a cracker will take several years. And to become a good +cracker will take even longer. The key to success is practice and, in +my point of view, learning and listening to other crackers. 
+ +I'll skip the most things about how SoftICE works because there +are several good tutorials out about that. One is Exact's SoftICE +tutorial, very good and recommended reading. + + +2. INTRODUCTION +~~~~~~~~~~~~~~~ + This text files purpose is to show and hopefully learn +you how to patch away a time limit of a program. The program we will +use is SoftArt's Deskey. It isn't necessary to patch this program +because you can also enter a registration code in the registry to +get the program to work fully, but then you have to write a keymaker +because the code depends on the Windows name and company (the one +you enter when you installed Windows 95). So we're going to do it +the lazy way and patch it. There are of course other ways to +do this crack. + +3. TOOLS YOU WILL NEED FOR THIS +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + (1) SoftICE 2.0/3.0, of course, our beloved debugger. + (2) Ultra Edit or another good hex editor. + (3) A patch generator, or if you write the patch yourself + as I do. + +4. THE CRACKING STARTS +~~~~~~~~~~~~~~~~~~~~~~ + Ok, let's begin with removing the semicolon from the user32.dll +and kernel32.dll lines in SOFTICE.DAT if you haven't done so already. + + Now let's do some detective work, by checking the Deskey help +file. You'll notice that this program will stop working after +60 minutes. This limit is what we're going to remove. There +are a few possible solutions for the programmer to obtain this +limit. To check which functions the program use, let's test the +approach Qapla used in his tutorial: + Start the explorer and press the right mouse button on the +Deskey exe file. Now choose Quick-View. You'll notice all the +calls the program uses and which dll's store the code for +the calls. When you look at them, you'll notice some interesting +functions. + + Import Table + ------------ + + . + . + . + . + KERNEL32.dll + Ordinal Function Name + ------- ------------- + . + . + . 
+ 008f FreeLibrary + 0188 MultiByteToWideChar + 011d GetSystemTime <----- Interesting + 00e4 GetLocalTime <----- Interesting + 025d lstrcmpiA + 00ca GetDateFormatA + . + . + . + USER32.dll + Ordinal Function Name + ------- ------------- + . + . + . + 00ec GetDlgItemTextA + 007d DefWindowProcA + 01fe SetTimer <----- Interesting + 01a2 PostMessageA + 0224 TrackPopupMenu + 01b8 RemoveMenu + . + . + . + +Ok, as you see I'm interested in 3 different calls. We can try +to see if the program uses KERNEL32!GetSystemTime(); and +KERNEL32!GetLocalTime();. Enter SoftICE and put a breakpoint +on these two. Enable them just when you're about to start +the program. If you do it before, you risc to break on these +calls used by another program. So just before you start +Deskey, enable these. Ok, now you started it and program pops +up in the traybar. Nothing happens. Oh well, then we can +exclude these ones. Actually a cracker might have excluded them +from the beginning and tried some other calls first. Why? +Probably because a programmer usually uses these calls if the +program has a 30-day limit, not a 60-minutes one. Ok, now +we have one left to test, USER32!SetTimer();. Exit Deskey and +put a breakpoint on SetTimer(); just before you start Deskey. +Finally, SoftICE detected the use of this function by Deskey. +Press F11. It should look something like this now: + + . + . + . 
+ 0137:0040397F 833D1890400000 CMP DWORD PTR [00409018], 00 + 0137:00403986 7409 JZ 00403991 + 0137:00403988 833D1C90400000 CMP DWORD PTR [0040901C], 00 + 0137:0040398F 7421 JZ 004039B2 + 0137:00403991 6A00 PUSH 00 + 0137:00403993 A128904000 MOV EAX,[00409028] + 0137:00403998 6880EE3600 PUSH 0036EE80 + 0137:0040399D 6834120000 PUSH 00001234 + 0137:004039A2 50 PUSH EAX + 0137:004039A3 FF158CB44000 CALL [USER32!SetTimerA] <-- you're here + 0137:004039A9 8BBC24AC060000 MOV EDI,[ESP+000006AC] + 0137:004039B0 EB12 JMP 004039C4 + 0137:004039A9 8BBC24AC060000 MOV EDI,[ESP+000006AC] + 0137:004039B0 EB09 JMP 004039C4 + 0137:004039A9 8BBC24AC060000 MOV EDI,[ESP+000006AC] + 0137:004039B0 EB07 JMP 004039CB + . + . + . + +Let's check the SetTimerA function in our we-cant-be-without-it +API guide: + + The SetTimer function creates a timer with the specified time-out value. + + UINT SetTimer( + HWND hwnd, // handle of window for timer messages + UINT idTimer, // timer identifier + UINT uTimeout, // time-out value + TIMERPROC tmprc // address of timer procedure + ); + . + . + . + uTimeout + Specifies the time-out value, in milliseconds. + . + . + . + +Aha, let's check on the code again: + + 0137:00403991 6A00 PUSH 00 <-- tmprc + 0137:00403993 A128904000 MOV EAX,[00409028] <-- pushed later + 0137:00403998 6880EE3600 PUSH 0036EE80 <-- uTimeout + 0137:0040399D 6834120000 PUSH 00001234 <-- idTimer + 0137:004039A2 50 PUSH EAX <-- HWND + 0137:004039A3 FF158CB44000 CALL [USER32!SetTimerA] <-- you're here + +Hmm, very interesting indeed, let's check the value 0036EE80 in +the SoftICE debugger: + + :? 36ee80 + 0036EE80 0003600000 "6" + +An even and nice value. And if you read further in the API help +file you'll notice that the uTimeout should be in milliseconds. +1 second is 1000 milliseconds. Let's do some calculating: + + 3600000/1000=3600 seconds. + + 60 seconds*60 minutes=3600 seconds, which is 1 hour + +We've found the right one! 
This call creates a timer which will be +checked when the program process the WM_TIMER message from Windows. +The WM_TIMER message is sent when 1 hour has past. Let's check +the API reference once more: + + WM_TIMER + + wTimerID = wParam; // timer identifier + tmprc = (TIMERPROC *) lParam; // address of timer callback + + The WM_TIMER message is posted to the installing thread's message + queue or sent to the appropriate TimerProc callback function after + each interval specified in the SetTimer function used to install a + timer. + . + . + . + +So now we know where he creates the timer. If you remove this +SetTimer(); call the WM_TIMER message will never be sent, +resulting in that the 60 minute limit will be REMOVED!! Let's +take a look at this example code below: + + SetTimer(hwnd, idTimer, 0x36EE80, tmprc); + ^-- hex value + + WM_TIMER: { <-- this structure is reached when + PostQuitMessage(0); the hex value above reach 0. If + ^-- will exit the program the timer never is set this + } structure wont be reached. + +This is very simple to understand, I hope :-). +So perhaps you think, "hey, let's NOP away the whole structure" + + (for those of you not familiar with NOP: it means NO OPERATION + and are very commonly used when patching. The computer will + do nothing when it executes this instruction.) + +Nono stop! Don't NOP away the whole call. Well first of all +a good rule when patching is that, never alter the code more +then you actually need. It looks nice (who'll notice anyway), and +it decreases the chance of program crash due to doing something +stupid. So how should we do instead? Well let's check that code +once more: + + . + . + . 
+ 0137:0040397F 833D1890400000 CMP DWORD PTR [00409018], 00 + 0137:00403986 7409 JZ 00403991 + 0137:00403988 833D1C90400000 CMP DWORD PTR [0040901C], 00 + 0137:0040398F 7421 JZ 004039B2 + 0137:00403991 6A00 PUSH 00 + 0137:00403993 A128904000 MOV EAX,[00409028] + 0137:00403998 6880EE3600 PUSH 0036EE80 + 0137:0040399D 6834120000 PUSH 00001234 + 0137:004039A2 50 PUSH EAX + 0137:004039A3 FF158CB44000 CALL [USER32!SetTimerA] <-- you're here + 0137:004039A9 8BBC24AC060000 MOV EDI,[ESP+000006AC] + 0137:004039B0 EB12 JMP 004039C4 + 0137:004039A9 8BBC24AC060000 MOV EDI,[ESP+000006AC] + 0137:004039B0 EB09 JMP 004039C4 + 0137:004039A9 8BBC24AC060000 MOV EDI,[ESP+000006AC] + 0137:004039B0 EB07 JMP 004039CB + . + . + . + +The CMP (compare) instructions above seems very interesting. +As you might notice, the one at 00403986 will jump to 00403991 +and start the timer. If you check the JZ at 0040398F it will go +to 004039B2 and therefor jump over the timer, resulting in +that there will be no time limit. So to solve this simple +problem just change the JZ 00403991 at 00403986 to JMP 004039B2 +instead. Like this: + + 0137:00403986 7409 JZ 00403991 + ---> to ---> + 0137:00403986 EB2A JMP 004039B2 + +Now let's apply the patch to the exe file. Load up your favorite +hex editor. In this case I'll use Ultra Edit. Now load the exe file. +Choose search and enter the following bytes: 68 80 EE 36 00. +So why do we search after these? Well that's very easy. Check the +code once again: + + 0137:00403993 A128904000 MOV EAX,[00409028] + 0137:00403998 6880EE3600 PUSH 0036EE80 <--- this one + 0137:0040399D 6834120000 PUSH 00001234 + +As you see these bytes stands for the instruction PUSH 0036EE80. +"Uhu, I don't have those cryptic numbers to the left of my +instructions!!". Well that's easy to fix. Just write 'code on' +and you'll see these cryptic numbers, also known as OPerand codes. +"Why didn't you search 83 3D 18 90 40 00 00 for example?". 
Well +that's because I know the ones we searched for only exists one +time in the exe file. The one mentioned above (83 3D...) exists +several times, so you cannot actually know which of those to use, +if you don't check the surrounding bytes that is. Always do +"search next" so you are sure that that byte combination doesn't +exist somewhere else in the file. + +Now let's change the bytes needed. Some bytes above '68 80 EE 36 00' +you will find '74 09' which is the JZ 00403991 instruction. This +is the two bytes we want to change. So how do you know which numbers +to actually change to? That's also easy. In the debugger when you're +looking at the code just use the 'a' command. Like This: + + 0137:0040397F 833D1890400000 CMP DWORD PTR [00409018], 00 + 0137:00403986 7409 JZ 00403991 + 0137:00403988 833D1C90400000 CMP DWORD PTR [0040901C], 00 + ----------------------------------------^ code window ^ ----- + :a 00403986 JMP 004039B2 + ----------------------------------------^ prompt ^----------- + +This will change the instruction at 00403986 and a new code will +pop up, EB2A. So this is the code you want to change for the 7409 +one. Remember, that if you use the 'a' command it will not change +the code permanently, only temporary. That's why we have to use +a hex editor. So go to the '74 09' bytes and change it to 'EB 2A'. +Now save the exe file, voila! That's it. Now start the program +up and test if it works. If SoftICE doesn't break on SetTimer(); +it probably worked. If it does, read this all again :-). + +One thing has to be said also. If you for example want to change +a instruction with the opcode 'C1 E1 10' (3 bytes) to a instruction +that only has a 2 byte opcode, for example '0B D1', you have to NOP +away the last byte. NOP has the hex value 90. +Like this: + + C1 E1 10 becomes ---> 0B D1 90 + + SHL ECX, 10 becomes ---> OR EDX, ECX <- 0B D1 + NOP <- 90 + +As you see I change the F3 to 90 and therefore put the instruction +NOP there. 
If you didn't do this the chance of a program crash +would be 98%. + + That's all. To patch is very simple, but to find the bytes to +change is harder. Remember that the byte combination can exist +somewhere else so check the surrounding bytes. + +5. MAKING THE PATCH +~~~~~~~~~~~~~~~~~~~ +Now it's time to make this patch available to the public. To +write something like "uhu change the bytes at blabla to blabla" +doesn't look that good, does it? So now it's time to make +a exe file that changes those bytes asap so the user don't have +to use Ultra Edit every time. I've included a program in Pascal +done for this task. There are also several good patch generators. +One for Windows 95, that I strongly recommend, is Qapla's +PatchIt '97. It's fast and nice interface (happy now Qapla :-) +To convert this program to C++ should be easy. You have to know +one more thing to make a patch, where the bytes are located in +the file. This is called "offset.", to check the offset just +go to the bytes you changed, and look at the status bar in Ultra +Edit, it should say the offset (pos) in hex. + +I did the patch in Turbo Pascal 7, most would probably do it in +Asm :). Anyway, here is the patch: + +---------------------------------------------------------------------- +---------------------------------------------------------------------- + +Program Patcher; + +Uses Crt; + +Const offset : Longint = $2D86; { $ means a hex value } + bytes : Byte = 2; + len : Longint = 51200; { file length } + orgbytes : Array[1..2] Of Byte = ($74, $09); + newbytes : Array[1..2] Of Byte = ($EB, $2A); + {---------------------------------------------------------} + filename : String[12] = 'DESKEY.EXE'; + errnof : String[43] = ' ERROR: File DESKEY.EXE was not found.'; + errver : String[36] = ' ERROR: File size is not correct.'; + errpch : String[36] = ' ERROR: File seems to be patched.'; + msgdon : String[21] = ' Patch successful!'; + ask : String[26] = ' Continue anyway? 
(Y/N)'; + +Procedure message(message : String); +Begin + + WriteLn; + WriteLn(message); + Halt; + +End; + +Procedure patchfile; +Var fil : File Of Byte; + teck : Byte; + n : Byte; + ch : Char; +Begin + + Assign(fil, filename); + + {$I-} + Reset(fil); + {$I+} + + If (Not(IOResult=0)) Then message(errnof); + If (Not(FileSize(fil)=len)) Then + Begin + + WriteLn; + WriteLn(errver); + WriteLn(ask); + Repeat Until Keypressed; + + ch:=ReadKey; + + If Upcase(ch)='N' Then Halt; + + End; + + Seek(fil, offset); + + For n:=1 To bytes Do + Begin + + Read(fil, teck); + If (Not(teck=orgbytes[n])) Then message(errpch); + + End; + + Seek(fil, offset); + For n:=1 To bytes Do Write(fil, newbytes[n]); + Close(fil); + + WriteLn; + WriteLn(msgdon); + + Halt; + +End; + +Begin + + WriteLn; + WriteLn(' SoftArts Deskey v1.02.010 Patch'); + WriteLn(' By ODIN / RBS^TFT^PIE in 1997'); + patchfile; + +End. + +---------------------------------------------------------------------- +---------------------------------------------------------------------- + + +Some final words. Take some programs and play with patching them +in various ways. This gives you experience, and hopefully you'll +become a better cracker. + +Thanks to Qapla, kOUGER, Hook and Tgunner for help while making this +tutorial. + +A special greeting goes to ED!SON. + +6. THE URL'S +~~~~~~~~~~~~ + -- + My E-Mail + cracking@usa.net + -- + SoftArts Deskey v1.02.010 + http://www.spiresoft.com + -- + Ultra Edit vX + http://www.windows95.com/apps/ + -- \ No newline at end of file diff --git a/textfiles.com/piracy/CRACKING/owl-ice.txt b/textfiles.com/piracy/CRACKING/owl-ice.txt new file mode 100644 index 00000000..0fcb7c14 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/owl-ice.txt 
@@ -0,0 +1,697 @@ + + NO MORE annoying anti SOFT-ICE tricks or + how to improve SOFT-ICE! + + + intro + + today's best EXE protectors contain code to prevent debugging with + SOFT-ICE, which is the best debugger among the ones i came across so + far. following protectors are known to me to defeat SOFT-ICE: + + EEXE (Encrypt Exe found in FZC.EXE) + HACKSTOP (found in WWPACK.EXE) + PROTECT! (found in various files) + GUARDIAN ANGEL (found in some versions of HWINFO.EXE) + EXELITE (a Polish exe compressor) + the one written by PREDATOR 666 (found in DCA.EXE v1.4) + the one used by Martin Malk (found in HWINFO.EXE v3.05 and up) + DS-CRP by Dark Stalker (hi!) + SECURE v0.19 by the authors of WWPACK + ALEC v1.5 (the very best protector :-) by Random + and a few others i don't remember right now... + + + the problems + + SOFT-ICE can be detected/halted/crashed in many ways, here's a short + list of them (some of them only makes single stepping harder but not + impossible). i also included a short note on the effects for each version + of SOFT-ICE: + :-( this trick works, + :-) it causes no problems + + + 1. by the use of the INT3 interface provided by SOFT-ICE one can + check for the presence of SOFT-ICE and then have it execute various + commands, e.g. HBOOT (see HackStop). the loader part of SOFT-ICE + also leaves some traces in the low DOS memory, so one can find out + the entrance values of the INT3 interface even if they were changed + (see HMVS - a heuristic macro virus scanner - by J. Valky and + L. Vrtik that uses SECURE v0.19). the Windows versions can also be + detected by the following code (thanks to Dark Stalker and ACP :-): + + mov ebp,"BCHK" + mov ax,4 + int 3 + cmp ax,4 + jne winice_installed + + it seems that BoundsChecker talks to SOFT-ICE via an interface very + similar to the one between LDR.EXE and SOFT-ICE (although it's + completely undocumented, as far as i know...) 
+ + + DOS: :-( + W31: :-( (but the SECURE method is :-) + W95: not tested yet (probably same as W31) + WNT: not tested yet (probably same as W31) + + + 2. by checking for various devices SOFT-ICE installs ("CVDEBUG", + "NU-MEGA", "SOFTICE1") and searching the part of the code SOFT-ICE + leaves in the low DOS memory for some patterns (e.g. "CVDEBUG", + "NU-MEGA", "SEGMAP", "S-ICE" (the latter coming from the filename), + and any instruction sequence that's left there) one can detect the + presence of SOFT-ICE. the Window$ versions provide a VXD entry point + that can be get by: + + mov ax,01684h + mov bx,0202h ; VXD ID for Winice, check out Ralf Brown's INTLIST + xor di,di + mov es,di + int 2fh + mov ax,es + add di,ax + cmp di,0 + jne winice_is_installed + + the Window$ versions can also be detected by calling the "debugger + install check" function of the Window$ debug kernel (int 42/ax=0041), + for more details see Ralf Brown's INTLIST. + + see HWINFO.EXE and DS-CRP.COM for an extensive application of these + checks... + + + DOS: :-( + W31: :-) but the VXD entry point check is :-( + W95: not tested yet (probably same as W31) + WNT: not tested yet (probably same as W31) + + + 3. by the use of the undocumented ICEBP/INT01 instruction (opcode 0xF1): + SOFT-ICE gives a short beep before the execution of this instruction + (it will be reflected back to the V86 mode handler, thus at least + the intended handler will get it) which can be VERY annoying (and + make the execution VERY slow), see EEXE for an application of this. + + DOS: :-( + W31: :-) + W95: not tested yet (probably same as W31) + WNT: not tested yet (probably same as W31) + + + 4. by using the TRAP flag, one can use the single stepping feature to + call a protection routine (e.g. a decryptor). the problem is, that + during single stepping SOFT-ICE clears the TRAP flag for the V86 task + and will neither execute nor step into the INT01 handler of the + V86 task. many schemes use this trick. 
+ + DOS: :-( + W31: :-( + W95: not tested yet (probably same as W31) + WNT: not tested yet (probably same as W31) + + + 5. by the use of the debug (DRx) and control (CRx) registers: + accessing these registers in V86 mode leads to a General Protection + Fault (INT0D), which SOFT-ICE doesn't handle correctly (it's normally + used for emulating instructions that access the interrupt flag, the + debug registers, the control registers, etc.). the protected mode + handler emulates instructions that access these registers by + executing them, however it doesn't make note about this for itself, + i.e. whenever a debug fault is triggered SOFT-ICE will think that + it must pop up and won't reflect back this exception to the V86 mode + handler (that's waiting for it in vain). for a working example see + GUARDIAN ANGEL. furthermore, accessing DR4/5 and CR1 will halt + SOFT-ICE with a General Protection Violation error message, which is + of course quite disturbing if it's used many times in the program... + + and best of all by accessing CR4 SOFT-ICE simply crashes since + there's no emulation code for this kind of instructions (there's a + jump table that tells SOFT-ICE which routine to use to handle these + instructions and the table ends with CR3...). this method was first + used by Random in his ALEC.EXE v1.4 :-) + + another sad fact is that the emulation in SOFT-ICE is not complete: + it ALWAYS uses eax no matter what the original instruction was... + + e.g. mov dr0,ebx will load dr0 from eax! + mov ecx,dr0 will load eax from dr0! + + i guess it's needless to say how easy it is to detect this behavior... + + a sidenote for protection writers: other memory managers that run + DOS in V86 mode may or may not handle these instructions correctly, + so the use of this trick is highly discouraged. + + DOS: :-( + W31: :-( + W95: not tested yet (probably same as W31) + WNT: not tested yet (probably same as W31) + + + 6. 
by the use of INT08, which is the timer interrupt in real mode DOS, + and the Double Fault Exception in protected mode. the protected mode + handler checks whether it was entered from V86 mode or not, and in + the first case it reflects back this interrupt to the V86 mode + handler. however, one can't single step into it. + + DOS: :-( + W31: :-) + W95: not tested yet (probably same as W31) + WNT: not tested yet (probably same as W31) + + + 7. by the use of the INT07 interrupt (this is the Coprocessor Not + Available Exception): + instead of reflecting back this interrupt to the V86 mode handler, + SOFT-ICE tries to skip the offending coprocessor instruction (it + checks for some opcodes). it seems the Nu-Mega folks never thought + it would be called directly... for a real life application get some + programs written (and protected) by Predator 666. + + DOS: :-( + W31: :-) + W95: not tested yet (probably same as W31) + WNT: not tested yet (probably same as W31) + + + 8. by the use of the Invalid Opcode Exception (INT06): + SOFT-ICE tries to emulate some instructions (e.g. LOADALL), and then + reflects back this exception to the V86 mode handler. however, + certain opcodes aren't recognized and will give you an error message + (i.e. execution will be interrupted, if the protection scheme uses + this trick). + + DOS: :-( + W31: :-( + W95: not tested yet (probably same as W31) + WNT: not tested yet (probably same as W31) + + + 9. by using direct INTxx calls that are triggered by hardware + interrupts (e.g. INT08-INT0F, INT70-INT77, if the vectors in the PIC + are not reprogrammed), one will not be able to single step into the + interrupt handler. in fact, SOFT-ICE will even execute the next + instruction and just then stop (if the next instruction is also an + INTxx call of this type then it will be stepped over as well, and so + on). so far, i know of no protection scheme that uses this trick, + but i guess i've just given out a good idea :-). 
+ + DOS: :-( + W31: :-) + W95: not tested yet (probably same as W31) + WNT: not tested yet (probably same as W31) + + + A. by reloading IDTR one can change the base and size of the interrupt + table in real mode as well. however, SOFT-ICE will not emulate this + instruction (it causes a General Protection Fault in V86 mode) thus + a protection using LIDT won't run. the only problem is that memory + managers don't like it very much, so probably we won't see it in a + real life protection scheme, but one never knows :-). + + DOS: :-( + W31: :-( + W95: not tested yet (probably same as W31) + WNT: not tested yet (probably same as W31) + + + B. sometimes one has to call an interrupt directly (GENINT xx), e.g. to + dump a memory range to disk by using one's memory resident dumper + (you know what i mean :-) and it's very annoying that SOFT-ICE + doesn't stop after the interrupt call but executes the program + being debugged (thus one has to set a breakpoint for a moment at the + current CS:IP which will result in an unwanted 0xCC byte in the dump, + if all debug registers are already used). + + DOS: :-( + W31: :-( + W95: not tested yet (probably same as W31) + WNT: not tested yet (probably same as W31) + + C. in plain DOS INT3 and INT1 are handled by the same routine (which is + a simple IRET). however, SOFT-ICE changes the INT3 handler of the + V86 task to another IRET which can be detected by comparing its + offset to the one of the INT1 handler. see HWINFO.EXE for + an application + + DOS: :-( + W31: :-) + W95: not tested yet (probably same as W31) + WNT: not tested yet (probably same as W31) + + + the solutions + + in the following part you'll be presented with some ideas about the + solution for the problems described above (the file offsets refer to the + DOS version v2.80, but the ideas should work for other versions, as well. + the easiest way to apply the patches is using Hacker's View which can + be found in HIEW531.ZIP). 
+ + one general problem is that SOFT-ICE (at least the DOS version) doesn't + reprogram the hardware interrupt vectors, and this makes life (and the + interrupt handlers) a bit more complex. the IDT that SOFT-ICE uses has + entries that point to the following type of code: + + push xx + jmp handler_xx + + where xx goes from 0x00 to 0xFF. in v2.80 this code begins at offset + 0x4534. the Win31 version has a very similar code beginning at offset + 0x14167 in v1.52: + + push d,[offset_xx] + jmp handler_xx + + + if you want to understand the patches that follow right below, you + should study the interrupt handlers (and you should also have a good + understanding of protected mode). however, some problems cannot be solved + without understanding the internal flags of SOFT-ICE, and this requires a + complete disassembly of it, which is a quite hard task i can tell. + + anyway, sooner or later it will be done, and then we'll have the + ultimate debugging/cracking tool in our hands 'cos we'll be able to put in + some missing functions, e.g. emulation of FlatRealMode, tracing INT1, PIC + reprogramming, prefetch queue emulation, dumping a memory range to disk, + etc. until then, enjoy the poor man's patches... + + 1. some exe protections mentioned earlier are based upon the INT3 + interface of SOFT-ICE (see Ralf Brown's Interrupt List for details). + this interface is activated when the protected mode INT3 handler of + SOFT-ICE encounters the magic values in SI and DI. that is, when you + try to trace through an INT3 call, SOFT-ICE will regain control, + check for the magic values, and in case they are not found, it will + reflect back this interrupt to the V86 mode INT3 handler (which it + was supposed to do anyway). if it finds the magic values, then + it'll execute the command given in AX (and DS:DX). 
all of these + checks happen invisibly to the hacker, so there seems to be no + solution to defeat this kind of protection (well, there's a slow way + if you step through every instruction and before the "guilty" INT3 + call you change one or two registers). + + however, there's a simple solution: change the magic values SOFT-ICE + is looking for and this will defeat those protectors based upon the + INT3 interface. however, it's easier said than done because both + SOFT-ICE (and WIN-ICE) itself and (W)LDR.EXE use this interface for + some kind of intra/inter process communication. so every reference + to the magic values will have to be changed! + + to keep the story short here's what i've come up with: + browsing a few minutes in Hacker's View (another important tool ;-) + i found the places where those changes had to be done. in order to + avoid changes where those magic values occur by chance, i wrote an + MSUB script to change whole instructions (they represent enough + context). the amount of necessary changes would have forced me to + use some search&replace utility, anyway. MSUB.EXE can be found in + MSUB13.ZIP (use an ftp search engine to find it). + + the scripts + + SICE-VAL.MS: you should specify the old and new magic values in it + (note that numbers are decimal!) + + SICE2NEW.MS: it will replace the old magic values with the new ones. + there are almost 2^32 possible values, only that value + is forbidden for SI that equals to the version of + SOFT-ICE (for v2.80 it is \128\2, i.e. 0x0280). before + SOFT-ICE installs itself, it checks for its presence by + using an undocumented function of its INT3 interface by + setting AH to 0 or 1. on return SI will be loaded with + the version number or left unmodified if it's not + installed yet, that's why the version number must differ + from the preloaded value of SI. 
+ + example usage + + MSUB.EXE SICE2NEW.MS S-ICE.EXE LDR.EXE + + if you're fed up with the shareware delay built into MSUB.EXE, + here's how you can get rid of it (thanks to a friend of mine ;-) + + patch MSUB.EXE v1.3 (113,152 bytes long) as follows: + + offset old new + 00002307: ?? EB + 00002308: ?? 03 + 0000C0DF: 77 EB + + + the protection that SECURE uses is quite clever 'cos it checks the + first 16 kBytes for the instruction sequence of + + mov si,SI_MAGIC + mov di,DI_MAGIC + + they're encoded as 0BEh,x,y,0BFh,u,v where x,y,u and v are the magic + values. when it finds 0BEh and 0BFh separated by two bytes from each + other then it calls INT3 with the supposed magic values (the INT3 + handler is a simple IRET, so no problem should arise if SOFT-ICE is + not installed). and guess what happens when SECURE finds the traces + of the loader part of SOFT-ICE in that low memory area... + + the only solution that would defeat this kind of protection is to + change the instructions that load SI and DI before the INT3 calls + (unfortunately you can't avoid those calls since SOFT-ICE has to + check for its presence and do other things). for obvious reasons + (i guess one of the previous versions of this file gave the SECURE + authors the idea...) i won't give you tips on how to do it, i hope + you're smart enough to do it yourselves. + + the only limit is that you have 6 bytes of space to load both SI and + DI (i checked that whenever SOFT-ICE uses the INT3 interface it loads + SI and DI by two consecutive instructions, i.e. you can use the MSUB + scripts to search for and replace them). another method could be to + change the HBOOT command to something else (by MSUB of course), + however other dangerous commands could be still issued... + + + the BoundsChecker interface can be modified in the same way we did + it with the rest of the INT3 interface: simply modify the value that + is expected in ebp (but BoundsChecker must be changed as well!). 
+ look for the string "KHCB" to find the appropriate place. + the following file offsets are valid for WINICE for Win 3.1 v1.52: + + offset old new + 000130C7: 'K' ? + 000130C8: 'H' ? + 000130C9: 'C' ? + 000130CA: 'B' ? + + for WINICE for Win95 v3.0: + + offset old new + 00016FDD: 'K' ? + 00016FDE: 'H' ? + 00016FDF: 'C' ? + 00016FE0: 'B' ? + + and for WINICE for Win95 v3.01: + + offset old new + 000243F0: 'K' ? + 000243F1: 'H' ? + 000243F2: 'C' ? + 000243F3: 'B' ? + + + 2. the device names can be changed to anything you want, look at the + beginning of S-ICE.EXE. the real problem is when the protection + checks for instruction sequences. my only advice is that step through + the protection and see which part of the code is checked for, then + try to modify it in S-ICE.EXE (or disassemble, modify and then + recompile the whole executable, but that's not gonna happen for + a long time, i guess... :-). + + to defeat the int41 check, you have to change both the return value + of the real and protected mode handlers in WINICE and the value that + is checked for in KRNL386.EXE, VMM32.VXD, EMM386.EXE, IFSHLP.SYS and + NET.EXE. all these changes are necessary otherwise some WINICE + commands (HWND, TASK) won't work 'cos apparently they rely on some + Window$ functions which are available only in the debug kernel (and + during startup these programs/drivers do this int41 check which will + fail if you don't change the values they're expecting, as well). + + there're five places in WINICE that have to be patched (one is a cmp, + the other four are mov's) and one in each one of the rest. sorry, + that i don't provide you with detailed offsets, but there're too many + versions/combinations of both WINICE and Win31/Win95... note, that + after these changes other programs that want to use debug kernel + functions will fail :-) + + and now let's talk about the VXD entry point check. 
the ID is stored + at file offset 0x7821E in WINICE for Win95 v3.01 (to find it in + other versions as well just look for "SICE ", and the ID will be + a few bytes before this text). + + so to change the ID just overwrite it there. however, it's not + enough since some companion programs also test for WINICE by trying + to get the VXD entry point, i.e. they have to be modified as well. + they're DLOG.EXE and WLDR.EXE, and search for int2F (opcode: 0xCD + 0x2F) to get to the right place... :-) + + anyway, for the versions that come with WINICE for Win95 v3.0, + the file offsets of the ID are 0x625/6 and 0x68B9/A respectively. + + + 3. what we have to do is simply skip the unnecessary parts in the + handler (the beeps) and simulate the instruction as it would have + been a direct INT 01 call (opcode: 0xCD 0x01). this way one will not + only get rid of the beeps but be able to trace into the handler as + well (and we'll have some space to put some extra code in when we'll + need it :-). + + offset old new + 00001DD5: 50 EB + 00001DD6: 51 60 + + + 4. [this part is being worked on] + + + 5. there are two possible solutions: we either disable the DRx emulation + feature of SOFT-ICE (this is quite easy to do) or correct it (this is + really hard to do). SOFT-ICE emulates each instruction by executing + a function whose offset is looked up in a table. each function ends + in the same way: IP of the V86 task is incremented by the appropriate + amount of bytes. so to disable emulation we'll change the pointers + in that table to the common end of the functions, this way these + instructions will essentially be handled as NOPs. i don't know + whether it's worth to do it or not, since this modification can be + detected by simply loading one of the debug registers and then + checking whether it's really been modified or not. 
a more elegant + solution would be to reserve a few bytes in the data segment of + SOFT-ICE for storing the values of these registers and emulate the + instructions (or at least their loading). anyone out there willing + to do that? + + anyway, here's how to do the patch: the table itself is at file + offset 0x1F1DD and it has 12 words in it pointing to the + emulation code of the following instructions: + + mov eax,dr0 and mov dr0,eax + mov eax,dr1 and mov dr1,eax + mov eax,dr2 and mov dr2,eax + mov eax,dr3 and mov dr3,eax + mov eax,dr4 and mov dr4,eax + mov eax,dr5 and mov dr5,eax + mov eax,dr6 and mov dr6,eax + mov eax,dr7 and mov dr7,eax + mov eax,cr0 and mov cr0,eax + mov eax,cr1 and mov cr1,eax + mov eax,cr2 and mov cr2,eax + mov eax,cr3 and mov cr3,eax + + note that there's no offset for emulating CR4... + + the offset of the common exit point (i.e. the new value you may want + to set these pointers to) is 0x175A (this is NOT a file offset...). + + these patches still don't cure the problem with CR4. if you decided + to get rid of the emulation entirely (including CR4) then you can + do it much easier: + + offset old new + 00002E7E: 03 0A + 00002E7F: 00 01 + + + 6. i'll give you a general solution in section 8 since INT08 is just a + a subset of the hardware interrupts which are discussed there. + + + 7. this problem can be solved quite easily: we replace the original + protected mode handler with the one that serves all not_IRQ_related + interrupts (and whose only task is to reflect them back to the + V86 mode handler). + + offset old new + 0000455A: B6 14 + 0000455B: DF D6 + + + 8. what we have to do is to skip the call that prints the error message + and simply reflect this interrupt back to the V86 mode handler. + note that your buggy programs won't cause SOFT-ICE to pop up after + this patch :-) (however, you'll be able to break in and see what + went wrong). + + offset old new + 00002447: A9 C3 + + + 9. 
now we'll make use of the extra space we made in the original INT01 + handler. we have to check whether the interrupt was triggered by a + hardware IRQ or not. this can be done by the following routine: + + push eax ; save the registers that will be modified + pushf ; the order of PUSHs is important! + mov al,0Bh ; we'll read in the in-service registers + out 20h,al ; master PIC + out 0A0h,al ; slave PIC + ; there might be needed a short delay here + ; however, on my machine it isn't :-) + in al,20h ; read INTs being serviced by master PIC + mov ah,al ; save for later test + in al,0A0h ; read INTs being serviced by slave PIC + test ax,0FFFFh ; was it a hardware int? + jnz original ; + popf ; restore flags + pop eax ; the general handler doesn't expect it + jmp offset 1B70h ; this has to be the general handler (this offset + ; is valid in v2.80) + original: + mov ax,8 ; the first two instructions of the original handler + popf ; were push eax, mov ax,8, thus we won't pop eax + jmp offset 1A77h ; this has to be the original handler's offset + ; plus 5 bytes (the length of push eax, mov ax,8) + + and at the beginning of the original handler (offset 0x1A72) we put: + jmp offset 1DD7h ; and since it's only 3 bytes long, + ; we get 2 spare bytes :-) + + the binary patches follow: + + offset old new + 00001A72: 66 E9 + 00001A73: 50 62 + 00001A74: B8 03 + + 00001DD5: 50 EB + 00001DD6: 51 60 + 00001DD7: B9 66 + 00001DD8: 03 50 + 00001DD9: 00 9C + 00001DDA: B0 B0 + 00001DDB: 03 0B + 00001DDC: E6 E6 + 00001DDD: 61 20 + 00001DDE: 51 E6 + 00001DDF: 33 A0 + 00001DE0: C9 E4 + 00001DE1: E2 20 + 00001DE2: FE 8A + 00001DE3: E2 E0 + 00001DE4: FE E4 + 00001DE5: E2 A0 + 00001DE6: FE A9 + 00001DE7: E2 FF + 00001DE8: FE FF + 00001DE9: E2 B8 + 00001DEA: FE 08 + 00001DEB: E2 00 + 00001DEC: FE 75 + 00001DED: E2 06 + 00001DEE: FE 9D + 00001DEF: E2 66 + 00001DF0: FE 58 + 00001DF1: E2 E9 + 00001DF2: FE 7C + 00001DF3: E2 FD + 00001DF4: FE 9D + 00001DF5: E2 E9 + 00001DF6: FE 7F + 00001DF7: E2 FC 
+ + + A. to solve this problem we should do a complete disassembly of SOFT-ICE + since we have to keep track of the base and size of the V86 mode + interrupt table, and this requires too many changes to be worth to do + it with simple byte patches. + + + B. a somewhat lame (but it's more than nothing) solution is the + following: we chain in a P RET command after GENINT by patching + the jump at the end of the GENINT handler to the beginning of P RET. + after executing GENINT we'll land at the IRET of our handler and + a further P or T will take us back to the original instruction we + were at. i said it was somewhat lame... but it works :-) + + offset old new + 000118BF: BC 00 + 000118C0: E0 C7 + + + C. before executing anything call up SOFT-ICE and change the offset of + the V86 mode INT3 handler to the one of the INT1 handler. + + + D. !!! SURPRISE !!! + + while you're in WINICE for Win95 v3.0 or 3.01 type in the following + command: "ver ice" and see what you get... however, note that due + to a bug (or feature?) you can use only once this command during + a session, you have to restart WINICE to be able to get the + message again. + + and while we're at undocumented features, try out "ver ?" as well. + in the next release, i'll try to write a detailed description + of the new commands (not that if it were that hard to find out...) + + + unsolved mysteries :-) + + 1. even the Nu-Mega docs tell about a problem when SOFT-ICE for DOS is + loaded from the command line: if HIMEM.SYS is installed the machine + simply reboots. i tracked down the problem and found out that the + processor resets itself because of a triple fault. it happens so: + + after preparing the IDT and GDT (and loading IDTR and GDTR), paging + will be enabled in CR0, and then DS and ES will be loaded a + descriptor offset of 8. however, both this descriptor and the IDT + seem to be invalid, and this leads to a triple fault. 
unfortunately, + i couldn't find out what goes wrong during the setup of IDT and GDT, + perhaps someone else out there will do the dirty job :-)... and maybe + Nu-Mega will award you with a free, legal version :-)). + + + 2. on a Cyrix 486DLC-40 system (both with and without a coproc) SOFT-ICE + gets a Page Fault and halts if the processor is running at 40 MHz, + but works fine at 33 MHz. the Page Fault seems to happen while the + code window is being put out (i.e. during the execution of the wc + command). this is nonsense! so far, no solution... and yes, it's + another dirty job... + + + P.S. for everyone + + perhaps there's someone out there who didn't know it so far... + WINICE can be used without Window$ (and you'll be able to debug + programs that use some DOS extender, if it can make use of DPMI, but + that's the case with the most popular ones, e.g. DOS4GW or PMODE/W)! + the trick is that you have to make a 'crippled' version of Window$, + i.e. make Window$ start without its GUI. a complete description of + this can be found at the following URL: + + http://www.fys.ruu.nl/~faber/Windows_No_GUI + + after creating this GUI-less Window$ all you have to do is to start + WINICE (beware, your normal Window$ shouldn't be on your PATH!) and + voila, you'll be in a DOS session (i hope that you could find it out + yourself that you had to start COMMAND.COM as your KRNL386.EXE...) + with WINICE being able to pop up whenever you need it (of course, for + native Window$ programs you'll need a full Window$). + + and if we're at Window$ here's another trick: if you don't want to + see the logo being shown every time you start Window$, either start + WIN.COM with a command line paramater of ':' i.e. 
+ + WIN.COM : + + or (as the above method doesn't work with our GUIless version since + WINICE doesn't seem to pass any parameters or you are too lazy to + type in every time 2 more characters :-) look for the string 'LOGO' + in WIN.COM and change it to something else (it's enough to change + only one bit). note, that the WIN.COM of Window$ for Workgroups + doesn't like this patch... + + + P.S. for protection writers + + i know that some of the above modifications can be defeated (i could + do it myself) however i won't make your life easier... i hope you + understand why :-) diff --git a/textfiles.com/piracy/CRACKING/pp2t-t&l.txt b/textfiles.com/piracy/CRACKING/pp2t-t&l.txt new file mode 100644 index 00000000..9d38e9be --- /dev/null +++ b/textfiles.com/piracy/CRACKING/pp2t-t&l.txt 
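Review bot: the byte-patch tables in sections 3, 5, 7, 8 and 9 of this SOFT-ICE notes file never state which binary they were computed against, while the surrounding text mixes targets (the section 9 listing annotates `; is valid in v2.80`, sections 1 and D talk about WINICE for Win95 v3.0 and v3.01, and section 5 warns that 0x175A `is NOT a file offset`); since this commit is an archival import, keep the text byte-for-byte as it is, but record the source URL and the fact that the file is unmodified in the commit message, so a later contributor does not try to "correct" offsets that only make sense for one specific build.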
@@ -0,0 +1,89 @@ + +# Prince of Persia II interactive TSR and LOADER trainer example documentation. + +(This doc describes the interactive trainer keys - for use with the training +tutorial package) + + +Quick NFO : +*********** + + +Run the file PP2T-TSR.COM to install the TSR trainer. + +In-game interactive trainer keys : + +F1 - Activates the No-Touch System (tm) - nothing even touches you. +F2 - Deactivates the No-Touch System. +F3 - Gives you 25 energy bottles. +F4 - Kills any enemy currently on the screen. +F5 - Adds 255 minutes to your current time at that level. +F6 - Jump to the next level. +F9 - Moves your character all the way to the left of the screen. +F10 - Moves your character all the way to the right of the screen. + + +NOTES : +******* + + +When you select the F1 option, the guards, rats, knives, spikes etc can't do +shit all to you. You will pass right through slicing blades, spears etc! +You can fall from clifs, buildings etc without getting even hurt. You can +walk right through steel-caged doors - even if they are closed! + +(Know now why I call it the No-Touch System?!) Ok, well as always, there are +a few things that go along with a goodie like this : If you fall down into lava +or into some spikes etc, you'll still live! - can't die. So whenever you get +stuck like that, turn it off with F2, then keep on pressing F4 the whole time +untill the game restarts on that level. This time make sure it's not on when +performing the same stunt that got you there in the 1st place. + +This F1 option also ruins gameplay by making it too easy for you. Players +using it won't bother figuring out how to get by let's say some falling blades, +they'll just walk right through them! - use it as you like. + +F2 De-activates the No-Touch System. + +F3 Gives you 25 energy bottles - a nice and honest way to cheat in the game! 
+ (The bottles are updated everytime you get hit on the screen) Use this + option a lot since there are no side-effects like with the F1 option. + +F4 Kills the current enemy on the screen! - nice little option for those of ya + who don't want to waste time killing and killing the guards that keep + comming and comming at the higher levels. Each time you press it, it kills + the current enemy you see. You might have to press it a few times to clear + the whole screen of enemies. (Don't press it too many times or you'll end + up killing yourself) + +F5 Adds 255 minutes to your current time at that level. Some people didn't + know that this game is also timed! - try pressing the spacebar next time + boiz - before you release a trainer that doesn't have this option included! + (The game starts timing you once you get to higher levels) + +F6 Jumps to the next level instantly. Nice option ey? After all, if this + was some "cheat" then we wouldn't even worry about including this option, + but hey, this is a TRAINER! - (don't abuse this option and skip right to + the end of the game lamers!) + +F9 Puts your character all the way to the left of the screen. Now why this + option? Well ever had problems jumping over that nasty building/cliff? + Always seemed to fall down? Well if there's a cliff, etc, simple press + F9 and you'll be on the left side of the screen right over the cliff! - + or F10 and you'll be on the right side of the screen. There are lots of + reasons to use this option. + + Sometimes when you use that option, and there's nothing on the left/right + of the screen just rocks, buildings or something, if you press it and + suddenly your character dissapears into the building, simply press the + opposite-side key and you'll be back where you started from. + +F10 Does all the above but to the right. + + +Have PHUN! + + + Dr. Detergent / UNT'93 + + 
diff --git a/textfiles.com/piracy/CRACKING/psp.nfo b/textfiles.com/piracy/CRACKING/psp.nfo new file mode 100644 index 00000000..9bb2d188 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/psp.nfo 
@@ -0,0 +1,356 @@ + ߲ ߱ ߲ ߲ ߲ + ۱ ۲۲߲۲ + ۲ ۲ ^Plate Steel Productions Inpho Phile^ + ܲ ߲۲ + ܲ ۲ Logo: Kelthar + ۲ ۲ + ۲ ܲ۲ ܲ ܲ + ۱ ܲ ܲ ߲ ۲ ܲ ܲ ۲ + ߲۰ ܲ ۲ ܲ۲ ܲ + ۱ ܲ ۲۲ + ۲ ߲ + ܲ ۲ ܲ ܲ ܲ ܲ + ߲۲ ߲ ߲۲ ߲۲ + ߲۲߰ ߲ ߲ ߲ + + + + ܲ ܲ ܲ + ܲ ۲ ܲ ܲ ۲ ܲ ۲ ܲ + ܲ ܲ۲ ܲ ܲ ܲ + ۲۲߲ ۲ ۲۲ ۲۲ + ۲ ߲ + ܲ ܲ۲ ܲ ܲ ܲ ܲ ܲ ܲ ܲ + ߲۲ ߲۲ ߲۲ ߲۲ ߲۲ + ߲ ߲ ߲ ߲ ߲ + ^Productions^ + ߱ + EST. AUGUST '9t5 + - ------------- 0FFiCiAL PSP MAR 1997 NF0 PHiLE --- -- ------- ----- + [RELEASED BY STAVR0SS] + Revision III + THiS IS THE OFFICIAL ONE FOR MARCH! + --- Ŀ + -----------_,px%#X"^..x:RELEASE:x..^"X#%xq._------------ + Ŀ + RELEASED BY:[ Prizna ] PACKED BY:[ Prizna ] + + ART::[]:AM0UNT: ANSi'S[] .:. ASCii'S[] .:. VGA'S[] .:. TOTAL[] + MUSiK[]:STYLE:[] NAME:[] LENGTH:[.] + C0DE:[]:WHAT:[] + DOC::[X]:WHAT:[ Nag screen removal tutorial ] + CRACK[]:FOR:[] TO DO:[] + H/P/A[]:WHAT[] HACK[] PHREAK[] SAT[] ANARCHY[] + 0THER[]:WHAT:[] + PACK:[]:TYPE:[] + + ...M0RE iNF0... + + [ First tutorial from the cracking department of PSP. Written by Prizna, ] + [ this doc will guide you through removing nag screens with the use ] + [ of Soft Ice. Info Pro v1.0 is used as an example. ] + [ ] + [ Prizna [ Coder & Cracker ] ] + : : + --- + --- + --- Ŀ + --_,px%#X"^. DA F0UNDER .^"X#%xq._-- Ŀ + + .x[ VAUXHALL [ENG] ]x. + --- + --- + -- Ŀ + --_,px%#X"^. DiRECT0RS .^"X#%xq._-- Ŀ + + .x[ xX FiREST0RM [ENG] xX STAVR0SS [ENG] Xx BLACK-SABBATH [ENG] Xx ]. + .x[ xX GAZA [ENG] xXXx FUJY [ENG] Xx ]x. + --- + -- Ŀ + -_,px%#X"^.C0-0RDiNATORS.^"X#%xq._Ŀ + + CRACKiNG:::::::::::::::::::...[..PRiZNA..]:::::::::::::::::::[..ENGLAND..] + C0DiNG:::::::::::::::::::::::::[..ST|NG..]:::::::::::::::::::[..ENGLAND..] + MUSiK::::::::::::::[.JUNGLiZT/.STAVR0SS..]:::::::::[..iRELAND./.ENGLAND..] + SATELLiTE::::::::::::::::::::[..CLANZER..]:::::::::::::::::::[..ENGLAND..] + iNTERNET::::::::::::::::::::::::[..FUJY..]:::::::::::::::::::[..ENGLAND..] + ART::::::::::::::::::::[..bLACk sABBATh..]:::::::::::::::::::[..ENGLAND..] 
+ C0URiERiNG:::::::::::::::::::::[..MiLaN..]:::::::::::::::::::[..ENGLAND..] + --- + --- Ŀ + --- Ŀ + ------------- 0UR FiLES ARE 0FFiCiALLY SPREAD BY [[ MCG ]] ------------- + --- + : --- : + [::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::] + : -- Ŀ : + :-------------_,px%#X"^. MUSiCiANS .^"X#%xq._---------------: + + x[ MEMBERS NEEDED xX APPLY ]x[ STAVR0SS xX ENGLaND ]x + x[ X2C xX ENGLAND ]x[ COULDBEU xX WORLD ]x + + + :: + [::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::] + : -- Ŀ : + :--------------_,px%#X"^. ARTiSTS .^"X#%xq._--------------: + + x[ ][CE xX ENGLAND ]x[ KELTHAR xX ENGLAND ]x + x[ BLACK SABBATH xX ENGLAND ]x[ REAPER xX ENGLAND ]x + x[ JAGUAR xX USA ]x[ RAVENCLAW xX SWEDEN ]x + x[ !Da^BuLLd0G xX SC0TLAND ]x[ ]x + :: + [::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::] + : -- Ŀ : + :-------------_,px%#X"^. C0DERS/HTTP .^"X#%xq._---------------: + + x[ FiREST0RM xX ENGLAND ]x[ XXXXXX xX XXXXXxX ]x + x[ GAZA xX ENGLAND ]x[ ST|NG xX ENGLAND ]x + x[ REAPER xX ENGLAND ]x[ VAUXHALL xX ENGLAND ]x + x[ PRiZNA xX ENGLAND ]x[ ^ReApER^ xX ENGLAND ]x + x[ !Da^BuLLd0G xX SC0TLAND ]x[ DiGiTS xX ENGLAND ]x + :: + [::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::] + : -- Ŀ : + :--_,px%#X"^. HACK/PHREAK/ANARCHY/SATELLiTE/CRACKiNG/i-NET .^"X#%xq._--: + + x[ CLANZER xX ENGLAND ]x[ SLAYER xX ENGLAND ]x + x[ FiREST0RM xX ENGLAND ]x[ ST|NG xX ENGLAND ]x + x[ M0J0 xX ENGLAND ]x[ VAUXHALL xX ENGLAND ]x + x[ PRiZNA xX ENGLAND ]x[ FUJY xX ENGLAND ]x + x[ TRANCER xX ENGLAND ]x[ X2C xX ENGLAND ]x + :: + [::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::] + : -- Ŀ : + :--------------_,px%#X"^. PSP NEWS! .^"X#%xq._-------------: + + [==EVERY FiLE THAT PSP RELEASE iS, T0 0UR BEST KN0WLEDGE 110% LEGAL==] + ... [==iF Y0U THiNK ANY DiFFERENT..C0NTACT A SENi0R QUiCK D00D!==] ... 
+ + LaTeST NewZ : + + [MCG] iS N0W THE OFFICIAL COURIERING GROUP FOR PSP : + + OUR FILEZ OUR OFFICIAL SPREAD AROUND CYBERSPACE NOW BY THE COURIERING + GROUP [MCG] "Miracle Couriering Group". MCG IS A EUROPEAN FOUNDED COURIER + GROUP AND FROM WHAT WE'VE SEEN IS DOING THE BUISNESS. WE ARE GLAD + TO BE WORKING ALONGSIDE THEM IN GETTING OUR RELEASES PIPED ONTO NET + SITEZ NEAR YOU. + + FOR MORE INFORMATION ON [MCG] JOIN THERE CHANNEL #MCG ON EFNET . + + + IRC CHANNEL #PSP97 IS ONLINE ON EFNET : + + #PSP97 IS NOW ON EFNET. FOR PEOPLE WHO ARE REALLY COMMITED TO RELEASING + IN WHATEVER AREA THEY SPECIALISE FOR PSP, I SERIOUSLY SUGGEST YOU + GET YOUR ASS'S OVER TO EFNET. THIS IS WHERE EVERYTHING HAPPENS AND + ALL THE OTHER GROUPS ARE BASED. ALSO OUR COURIERING GROUPS CHANNEL + IS ON EFNET ASWELL. + + REALLY #PSP ON IRC-NET HAS BECOME A BIT LAME WITH PEOPLE USING IT + AS A GENERAL CHAT-CHANNEL FOR THE UK, AND WE WANT TO GET AWAY FROM + THIS AS ITS NOT GOOD FOR THE GROUP AND A LOT OF PEOPLE WHO WERE + COMMITED GOT PISSED OFF WITH IT AND NOW ARE *NOT* COMMITED. + + #PSP ON IRC-NET WILL STILL BE OPEN, BUT FOR PEOPLE WHO ARE COMMITED + AND ARE NOT LAME ;> POP OVER TO EFNET. WE NEED TO BUILD THE CHANNEL + UP. + + PEOPLE NOT CONNECTED WITH THE SCENE WILL NOT BE ALLOWED, AND ANYBODY + WHO IS NOT IN PSP WILL NOT GET OPS! + + REMEMBER : #PSP97 ON EFNET. NOT #PSP!! + + + PSP WEB SERVER IS ONLINE : + + HTTP://WWW.PSP.ORG.UK IS ONLINE ONCE AGAIN AND IS BEING UPDATED. + ANYONE WHO CAN OFFER TO HELP WITH THE REDESIGNING AND HTML COULD + U PLEASE EMAIL ME AT : stav@psp.org.uk + + WE THANK FUJY FOR PSP.ORG.UK. NICE ONE M8! + + + PSP E-MAIL ADDRESSES : + + ALL MEMBERS IN PSP WHO ARE LISTED IN THE NFO NOW HAVE THERE OWN PSP + EMAIL ADDRESSES, WHICH TAKE THE FORMAT OF : handle@psp.org.uk ;> + IF U STILL HAVENT GOT YOUR EMAIL ADDRESS EMAIL ME AT stav@psp.org.uk + TELLING ME YOUR CURRENT EMAIL TO FORWARD TO AND I WILL PASS IT ON + TO FUJY. 
+ + WE THANK FUJY ONCE AGAIN FOR THIS SERVICE ;> + + + RIGHT THATS IT FOR THIS NFO ;> . JUST A QUICK NOTE TO ANY TALENTED + PEEPS WHO ARE READING THIS. IF U FEEL AS IF YOU COULD BENEFIT PSP + IN ANY WAY PLEASE JOIN CHANNEL #PSP97 ON EFNET OR EMAIL ME AT + stav@psp.org.uk AND I WILL GET BACK TO YOU. + L8RZ + + :: + [::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::] + : -- Ŀ : + :--------------_,px%#X"^. PSP iNF0! .^"X#%xq._-------------: + + xXx J0iN OUR iRC CHANNEL: #PSP97 ON EFNET xXx + + E-MAiL: seniors@psp.org.uk + + WWW: WWW.PSP.ORG.UK xXx FTP: FTP.PSP.ORG.UK + + * 0FFiCiAL PSP C0URiERS: [[MCG]] * + :: + [::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::] + : -- Ŀ : + :--------------_,px%#X"^. J0iNiNG .^"X#%xq._-------------: + + MeMBeRS/SiTeS + ~~~~~~~~~~~~~^ WE ARE M0ViNG T0WARDS THE NET, S0 ALL NEW APPLiCANTS + MUST BE ABLE T0 C0MPLY WiTH THE F0LL0WiNG :) + + WE 0NLY ACCEPT THE BEST MEMBERS iN MUSiK / ART / C0DiNG / ETC .... + iF Y0U WANNA APPLY, GET AN APP F0RM FR0M #PSP 0R EMAIL US. + + + + F0R MEMBER APPLiCANTS: + Y0U N0W HAVE T0 D0 S0ME W0RK F0R US BEF0RE Y0U ARE + FULLY iN THE GR0UP.. C0NTACT A SENi0R F0R AN APPLiCATi0N.. + Y0U HAVE T0 BE 0N THE NET 0R, BE ABLE T0 GET Y0UR RELEASES T0 US EASiLY + + F0R BBS APPLiCANTS: + PiCK UP AN APP F0RM 0R CHAT T0 A SENi0R..WE 0NLY + ACCEPT MULTi-N0DE HQ's UNLESS THE BBS iS C00L ENUFF!.. + Y0U MUST BE ABLE T0 GET THE RELEASES WiTH EASE, e.g. 0FF 0UR FTP/WWW + :: + [::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::] + : -- Ŀ : + :--------------_,px%#X"^. B0ARDS! 
.^"X#%xq._---------------: + + ..[NAME]..........[P0SiTi0N]....[CREW]..........[NUMBER].....[N0DES] + UK + ~~^ + THE UNKN0WN.............W0RLD HQ BLACK SABBATH...+44 1299 250999....4 + + PUBBS: 0UTER LiMiTZ......EUR0 HQ VAUXHALL........+44 1159746427.....2 + + RAVE GRAVE.................UK HQ REAPER..........+44 1243374670.....1 + + DiGiTaL ReaLiTy...........SC0 HQ !Da^BuLLd0G....+44 1382862016.....1 + + MAXiMa....................MEMBER GAZA............+44 1159523875.....3 + ..........................N0DE 2 ................+44 1159523979...... + ..........................N0DE 3 ................+44 1159556564...... + PHARA0S CURSE.............MEMBER Z0SER...........+44 1432271638.....1 + HARDC0Re HEAVEN...........MEMBER MANiAK..........+44 1753739466.....1 + DARK KNiGHTS..............MEMBER PSYHC0..........+44 1482788389.....1 + CHAMPAGNE SUPERN0VA.......MEMBER DANi............+44 115 2-L33T3....1 + G0BLiN BBS................MEMBER GEBB0...........+358 28259248......1 + + UNKN0WN ENEMY.............DiSTR0 NiAVASHA........+44 1981 240840....1 + R.I.U.....................DiSTR0 Bi0HAZARD.......+44 1752789870.....1 + JAGUAR....................DiSTR0 DA ViCAR........+44 1543466572.....1 + NEUR0L0GY.................DiSTR0 MiKE............+44 1202889382.....1 + SUICIDAL TENDENCIES.......DiSTRO RAiNE...........+44 1462 422275....1 + + H0LLAND + ~~~~~~~^ + S/W UNLiMiTED 3...............HQ DJR.............+31 228516814......1 + SL1210....................DiSTR0 CH:iLM..........+31 433638243......2 + ..........................N0DE 2 ................+31 433631724....... 
+ B0iLiNG GRAVE.............DiSTR0 P0PE-X..........+31 180664627......2 + DARK iLLUSi0N.............DiSTR0 MR MERDE........+31 515233095......1 + THA SHiZNiT...............DiSTR0 THA GRiNDER.....+31 703254113......1 + DiGiTAL U/W0RLD...........DiSTR0 TDD.............+31 23240160 ......1 + L0UNGE ACT................DiSTR0 CHAR0N..........+31 715790411......1 + NAPALM ASSULT.............DiSTR0 RUDEB0Y.........+31 104841128......1 + + GERMANY + ~~~~~~~^ + THE MARiNES BBS...............HQ MARiNE FiGHTER..+49 682491294......2 + THE BLACK H0LE............DiSTR0 X-TREM..........+49 618160053......1 + JUST-4-CHA0S..............DiSTR0 SHEEP...........+49 94183711.......1 + + USA + ~~~^ + SHATTERED NATi0N..............HQ C0L0R B00K..... +1 6162476568......2 + BLACK 0PiUM...............DiSTR0 EViLiVE........ +1 7015235909......1 + WEEKEND WARRi0R...........DiSTR0 LEN0........... +1 8182469974......2 + + SWiTZERLAND + ~~~~~~~~~~~^ + THE NEUTRAL Z0NE..............HQ L0CUTUS.........+41 32418851.......2 + UNDERW0RLD................DiSTR0 SYN0PTiC........+41 227769331......1 + RAVE BASE.................DiSTR0 MAVERiCK........+41 22348552.......1 + + BELGiUM + ~~~~~~~^ + NE0 T0Ki0.....................HQ TASMANiAC.......+32 50625717.......2 + ..........................N0DE 2 ................+32 50620112........ + MENTAL 0VERD0SE...........DiSTR0 ZARK0F..........+32 56341206.......1 + MYSTiCAL MEMBERZ..........DiSTR0 VANiSHER........+32 421525.........1 + + DENMARK + ~~~~~~~^ + THE iNC. MACHiNE..............HQ Hi-TECH.........+45 36731662.......3 + ..........................N0DE 3 ................+45 36724669........ 
+ + SWEDEN + ~~~~~~^ + HACKERS HiDE0UT...............HQ ENERGY..........+46 16343399.......1 + MAD BASE..................DiSTR0 MAD DEViL.......+46 38314432.......1 + iNSANE CiTY...............DiSTR0 SKEL............+46 317073531......1 + HACKERS HERiTAGE..........DiSTR0 DiGiTS..........+46 141215313......1 + + BRAZiL + ~~~~~~^ + THE FACT0RY...................HQ SMURF...........+55 613683388......5 + CRYSTAL LAKE..............DiSTR0 DJ CLUSTER......+55 ugottaask......2 + + MiD-EAST + ~~~~~~~~^ + EFFECT........................HQ BiGG-D0GG.......+973 973776155.....1 + + AUSTRiA + ~~~~~~~^ + THE WAREW0LF..................HQ DRiZZT..........+43 19843185.......1 + + N0RWaY + ~~~~~~^ + V0YAGER.......................HQ G0SUB...........+47 72834100.......1 + + CANADA + ~~~~~~^ + ZER0 TOLERANCE................HQ ST0RM HACKER....+1 ASK0NiRC!.......2 + ASHES 0F PERiL............DiSTR0 T. HELLFiRE.....+1 4032755346......1 + + FRANCE + ~~~~~~^ + MiCR0TEL......................HQ SYNDR0ME........+33 43812677.......2 + + ISRAEL + ~~~~~~^ + EXPL0SiVE BBS.................HQ RiDDLER.........+972 36590328......2 + + FiNLAND + ~~~~~~~^ + SKYSTRiKE BBS.................HQ KYMi...........+358 2851782.......1 + + ARGENTiNA + ~~~~~~~~~^ + ARGENTiNE GENERATi0N..........HQ BLACK TH0RNE...+54 1-793-7973.....1 + + :: + [::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::] + : -- Ŀ : + :--------------_,px%#X"^. GREETZ .^"X#%xq._-------------: + + .x[ AXiS xXx [MCG] ]x. .x[ ALL DA GUYZ TRYiN T0 KEEP DA SCENE ALiVE ]x. + + :: + : -- Ŀ: + ` [[-%-:NF0 DESIGN : BLACK SABBATH :-%-]] ' + [[-%-:WRITTEN BY : STAVROSS :-%-]] + --- diff --git a/textfiles.com/piracy/CRACKING/razzia.nfo b/textfiles.com/piracy/CRACKING/razzia.nfo new file mode 100644 index 00000000..2c84f093 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/razzia.nfo 
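Review bot: the box-drawing art in the psp.nfo header and section dividers has been transcoded into stray non-Latin glyphs (`+ ߲ ߱ ߲ ߲ ߲`, `+ ۱ ۲۲߲۲`, Arabic-Indic digits and N'Ko marks), which is what CP437 block characters become when the bytes are decoded under the wrong single-byte code page, and the frame corners survive only as `Ŀ` fragments; either mark the file as binary (`*.nfo binary` in .gitattributes) so git stores the original bytes untouched, or convert it once explicitly (`iconv -f CP437 -t UTF-8`) so the art is readable. Separately, this hunk commits a long list of personal contact details (board telephone numbers in the B0ARDS section and `handle@psp.org.uk` addresses); that is expected for a textfiles.com mirror but should be stated in the commit message as a deliberate data-handling choice.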
@@ -0,0 +1,20 @@ + + ,sdSSbs,_ ^ "bs, + l$$"^^"bs,._ ,yyyyy$$T$b + `Tl Razzia l$$$$$$Sbs,.`^^"TS$$$$$b .d""b. + `Tb,.__.,d$$$$$$$$$$$$$Ss. `T$$$$: ,sdS$$$$$$$$Sbs,`T l$ + `T$$$$S$$$$$$$$$$$$$$$S. l$$$l $$$IP"T$$$$$b b,__,P' + T$$$b, `^T$$$$$$$$$$l :$$$: `T$$, l$$$$$ $b + l$$$$b, Tb,`S$$$$$$$P' ,$$$P Ss,`' _.d$$$$P',' Tb + :$$$$$$ .,sd$$$$` _,d$$$P d$$$$b d$$$` ,$ dP ^"bs, + l$$$$P' d$$`,sdSS$$$$' l$$$$$P,$" ,s.`Tb dlyyyyy$$T$b + ,$$$$' d$$l `^^` _.d$$$$$P,$P ,d$$$$b,$b $l^^""TS$$$$$b + ,$$$$l $$$$b,.,dS$Sb, .sS$$$` $T, `T$$$$P$$P` `Tb, `T$$$$: + ,$$$$$$, `T$$$$$$$$$$$$ $" ,sd$b,`$b,_,d$$$P$d' `Tb l$$$l + T$$$$$$$, `T$$$$$KN$P'dP ,d$$$$$$$b`$SS$$$P',d' ,sdS$$$P Kn! :$$$: + `"$$$P `$$`,d$$, `T$$$$$$$P `"^^` d$' ,d$"^^` ,$$$P + ,d$$$$$b,__,d$$$$$P' `bd$P',_ _,d$$$P + Kenetic // expose `$$$$$$SS$$$' `$$$$SSSSS$$$$' + `^^"""^^` `^^` + + diff --git a/textfiles.com/piracy/CRACKING/romeod4c.txt b/textfiles.com/piracy/CRACKING/romeod4c.txt new file mode 100644 index 00000000..0c93567b --- /dev/null +++ b/textfiles.com/piracy/CRACKING/romeod4c.txt 
@@ -0,0 +1,157 @@ +Software Re-engineering for Dummies : An Overview +================================================= +by romeo [d4c/97] + +Before I started "software re-engineering", these questions +often popped up in my mind : + +1. How the heck can someone figure out the serial numbers? +2. What changes do you make to a program so that it's registered? + +------------------------------------------------------------------- + +INTRODUCTION +------------ + +I think it's reasonable to believe that the most widely used +debugger by all "software re-engineers" or "software reverse-engineers" +is SoftIce from Numega. The word "debugger" should tell you what +the program does. It debugs bugs. Well, people are often very +creative. If it can be used to debug bugs, it can also be used +to take a peek at how the software is programmed. + +The debugger has to be loaded before Windows is loaded. The reason +is so that any programs that run under Windows can be stopped at any +time (by pressing Ctrl-D) and have it's codes (in Assembly language) +revealed to the user. (i don't want to get too complicated) + +The ironic thing is that SoftIce is a shareware, and being the +best debugger is not any good to itself, because it is used by +"engineers" to find out what it's serial number is. + +------------------------------------------------------------------- + +INTO THE PROCESS : + +Starting Point +============== +A software is often huge and therefore full of codes. It would be +impractical to go down each line of codes and figure out what +each line does. Therefore, it's up to the "engineer's" creativity +and experience to select a starting point. "Where should I start +decipher the codes?" There are lots of techniques, which might just +sound greek to you if you're a dummy to this area. So, I'll leave +that part out. + +When a starting point is decided, the "engineer" will pay more +attention to "weird, interesting or out of the ordinary" codes. 
+ +Probing Techniques Simplified +============================= +1. Serial Numbers + +If you have downloaded a shareware once or twice in your lifetime, +you might have come across a "Register" command which resides in +the Help|About ... dialog box most of the time. When you click on +it, you may be prompted with a box which require you to enter +your name and then a serial number that matches your name. + +Now, this means that somewhere among the codes in the program, there +may most probably be lines that says : + +A compare the serial number that has been entered with the correct + serial number that matches the name and goto B +B if it is incorrect, goto D +C show a thankyou message because the number is correct and goto D +D close the box and return to the program + +As long as the "engineer" can find these lines, it is very likely +that (s)he can just write down the number from the screen (it is +just that simple! - sometimes ...). This is sometimes referred as +to a "soft" approach. + +2. Changing Bytes + +Well, it can be very tricky sometimes that the "engineer" has to +resort to "hard/brutal re-engineering". This involves changing +certain bytes of the original program so that it works the way +the engineer wants it to work. This would most likely involve +"time-limited sharewares". These sharewares do not offer the option of +registering the program by entering a name and a number. Worse, +after certain days, they will cease to work. 
+ +To make your life easier, let us use the previous example : + +(pretend these are the initial codes) + +A compare the serial number that has been entered with the correct + serial number that matches the name and goto B +B if it is incorrect, goto D +C show a thankyou message because the number is correct and goto D +D close the box and return to the program + +I'll show you some techniques which have been used : + +Technique 1 - Reverse the conditions +==================================== + +Often, there's only one number that matches your name. And you don't +get it right 99.9% of the time. + +So, an "engineer" can change the codes to this : + +A compare the serial number that has been entered with the correct + serial number that matches the name and goto B +B if it is incorrect, DON'T goto D +C show a thankyou message because the number is correct and goto D +D close the box and return to the program + +Since you know that you'll be incorrect, by reversing the conditions, +you'll end up registering the program. + +Technique 2 - One way conditions +================================ + +What if you happen to guess the right number? Hmm .. this means technique +1 will not work. So, this can be done : + +A compare the serial number that has been entered with the correct + serial number that matches the name and goto B +B if it is incorrect, goto C +C show a thankyou message because the number is correct and goto D +D close the box and return to the program + +Now, it doesn't matter whether you're right or wrong, you'll end up +registering the program + +Technique 3 - Tricky conditions +=============================== + +This is an alternative to technique 2 : + +A compare the serial number that has been entered with the + serial number that has been entered +B if it is incorrect, goto D +C show a thankyou message because the number is correct and goto D +D close the box and return to the program + +hehe .. this sounds funny but it works. 
+ +Sometimes, due to the complexity of software programming, only +one of the described techniques can be used, or only a mixture of 2 or +more will work. + +------------------------------------------------------------------- + + +[ The only reason why I indulge in "software re-engineering" is + because I get pleasure out of it. The first time when I + managed to figure out a serial number for a shareware, I was + so overwhelmed; I shouted out loud with triumph and I felt so + good about myself. All boiled down to the "ummmph" that I get + - it's addictive and I wanted more each time. ] + + - anonymous "engineer" - +------------------------------------------------------------------- + +-=THE END=- diff --git a/textfiles.com/piracy/CRACKING/scanf.dox b/textfiles.com/piracy/CRACKING/scanf.dox new file mode 100644 index 00000000..6ddfc38f --- /dev/null +++ b/textfiles.com/piracy/CRACKING/scanf.dox 
@@ -0,0 +1,197 @@ + + + ۻ ۻ ۻ ۻ ۻ ۻ ۻ ۻ ۻ + ͼ ͼ ۻ ۻ ۺ ͼ ۺ ۺ ͼ + ۻ ۺ ۺ ۻ ۺ ۻ ۺ ۺ ۻ + ۺ ۺ ۺ ۺۻۺ ͼ ۺ ۺ ͼ + ۺ ۻ ۺ ۺ ۺ ۺ ۺ ۺ ۻ ۻ + ͼ ͼ ͼ ͼ ͼ ͼ ͼ ͼ ͼ ͼ (TM) + + + + + sCANFILE v4.0 + (C) 07.96 by mARQUIS dE sOIRE + franzz@access.digex.net + + + pROTOCOL oF iNT21 fILEOPERATIONS + fOR dOS, wIN311 (and wIN95) + + + + + iNTENTION + This program LOGs all fileoperations (INT 21) and even Interruptvector- + changes via INT 21 in a .LOG file to examine the output later. + Basically it works like Win-eXpose I/O, though you don't have to be in- + side WINdows, just run it under plain DOS or any DOS-Extender. + + Look in the example files SCANx.LOG and I am sure, you guess in a few + seconds, what sCANFILE is good for...e.g. finding missing- or key-files. + + + + + aTTENTION! + Plain DOS 7.0: sCANFILE runs just fine + DOS-Extender : no know problems under DOS4GW or any other extender + WIN 3.11 : no problems, except ASPI4DOS MUST be disabled before + statrting Win. +*WIN95 : starting sCANFILE BEFORE WIN95 should NEVER be done! + It MUST be run inside WINSTART.BAT ONLY. + Win95 DOS-Box: runs just fine, but a lot of INT21 will not reach scanfile ;) +*OS/2 : never tested + WIN/NT : no problems occured in a DOS-box, see SCAN_NT.LOG + (special thanx to SLAVA for testing) + + + + + oPTIONS + Options: SCANFILE - start scanning + SCANFILE - stop scanning + + + + + eXAMPLE SCAN1.LOG +12.11.39.ommand.om 18 4E find C:\DOS\NC.??? +12.11.39.ommand.om 4E find C:\NO\NC.??? +12.11.39.ommand.om 4B exec  C:\NO\NC.EXE +12.11.52.mem.exe 3D open E:\WINDOWS.000\COMMAND\MEM.EXE +12.11.52.mem.exe 25 SetI. al=23 +12.11.54.mem.exe 25 SetI. 
al=23 +12.11.54.mem.exe 02 3D open F:\2\EMMXXXX0 +12.11.54.mem.exe 3D open F:/$MMXXXX0 + ^ + Errorcodes: 02 = file not found + + + + eRRORCODES fOR sCANFILE + (see Ralph Brown's interrupt list) +Values for DOS extended error code: + 00h (0) no error + 01h (1) function number invalid + 02h (2) file not found + 03h (3) path not found + 04h (4) too many open files (no handles available) + 05h (5) access denied + 06h (6) invalid handle + 07h (7) memory control block destroyed + 08h (8) insufficient memory + 09h (9) memory block address invalid + 0Ah (10) environment invalid (usually >32K in length) + 0Bh (11) format invalid + 0Ch (12) access code invalid + 0Dh (13) data invalid + 0Eh (14) reserved + 0Fh (15) invalid drive + 10h (16) attempted to remove current directory + 11h (17) not same device + 12h (18) no more files +---DOS 3.0+ --- + 13h (19) disk write-protected + 14h (20) unknown unit + 15h (21) drive not ready + 16h (22) unknown command + 17h (23) data error (CRC) + 18h (24) bad request structure length + 19h (25) seek error + 1Ah (26) unknown media type (non-DOS disk) + 1Bh (27) sector not found + 1Ch (28) printer out of paper + 1Dh (29) write fault + 1Eh (30) read fault + 1Fh (31) general failure + 20h (32) sharing violation + 21h (33) lock violation + 22h (34) disk change invalid (ES:DI -> media ID structure)(see #0961) + 23h (35) FCB unavailable + 24h (36) sharing buffer overflow + 25h (37) (DOS 4.0+) code page mismatch + 26h (38) (DOS 4.0+) cannot complete file operation (out of input) + 27h (39) (DOS 4.0+) insufficient disk space + 28h-31h reserved + 32h (50) network request not supported + 33h (51) remote computer not listening + 34h (52) duplicate name on network + 35h (53) network name not found + 36h (54) network busy + 37h (55) network device no longer exists + 38h (56) network BIOS command limit exceeded + 39h (57) network adapter hardware error + 3Ah (58) incorrect response from network + 3Bh (59) unexpected network error + 3Ch (60) incompatible 
remote adapter + 3Dh (61) print queue full + 3Eh (62) queue not full + 3Fh (63) not enough space to print file + 40h (64) network name was deleted + 41h (65) network: Access denied + 42h (66) network device type incorrect + 43h (67) network name not found + 44h (68) network name limit exceeded + 45h (69) network BIOS session limit exceeded + 46h (70) temporarily paused + 47h (71) network request not accepted + 48h (72) network print/disk redirection paused + 49h (73) network software not installed + (LANtastic) invalid network version + 4Ah (74) unexpected adapter close + (LANtastic) account expired + 4Bh (75) (LANtastic) password expired + 4Ch (76) (LANtastic) login attempt invalid at this time + 4Dh (77) (LANtastic v3+) disk limit exceeded on network node + 4Eh (78) (LANtastic v3+) not logged in to network node + 4Fh (79) reserved + 50h (80) file exists + 51h (81) reserved + 52h (82) cannot make directory + 53h (83) fail on INT 24h + 54h (84) (DOS 3.3+) too many redirections + 55h (85) (DOS 3.3+) duplicate redirection + 56h (86) (DOS 3.3+) invalid password + 57h (87) (DOS 3.3+) invalid parameter + 58h (88) (DOS 3.3+) network write fault + 59h (89) (DOS 4.0+) function not supported on network + 5Ah (90) (DOS 4.0+) required system component not installed + 64h (100) (MSCDEX) unknown error + 65h (101) (MSCDEX) not ready + 66h (102) (MSCDEX) EMS memory no longer valid + 67h (103) (MSCDEX) not High Sierra or ISO-9660 format + 68h (104) (MSCDEX) door open + + + + rEVISIONS + SCANFIL0 1.0 xx.xx.92 First small eta + SCANFILJ 1.J 12.07.94 Public release I + SCANFILM 2.0 31.08.94 Public release II - Execute Parameter new defined + SCANFILM 2.5 17.06.95 Set/Get Interrupt added + SCANFILO 3.0 31.10.95 DOS 7.0/WIN95 added + SCANFILS 4.0s 18.07.96 Public release III - small changes + + + + gREETINGS + Deleter, The Riddler, Misha, Lost Soul, DjPaul, Edison, Dark-Man, The Key, + Slava, + Kiwi, Cyberjak, Prophet, Fargen, Moi, + vanHauser, Scavenger, Wilkins, + Pamela and FrMaid, 
+ THHG, NPM, XF, THC, MCC, PC. + + + + +Ϳ + u N I T E D c R A C K I N G f O R C E +Ϳ ͻͻͻͻ ͻ ͻ ͻͻͻ ٰ + ͹͹ ͻ ͻ ͹ + ȼ Ⱥ Ⱥͼͼ ͼ ͼͼʺ Ϳ +  UCF/THHG/NPM/XF  (CU) +ٰ + + diff --git a/textfiles.com/piracy/CRACKING/shareman.txt b/textfiles.com/piracy/CRACKING/shareman.txt new file mode 100644 index 00000000..98b11288 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/shareman.txt 
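Review bot: in the info.beg (sCANFILE) hunk the oPTIONS section lists the same invocation for both actions (`SCANFILE - start scanning` and `SCANFILE - stop scanning`), so the switch that stops the logger is undocumented and a reader cannot tell how to remove the INT 21h hook it installs; please add the actual command-line argument for each mode. Two small typos in the aTTENTION table: `no know problems` should read `no known problems` and `statrting` should read `starting`.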
@@ -0,0 +1,80 @@ +This text was written in - 07/13/97. + + + How to crack Shareman 1.6v? / By ^pain^ / mEXELiTE! + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +WARNING : This information is for educational purposes only!!!! + I take no responsibility for what u do with this tutorial, + and I dont really care =) + Using this info may bring ya to jail!!!!!!!!!!!!!!!!! =) + If u like the program, please register, the author + deserves that... + + +URL: + +Hi reader!, in this tut I intend to teach u guys how to crack ShareMan 1.6.... +I will assume that u already have: +1.SoftIce for win95 (If not , get it+Crack from www.acp.xforce.net). +2.Good knowledge in Assembler. +3.Strong ambition to CRACK! =) +4.Supporting family (Well, this and all next r just recommended...=)) +5.A chick.... + + Well, that's it for now....... lets go cracking..... +1.Launch your softice and then ur Shareman. +2.goto the registeration dialog box (/Help/Enter ID). +3.Well, ok, we`re ready for the mission... + what to do now? + Since this program is 16Bit we`ll set 16 Bit Api's... + Set a breakpoint on the following API's : (with BPX [API]) + 1.getdlgitemtext. + 2.GetWindowtext. + what next? write ur name/nick in the dialog box, + and a dummy registeration number...... +4.Now , press OK button, BOOM! we popped up in Soft Ice window!!!! + in the api GETWINDOWTEXT, after seeing this, we wanna delete the + unused bp's... type this: bc 00 (the 1st bp we set...), + and press F12 twice (!), to get to the code of Shareman... +5.Now, here comes the real cracking job... ;) + ************************ Theory ************************** + in this point, lets say u have a tool that loox for the + [regcode] u entered in the memory? Could this possibly help + us? Could it? Take ur time for thinkin... + Well! STOP THINKING! =) + That`ll help us to find the place where the generated + Registration number is compared with the reg number u entered!!! + and ofcourse, the CORRECT reg number..... 
+ ********************************************************** + ok, the tool I mensioned in the theory section isnt exactly + a tool, but a command in Soft Ice... + Lets type:"S 0 l FFFFFFFF '[regcode]'" (L stands for length...). + Now softice will give u the location of the regcode on memory... + (Segment:Offset). + now, lets do a Break Point on Memory location! + type:"BPM Segment:Offset". + press CTRL+D (to make the program continue). + several times until u reach to the following instruction: + + PUSH AX + REPZ CMPSB + POP DS + JZ 0C87 + + YES!!!!!!!! we found the place where the reg numbers r compared!!!! ;) + all u have to do now is to type: + D DI-4 + and take the registration number out of there...(Make sure that I`m right, + and the correct reg + number isnt in SI! in case im wrong... u know what to do..=]) + +Well, now I wanna greet the following ppl: +========================================== +[ACP],Niabi,JosephCo,Sice_Boy,Kipn,Leddy,Volcanic (yo man..=)) +Atomic^F1 & Diffuse (Keep up the good job,guys), +_rANDOM,|KAIRN|,Scorpion,razzi/a, All the dudes +in #cracking in #Cracking4newbies And all the +dudes that deserve that...... + +Signing off (with broken fingers :-) ) (c) ^pain^ productions `97... + \ No newline at end of file diff --git a/textfiles.com/piracy/CRACKING/sice3.qrf b/textfiles.com/piracy/CRACKING/sice3.qrf new file mode 100644 index 00000000..183cd607 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/sice3.qrf 
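Review bot: in the shareman.txt hunk the final step `D DI-4` (just after the `PUSH AX / REPZ CMPSB / POP DS / JZ 0C87` block) only lands on the start of the string if the code is exactly four bytes long and the compare ran to the end; `REPZ CMPSB` advances both SI and DI by the number of bytes compared before the first mismatch, so the correct offset is DI minus the bytes CX consumed, and either DS:SI or ES:DI may hold the generated code. Suggest dumping `DS:SI` and `ES:DI` before stepping over the `REPZ CMPSB`, which avoids the guesswork the text itself admits with the `Make sure that I'm right` remark.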
@@ -0,0 +1,336 @@ +SoftIce 3.0 Quick Reference..... By ZeroDay [Feb 07 1997] +============================================================================== +SOFTICE COMMANDS +============================================================================== +SETTING BREAKPOINTS: +BPM Breakpoint on memory access +BPMB Breakpoint on memory access +BPMW Breakpoint on memory access +BPMD Breakpoint on memory access +BPR Breakpoint on memory range +BPIO Breakpoint on I/O port access +BPINT Breakpoint on interrupt +BPX Breakpoint on execution +BMSG Breakpoint on windows message +BSTAT Breakpoint statistics +CSIP Set CS:EIP range qualifier + +MANIPULATING BREAKPOINTS: +BPE Edit breakpoint +BPT Use breakpoint as a template +BL List current breakpoints +BC Clear Breakpoint +BD Disable breakpoint +BE Enable breakpoint +BH Breakpoint history + +DISPLAY/CHANGE MEMORY: +R Display/change register contents +U Un-Assemblers instructions +D Display memory +DB Display memory +DW Display memory +DD Display memory +DS Display memory +DL Display memory +DT Display memory +E Edit memory +EB Edit memory +EW Edit memory +ED Edit memory +ES Edit memory +EL Edit memory +ET Edit memory +PEEK Read from physical address +POKE Write to physical address +H Help on specified function +? 
Evaluate expression +VER SoftIce version +WATCH Add watch +FORMAT Change format of data window +DATA Change data window + +DISPLAY SYSTEM INFORMATION: +GDT Display global descriptor table +LDT Display local descriptor table +IDT Display interrupt descriptor table +TSS Display task state segment +CPU Display CPU register information +PCI Display PCI device information +MOD Display windows module list +HEAP Display windows global heap +LHEAP Display windows local heap +VXD Display windows VxD map +TASK Display windows task list +VCALL Display VxD calls +WMSG Display windows messages +PAGE Display page table information +PHYS Display all virtual addresses for physical address +STACK Display call stack +XFRAME Display active exception frames +MAPV86 Display v86 memory map +HWND Display window handle information +CLASS Display window class information +VM Display virtual machine information +THREAD Display thread information +ADDR Display/change address contents +MAP32 Display 32bit section map +PROC Display process information +QUERY Display processes virtual address space map +WHAT Identify the type of expression + +I/O PORT COMMANDS: +I Input data from i/o port +IB Input data from i/o port +IW Input data from i/o port +ID Input data from i/o port +O Output data to i/o port +OB Output data to i/o port +OW Output data to i/o port +OD Output data to i/o port + +FLOW CONTROL COMMANDS: +X Return to host debugger or program +G Go to address +T Single step one instruction +P Step skipping calls, Int, etc +HERE Go to current cursor line +EXIT Force an exit to current dos/windows program +GENINT Generate an interrupt +HBOOT System boot (total reset) + +MODE CONTROL: +I1HERE Direct INT1 to SoftIce +I3HERE Direct INT3 to SoftIce +ZAP Zap embedded INT1 or INT3 +FAULTS Enable/disable SoftIce fault trapping +SET Change an internal variable + +CUSTOMIZATION COMMANDS: +PAUSE Control display scroll mode +ALTKEY Set key sequence to invoke window +FKEY Display/Set function keys +DEX 
Display/assign window data expression +CODE Display instruction bytes in code window +COLOR Display/set screen colors +ANSWER Auto-answer and redirect console to modem +DIAL Redirect console to modem +SERIAL Redirect console +TABS Set/Display tab settings +LINES Set/display number of lines on screen +PRN Set printer output port +MACRO Define a named macro command + +UTILITY COMMANDS: +A Assemble code +S Search for data +F Fill memory with data +M Move data +C Compare two data blocks + +WINDOW COMMANDS: +WC Toggle code window +WD Toggle data window +WF Toggle floating point stack window +WL Toggle locals window +WR Toggle register window +WW Toggle watch window +EC Enable/disable code window +. Locate current instruction + +WINDOW CONTROL: +CLS Clear window +RS Restore program screen +ALTSCR Change to alternate display +FLASH Restore screen during P and T + +SYMBOL/SOURCE COMMANDS: +SYMLOC Relocate symbol base +EXP Display export symbols +SRC Toggle between source,mixed & code +TABLE Select/remove symbol table +FILE Change/display current source file +SS Search source module for string +TYPES List all types, or display type definition +LOCALS Display locals currently in scope + +BACK TRACE COMMANDS: +SHOW Display from backtrace buffer +TRACE Enter backtrace simulation mode +XT Step in trace simulation mode +XP Program step in trace simulation mode +XG Go to address in trace simulation mode +XRSET Reset backtrace history buffer + +SPECIAL OPERATORS: +. 
Preceding a decimal number specifies a line number +$ Preceding an address specifies SEGMENT addressing +# Preceding an address specifies SELECTOR addressing +@ Preceding an address specifies indirection + +LINE EDITOR KEY USAGE: +[PRINT-SCREEN] Dump Screen to printer +[UP ARROW] Recall previous command line +[DOWN ARROW] Recall next command line +[RIGHT ARROW] Move cursor right +[LEFT ARROW] Move cursor left +[BACKSPACE] Back over last character +[HOME] Start of line +[END] End of line +[INS] Toggle insert mode +[DEL] Delete character +[ESC] Cancel current command + +SCROLLING KEY USAGE: +[PAGEUP] Display previous page of display history +[PAGEDOWN] Display next page of display history +[ALT-DN ARROW] Scroll data window down one line +[ALT-UP ARROW] Scroll data window up one line +[ALT-PAGEUP] Scroll data window down one page +[ALT-PAGEDOWN] Scroll data window up one page +[CTRL-UP ARROW] Scroll code window down one line +[CTRL-DN ARROW] Scroll code window up one line +[CTRL-PAGEUP] Scroll code window down one page +[CTRL-PAGEDOWN] Scroll code window up one page +============================================================================== + + +============================================================================== +SOFTICE TABLE OF OPERATORS (USED FOR EXPRESSIONS) +============================================================================== +Indirection Operators Example +----------------------- ------------------------------------------------------ +-> ebp->8 (Gets DWord Pointed To By ebp+8) +. 
eax.1C (Gets DWord Pointed To By eax+1C) +* *eax (Gets DWord Value Pointed To By eax) +@ @eax (Gets DWord Value Pointed To By eax) +&symbol &symbol (Gets the address of the symbol) +------------------------------------------------------------------------------ +Math Operators Example +----------------------- ------------------------------------------------------ +Unary + +42 (Decimal) +Unary - -42 (Decimal) ++ eax + 1 +- ebp - 4 +* ebx * 4 +/ Symbol / 2 +% (Modulo) eax % 3 +<< (Logical Shift Left) bl << 1 (Result is bl shifted left by 1) +>> (Logical Shift Right)eax >> 2 (Result is eax shifted right by 2) +------------------------------------------------------------------------------ +BitWise Operators Example +----------------------- ------------------------------------------------------ +& (Bitwise AND) eax & F7 +| (Bitwise OR) Symbol | 4 +^ (Bitwise XOR) ebx ^ 0xFF +~ (Bitwise NOT) ~dx +------------------------------------------------------------------------------ +Logical Operators Example +----------------------- ------------------------------------------------------ +! (Logical NOT) !eax +&& (Logical AND) eax && ebx +|| (Logical OR) eax || ebx +== (Compare Equality) Symbol == 4 +!= (Compare InEquality) Symbol != al +< eax < 7 +> bx > cx +<= ebx <= Symbol +>= Symbol >= Symbol +------------------------------------------------------------------------------ +Special Operators Example +----------------------- ------------------------------------------------------ +. 
(Line Number) .123 (Value is Address of line 123 in source file) +() (Grouping Symbols) (eax+3)*4 +, (Arguements List) Function(eax,ebx) +: (Segment Operator) es:ebx +Function word(Symbol) +# (Prot-Mode Selector) #es:ebx (Address is protected mode Selector:Offset) +$ (Real-Mode Segment) $es:di (Address is real mode segment:offset) +============================================================================== + + +============================================================================== +SOFTICE BUILT IN FUNCTIONS:(USED FOR EXPRESSIONS) +============================================================================== +Name Description Example +--------------- ------------------------------- ------------------------------ +BYTE Get Low Order Byte ? Byte(0x1234=0x34 +WORD Get Low Order Word ? Word(0x12345678)=0x5678 +DWORD Get Low Order DWord ? DWord(0xFF)=0x000000FF +HIBYTE Get High Order Byte ? HiByte(0x1234)=0x12 +HIWORD Get High Order Word ? HiWord(0x12345678)=0x1234 +SWORD Convert Byte To Signed Word ? SWord(0x80)=0xFF80 +LONG Convert Byte Or Word To signed ? Long(0xFF)=0xFFFFFFFF + Long ? Long(0xFFFF)=0xFFFFFFFF +WSTR Display as UniCode String ? WSTR(cax) +FLAT Convert to a selector relative ? Flat(fs:0)=0xFFDFF000 + address to a linear (flat) addr +CFL Carry Flag ? CFL=Bool-Type +PFL Parity Flag ? PFL=Bool-Type +AFL Auxiliary Flag ? AFL=Bool-Type +ZFL Zero Flag ? ZFL=Bool-Type +SFL Sign Flag ? SFL=Bool-Type +OFL OverFlow Flag ? OFL=Bool-Type +RFL Resume Flag ? RFL=Bool-Type +TFL Trap Flag ? TFL=Bool-Type +DFL Direction Flag ? DFL=Bool-Type +IFL Interrupt Flag ? IFL=Bool-Type +NTFL Nested Task Flag ? NTFL=Bool-Type +IOPL IOPL Level ? IOPL=Current IO Privilege + Level +VMFL Virtual Machine Flag ? VMFL=Bool-Type +IRQL Windows NT OS IRQ Level ? IRQL=Unsigned-Char +DATAADDR Returns The Address Of The dd @DATAADDR + First Item Displayed In Data + Window +CODEADDR Returns The Address Of The ? 
CODEADDR + First Instruction Displayed In + The Code Window +EADDR Effective Address (If Any) Of EADDR + The Current Instructions +EVALUE Current Value Of The Effective EVALUE + Address +PROCESS KPEB(Kernal Process Environment ? PROCESS + Block) Of The Active OS Process +THREAD KTEB(Kernal Thread Environment ? THREAD + Block) Of The Active OS Thread +PID Active Process ID ? PID == Test32PID +TID Active Thread ID ? TID == Test32MainTID +BPCOUNT BreakPoint Instance Count BPIF bpcount==0x10 +BPTOTAL BreakPoint Total Count BPIF bptotal==0x10 +BPMISS BreakPoint Instance Miss Count BPIF bpmiss==0x20 +BPLOG BreakPoint Silent Log BPIF bplog +BPINDEX Current BreakPoint Index # BPDO "bd bpindex" +============================================================================== + + +============================================================================== +SOFTICE TABLE OF OPERATOR PRECEDENCE (USED FOR EXPRESSIONS) +============================================================================== +Operator Associates Comment +--------------- --------------- ---------------------------------------------- +(,),FUNCTION Scopes(Precedence OverRide),Function +->,. Left To Right Indirection +: Left To Right Segment:Offset +#,$ Right To Left Protected Mode Selector,Real Mode Segment +*,@ Right To Left Indirection +Unary + Default Radix == Decimal +Unary - Default Radix == Decimal +!,~ Logical Not,Bitwise Not +. Line Number +*,/,% Left To Right Multiply,Divide,Modulo ++,- Left To Right Plus,Minus +<<,>> Left To Right Logical Shift Left, Logical Shift Right +<,<=,>,>= Left To Right Less Than,Less Than Equal,Greater Than..... 
+==,!= Left To Right Equal To,Not Equal To +& Left To Right Bitwise AND +^ Left To Right BitWise XOR +| Left To Right BitWise OR +&& Left To Right Logical AND +|| Left To Right Logical OR +COMMA Left To Right Argument List +------------------------------------------------------------------------------ +Use of Parenthisis () overrides precedence (means its done first) +============================================================================== + + diff --git a/textfiles.com/piracy/CRACKING/sigma-4f.nfo b/textfiles.com/piracy/CRACKING/sigma-4f.nfo new file mode 100644 index 00000000..1c429e7b --- /dev/null +++ b/textfiles.com/piracy/CRACKING/sigma-4f.nfo 
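Review bot: in the sice3.qrf hunk the SCROLLING KEY USAGE table is internally inconsistent: `[ALT-UP ARROW]` scrolls the data window up one line, but `[ALT-PAGEUP]` is listed as scrolling it down one page, and `[CTRL-UP ARROW]` / `[CTRL-PAGEUP]` scroll the code window down; the page directions should match the arrow directions, so please check these four entries against the manual. Also, `BPMB`, `BPMW` and `BPMD` all carry the bare description `Breakpoint on memory access` without the byte/word/dword size that distinguishes them (likewise the `DB`/`DW`/`DD`/`DS`/`DL`/`DT` and `EB`/`EW`/`ED`/... families), and the BYTE example `? Byte(0x1234=0x34` is missing its closing parenthesis.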
@@ -0,0 +1,75 @@ + ___ ___ ________________________ ___ + / / / /___ / _____________________/ \ \ + / / / /_/ /__ / /___ ___ ___ __ ___ \ \ + / / /____ ___/ / ____// / / / \/ / \ \ + \ \ / / / / / /_/ / / / / + \__\ /__/ /__/ /_______/__/\___/ im /__/ + we make ALL just 4 fun + + + -= S i G M A 's =- + -= Universal Improved Patcher Volume =- + + + Hmn i have not much to talk but i have to greet these Persons: + + DiGiT [4fUN], Dr. Lazy [LKCC], B0SS [ACURA] & All Patch Authors + + No we come to the Statistics...... :) + + + HISTORY +~~~~~~~~~~~ + - at all [16] + + - dongle [1] + - register [8] + - keyfile [3] + - nags [3] + - cheats [1] + - serials# [] + + +vXX.XX.96 6 Added +~~~~~~~~~~~~~~~~~~ + 4DOS v5.52 [register] new XX/XX/96 + VGACOPY v6.20 [keyfile] new XX/XX/96 + Cubasis Audio v1.0 [dongle] new XX/XX/96 + Hexworkshop 32 v2.10 [keyfile] new XX/XX/96 + Paintshop Pro 32 [nag-screen] new XX/XX/96 + ARJ v2.50a.de [register] new XX/XX/96 + + + +v27.10.96 2 Added, birthday of this NFO +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + PV v2.61 German [register] new 26/10/96 + PV v2.61 English [register] new 27/10/96 + This NFO file [-] new 27/10/96 + +v26.01.97 3 Added +~~~~~~~~~~~~~~~~~~ + Microangelo v2.1 [register] new 11/01/97 + U.F.O v1.45d [nag-screen] new 12/01/97 + Tomb Raider [cheat] new 14/01/97 + +v17.02.97 1 Added +~~~~~~~~~~~~~~~~~~ + Disk Copy Fast 5.3a [keyfile] new 17/02/97 + +v11.04.97 2 Added, 1 Corrected, UP Volume -> UIP Volume Converted +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Disk Copy Fast 5.3a [keyfile] Corrected 11/04/97 + PV v2.62 German [register] new 11/04/97 + PV v2.62 English [register] new 11/04/97 + +v13.04.97 2 Added +~~~~~~~~~~~~~~~~~~ + Tropic NFS/32 v2.0b [-] new 13/04/97 + Grab a site v2.1.1 [nag-screen] new 13/04/97 + +v19.04.97 1 Added +~~~~~~~~~~~~~~~~~~ + Rebirth v1.0b5 [-] new 19/04/97 + +-[eof]----------------------------------------------------------------------- 
diff --git a/textfiles.com/piracy/CRACKING/t!tutor.txt b/textfiles.com/piracy/CRACKING/t!tutor.txt new file mode 100644 index 00000000..455a9bda --- /dev/null +++ b/textfiles.com/piracy/CRACKING/t!tutor.txt 
@@ -0,0 +1,697 @@ +== ASM KEYGEN TUTORIAL - WRITTEN BY TERAPHY [PC97] +=================================================== + +This is the tools i use in this tutorial: + Soft-Ice 3.01 + W32Dasm 8.9 *Regged* + Tasm/Tlink + + +Getting Started: + What we should do is to get the registration code, +find where the code is being calculated and rip it out. +I will use two easy programs as examples, +Command Line 97 1.0, and Flywheel V1.02b. + + +Command Line 97 1.0: +(http://www.odyssey.net/subscribers/js01/index.html) + This program has a real simple code calculation. +I will guide you step by step how to get the serial, +how to rip it and how to make a working keygen. + +1. Start the Program + +2. Select Register + +3. Go into Soft-Ice by pressing Ctrl-D, and set a breakpoint on + GetDlgItemTextA. Type 'bpx getdlgitemtexta'. Now Press Ctrl-D + again to get out from Soft-Ice. + +4. Enter your name and a serial... I used 'TERAPHY' and '12345' + +5. Press OK Button.. Soft-Ice will now show up inside the call + to GetDlgItemTextA. Press F11 to get out of that call. + +Scroll up a bit and u will see this + +:0040254B 6A1E push 0000001E +:0040254D 68300B4100 push 00410B30 +:00402552 68F0030000 push 000003F0 +:00402557 56 push esi +:00402558 FF1550234100 Call [USER32!GetDlgItemTextA] + +The memory location being pushed at 40254D is where your name is +stored. Type 'd 410B30', and you should see your name. + +Below this you'll see + +:0040255E 6A00 push 00000000 +:00402560 BF300B4100 mov edi, 00410B30 +:00402565 6A00 push 00000000 +:00402567 68FC030000 push 000003FC +:0040256C 56 push esi +:0040256D FF1518234100 Call [USER32!GetDlgItemInt] + +Step until you reach 40256D. The call to Getdlgitemint returns +what you typed in as serial in eax. Type '? eax' and you will +see this '00003039 0000012345 "09"'. 3039 is 12345 in hex. +Also notice :00402560. This command moves the offset of your name +into edi. 
+ +Below this, you will see + +:00402573 B9FFFFFFFF mov ecx, FFFFFFFF +:00402578 A354A54000 mov dword ptr [0040A554], eax +:0040257D 2BC0 sub eax, eax +:0040257F F2 repnz +:00402580 AE scasb +:00402581 F7D1 not ecx +:00402583 49 dec ecx + +:00402578 saves your code for later use. +The rest of the code is used to calculate the string length of +your name... After this has been executed ecx contains the length +of your name. In my case '7'. + +Below this, you'll see + +:00402584 0FBE05300B4100 movsx eax, byte ptr [00410B30] +:0040258B 0FAFC8 imul ecx, eax +:0040258E C1E10A shl ecx, 0A +:00402591 81C1CCF80200 add ecx, 0002F8CC +:00402597 890D50A54000 mov dword ptr [0040A550], ecx +:0040259D 390D54A54000 cmp dword ptr [0040A554], ecx + +:00402584 moves the byte of the first letter to eax. +In my case 54('T'). The next line multiplys eax (54), +with ecx (7). shl ecx, 0A means multiply ecx with 2^10. +And finnaly we add 02F8CC to ecx. +At :0040259D the registration code is compared with what +we typed in, remember it moved our code to [0040A554]. +Type '? ecx' and you can see your real code. +But we don't just want the code, do we? +Leave SoftIce and exit Command Line 97. + +6. Start W32Dasm, and dissasemble cline97.exe + Save dissasembly to file and exit. + +7. Now we are going to build the keygen itself. +Start your favorite texteditor and enter this code. + + +Code Segment Byte Public +Assume Ds:Code,Cs:Code +Org 100h +P386 ; this enables 386 instructions + and 32bit registers + +Start: + + mov ah,09 + mov dx,offset Intro + int 21h ; Show intro msg + + mov ah,0Ah + mov dx,offset Namesto + int 21h ; Get name + + +Now load the dissasembly (cline97.alf) into your texteditor. +Goto :00402573. Copy all code from here down to :00402591, +and paste it into your asm source. 
+ +It will look like this +:00402573 B9FFFFFFFF mov ecx, FFFFFFFF +:00402578 A354A54000 mov dword ptr [0040A554], eax +:0040257D 2BC0 sub eax, eax +:0040257F F2 repnz +:00402580 AE scasb +:00402581 F7D1 not ecx +:00402583 49 dec ecx +:00402584 0FBE05300B4100 movsx eax, byte ptr [00410B30] +:0040258B 0FAFC8 imul ecx, eax +:0040258E C1E10A shl ecx, 0A +:00402591 81C1CCF80200 add ecx, 0002F8CC + +Now you can start ripping. You should remove everything except the command +itself. The line :00402578 is obviously not needed, because it saves the +inputed regcode for later use, and our keygen does not prompt for regcode, +it calculates =) + +The source in your program should look like this. + + mov ecx, FFFFFFFF + sub eax, eax + repnz + scasb + not ecx + dec ecx + movsx eax, byte ptr [00410B30] + imul ecx, eax + shl ecx, 0A + add ecx, 0002F8CC + +If you remember, it moved the offset of Name into edi earlier. +So we need to add this before mov ecx, FFFFFFFF + xor edi,edi + mov di, offset Namesto+2 ; this must be +2, becaue that's there + ; the actuall name begins. + +The command mov ecx, FFFFFFFF can't be compiled this way, so we +have to change it to mov ecx, 0FFFFFFFFh. + +movsx eax, byte ptr [00410B30] is not valid either, because +our name is'nt on [00410B30]. This could be changed to + xor edi,edi + mov di, offset Namesto+2 + movsx eax, byte ptr [edi] + +Both 'shl ecx, 0A' and 'add ecx, 0002F8CC' needs to be changed to +valid hex format: 'shl ecx, 0Ah' and 'add ecx 2F8CCh' + +We now have a source that should look like this + + xor edi,edi + mov di,offset Namesto+2 + mov ecx, 0FFFFFFFFh + sub eax, eax + repnz + scasb + not ecx + dec ecx + xor edi,edi + mov di,offset Namesto+2 + movsx eax, byte ptr [edi] + imul ecx, eax + shl ecx, 0Ah + add ecx, 2F8CCh + +after the dec ecx, we need to add another dec ecx, +because when we enter our name, the last char will not be, +in my case, 'y', it will be 0Dh, the enter key. 
+This function, as it is, will return, in my case, ecx=8, +not ecx=7 as it should be. + +movsx eax, byte ptr [edi] moves the ascii code of the first +letter to eax. But, what if the user enters a name with a +small letter? The input box in Command Line 97 automaticly +makes it capital letters. This could be fixed by adding this +code below movsx eax, byte ptr [edi]. + + cmp eax, 061h ; compare eax with 61h (a) + jb capital ; jump if below + cmp eax, 07Ah ; compare eax with 7Ah (z) + ja capital ; jump if above + sub eax,20h ; convert char to capital +capital: + +Our code now looks like + +Code Segment Byte Public +Assume Ds:Code,Cs:Code +Org 100h +P386 ; this enables 386 instructions + and 32bit registers + +Start: + + mov ah,09 + mov dx,offset Intro + int 21h ; Show intro msg + + mov ah,0Ah + mov dx,offset Namesto + int 21h ; Get name + + xor edi,edi + mov di,offset Namesto+2 + mov ecx, 0FFFFFFFFh + sub eax, eax + repnz + scasb + not ecx + dec ecx + dec ecx + xor edi,edi + mov di,offset Namesto+2 + movsx eax, byte ptr [edi] + cmp eax, 061h + jb capital + cmp eax, 07Ah + ja capital + sub eax,20h +capital: + imul ecx, eax + shl ecx, 0Ah + add ecx, 2F8CCh + +What we need now is a routine to show the serial. +We know that the serial is the decimal value of ecx. + + xor esi,esi + mov si,offset Serial+9 ; esi is the offset there the + ; regnumber will be stored + + mov eax,ecx ; eax should be reg number + mov ecx,0Ah +KeepGoing: + xor edx,edx + div ecx + add dl,30h + cmp dl,3Ah + jl printnow + add dl,7 +printnow: + dec esi + mov [esi],dl + or eax,eax + jnz keepgoing + +After this serial contains the registration code. +You don't really need to understand this code. It can be used +by any keygen there the code is the decimal value of a register. + +The only thing left to do is to add the command that's writes +this to screen. + + mov ah, 9 + mov dx, offset RegPrompt + int 21h + +And finnaly quit. 
+ int 20h + +The full source should look like this + +; COMMAND LINE 97 *KEYGEN* +; CODED BY TERAPHY [PC97] + +Code Segment Byte Public +Assume Ds:Code,Cs:Code +Org 100h +P386 ; this enables 386 instructions + ; and 32bit registers + +Start: + + mov ah,09 + mov dx,offset Intro + int 21h ; Show intro msg + + mov ah,0Ah + mov dx,offset Namesto + int 21h ; Get name + + xor edi,edi + mov di,offset Namesto+2 + mov ecx, 0FFFFFFFFh + sub eax, eax + repnz + scasb + not ecx + dec ecx + xor edi,edi + mov di,offset Namesto+2 + movsx eax, byte ptr [edi] + cmp eax, 061h + jb capital + cmp eax, 07Ah + ja capital + sub eax,20h +capital: + imul ecx, eax + shl ecx, 0Ah + add ecx, 2F8CCh + + xor esi,esi + mov si,offset Serial+9 + mov eax,ecx + mov ecx,0Ah +KeepGoing: + xor edx,edx + div ecx + add dl,30h + cmp dl,3Ah + jl printnow + add dl,7 +printnow: + dec esi + mov [esi],dl + or eax,eax + jnz keepgoing + + mov ah, 9 + mov dx, offset RegPrompt + int 21h + + int 20h + +Intro db 13,10,'COMMAND LINE 97 *KEYGEN*' + db 13,10,'CODED BY TERAPHY [PC97]',13,10 + db 13,10,'Enter your name: $' + +RegPrompt db 13,10,'Your registration key is: ' +Serial db 0,0,0,0,0,0,0,0,0,0,13,10,24h + +Namesto db 18h,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + +Code Ends +End Start + +8. Compile the code with tasm. + tasm keygen.asm + tlink /t keygen.asm + You must link with the /t option for the keygen to run, + it makes it a com file. + +9. Congratulations! You have just made your first(?) keygen! + + +Flywheel V1.02b +(http://www.plannetarium.com) + +1. Start the Program + +2. Select Register + +3. Go into Soft-Ice by pressing Ctrl-D, and set a breakpoint on + GetDlgItemTextA. Type 'bpx getdlgitemtexta'. Now Press Ctrl-D + again to get out from Soft-Ice. + +4. Enter your name ('TERAPHY') and any serial ('12345'). + Press OK button, and Soft-Ice will show up. 
+ +Scroll up a little bit and you'll see this + +:00402ACD 8D4C242C lea ecx, [esp+2C] +:00402AD1 66AB stosw +:00402AD3 6800010000 push 00000100 +:00402AD8 51 push ecx +:00402AD9 6A65 push 00000065 +:00402ADB 56 push esi +:00402ADC AA stosb +:00402ADD FF151C154100 Call [USER32!GetDlgItemTextA] + +The important adress is there your name is being pushed, and +that is push ecx. ecx got is value from 'lea ecx,[esp+2C]'. +Type 'd esp+2c', and you should see your name. + +Below is a call to GetDlgItemInt, and as you remember it returns +the inputed value to eax. Type '? eax' to see the serial you wrote. + +Below this, you'll see this + +:00402AF3 8D54242C lea edx, [esp+2C] +:00402AF7 50 push eax +:00402AF8 52 push edx +:00402AF9 E8D2F9FFFF call 004024D0 +:00402AFE 83C408 add esp, 00000008 +:00402B01 85C0 test eax, eax + +'lea edx,[esp+2C]' moves the offset of your name into edx, +and then it pushes to stack. And eax contains our serial. +And after the call it tests if eax is true or false. +This call is there the registration code is being calculated. + +We trace into it. Step past the first instructions until you reach + +:004024EF B81F85EB51 mov eax, 51EB851F +:004024F4 F7E7 mul edi +:004024F6 C1EA05 shr edx, 05 +:004024F9 52 push edx +:004024FA 56 push esi +:004024FB E8B0000000 call 004025B0 + +004024EF - 004024F6 makes edx all digits except the two last +of what we typed in as serial. If you wrote '12345' edx will +be '123', and if you wrote '072597' edx will be '0725'. + +Then it pushes edx and esi. esi is the offset to your name. +Trace into the call. Step past a few instructions until you reach + +:004025B8 8A06 mov al, byte ptr [esi] +esi contains the offset to your name, so this instrucion moves +the ascii code of the first letter to al, in my case '54' + +:004025BA 84C0 test al, al +:004025BC 7426 je 004025E4 +This instrucions checks if we have inputed any name, if not it jumps. + +:004025BE 0FBEC0 movsx eax, al +This instrucion moves al, to eax. 
If eax = FFFFFF54, +after this eax would have been 00000054 + +:004025C1 50 push eax +:004025C2 E889140000 call 00403A50 +At a first look this call only moves the eax value to ecx. +But it does also check for a space (20h) in eax. It returns +false if not a space. + +:004025C7 83C404 add esp, 00000004 +This code changes the stack and should be ignored + +:004025CA 85C0 test eax, eax +:004025CC 750E jne 004025DC +Test if a space was found. Jump if found. + +:004025CE 0FBE0E movsx ecx, byte ptr [esi] +This moves the letter into ecx (there it should already be). + +:004025D1 51 push ecx +:004025D2 E8E9120000 call 004038C0 +If you, as in my case, wrote your name with a capital letter, +this call will return eax = ascii code for your letter + 20h. +This means it has been converted to a small letter. + +:004025D7 83C404 add esp, 00000004 +Ignore this + +:004025DA 03F8 add edi, eax +Add edi, eax. Eax is the value of our char as small letter. + +:004025DC 8A4601 mov al, byte ptr [esi+01] +:004025DF 46 inc esi +Moves the value of the next char into al + +:004025E0 84C0 test al, al +:004025E2 75DA jne 004025BE +Test if al is 0. This means the end of our name has been reached. +Jump if al is not 0. + +What this code has done, as you probably already figured out, is +add the ascii value of all chars into edi. Except spaces (20h). +It has also converted all capital chars into small letters. + +:004025E4 8B4C2410 mov ecx, [esp+10] +This moves what we typed in (except the last two digits) into ecx + +:004025E8 8D14BF lea edx, [edi+4*edi] +:004025EB 2BCF sub ecx, edi +:004025ED 8D1457 lea edx, [edi+2*edx] +:004025F0 85D2 test edx, edx +:004025F2 740F je 00402603 +:004025F4 B8ABAAAAAA mov eax, AAAAAAAB +:004025F9 F7E2 mul edx +:004025FB D1EA shr edx, 1 +:004025FD 81C204060200 add edx, 00020604 +:00402603 33C0 xor eax, eax +:00402605 3BCA cmp ecx, edx + +This code checks if you typed in the right number. +At 402605 the compare is made. 
But ecx is no longer +what we wrote as serial, because of the 'sub ecx,edi' +command. We could make a simple equation of this. + +Assume X is our registration code (except the two digits). + 'X - EDI = EDX' + +Now type '? edx+edi' and, in my case, I'll get '136182' +as decimal value. This is my regcode, except the two last +digits. These digits could be anything. +Now then we know my registration code is '13618200', +we can start on the keygen. + +5. Run W32Dasm and dissasemble flywheel.exe (the file is located + in 'C:\Program Files\Plannet Crafters\Flywheel') + Save the dissasembly to disk and quit. + +6. Now it's time to start on the code. We can use the same start + as in the last keygen. We go directly to the ripping part. + +You can start by copy all code from 4025B8 to 402605 into your program. +That will look like this. + +:004025B8 8A06 mov al, byte ptr [esi] +:004025BA 84C0 test al, al +:004025BC 7426 je 004025E4 +:004025BE 0FBEC0 movsx eax, al +:004025C1 50 push eax +:004025C2 E889140000 call 00403A50 +:004025C7 83C404 add esp, 00000004 +:004025CA 85C0 test eax, eax +:004025CC 750E jne 004025DC +:004025CE 0FBE0E movsx ecx, byte ptr [esi] +:004025D1 51 push ecx +:004025D2 E8E9120000 call 004038C0 +:004025D7 83C404 add esp, 00000004 +:004025DA 03F8 add edi, eax +:004025DC 8A4601 mov al, byte ptr [esi+01] +:004025DF 46 inc esi +:004025E0 84C0 test al, al +:004025E2 75DA jne 004025BE +:004025E4 8B4C2410 mov ecx, dword ptr [esp+10] +:004025E8 8D14BF lea edx, dword ptr [edi+4*edi] +:004025EB 2BCF sub ecx, edi +:004025ED 8D1457 lea edx, dword ptr [edi+2*edx] +:004025F0 85D2 test edx, edx +:004025F2 740F je 00402603 +:004025F4 B8ABAAAAAA mov eax, AAAAAAAB +:004025F9 F7E2 mul edx +:004025FB D1EA shr edx, 1 +:004025FD 81C204060200 add edx, 00020604 +:00402603 33C0 xor eax, eax +:00402605 3BCA cmp ecx, edx + +Here is how I would have ripped this into the program, +with comments. 
+ +; THIS REPLACES 4025BE - 4025E2 + + xor ecx,ecx + xor edi,edi + mov di, offset NameSto+2 ; Mov the offset of your name + ; into edi +anotherchar: + movsx eax, byte ptr [di] ; Get char from [di] + + cmp eax, 20h ; Compare your letter with 20h + je space ; Jump if equal + + cmp eax, 041h ; Compare your letter to see + jb capital ; if it's already is a + cmp eax, 05Ah ; small lettter + ja capital + add eax,20h ; If capital char, add 20h to make + ; it a small letter. +capital: + add ecx, eax ; add eax to ecx, if not space +space: + + inc di ; inc di to make it point to the + ; next char. + + cmp byte ptr [di], 0dh ; Compare next char with 0Dh (return) + ; Remember then we get our name, it + ; ends with a 0Dh + + jne anotherchar ; Jump if not 0Dh + mov edi, ecx + +; CODE BELOW REPLACES 4025E2 - 402603 +; All commands with ecx (our inputed code) is not needed +; because we do not input any code. + + xor edx,edx + lea edx, [edi + 4*edi] + lea edx, [edi + 2*edx] + mov eax, 0AAAAAAABh + mul edx + shr edx, 1 + add edx, 20604h + + xor ecx, ecx ; Here we do our equation + add ecx, edx ; + add ecx, edi ; ecx = edx + edi + +After this, ecx contains the regcode. +The complete source could look like this. 
+ +Code Segment Byte Public +Assume Ds:Code,Cs:Code +Org 100h +P386 + +Start: + + mov ah,09 + mov dx,offset Intro + int 21h ; Show intro msg + + mov ah,0Ah + mov dx,offset Namesto + int 21h ; Get name + + xor ecx,ecx + xor edi,edi + mov di, offset NameSto+2 +anotherchar: + movsx eax, byte ptr [di] + cmp eax, 20h + je space + cmp eax, 041h + jb capital + cmp eax, 05Ah + ja capital + add eax,20h +capital: + add ecx, eax +space: + inc di + cmp byte ptr [di], 0dh + jne anotherchar + mov edi, ecx + xor edx,edx + lea edx, [edi + 4*edi] + lea edx, [edi + 2*edx] + mov eax, 0AAAAAAABh + mul edx + shr edx, 1 + add edx, 20604h + xor ecx, ecx + add ecx, edx + add ecx, edi + + xor esi,esi + mov si,offset Serial+9 + mov eax,ecx + mov ecx,0Ah +KeepGoing: + xor edx,edx + div ecx + add dl,30h + cmp dl,3Ah + jl printnow + add dl,7 +printnow: + dec esi + mov [esi],dl + or eax,eax + jnz keepgoing + + mov ah, 9 + mov dx, offset RegPrompt + int 21h + + int 20h + +Intro db 13,10,'FLYWHEEL 1.2 *KEYGEN*' + db 13,10,'CODED BY TERAPHY [PC97]',13,10 + db 13,10,'Enter your name: $' + +RegPrompt db 13,10,'Your registration key is: ' +Serial db 0,0,0,0,0,0,0,0,0,'0','0',13,10,24h + +Namesto db 18h,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + +Code Ends +End Start + + +Now compile, run and enjoy! :) + + +================== += TERAPHY [PC97] = += 07/25/1997 = +================== \ No newline at end of file diff --git a/textfiles.com/piracy/CRACKING/timetrial.txt b/textfiles.com/piracy/CRACKING/timetrial.txt new file mode 100644 index 00000000..5ccf996a --- /dev/null +++ b/textfiles.com/piracy/CRACKING/timetrial.txt 
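Review bot: the Flywheel keygen tutorial (the file that ends with the `TERAPHY [PC97] / 07/25/1997` footer) is added without a trailing newline (`\ No newline at end of file`), while the other text files in this patch end with one; if the mirror is meant to preserve the original bytes that is fine and should be stated in the commit message, otherwise normalise the final line so the import is consistent.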
@@ -0,0 +1,422 @@ +WinTar-Remote tut! 24/08/97 +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= +Program: WinTar-Remote +Version: 2.2.1 +URL:http://www.spiralcomm.com +Description: i know shit about this program i picked up cause of the + size +Operating System: Windows +Cracker: nIabI [Me'97] +Level: Intermediate +Tools: SoftICE, W32Dasm, a Hex Editor. +Protection Type: 30 day trial +Encrypted/DLL: No +Method: Dissasemble + +0.-index: + +0.-index +1.-Intro +2.-What We need (tools) +3.-Let's Crack the splash screen +4.- Lic. screen removal +5.- The 1s part of the time trial +6.- The 2nd part of the time trial +7.-Last Notes +8.-Notes +9.-Thak you's + + + +1.- Intro: + +Hello, ok here again on another tut for C4N, this time i am goin to talk about Time Trials +Even tough they are easy a lot of ppl still don't get it so this is why this tut is gone +(hopefully) teach you, also i will teach some of nag remove and bmp (splash) screens :-) + +ok, the program had to be a time trial (of course) but we need it a not to big program but one +that had some potencial in it or i could have used Rhino 3d wich is not small and does not +have any teaching potential (u changed one byte and it's cracked) so ok with the help of a +friend Griml0ck we decited to get this program is called WinTAR-Remote by SpiralCom +Communications Inc. what this program does is not important to us we wil crack it and +delted it for educational purpose ONLY :-). 
+ +In this tut i will asume u know how to use all of the tools i will use here else please get other +tuts that do explain how to use them (TKC's, Edison's, josephCo's and others) + + +2.- What We need (tools): + +W32dasm (used mostly) +SoftIce +Any Hexeditor +a patch maker (if we want to release our crack), i recomen Gpatch by jes and patchit by Qapla +gpatch i like better cause of ease of use and does some good patches on the other hand patchit +gives u the source of the patch in C :-), other wiseuse Pascal or C and do ur own patch (not +explained in this tut sorry). + + +3.- Let's Crack the splash screen: + +ok once d/l the program u run it add se a nasty splash that says Thanks for trying WinTar blah +blah,blah after some secs it shows u a license aggrement (ewww), now we don't like those 2 things +so let's start by taking them away we enter softice and set a bpx on LoadBitmapA once we do this +we run the program again and boom u in Softice cause of one of the bpx u seted b4 now we can see +this (from the w32dasm dissaemble) : + +* Reference To: USER32.SetTimer, Ord:01FEh ; set time the splash screen is goin to show + | +:0040F5F4 FF15F0C64200 Call dword ptr [0042C6F0] +:0040F5FA E92D010000 jmp 0040F72C + +* Referenced by a (U)nconditional or (C)onditional Jump at Address: +|:0040F6FF(C) +| +:0040F5FF 6A67 push 00000067 ; hmm nice push here (does nothing good) +:0040F601 A124A54200 mov eax, dword ptr [0042A524] +:0040F606 50 push eax + +* Reference To: USER32.LoadBitmapA, Ord:0165h ; this is where u land + | +:0040F607 FF15D0C64200 Call dword ptr [0042C6D0] +:0040F60D 8945DC mov dword ptr [ebp-24], eax +:0040F610 8D859CFEFFFF lea eax, dword ptr [ebp+FFFFFE9C] +:0040F616 50 push eax +:0040F617 8B4508 mov eax, dword ptr [ebp+08] +:0040F61A 50 push eax + +* Reference To: USER32.BeginPaint, Ord:0009h ; begin the painting of the splash + | +:0040F61B FF1574C64200 Call dword ptr [0042C674] +:0040F621 8945F8 mov dword ptr [ebp-08], eax +:0040F624 8B45F8 mov eax, dword 
ptr [ebp-08] +:0040F627 50 push eax + +* Reference To: GDI32.CreateCompatibleDC, Ord:001Fh + | +:0040F628 FF1590C44200 Call dword ptr [0042C490] +:0040F62E 8945FC mov dword ptr [ebp-04], eax +:0040F631 8B45DC mov eax, dword ptr [ebp-24] +:0040F634 50 push eax +:0040F635 8B45FC mov eax, dword ptr [ebp-04] +:0040F638 50 push eax + +* Reference To: GDI32.SelectObject, Ord:013Ch + | +:0040F639 FF15B0C44200 Call dword ptr [0042C4B0] +:0040F63F 8D45E0 lea eax, dword ptr [ebp-20] +:0040F642 50 push eax +:0040F643 6A18 push 00000018 +:0040F645 8B45DC mov eax, dword ptr [ebp-24] +:0040F648 50 push eax + +* Reference To: GDI32.GetObjectA, Ord:00DEh + | +:0040F649 FF1598C44200 Call dword ptr [0042C498] +:0040F64F 682000CC00 push 00CC0020 +:0040F654 6A00 push 00000000 +:0040F656 6A00 push 00000000 +:0040F658 8B45FC mov eax, dword ptr [ebp-04] +:0040F65B 50 push eax +:0040F65C 8B45E8 mov eax, dword ptr [ebp-18] +:0040F65F 50 push eax +:0040F660 8B45E4 mov eax, dword ptr [ebp-1C] +:0040F663 50 push eax +:0040F664 6A00 push 00000000 +:0040F666 6A00 push 00000000 +:0040F668 8B45F8 mov eax, dword ptr [ebp-08] +:0040F66B 50 push eax + +* Reference To: GDI32.BitBlt, Ord:000Ah + | +:0040F66C FF1588C44200 Call dword ptr [0042C488] +:0040F672 8B45FC mov eax, dword ptr [ebp-04] +:0040F675 50 push eax + +* Reference To: GDI32.DeleteDC, Ord:0043h + | +:0040F676 FF1584C44200 Call dword ptr [0042C484] +:0040F67C 8B45DC mov eax, dword ptr [ebp-24] +:0040F67F 50 push eax + +* Reference To: GDI32.DeleteObject, Ord:0046h + | +:0040F680 FF158CC44200 Call dword ptr [0042C48C] +:0040F686 8D859CFEFFFF lea eax, dword ptr [ebp+FFFFFE9C] +:0040F68C 50 push eax +:0040F68D 8B4508 mov eax, dword ptr [ebp+08] +:0040F690 50 push eax + +* Reference To: USER32.EndPaint, Ord:00AFh + | +:0040F691 FF1570C64200 Call dword ptr [0042C670] +:0040F697 B801000000 mov eax, 00000001 +:0040F69C E992000000 jmp 0040F733 + +* Referenced by a (U)nconditional or (C)onditional Jump at Address: +|:0040F721(C) +| +:0040F6A1 
8B4510 mov eax, dword ptr [ebp+10] +:0040F6A4 50 push eax +:0040F6A5 8B4508 mov eax, dword ptr [ebp+08] +:0040F6A8 50 push eax + +* Reference To: USER32.KillTimer, Ord:0162h ; kiil the timer set b4 to show the splash + | +:0040F6A9 FF15F4C64200 Call dword ptr [0042C6F4] + + +ok u can see here one thing the line that contains push 00000067 in 40f5ff does nothing +so to crack the splash screen we chage this + +:0040F5FF 6A67 push 00000067 ; hmm nice push here (does nothing good) +to this +:0040F5FF E9A5000000 JMP 0040F6A9 ; Nice jump, kills the timer and the splash + +so here the splash screen is disabled and we can continue cracking. + +4.- Lic. screen removal: + +ok this par needs some zen cracking :-) this is part of the disssemble in w32dasm : + + +:004094DD 813D3C5A420000010000 cmp dword ptr [00425A3C], 00000100 +:004094E7 0F8533000000 jne 00409520 +:004094ED 8B4508 mov eax, dword ptr [ebp+08] +:004094F0 50 push eax +:004094F1 E80AEFFFFF call 00408400 ; call the lic screen(how did i got here ? 
+ ; like i said zen cracking :-) +:004094F6 83C404 add esp, 00000004 +:004094F9 85C0 test eax, eax +:004094FB 0F851F000000 jne 00409520 +:00409501 C705105C420001000000 mov dword ptr [00425C10], 00000001 +:0040950B 6A00 push 00000000 +:0040950D 6A00 push 00000000 +:0040950F 6A10 push 00000010 +:00409511 8B4508 mov eax, dword ptr [ebp+08] +:00409514 50 push eax + +this is what the call to the lic screen is : + +* Referenced by a CALL at Address: +|:004094F1 +| +:00408400 55 push ebp ; this code is only checking if the file is not + ; delted or something like that +:00408401 8BEC mov ebp, esp +:00408403 83EC08 sub esp, 00000008 +:00408406 53 push ebx +:00408407 56 push esi +:00408408 57 push edi +:00408409 C745F867844000 mov [ebp-08], 00408467 +:00408410 6A00 push 00000000 +:00408412 8B45F8 mov eax, dword ptr [ebp-08] +:00408415 50 push eax +:00408416 8B4508 mov eax, dword ptr [ebp+08] +:00408419 50 push eax +:0040841A 6A66 push 00000066 +:0040841C A124A54200 mov eax, dword ptr [0042A524] +:00408421 50 push eax + +* Reference To: USER32.DialogBoxParamA, Ord:008Ah + | +:00408422 FF15C8C64200 Call dword ptr [0042C6C8] +:00408428 8945FC mov dword ptr [ebp-04], eax +:0040842B 837DFC02 cmp dword ptr [ebp-04], 00000002 +:0040842F 0F8512000000 jne 00408447 + +* Possible Reference to String Resource ID=03302: "The licence agreement file is missing or + corrupted. Please " + ; as u can see here if u delete the + ; licence.txt u get this msg + +ok what we can do here is this since none of the checking of calling is done AFTER the call +once it finds a ret the program says ok this guy pushed the i agree button, continue, so what we +can do here is give the program a ret, whe change this : + +:00408400 55 push ebp +to this +:00408400 C3 ret + the program calls the screen but a ret(return from call) is there so it returns to the program. 
+ + +5.- The 1s part of the time trial: + +ok now once we dissabled all of the nag's and nasty stuff we need to take the 30 day trial +we try and find something on the nag box in w32dasm what we find is just a lot of garbage in this +nag (not gabage but dificult to follow) how about something else ? hmm the .ini ? ok let's try +we search for it and land here : + +* Possible StringData Ref from Data Obj ->"wintar.ini" + | +:00409275 A1485A4200 mov eax, dword ptr [00425A48] +:0040927A 50 push eax +:0040927B 6A00 push 00000000 + +* Possible StringData Ref from Data Obj ->"Validate" + | +:0040927D 68405C4200 push 00425C40 + +* Possible StringData Ref from Data Obj ->"UserOpt" + | +:00409282 684C5C4200 push 00425C4C + +* Reference To: KERNEL32.GetPrivateProfileIntA, Ord:00F9h + | +:00409287 FF152CC54200 Call dword ptr [0042C52C] +:0040928D 8985F4FEFFFF mov dword ptr [ebp+FFFFFEF4], eax +:00409293 E91A000000 jmp 004092B2 + +* Referenced by a (U)nconditional or (C)onditional Jump at Address: +|:0040926F(C) +| +:00409298 6A00 push 00000000 + +* Possible StringData Ref from Data Obj ->"Validate" + | +:0040929A 68545C4200 push 00425C54 + +* Possible StringData Ref from Data Obj ->"UserOpt" + | +:0040929F 68605C4200 push 00425C60 +:004092A4 E896E2FFFF call 0040753F ; if you follow in SI here u will + ; find that this call does + ; does something strange so we + ; go to the call +:004092A9 83C40C add esp, 0000000C +:004092AC 8985F4FEFFFF mov dword ptr [ebp+FFFFFEF4], eax + +* Referenced by a (U)nconditional or (C)onditional Jump at Address: +|:00409293(U) +| +:004092B2 83BDF4FEFFFF00 cmp dword ptr [ebp+FFFFFEF4], 00000000 +:004092B9 0F850D000000 jne 004092CC +:004092BF E89CE8FFFF call 00407B60 ; take a deep look :-) +:004092C4 85C0 test eax, eax +:004092C6 0F849B000000 je 00409367 + +this is what we get by the call at 4092A4 + +* Referenced by a CALL at Addresses: +|:004092A4 , :00410C4F , :00410C7F , :00410C98 , :00410CB1 +|:00410CCA , :00410CE3 , :00410CFC , :00410D15 , 
:00410D2E +|:00410D47 , :00410D60 , :00410D80 , :00410D99 , :00410DB2 +|:00410DCB , :00410DE4 , :00410DFD , :00410E16 , :00411304 +|:0041131D , :00416C74 , :00416C8F , :00416CAA , :00416F4F +|:00416F6A , :00416F85 , :00417415 , :00417622 , :004177C1 +|:004177E2 , :0041788D , :00417961 , :00417982 , :004179A3 +| + ; WOW this part sure does get called ! +:0040753F 55 push ebp +:00407540 8BEC mov ebp, esp +:00407542 81EC14010000 sub esp, 00000114 +:00407548 53 push ebx +:00407549 56 push esi +:0040754A 57 push edi +:0040754B C745F404010000 mov [ebp-0C], 00000104 +:00407552 833D3856420000 cmp dword ptr [00425638], 00000000 ; is the flag Zero ? +:00407559 0F8507000000 jne 00407566 ; no then bug off +:0040755F 33C0 xor eax, eax +:00407561 E9A0000000 jmp 00407606 + +what we can do here is simple we look at our Registers ans check is EAX is zero b4 it called this +part........ we check and see that it is zero so this is getting better :) what we do here is +simple ok remeber the lic. removal part how the call only wanted a ret ? ok so this is equal +change this: + +:0040753F 55 push ebp +to this +:0040753F C3 RET +there now the MARKER (if you set the time ahead or b4 30 days) is removed. + + +6.- The 2nd part of the time trial: + +ok now we need to remove the 30 day check this will ALSO require more zen (this is prolly a zen +tut and not a time trial :] ) but not many zen if u are a good looker u can see this call after +the check mark call : + +:004092BF E89CE8FFFF call 00407B60 ; this is our check our time call :-) + +unlucky us u can't do the RET trick here :-( so we go deep inside the call and find this: + + +* Referenced by a (U)nconditional or (C)onditional Jump at Address: +|:00407CA1(C) +| +:00407CB1 833DB457420000 cmp dword ptr [004257B4], 00000000 ; check the flag to zero +:00407CB8 0F850A000000 jne 00407CC8 ; no? 
the bug off +:00407CBE B801000000 mov eax, 00000001 ; and move EAX to 1 + ; wich 1 = bad time +:00407CC3 E902000000 jmp 00407CCA ; jump to return + +* Referenced by a (U)nconditional or (C)onditional Jump at Address: +|:00407CB8(C) +| +:00407CC8 33C0 xor eax, eax + +* Referenced by a (U)nconditional or (C)onditional Jump at Address: +|:00407CC3(U) +| +:00407CCA E900000000 jmp 00407CCF + +* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: +|:00407BA4(U), :00407BBA(U), :00407BE6(U), :00407C1A(U), :00407C65(U) +|:00407CCA(U) +| +:00407CCF 5F pop edi +:00407CD0 5E pop esi +:00407CD1 5B pop ebx +:00407CD2 C9 leave +:00407CD3 C3 ret + +ok now here the program is looking for something, what could it be ?.......... +ok if we continue with eax in 1 we get the sorry screen and a help file opens and our program +terminates, we don't like this so we go back here and check again, ok i got it it checks if eax +is ZERO if it is then the guy is still on the 30 day limit, so we change this : + +:00407CBE B801000000 mov eax, 00000001 ; and move EAX to 1 +to this +:00407CBE B800000000 mov eax, 00000000 ; and move EAX to 0 + +now the program even if you are on the 30 day limit it will let you use it for the rest of your +life :-). + +7.-Last Notes: +ok now to finally do our crack we enter a hexeditor and search for the opcodes and change them +(like,i said at the beggining i assume you allready know this). + + +8.-Notes: + +You could search for the text UNREGISTERED and changed to anything u like like CrackedVer. +ans search for the string Days left and change it to anything as well i will not explain this +because i think AT least the programmers deserve that since u cracking the software :-). + + +9.-Thak you's: + +Ok thaks go to the follwing persons: +JosephCo: keep up the good work d00d +mpbaer: ha Rebirth ROX !!!!!! :))) +Razzi: ur tuts rule !!! 
+^pain^: cause u cool :) +tHATDUDE: he isnpired me to become a cracker :-) +Fant0m : damm ur coding is good +GThorne: haha this guy rox the world ! +Tgunner: 10x for everything +lgb: 10q as well for all the help and support :) +blorght: the only female i seen (err on irc) that can do a lot of stuff ! u rule babe :-) +Griml0ck: he inspired me and asked me to this tut :-) ok d00d for you here it goes. +TeRaphY: this guy is kewl as well :) +Krazy_N: he is not crazy but he is kewl :) +all the regulars of #cracking4newbies thanks that shows us that we growing ! :-) +#cracking all of the guys in it aswell retf in especial :-P +#revolt bring up the warez ! :) +cat|man: thanks for those sites :) +if i forgot anyone please let me know i will respond ahh ok 10q :) +oh and also all of the ppl that shows some cracking teaching or explaining !! + + nIabI[ME'97] + + diff --git a/textfiles.com/piracy/CRACKING/tsrcrack.txt b/textfiles.com/piracy/CRACKING/tsrcrack.txt new file mode 100644 index 00000000..4f1a01bb --- /dev/null +++ b/textfiles.com/piracy/CRACKING/tsrcrack.txt 
@@ -0,0 +1,91 @@ + + + + + + + + + + TSRCrack V3.00 Copyright (c) 1994 + by Wong Wing Kin + All rights reserved. + + + + + + + + + + + + +What is TSRCRACK? + + This is a TSR utility for cracking software protection such as + password protection. It can also be used to modify the games so that + they can be much easier finished. + Why not modify the file directly? It is because the files are + often compressed and encoded, they cannot be decoded and modified. + Thus you need a TSR to modify the codes after the files are loaded + into memory. + This program can generate a TSR from given information about + where and how to modify the codes. + + + + + + + + + + + + +Input File format: + + [program ] + int + ? + + :- if ::: + (then :::)? + + :- ds | es | cs | ss + :- signed/unsigned hex numbers (word) + :- unsigned hex numbers (word) + :- space separated hex numbers (byte) + + ? means 1 or more occurrences. + [] mean optional. + + + Example: Crack INDARK password + + program tatou.com + int 21 + if cs:0000:25bc = 3b 86 d0 fd 75 28 a0 8e + then cs:0000:25c0 = eb 1a + + The above program will hook int 21. Every time int 21 is called, + it will check the byte sequence at the address CS+0000:25bc + equal to 3b 86 d0 fd 75 28 a0 8e or not. If it is equal, + change CS+0000:25c0 to eb 1a. + + + Example: The following program can also be acceptable + + Program tatou.com + int 21 + + if Cs:0000:25bc = 3b 86 d0 fd 75 28 a0 8e + then cs+0:+25c0 = eb 1a + + if cs-cd6:1f46 = 8b 56 e6 d1 e2 c4 1e 8e 7d 03 + then cs:-cd6:1f46 = 83 7e e6 15 74 8 f7 d8 eb d2 + + if cs:-cd6:1f04 = 26 ff 0f + then cs:-cd6:1f04 = eb 01 diff --git a/textfiles.com/piracy/CRACKING/tt-unt.txt b/textfiles.com/piracy/CRACKING/tt-unt.txt new file mode 100644 index 00000000..c987ed1c --- /dev/null +++ b/textfiles.com/piracy/CRACKING/tt-unt.txt 
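Review bot: the `Input File format` block in tsrcrack.txt has lost every angle-bracketed placeholder, so the grammar now reads `[program ]`, `int`, `?`, `:- if :::`, `(then :::)?` and `:- ds | es | cs | ss` with no left-hand sides and no operand names, which makes the format description unusable on its own; the `<...>` tokens were most likely stripped as HTML tags during the import, so re-import this file from the raw bytes (or escape the tokens) and confirm against the two worked examples that follow (`if cs:0000:25bc = 3b 86 d0 fd 75 28 a0 8e` / `then cs:0000:25c0 = eb 1a`) that the program, interrupt, segment, offset and byte-sequence fields come back.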
@@ -0,0 +1,2614 @@ + + + + + + + + ۲ + ۲ + + ߲ + + + + + + + + ߲ܲ۲ + ߲ ۲ + ߲ ۲ + ܰ ۲ + + + ߲ + ۲ + ۲ + ۲ ܲ + ۲ ܱ + + ܰ + ߰ + + ޲ + ۲ + + + + + + + + PRESENT : + + ͻ + + Training Tutorial for the PC. By Dr. Detergent / UNT'93 + + ͼ + + + + + + + Table of contents + + + + +Section: + + + +1 - Introduction. +2 - Before starting. +3 - Debugging through. +4 - Different file compression techniques. +5 - Once inside the game's code. +6 - Most common training byte structure composition. +7 - Searching for the most common training byte structure composition. +8 - Problems finding the most common training byte structure composition. +9 - Setting the break points. +10 - Once you have found the trainer data. +11 - Making a "hard-cheat" +12a - Generic trainer interfacing routine. +12b - Interfacing to the game's keyboard routine. +12c - Finding the game's keyboard handling routine. +12d - Prince of Persia II keyboard handling routine listing. +13 - Handling different DS values. +14 - Writing the trainer loader or TSR code. +15 - Generic TSR self-removal routine. +16a - Generic trainer code interfacing routine. +16b - Prince of Persia II interactive trainer interfacing routine. +16c - Finding the runtime CS:IP of the keyboard handling routine. +16d - Comparing the program's current IP. +16e - Interfacing with different keyboard handling routines. +17 - Fox Ranger Interactive 9 option trainer routine listing. +18 - Legend of Myra Interactive 10 option trainer routine listing. +19 - Interactive TSR/loader trainer examples. +20 - Summary. + + + + + + + + ͻ + Section 1 + ͼ + + + + + + + + +Introduction: + + + +Every game player has at some point during gameplay, wished that he/she had +more lives/energy/weapons/time etc - just to be able to finish that level or +see the game's ending for that matter. 
+ + +Have you ever played a game for months, each time getting better and better, +finally you make it to the last level only to find that the monster at the +end is impossible to kill even with all your past experience? + + +Ever play a game for 5 hours and finally get to the last level - just before +the ending intro, and suddenly get killed by some small rodent - and have to +restart all over?! + + +Well I am sure you have experienced the above. This is why hackers/crackers +developed a kind of "Training Aid" if you want to call it that. The +terminology training means to bring an individual to a higher degree of +success through practice. In computer terms, the phrase training was +developed by hackers on the C-64/Amiga. + + +Whenever someone played a game and couldn't finish it, when using a trainer, +the person could train on the last level and become proficient in the skills +required in mastering that level, then he could turn off the trainer and try +his newly acquired skills in the real thing. + + +The term CHEAT as some people refer to, is not a good description of what a +real trainer actually is. Most trainers are interactive, meaning that they +let you toggle certain things on/off or select different items during game +play - a cheat however, mostly gives you straight away unlimited lives/items +etc and rarely let's you "train" while playing the game. + + +Training games has been going on for ages. It started back as far as the +C-64, maybe even further. It has seen it's days on all the computers that +one can use to play games. + + +Training was revolutionized mostly on the Amiga computer. The games for the +Amiga are outstanding, and so are the trainers. I have seen trainers for +some games that I thought were the game itself. + + +On the PC, training started the day that games were designed for it. 
Since +it's early days, training on the PC has revolutionized from small +"cheats/character editors" to todays interactive, multi-functional, user +defined, mega-trainers. + + +This Training Tutorial was written for those who always wondered how one +makes trainers on the PC, and it portrays this art to you. Never the less, +it all depends on you - how good you are with understanding the assembly +language and programming. + + +I'm confident that your average ASM programmer or hacker will find the +information herein helpful and useful. + + +Through my many years of training on the PC, and after developing more than +285+ trainers/cracks, I have learned lots of different tricks and methods +that I will reveal to you in this training tutorial. + + + + + + + + ͻ + Section 2 + ͼ + + + + + + + +Before starting: + + + +First, you must have a general knowledge of debugging software and ASM +programming. Before you begin to even think about training a certain game, +ask yourself the following questions : + + +1) Has a trainer already been released for that game - sometimes you spend + hours training a game only to find out just before you are about to + spread it world-wide, that there already is a trainer out for it - and + it is even better then yours! + +2) Is the game trainable - if yes, what items/things can it be trained for? + You will be surprised how many requests I had to make trainers for + games that are not trainable - like text adventure games! - so make sure + that at least something in your game is trainable. + +3) Is it worth it - are you going to spend 5 hours training a shareware + pacman-type game?! + +4) Can you handle the code - do you think you can get by the game's nasty + encryption/anti-debugging routines or script-compiler type code? + +5) Will you be able to make the trainer - do you think that you can write + the code that will integrate your trainer with the game and be able to + modify the necessary data? 
Sure you can find the necessary data to + alter in the program, but can you write up a TSR or a loader that can + integrate itself to the game's code and modify the necessary data + locations? + + +Once you have asked yourself the above questions, and feel confident about +your answers, then proceed to section 3. + + + + + + + + ͻ + Section 3 + ͼ + + + + + + + +Debugging Through: + + + +This section deals with debugging the game program. It will outline the +various debuggers you can use, various compression methods and how to get +through them. + + +Before we even begin - what debugger are you going to use? Ok, I will +make this question simpler - if you have a 386+ CPU, what debugger are you +going to use? + + +That's right - SOFT-ICE 2.52+!. This is the best debugger. Below are +some other debuggers listed in priority order, you might consider using: + + + +Turbo Debugger 386+ +Code View 386+ +Any other 386+ virtual mode debugger +Turbo Debugger 286- +Code View 286- +Periscope +Debug.exe + + + +Ever since I have been cracking/training games, I have never seen a more +powerful or complete debugger than Soft-Ice. Now don't think that you have +to have Soft-Ice to train, I have used debug on my XT / CGA to train +some complex VGA games, - not even being able to see the screen, and having +the trainer tested on my friends VGA, back in the old days. + + +You can train a game with ANY debugger and still make a good trainer at +that. But using soft-ice will speed up the process extremely and yield the +best results. That's why in some examples here I will use Soft-Ice as the +main debugger. + + +Ok, so you are not lame, and do have a 386+ chip, vga, extended memory, +and soft-ice loaded. Now you have your game neatly installed and ready to +be debugged and trained. + + +Now you have to find the start-up file. This is the EXE or COM loader that +starts the game. This is where you will find the necessary data to train +your game - 95% of the time. 
Remember that the EXE/COM loader can load up +an OVR or a BIN file, so if the start-up file is really small like 5 k, then +you know for sure it's going to load in some overlay code. + + +Ok, so use soft-ice's LDR.EXE to load up the start-up file (or debug the +file with another debugger). Now unassemble the first instructions and +study the code. Try to determine if the code is compressed by something +like LZEXE, PKLITE, DIET, EXEPACK, Secure-Wrap or some other COM/EXE file +compressor. + + +You can skip this step if you know how to write a loader or a TSR. +Otherwise, this step gives you an idea if you can or can't train the +program - if you can't write a TSR or loader, then how can you interface and +change the necessary data in the game if it's encrypted? (Even if you knew +at what location the lives decrementing instruction etc is, searching the +EXE/COM file with a hex editor to do a hard-train will yield no results) + + + + + + + + ͻ + Section 4 + ͼ + + + + + + + +Different file compression techniques: + + + +Here are some examples of the different compression techniques used on +COM/EXE files: + + +ͻ + PKLITE 1.20 (COM File) +ͼ + + +0100 B8BDE2 MOV AX,E2BD +0103 BA2284 MOV DX,8422 +0106 3BC4 CMP AX,SP +0108 7367 JNB 0171 +010A 8BC4 MOV AX,SP +010C 2D4403 SUB AX,0344 +010F 25F0FF AND AX,FFF0 +0112 8BF8 MOV DI,AX +0114 B9A200 MOV CX,00A2 +0117 BE7C01 MOV SI,017C +011A FC CLD +011B F3 REPZ +011C A5 MOVSW +011D 8BD8 MOV BX,AX +011F B104 MOV CL,04 +0121 D3EB SHR BX,CL +0123 8CD9 MOV CX,DS +0125 03D9 ADD BX,CX +0127 53 PUSH BX +0128 33DB XOR BX,BX +012A 53 PUSH BX +012B CB RETF ;*** RETF Instruction *** +012C 0C01 OR AL,01 +012E 50 PUSH AX +012F 4B DEC BX +0130 4C DEC SP +0134 20436F AND [BP+DI+6F],AL +0137 7072 JO 01AB +0139 2E CS: + + +* Note the RETF instruction at 012B. This instruction when encountered in + the beginning of the code like this, nearly always gives an indication + that the file is compressed. 
+ + + (The code after 012B is just compressed garbage. When you see garbage + after a RETF instruction, found in the beginning of the code, than you are + nearly sure that the file is compressed by something) + + +ͻ + LZEXE 0.91 (EXE File) +ͼ + + +000E 06 PUSH ES +000F 0E PUSH CS +0010 1F POP DS +0011 8B0E0C00 MOV CX,[000C] +0015 8BF1 MOV SI,CX +0017 4E DEC SI +0018 89F7 MOV DI,SI +001A 8CDB MOV BX,DS +001C 031E0A00 ADD BX,[000A] +0020 8EC3 MOV ES,BX +0022 FD STD +0023 F3 REPZ +0024 A4 MOVSB +0025 53 PUSH BX +0026 B82B00 MOV AX,002B +0029 50 PUSH AX +002A CB RETF ;*** RETF instruction *** +002B 2E CS: +002C 8B2E0800 MOV BP,[0008] + + +* Note the RETF instruction at 002A. + + +ͻ + DIET 1.10a (COM File) +ͼ + + +0100 BE5409 MOV SI,0954 +0103 BFDC13 MOV DI,13DC +0106 B91404 MOV CX,0414 +0109 3BFC CMP DI,SP +010B 7204 JB 0111 +010D B44C MOV AH,4C +010F CD21 INT 21 +0111 FD STD +0112 F3 REPZ +0113 A5 MOVSW +0114 FC CLD +0115 8BF7 MOV SI,DI +0117 BF0001 MOV DI,0100 +011A AD LODSW +011B AD LODSW +011C 8BE8 MOV BP,AX +011E B210 MOV DL,10 +0120 E96D12 JMP 1390 +0123 64 DB 64 \ +0124 6C DB 6C / Garbage from here onwards. + + +ͻ + EXEPACK ??? (EXE File) +ͼ + + + +0010 8BE8 MOV BP,AX +0012 8CC0 MOV AX,ES +0014 051000 ADD AX,0010 +0017 0E PUSH CS +0018 1F POP DS +0019 A30400 MOV [0004],AX +001C 03060C00 ADD AX,[000C] +0020 8EC0 MOV ES,AX +0022 8B0E0600 MOV CX,[0006] +0026 8BF9 MOV DI,CX +0028 4F DEC DI +0029 8BF7 MOV SI,DI +002B FD STD +002C F3 REPZ +002D A4 MOVSB +002E 50 PUSH AX +002F B83400 MOV AX,0034 +0032 50 PUSH AX +0033 CB RETF ;*** RETF instruction *** +0034 8CC3 MOV BX,ES +0036 8CD8 MOV AX,DS +0038 48 DEC AX +0039 8ED8 MOV DS,AX + + +* Note the RETF instruction at 0033. 
+ + +ͻ + Some other compression method (EXE File) +ͼ + + +000C 8CD3 MOV BX,SS +000E 8EC3 MOV ES,BX +0010 8CCA MOV DX,CS +0012 8EDA MOV DS,DX +0014 8B0E0800 MOV CX,[0008] +0018 8BF1 MOV SI,CX +001A 83EE02 SUB SI,+02 +001D 8BFE MOV DI,SI +001F D1E9 SHR CX,1 +0021 FD STD +0022 F3 REPZ +0023 A5 MOVSW +0024 53 PUSH BX +0025 B82E00 MOV AX,002E +0028 50 PUSH AX +0029 8B2E0A00 MOV BP,[000A] +002D CB RETF ;*** RETF instruction *** +002E B80010 MOV AX,1000 +0031 3BC5 CMP AX,BP +0033 7602 JBE 0037 +0035 8BC5 MOV AX,BP +0037 2BE8 SUB BP,AX +0039 2BD0 SUB DX,AX +003B 2BD8 SUB BX,AX +003D 8EDA MOV DS,DX +003F 8EC3 MOV ES,BX +0041 B103 MOV CL,03 +0043 D3E0 SHL AX,CL +0045 8BC8 MOV CX,AX +0047 D1E0 SHL AX,1 +0049 48 DEC AX +004A 48 DEC AX +004B 8BF0 MOV SI,AX +004D 8BF8 MOV DI,AX +004F F3 REPZ +0050 A5 MOVSW +0051 0BED OR BP,BP +0053 75D9 JNZ 002E +0055 FC CLD +0056 8EC2 MOV ES,DX +0058 8EDB MOV DS,BX + + +* Note the RETF instruction at 002D. + + +So basically you get the picture. Now to trace through the code to the part +where the whole program uncompresses itself is really easy. + + +First, always remember to TRACE or PROCEED through any RETF instruction. +In most cases there is only one RETF instruction to trace or proceed +through. Then once you traced or proceeded through it, you will be either +at CS:0000 or somewhere else. The next step is simple too - Just +unassemble the code until you find the following instruction: + + + +CS: +JMP FAR [BX] + + + +Once found, simply go to the address containing CS:, then trace or proceed +through. Now you should have the clean uncompressed code. If you did not +find the above instruction, then try looking for another RETF instruction. +Once found go to it and trace or proceed through and you should have the +clean uncompressed code. + + +Remember some files may be compressed with 2 compression programs +(for "added protection" as software authors think!). If so, simply perform +the above steps twice. 
+ + +Finding the part of the program that the file starts up at is helpful in 2 +ways : + + +1) You are sure that the program didn't start executing any instructions + yet - like moving lives/energy etc variables into memory. + + +2) You can note the CS, DS, or any other memory variables so that when you + do write up a TSR or a loader, you will be able to interface it easier. + + + Note: + + + + (You need to know the program's current CS,DS upon startup, if you are + going to write the generic tsr or loader trainer interfacing routine as + outlined in section 12a). + + +If you don't care about getting to the program's very beginning, and just +want to get through the uncompression as fast as possible, then if using +soft-ice, set a break point on INT 21 - it will break in when the program +does a DOS VER check, a memory allocation call or any other function using +INT 21. All games and most programs have INT 21's present in their program +code. + + +Some of you might even want to start the game, get the game fully running, +and then break into the debugger. I use this method. Doing this has some +goo d points and some bad points. The good points might be that the CS,DS +values are already redefined and you more or less see where the program +keeps it's data values. Some bad points might be that you have skipped +past the value-initialization routine (of the lives etc). If you are +unexperienced, then I recommend that you do not use this method. + + +Some software programmers put anti-debugging routines in their software code +to deter hackers/crackers from cracking their software. This works to the +trainer's disadvantage - sometimes. I'm not going to describe the various +anti-debugging methods and their antidotes in this training tutorial - learn +all about it in the upcoming "Cracking on the PC - THE mega tutorial!" + + + + + + + + + ͻ + Section 5 + ͼ + + + + + + + +Once inside the game's code: + + + +Ok, so you are in the program now. What now? 
A lot of people have asked +me what's harder to do - crack a game or make a trainer for it. Well it +depends really. Some games can be cracked in 5 minutes, while making a good +trainer can take 8+ hours. But in general I think making trainers is a bit +more difficult than cracking. Mostly because making a trainer will always +consume more time - at LEAST 1 hour to find/make/write/package the +trainer. + + +Also, when cracking a game, you isolate the protection in a certain area of +the program, then focus all your attention on it and crack it. When +training a program, you are looking through everything, everywhere, +gathering all sorts of unnecessary data before finding the right bytes, let +alone understanding the game code operation. + + +But once again, there are short cuts to everything. This is why training +might be easier that cracking after all. Every program uses more or less +the same technique to decrement/increment your lives/energy/ammo/inventory +items, etc. + + +Through my years of training, I have narrowed it down to the most common +byte structure composition, as outlined in section 6. + + + + + + + + ͻ + Section 6 + ͼ + + + + + + + +Most common training byte structure composition: + + + += DECREMENTING = + + +Decrementing or subtracting means to decrease a certain thing. The game +uses various decrementing instructions to decrement (or subtract if you +like) your lives/energy/time/ammo/weapons/inventory items etc. + + +The following is a list of the most common decrementing instructions that +games use: + + + +DEC WORD PTR [1234] - +In HEX : FF 0E 34 12 + +DEC BYTE PTR [1234] - +In HEX : FE 0E 34 12 + +SUB WORD PTR [1234],XX - +In HEX : 83 2E 34 12 XX + +SUB BYTE PTR [1234],XX - +In HEX : 80 2E 34 12 XX + +SUB [1234],AX - +In HEX : 29 06 34 12 + +SUB [1234],DX - +In HEX : 29 16 34 12 + + + += INCREMENTING = + + +Incrementing or adding means to add a value to a certain thing. 
The game +uses various incrementing instructions to increment (or add if you like) +your current level/energy/time/ammo/weapons/inventory items etc. The +following is a list of the most common incrementing instructions that games +use: + + + +INC WORD PTR [1234] - +In HEX : FF 06 34 12 + +INC BYTE PTR [1234] - +In HEX : FE 06 34 12 + +ADD WORD PTR [1234],XX - +In HEX : 83 06 34 12 XX + +ADD BYTE PTR [1234],XX - +In HEX : 80 06 34 12 XX + + + +Legend : + + + + + - Very common - nearly 100% probability. + + - Common - about 70% probability. + + - Likely - about 40% probability. + + - Sometimes - about 10% probability. + + + + + + + + ͻ + Section 7 + ͼ + + + + + + + +Searching for the most common training byte structure composition: + + + +By now you should be in the program viewing the uncompressed code. Simply +start searching for the above bytes - depending for what you are looking +for. For starting out, you should not be concerned with searching for the +incrementing or adding instructions - these instructions are used for +incrementing levels in the game, or inventory, etc. Training for those +options is much harder at first, so stick to the decrementing instructions. + + +So now start searching for the most common decrementing instruction - mainly +the DEC WORD PTR [XXXX]. I will use this example because it's the most +common decrementing instruction that you will find. Obviously you can, and +you should, search for the other less common decrementing instructions too. + + +The following search example can be used to search for all the decrementing +and incrementing instructions. + + + +Example: + + + + +S CS:0 L FFFF FF 0E (Works with most debuggers) + + + +Note: + + + +We only search for the first 2 bytes of the DEC/INC instruction because the +3rd and 4th bytes contain the value of the address where the DEC/INC is +going to take place. + + +To make things simpler, let's assume that you are searching for the above +example (DEC WORD PTR [XXXX]). 
I will use this example from now on. +Remember, you can apply this example the same way to search or process all +the other DEC/INC instructions, as outlined in section 6. + + + + + + + + ͻ + Section 8 + ͼ + + + + + + + +Problems finding the most common training byte structure composition: + + + +If you didn't find anything, or just a few DEC's that are not related to +anything, then it's because of the following : + + +1) You are looking in the wrong CS. Some games have many different CS + values. If the program's current CS is 1200, and you search for the DEC + bytes and find about 4, and then run the program, break in again, and + notice CS is 2245, and search for those bytes again, you might find 30 + or more, so make sure you search all the possible CS values in the game. + + + It's hard to break in, just hoping to find the next CS value in the + game - if any. A good technique is to search like this: + + + Find the lowest CS value in the game, - eg: 0900. + + + Then search CS:0 l FFFF FF 0E + Then search 2000:0 l FFFF FF 0E + Then search 3000:0 l FFFF FF 0E + Then search 4000:0 l ffff FF 0E + + + Etc - get it? If the CS is always high during the game, and you never + seem to be able to break in when it's lower, then start the search at + about 0800, and then proceed higher. + + +2) The second possibility (if you didn't find anything after searching for + all the listed decrementing instructions) is that the game is using a + different decrementing instruction. + + +3) The third possibility is that the game's code is a script-compiler type + code. You can forget about training this type of game - even if you are + an experienced trainer maker. But if you can train it, then you belong + to the TOP-GUN trainer makers! + + + The Script-compiler type code is found in such games from Sierra, + Delphine Software, Lucas Arts and CVS. It is a programming method + which uses pre-defined scripts to run certain program operations. 
+ Everything from producing the sound on the sound blaster to drawing the + graphics on the screen is done all in the same program loop - using + different scripts. Therefore training, or even cracking this type of + game is really a pain, but never the less, can be done. + + + + + + + ͻ + Section 9 + ͼ + + + + + + + +Setting the break-points: + + + +From the search, you should have found quite a few of those decrementing +instructions in the game's loader. If you are using soft-ice, note the +current CS and write it down. Then unassemble that address, study the code +and make sure it's a valid decrement, then set a break point on execution +(BPX in soft-ice) for about the first 8 of the found DEC WORD PTR [XXXX] +instructions. + + +The reason for unassembling the found instructions first and then putting a +break point on execution - as with soft-ice, or a CC, as with other +debuggers, is because the bytes FF 0E can represent any other code or data +value in the program. When you unassemble that address where the bytes FF +0E where found and study the code, if you see that the prior or following +instructions are garbage or don't make sense, then don't bother setting a +break point on that address since it's not going to be executed anyway. + + +If you are not using soft-ice, do the above but instead of setting a break +point on execution, replace the first byte of the DEC instruction with CC - +so it will look like this : + + + +Example: + + + +Original found instruction : FF 0E 34 12 +1st byte replaced by CC : CC 0E 34 12 + + + +This will put an INT 3 at the beginning of that instruction. Your debugger +should break on INT 3 when it executes that instruction. Do this for about +the first 8 of the found DEC WORD PTR [XXXX] instructions. + + +Now why did we do the above? Well we want to see which one of the +decrementing instructions decrements the lives/energy/timer etc values. So +the next step is to run the program. 
+ + +Get by the introduction screen, etc and start playing the game. (If your +debugger breaks in even before you get to the game, then simply remove that +break point on execution from that address - if using soft-ice, or +replace the CC value with FF. This is done since that instruction won't +have anything to do with decrementing your lives/energy/timer etc in the +game - since the game has not even started yet. + + +Once your game starts, and the debugger breaks in right away - simply run +the program again. If the same thing happens more than about 3 times, and +it always happens at the same address, then remove the break point on +execution from that address - if using soft-ice, or replace the CC value +with FF. The reason for this is because the game might be using that +instruction to do something else other than decrementing your +lives/energy/timer etc. + + +The next step is to try and get killed, or use your gun and waste a few +bullets, or do something like that - to see if any inventory options, +gadgets, energy bars, life counters, etc, are being decremented. If they +are, you will suddenly find yourself in the debugger. Suppose you just got +shot and even before you saw your energy bar decrease, the debugger broke +in. The first thing that you do is write down that address - CS:XXXX. Then +see what value is being decremented at that address. + + + +Example: + + + +The debugger broke in at 45C8: + + +1170:45C7 RET +1170:45C8 DEC WORD PTR [0320] + + + +Now simply view what is at that address (There is no CS:, ES:, or SS: +above the 45C8 instruction, so you know the default is DS:): + + +D DS:320 (Using soft-ice, or use your debugger's dump command) + + + +If you energy bar has for example 6 energy bars, and the value at DS:0320 is +06, then you know you could very well have found the address where the game +stores your current energy value. + + +Now the next step is to check if that address is indeed the current energy +value storage address. 
Simply enter FF at DS:320 and then run the game +again - notice anything different - more energy bars? If so, you found it. +If not, then maybe you still found it, but there is another routine that +updates the screen with the current energy value. + + +So the next step is to NOP out that DEC instruction at that address. But +instead of doing that, simply replace the first 2 bytes of the DEC +instruction (FF 0E) with EB 02 - thus jumping to the next instruction. This +is useful if you ever want to restore that DEC instruction back - all you +have to do is replace EB 02 with FF 0E. + + +If you NOP it out completely, not only do you have to put NOP 4 times, but +you are erasing the address value of the DEC instruction so unless you wrote +down the address, you will have to restart the program to restore back that +instruction. + + +Ok, so you replaced the FF 0E with EB 02. Now run the game and notice if +some things are different - does the timer still go down, or are the enemies +still moving etc. Now get your energy to go down. If you notice it go +down, keep on getting hit until the whole energy bar declines. If it does, +and you are still alive, then the game has 2 separate routines for storing +and displaying the energy bar. (Maybe another DEC instruction, which you +have not yet processed, is responsible for this). + + +If you died, then try something else now. Try to waste some +bullets/inventory items etc. If they all decrement and nothing is different +in the game, than that DEC instruction does something else in the game. + + +Repeat the search command, as outlined in section 7, and process the next 8 +DEC instructions. Do this until you have gone through them all. You should +find at least some decrementing instructions which decrease something +like the energy/lives/timer/enemy energy/inventory etc. 
If not, then search +for the next most common decrementing string, mainly the FE 0E - +DEC BYTE PTR [XXXX] + + +If you don't find anything there, proceed again with the next most common +decrementing string - until you find something. If you still don't seem +to be able to find anything worthwhile, then refer to section 8. + + + +NOTE : + + + +The code for some new games is written in a way that whenever you set a +break point on a certain address, the debugger won't break there. Instead +it will produce an error, or simply will skip over that break point and +continue running the program as if nothing happened. + + +This is especially noticeable when using soft-ice's BPX command. So if you +really think that you have found the right DEC/INC instruction, but +soft-ice does not break in, then use the same method of putting a break +point as for the other debuggers - by putting a EB 02 there at that address. +Now see if any changes occur in the game play. + + +What I sometimes noticed when debugging this type of game is that after I +set a break point on a certain dec instruction, run and play the game, get +hit, and notice that my energy/lives etc don't go down - and soft-ice +does not break in. What happens there is that the game's code jumps over +the dec instruction which has a break point on it, thus never executing it. +If you encounter this, then it is yet another indication that the game is +using this type of weird coding. + + + + + + + + ͻ + Section 10 + ͼ + + + + + + + +Once you have found the trainer data: + + + +So once you have found the locations where the game keeps all the goodies +- like your live/energy/timer value, etc, make sure you write down the +location of the DEC/INC instruction, and what memory area it decrements +or increments. 
+ + +Once you become more experienced with training, you might take some time to +study the code next to the DEC/INC instructions and see if there are any +other goodies - like making your man be totally invincible to everything +etc. + + +There are also some built-in tricks that game authors put in - like a secret +cheat mode option etc, so the work might already be done for you. Sometimes +all that it takes is the value 01 at some memory location - and you have +everything set to unlimited etc. + + +A good way of finding this sort of thing is to trace into the decrementing +routine and study the code at the start of that routine - if they have a +CMP WORD/BYTE and then a JZ to the end of that routine, this could very well +be that WORD/BYTE you have been looking for. And if that's set, the whole +routine is bypassed and therefor there will be no decrementation of whatever +it was going to decrement. + + +Another thing you might check for, if looking for a secret built-in trainer +option in the game, is to check to see what command line parameters the game +checks for. Sometimes game authors put in secret command line parameter +options that activate the already built-in trainers. A good example is Wing +Commander from Origin. They have a secret command line parameter that +activates the game's built-in trainer. + + +Checking to see for what command line parameters the game checks is very +easy to do with soft-ice. Simply use LDR.EXE and load up the game's loader +with some garbage parameter string. + + + +Example: + + + +LDR GAME.EXE testing + + + +Now once in soft-ice, set a break point on memory range (BPM) at DS:0082 - +which points to your command line parameter "testing". Then run the program +and see what your "testing" string is compared to. 
+ + + + + + + + ͻ + Section 11 + ͼ + + + + + + + +Making a "hard-cheat": + + + +If you don't know anything about writing a loader or a tsr, then you might +consider making a "hard-cheat" - this means that you simply will HEX edit +the game's loader file and search for the bytes that make up the DEC +instruction(s) and nop them out. To do this, you can use the following +method: + + +Write down the HEX string that the decrementing instruction is composed of. + + + +Example: + + + +You found this code : + + +15FF C3 RET ;Returns somewhere +1600 FF0E0734 DEC WORD PTR [3407] ;This is your dec +1604 833E073400 CMP WORD PTR [3407],+00 ;This CMP's it +1609 7415 JZ 160C ;This JMPS if Zero +160B C3 RET ;Returns somewhere +160C C606020301 MOV BYTE PTR [0302],01 ;This sets a byte +1611 C3 RET ;Returns somewhere + + + +Now simply note the byte composition at 1600 - FF 0E 07 34. You might +also want to take note of the following bytes (83 3E 07 34 00 74 15 C3) just +to be sure you have the correct address when you search for them. + + +Remember thou, lots of games have more than 1 DEC/INC instruction, so it +might be a good idea to search for only the first 4 bytes that compose that +decrement/increment instruction, that way you will find them all. + + +So now you wrote down those bytes. Quit the game and use a hex editor or +debug.exe etc, and search the game's exe or com file for those bytes. Once +found, nop them out and save the file. If you are using debug.exe to make +the changes, and want to edit an EXE file, make sure that you rename the EXE +file to an extension like DAT, prior to debugging it. This is because you +can't write to EXE/HEX files with debug.exe. + + + +Note: + + + +Look at the instruction above, at address 160C - MOVE BYTE PTR [0302],01. +Whenever the word at DS:[3407] is 0, the byte at DS:[0302] is set to 1. +What do you think this does? Here is the advantage of studying the game's +code around the DEC/INC instructions. 
+ + +The game will check to see if the byte at DS:0302 is 1 and then it will +display "GAME OVER" or something like that - but if you nop out that +MOVE BYTE PTR [0302],01 instruction, your lives/energy/ammo/time etc will +still go down, but the game won't end or you will still have unlimited ammo +etc - because, in this example, the game checks somewhere in the program, +the byte at DS:0302, not the value of DS:3407 to make it's decision whether +to end or continue the game, etc. + + +Entering 1 byte (00) at CS:1610 as for the above example, will not only save +you 4 nops at CS:1600, but might even make you a better trainer using a +"No-Touch" or invincible mode option - because the game might always "think" +that you are alive etc. + + +As you will see, there are many ways of training a game. + + + +Note: + + + +If you don't know how to write TSR's or loaders, then study the interactive +TSR and loader trainer examples included in this training tutorial package. + + + + + + + + ͻ + Section 12a + ͼ + + + + + + + +Generic trainer interfacing routine: + + + +By now you should have your addresses written neatly down on a piece of +paper. What now? Next step is interfacing your trainer with the game's +code. + + +There are many ways to interface your code into the game's code. I will +show you just the best one. I have seen so many people playing around with +the timer, having their own keyboard handling routines, hooking onto lots of +unnecessary interrupts - all this just to make a lousy 2 option "trainer". +Not only does this type of programming slow down the game, but it is much +harder and longer to write up this garbage code. + + + + + + + + ͻ + Section 12b + ͼ + + + + + + + +Interfacing to the game's keyboard routine: + + + +The following routine is the routine I use in all my trainers, and sometimes +cracks. Using this method, you can interface your code into practically any +software for the PC. 
It is by far the cleanest and best way to interface +your trainer into the game. + + +Practically all the new games today have their own keyboard handling +routine. The method in interfacing a trainer for those games who don't have +their own keyboard handling routine, is discussed in section 16e. + + +By now you should be still in the game. If you are not, simply restart the +game, and start playing it. Then break in with your debugger and set a +break-point on INT 9. To find the game's keyboard handling routine using +soft-ice, all you have to do is use the command BPINT 9, re-run the program +and press any key. You should now be in the game's keyboard handling +routine. + + + +Note: + + + +Make sure you write down some bytes composing the beginning of the keyboard +handling routine. You will need them to search for that same routine again +- as referred to in the example, in section 14. + + + + + + + + ͻ + Section 12c + ͼ + + + + + + + +Finding the game's keyboard handling routine: + + + +The game usually saves the original INT 9 vector address and then redefines +the INT 9 vector address to point to it's keyboard handling routine. So +when you start debugging the game, trace it all the way until you notice +the INT 9 vector being redirected to another location. This is the location +that I'm referring to. + + +If you have problems finding the routine in the game's program code which +redirects INT 9, then you can do the following: + + +Start and play the game, then break in with your debugger and view the INT 9 +vector address currently in the vector table (at 0000:0022). + + + +Example: + + + +After you dumped 0000:0022 you see the following: + + +0000:0022 1F 10 20 AC XX XX XX XX XX XX XX XX XX XX XX XX + A B C D + + +Your main concern is with the first 4 bytes. I have named them A,B,C,D. 
+Now to find out where the game's keyboard handling routine points to, simply +view it this way: + + +BA:DC - now replace each letter with the value it stands for: + + +101F:AC20 - simple ey! - so if you set a break point on this address, and +then press any key, you will be right in the game's keyboard routine. + + + +Once you set a break point on INT 9 or at the beginning of the keyboard +handling routine, run the game, and press any key. Your debugger should +break in. Now study the code. Below, in section 12d, is an example of the +beginning of a typical keyboard handling routine (taken from Prince of +Persia II). + + + + + + + + ͻ + Section 12d + ͼ + + + + + + + +Prince of Persia II keyboard handling routine listing: + + + +165D 1E PUSH DS ;Save current DS +165E 50 PUSH AX ;Save current AX +165F 53 PUSH BX ;Save current BX +1660 B8C03F MOV AX,3FC0 ;Move data-area value into AX +1663 8ED8 MOV DS,AX ;Move AX to DS +1665 E460 IN AL,60 ;*** Read keyboard port *** +1667 8AD8 MOV BL,AL ;Move read value in AL to BL +1669 D0C0 ROL AL,1 ;etc +166B 2401 AND AL,01 ;etc + + +Most keyboard handling routines have the same structure as the above. Note +the instruction at 1660 - MOV AX,3FC0 - this is the games data segment +address. This value is then moved to DS. Lots of games use this technique. + + +The above technique helps us a lot because your trainer doesn't always have +to find out what the game's current DS value is. This instruction is +nearly always present in the keyboard handling routines of most games. + + +The reason for this is as follows. Whenever you press a key in the game, +the game's current DS can be anything - because INT 9 will interrupt the +current operation of the program and execute the keyboard handling routine, +- with the DS value being whatever it was just before the INT 9 was called. +That is why the program has to reset the current DS address with the +predetermined DS address where it always keeps the key press values. 
+ + +Most often, the DS address value used in the keyboard handling routine, is +the SAME as the DS address value for which the game uses to store it's +lives/energy/ammo etc values. - Sometimes this is not so. (Read "Handling +different DS values", outlined in section 13 for explanations how to cope +when the game's keyboard handling routine's DS value is different from +the DS value where the game keeps the energy/lives/ammo etc, values). + + +Once you have found the game's keyboard handling routine, your main concern +is the address where the keyboard port is read in - with the instruction +IN AL,60. Put a break point on that address and run the game. Press any +key now and you should be in the debugger. Write down the current IP where +the IN AL,60 instruction is. (You will need that IP value later on when +writing the trainer interfacing routine). + + + + + + + + ͻ + Section 13 + ͼ + + + + + + + +Handling different DS values: + + + +Remember that the DS that the keyboard handling routine uses to store it's +data is not always the same DS that the game keeps the +lives/energy/ammo/timer etc values at. If the DS value in the keyboard +handling routine is different from the DS value where the game keeps your +lives/energy etc values, then you will have to do the following : + + +Write down the DS value that the keyboard handling routine uses and the DS +value that the game uses to store your lives/energy/ammo/timer etc values. +Quit the program and calculate how much to add or subtract from the keyboard +routine's DS value, to obtain the DS value that the game uses to store it's +lives/energy etc, values at. I use debug.exe to do the calculations. + + + +Example: + + + + +DS in the keyboard handling routine is 2CF0. The DS value where the game +keeps your lives/energy etc values is 1345 (which is lower than 2CF0, so +you will subtract it from 2CF0). 
+ +Using debug.exe: + + +A 100 +XXXX:0100 MOV AX,2CF0 +XXXX:0104 SUB AX,1345 + + + +Now simply proceed through those 2 instructions and note the AX value after +the SUB instruction. Write it down. In this example the value of AX after +subtraction is 19AB. So in your loader/tsr code you could do the following: + + +PUSH AX ;Save current AX value +PUSH DS ;Save current DS value +MOV AX,19AB ;Move 19AB to AX (the calculated value as shown above) +SUB DS,AX ;Subtract the game's current keyboard DS value with the + calculated AX value. Now DS will equal the DS value where + the game keeps the lives/energy etc values at. + + + +Remember also that you don't necessary have to use DS always - the game can +be using CS to store your current lives/energy etc values - if so, simply +modify the above routine to work with CS. The above trick works for every +possible address, so you will always find your data. + + + + + + + + ͻ + Section 14 + ͼ + + + + + + + +Writing the trainer loader or TSR code: + + + +By now you should have all the training-related information on paper. It +should include : + + +1) The addresses where the lives/energy etc are stored (XXXX:YYYY) - (not + the actual DEC/INC instruction address locations, but the addresses that + the DEC/INC instructions modify). + + +2) The value to add/decrement to/from the above addresses. (If you want + to increase your energy, for example, to full, note what value + represents energy full at that address, so when you later on define the + trainer keys, and select the energy-boost key, you will know what value + to add to the energy storage address to boost up the energy to max). + + +3) The address of the program's keyboard handling routine and the IP of the + IN AL,60 instruction. 
(If there is no IN AL,60 instruction in the + keyboard handling routine, then write down the address of the IP of your + chosen instruction to replace with CD 21 - for more information refer to + "Interfacing with different keyboard handling routines", outlined in + section 16e). + + + You should have 2 addresses of the program's keyboard handling routine. + The first one should be the address that you check/interface your + trainer code into the game's keyboard handling routine. + + + To get this address, start up your debugger, debug the game's loader and + set a break point on INT 21 - if using soft-ice, or trace the program to + the first INT 21. Then once you are there, don't trace into the INT 21, + just merely search for the keyboard handling routine using the program's + current CS. (You should have previously noted some of the bytes which + compose the beginning of the keyboard handling routine. Refer to the + "Note", back in section 12b). + + + +Example: + + + +You are looking for the following bytes : E4 60 8A D8 D0 C0 + + +S CS:0 L FFFF E4 60 8A D8 D0 C0 + + + +If you find nothing, try DS, ES, or SS. If you still find nothing, then +search higher in memory like 2000, 3000, 4000 etc. (Refer to section 9 for +more information on searching for data). + + +If you still don't find those bytes, then the keyboard handling routine in +the program might still be compressed or encrypted. Run the program for a +bit and then retry the above steps. + + + +Note : + + + +If you didn't find the routine while searching with CS, DS, ES, or SS, +but found it when you searched the higher memory, like 3000 for example, +then you will have to do either one of the following: + + +3a) Set a break point on the next INT 21, or run the game for a bit, then + reset the break point back to INT 21. Then try again to search for the + keyboard routine's bytes - only using CS, DS, ES, or SS. If you still + don't find anything, then resort to step 3b. 
+ + +3b) Since the keyboard handling routine address cannot be found using the + current CS, DS, ES or SS, you won't be able to interface your trainer + code using the above registers. You will have to use the method + described in section 13, and use the memory range address at which you + DID manage to find the keyboard handling routine with (eg: 0800:XXXX or + 3000:XXXX etc). + + + +The second address should be the game's current CS:IP when the game is +running. (For more information, refer to "Finding the runtime CS:IP of the +keyboard handling routine", outlined in section 16c). + + + +Note: + + + +The 2 addresses described above, can be the same - the game's CS can be the +same at startup and once it's running, but if it's not, then follow the +above steps to obtain those 2 addresses. You will need them later on to +write the generic trainer code interfacing routine, as outlined in section +16a. + + + +4) If the DS value in the program's keyboard handling routine is different + from the address where the game keeps the lives/energy etc values, as + outlined in section 13, you should have both the program's keyboard + handling routine's DS value and the address (XXXX:YYYY) where the + program keeps the lives/energy etc values at. + + + (You should also have calculated out what the final DS value should be + for the above. (For more information refer to "Handling different DS + values", outlined in section 13)). + + +5) The keyboard key press scan value that you will compare later on in your + trainer code, for your defined trainer keys. + + + +Once you have necessary information as stated above, then you are ready for +the next step. + + + +The loader or TSR that you are going to use has to be able to hook onto an +existing interrupt and redefine it's vector to your trainer routine. I +usually hook onto INT 21, but in theory you can hook onto any interrupt you +wish. 
But hooking onto INT 21 is preferable because of 2 things : + + + +1) All the games will use INT 21 at some point in the game - therefor + activating your defined INT 21 routine, which in turn integrates itself + directly to the game's code. + + +2) There won't be much "confusion" once the game is running. - Games very + seldomly execute INT 21's during game play - so your INT 21 "interface" + will not slow-down/conflict with any game playing operations. + + + +Also loader-trainers are better than writing TSR-trainers mainly because +they are "cleaner" - sure they both hook onto certain interrupts, but a +loader always restores it's hooked interrupt(s) upon exiting the program, +and in most cases, uses less memory. + + +If you don't know how to write loaders, or prefer to write TSR's, then I +suggest that you also include a self-removal option in your TSR - either +user requested or upon program termination. You can use the routine +outlined in section 15. + + + + + + + + ͻ + Section 15 + ͼ + + + + + + + +Generic TSR self-removal routine: + + + +0100 1E PUSH DS +0101 50 PUSH AX +0102 52 PUSH DX +0103 06 PUSH ES +0104 0E PUSH CS +0105 1F POP DS +0106 A12C00 MOV AX,[002C] + + +0106 : Get the DOS environment segment address. + + +0109 8EC0 MOV ES,AX +010B B449 MOV AH,49 +010D CD21 INT 21 + + +010D : Free the allocated memory. + + +010F C5167801 LDS DX,[0200] + + +010F : Load pointer using DS - from DS:[0200] (DS=CS). This is done to + restore the original INT 21 vector. The original vector was saved at + CS:0200. + + +0113 B82125 MOV AX,2521 +0116 CD21 INT 21 + + +0116 : Hook and restore back the original INT 21 vector. 
+ + +The below routine removes the TSR from the memory block: + + +0118 8CC8 MOV AX,CS +011A 48 DEC AX +011B 8ED8 MOV DS,AX +011D C70601000000 MOV WORD PTR [0001],0000 +0123 07 POP ES +0124 5A POP DX +0125 58 POP AX +0126 1F POP DS +0127 CF IRET + + +0200 0000 0000 ;Original INT 21 vector saved here + + + + + + + + ͻ + Section 16a + ͼ + + + + + + + +Generic trainer code interfacing routine: + + + +The way this routine works is by hooking itself to the game's code, mainly +at the address where the IN AL,60 - keyboard port read instruction is. It +replaces the original bytes of that instruction (E4 60) with CD 21. Every +time you press any key during the game, your trainer routine is executed +instantaneously. + + +I will take you step by step through the next example, taken from the +Interactive 8 option trainer for Prince of Persia II. + + + + + + + + ͻ + Section 16b + ͼ + + + + + + + +Prince of Persia II interactive trainer interfacing routine: + + + +0100 9C PUSHF ;Push Flag +0101 55 PUSH BP ;Push BP +0102 1E PUSH DS ;Push DS +0103 89E5 MOV BP,SP ;Move current SP to BP +0105 8E5E08 MOV DS,[BP+08] ;Move current CS to DS. + + +The principle of operation of the 0105 instruction is as follows. + + +Whenever an interrupt is called, the original FLAGS, CS, and IP are pushed +into the stack. Now if you move the current SP to BP, then move the value +at SS:[BP+08] to DS, you will get the program's current CS. + + +0108 26 ES: +0109 813E6516E460 CMP WORD PTR [1665],60E4 + + +0109 : Compare the values at address ES:1665 to 60 E4. + + +Why ES:? Remember that your trainer routine is hooked onto INT 21. Now +whenever the game starts up - the very first INT 21 executed, will either +be the dos version checking INT 21, or a memory allocating INT 21 etc. 
+ + +Now every time ANY INT 21 is executed in the game, if the current CS:IP is +let's say at 2300:1200, and the keyboard handling routine's IN AL,60 address +is at 14FA:0377, then you won't be able to interface your code to the +keyboard handling routine's code, since the program's current CS is way +higher than 14FA. + + +The reason I used the ES value is because the value was just perfect - I +found the E4 60 bytes at address 1665 when searching with ES:, but couldn't +find them when searching with CS, DS, or SS. (You see, it's a good idea +to search with DS, ES, or SS first - if unable to find anything using CS, +before adverting to the procedures outlined in section 13). + + +But in most cases you will be able to interface directly to the game's +keyboard handling routine with the program's current CS value. (For more +information, refer to step 3 in "Writing the trainer loader or tsr", +outlined in section 14). + + +0109 : The instruction at 0109 is checking if at ES:1665 the bytes E4 60 + exist - if they do, it means that's where the instruction IN AL,60 + is. (Refer to "Prince of Persia II keyboard handling routine + listing", outlined in section 12d). + + + +010F 7507 JNZ 0118 ; If it is not, then jump to the exit + portion of your routine. + + +0111 26 ES: +0112 C7066516CD21 MOV WORD PTR [1665],21CD + + + +0112 : Else, replace the instruction at ES:1665 with CD 21 (your already + hooked INT 21 handling routine). + + +0118 817E066715 CMP WORD PTR [BP+06],1567 +011D 7405 JZ 0124 + + +0118 : Compare if SS:BP+06 (which is the game's current IP BEFORE it + entered your INT 21 hooked routine) to 1567. This routine is + comparing if the INT 21 instruction is YOURS or if it's some other + INT 21 instruction used by the game. This is accomplished by + comparing the game's current IP (instruction pointer) to 1567. If it + is indeed YOUR inserted INT 21 routine calling, then the trainer + JMPS to it's trainer routine (which starts here at 0124). 
+ + +In this example, you will notice that the IP is different from the address +1665 - it's 1567. Why? Simple, because when the game runs, the CS was +different from ES - which you previously used to insert the CD 21 with. +(For more information regarding the IP, refer to section 16c). + + +The routine below, restores DS,BP,FLAGS and jumps to the original INT 21 +vector: + + +011F 1F POP DS +0120 5D POP BP +0121 9D POPF +0122 EB77 JMP 019B + + +The above routine is executed due to one of the following: + + +1) Either the E4 60 value was not found at the specified address or; + + +2) The program's current IP is not pointing to your inserted INT 21 IP + address. (This might be another INT 21 instruction that the game is + currently using somewhere else - so the trainer code will restore DS, BP + and the FLAGS, and jump to the original INT 21 saved vector, thus + letting the game do whatever it wanted to. + + +Else, the following code is executed : + + +0124 1F POP DS + + +0124 : Restore the program's current DS. In this case the keyboard handling + routine's DS value is the same for where the game keeps it's key + presses and where it stores the value of your current + energy/time/level etc, values. That's why I restored DS right here, + so my trainer can use it later on. (And also note that for this + trainer example, you don't need to use the procedures listed in + "Handling different DS values", as outlined in section 13) + + +0125 E460 IN AL,60 + + + +0125 : This instruction reads the keyboard port. This instruction has to be + present in the trainer code, since you replaced it with CD 21 in the + game's code, remember? 
+ + + +The following code compares the key press to the function keys defined for +the trainer, and jumps correspondingly: + + + +0127 3C3B CMP AL,3B +0129 741F JZ 014A +012B 3C3C CMP AL,3C +012D 7422 JZ 0151 +012F 3C3D CMP AL,3D +0131 745D JZ 0190 +0133 3C3E CMP AL,3E +0135 7421 JZ 0158 +0137 3C3F CMP AL,3F +0139 7433 JZ 016E +013B 3C40 CMP AL,40 +013D 7436 JZ 0175 +013F 3C43 CMP AL,43 +0141 743D JZ 0180 +0143 3C44 CMP AL,44 +0145 7441 JZ 0188 + + +If some other key was pressed, which is not used by the defined trainer +keys, the following routine is executed. It merely restores the BP, FLAGS +and IRETS back to the program. The AX value however was not saved in the +beginning of the routine, and is always different upon returning back to +the program. There, it is used by the game to determine what keys were +pressed. (The original DS value was restored earlier remember?). + + +0147 5D POP BP +0148 9D POPF +0149 CF IRET + + +The following instructions change the data values in the program's DS to +train the game. The trainer data was derived using the same techniques as +outlined in this training tutorial. + + +014A C606865C01 MOV BYTE PTR [5C86],01 +014F EBF6 JMP 0147 +0151 C606865C00 MOV BYTE PTR [5C86],00 +0156 EBF7 JMP 014F +0158 C6060D5C21 MOV BYTE PTR [5C0D],21 +015D C6064D5C21 MOV BYTE PTR [5C4D],21 +0162 C606CD5C21 MOV BYTE PTR [5CCD],21 +0167 C6060D5D21 MOV BYTE PTR [5D0D],21 +016C EBE8 JMP 0156 +016E C6062A5EFF MOV BYTE PTR [5E2A],FF +0173 EBF7 JMP 016C +0175 C6062C5E01 MOV BYTE PTR [5E2C],01 +017A FE06465E INC BYTE PTR [5E46] +017E EBF3 JMP 0173 +0180 C706825C9300 MOV WORD PTR [5C82],0093 +0186 EBF6 JMP 017E +0188 C706825CC101 MOV WORD PTR [5C82],01C1 +018E EBF6 JMP 0186 +0190 C706925C1919 MOV WORD PTR [5C92],1919 +0196 EBF6 JMP 018E +0198 90 NOP +0199 90 NOP +019A 90 NOP +019B EA00000000 JMP XXXX:XXXX ;Jump back to the original INT 21 + vector. 
+ + + +For a better understanding of the above code, study the Prince of Persia II +interactive 8 option TSR or loader trainer examples (PP2T-TSR.COM and +PP2T-LDR.COM and their DOC - PP2T-T&L.DOC). Both are included in this +training tutorial package. They correspond exactly to the above example. + + + + + + + + ͻ + Section 16c + ͼ + + + + + + + +Finding the runtime CS:IP of the keyboard handling routine: + + + +To always know what the current IP will be once the program is running, +simply set a break point in the program's keyboard handling routine, press a +key, and once your debugger breaks in, note the address of the keyboard +handling routine. + + +Write down the address of the IN AL,60 instruction. If the game doesn't use +INT 9 or IN AL,60 in it's keyboard handling routine, then refer to +"Interfacing with different keyboard handling routines", as outlined in +section 16e). + + + + + + + + ͻ + Section 16d + ͼ + + + + + + + +Comparing the program's current IP: + + + +When comparing the program's current IP - like in the above example in +section 16b, at 0118, you have to remember that the program's current IP +points to the address AFTER the interrupt was called. + + + +Example: + + + +If the code looks like this : + + +0100 E460 IN AL,60 +0102 88C3 MOV BL,AL + + +And you replace E4 60 with CD 21: + + +0100 CD21 INT 21 +0102 88C3 MOV BL,AL + + + +Then once the program executes your interrupt 21, and you check for the +program's current IP as described above, make sure you compare the IP to +0102! - the instruction right after the INT 21 - because after all, once the +program exits from your INT 21 routine via the IRET instruction, it doesn't +return back to 0100, it returns to the next following instruction. + + + + + + + + + + ͻ + Section 16e + ͼ + + + + + + + +Interfacing with different keyboard handling routines: + + + +All games have a keyboard handling routine. 
But some rare OLD games might +not use INT 9 to handle their key presses, or they might not use the IN +AL,60 instruction - just INT 16 for checking key presses. + + +So what's the problem there? Again, simply find a 2 byte instruction +somewhere right after the INT 16 instruction that you can replace with CD +21, and you are in business. + + + +Example: + + + +0100 30E4 XOR AH,AH +0102 CD16 INT 16 ;here is the game's INT 16 +0104 88C3 MOV BL,AL +0106 80EB11 SUB BL,11 + + + +There is a nice instruction at 0104 that you can change to CD 21. Then all +you have to do in your INT 21 hooked routine is to execute that instruction +somewhere in the beginning or the end of your code - doesn't really matter +where, but make sure BL equals the AL key press value, once your routine +IRETS back to 0106. + + + + + + + + ͻ + Section 17 + ͼ + + + + + + + +Below is another example, taken from the Fox Ranger interactive 9 option +trainer. Notice that at 010A, there is no E4 60 (IN AL,60). I'm hooking +INT 21 at some address which is in the game's program loop - you see, it can +be done in lots of different ways, as described above in "Interfacing with +different keyboard handling routines", in section 16e. I will only explain +the important stuff in the following example: + + + +Fox Ranger interactive 9 option trainer routine listing: + + + +0100 9C PUSHF +0101 55 PUSH BP +0102 1E PUSH DS +0103 89E5 MOV BP,SP +0105 8E5E08 MOV DS,[BP+08] +0108 26 ES: +0109 813EBA1DB000 CMP WORD PTR [1DBA],00B0 +010F 7507 JNZ 0118 + + +0109 : Compare ES:[1DBA] to 00 B0, if not, restore DS,BP,FLAGS and jump to + the original INT 21 vector. 
+ + +0111 26 ES: +0112 C706BA1DCD21 MOV WORD PTR [1DBA],21CD + + +0112 : Hook your defined INT 21 routine at ES:[1DBA] + + +0118 817E06BC1C CMP WORD PTR [BP+06],1CBC +011D 7405 JZ 0124 + + +0118 : Compare current SS:[BP+06] (BP=SP) which is the program's current IP + to 1CBC - if it's at your INT 21 IP, then jmp to the trainer routine, + else restore DS,BP,FLAGS and jump to the original INT 21 vector + (as in 011F-0122). + + +011F 1F POP DS +0120 5D POP BP +0121 9D POPF +0122 EB7D JMP 01A1 +0124 8CDD MOV BP,DS +0126 06 PUSH ES +0127 1F POP DS +0128 A0722D MOV AL,[2D72] + + +0128 : Move into AL the key press which the game stored at ES:[2D72] - (As + you see, the game does not always have to have the IN AL,60 + instruction, for you to be able to interface your trainer with the + keyboard. As long as you find out where the game stores it's key + presses, you will always be in business. + + +The following compares the key press to see if it's one of the defined +trainer key presses: + + +012B 3C4A CMP AL,4A +012D 7459 JZ 0188 +012F 3C4E CMP AL,4E +0131 744B JZ 017E +0133 3C26 CMP AL,26 +0135 7461 JZ 0198 +0137 3C30 CMP AL,30 +0139 7427 JZ 0162 +013B 3C20 CMP AL,20 +013D 742A JZ 0169 +013F 3C32 CMP AL,32 +0141 7412 JZ 0155 +0143 3C21 CMP AL,21 +0145 744B JZ 0192 +0147 3C24 CMP AL,24 +0149 7425 JZ 0170 +014B 3C1E CMP AL,1E +014D 7428 JZ 0177 +014F B000 MOV AL,00 +0151 1F POP DS +0152 5D POP BP +0153 9D POPF +0154 CF IRET + + +The following is the training routine. The training data was derived using +the same techniques as outlined in this training tutorial. 
+ + +0155 A2802F MOV [2F80],AL +0158 893E812F MOV [2F81],DI +015C 893E832F MOV [2F83],DI +0160 EBED JMP 014F +0162 C606BF2F01 MOV BYTE PTR [2FBF],01 +0167 EBF7 JMP 0160 +0169 C6067A2F01 MOV BYTE PTR [2F7A],01 +016E EBF7 JMP 0167 +0170 C606244305 MOV BYTE PTR [4324],05 +0175 EBF7 JMP 016E +0177 C6067E2F01 MOV BYTE PTR [2F7E],01 +017C EBF7 JMP 0175 +017E 8EDD MOV DS,BP +0180 C70660DD0900 MOV WORD PTR [DD60],0009 +0186 EBF4 JMP 017C +0188 8EDD MOV DS,BP +018A C70660DDB304 MOV WORD PTR [DD60],04B3 +0190 EBF4 JMP 0186 +0192 FE06792F INC BYTE PTR [2F79] +0196 EBF8 JMP 0190 +0198 FE06762F INC BYTE PTR [2F76] +019C EBF8 JMP 0196 +019E 90 NOP +019F 90 NOP +01A0 90 NOP +01A1 EA00000000 JMP XXXX:XXXX ; Jump back to the original INT 21 + vector. + + + +For a better understanding, study the Fox Ranger interactive 9 option +tsr trainer example (FRT-TSR.COM and read it's DOC - FRT-TSR.DOC) included +in this trainer package. It corresponds exactly to the above example. + + + + + + + + ͻ + Section 18 + ͼ + + + + + + + +Below is another example, taken from the Legend of Myra Interactive 10 +option trainer: + + + +Legend of Myra Interactive 10 option trainer routine listing: + + + +0100 9C PUSHF +0101 55 PUSH BP +0102 1E PUSH DS +0103 89E5 MOV BP,SP +0105 8E5E08 MOV DS,[BP+08] +0108 813E250E8AD8 CMP WORD PTR [0E25],D88A +010E 7506 JNZ 0116 + + +0108 : Compare the word at CS:[0E25] (DS=CS because of the instruction at + 105) to D8 8A. Skip the following instruction if not zero. + + +0110 C706250ECD21 MOV WORD PTR [0E25],21CD + + +0110 : Interface your INT 21 hooked routine at CS:[0E25] + + +0116 817E06270E CMP WORD PTR [BP+06],0E27 +011B 7406 JZ 0123 + + +0116 : Compare the word at SS:[BP+06] (which is the program's current IP) to + 0E27. Note that the address of the program's current IP and the + address where you inserted your CD 21 word is identical - you see, + sometimes the program's current CS can be the same at startup, and + during game play. 
(Refer to step 3 in "Writing the trainer loader or + tsr code", outlined in section 14). + + (The reason for the 2 byte increase from 0E25 to 0E27 now, is because + the program's current IP points to the next following instruction + after your INT 21. (For more information on this, refer to + "Comparing the program's current IP", outlined in section 16d). + + +The next instructions listed below restore DS,BP,FLAGS and jump back to the +original INT 21 vector - if the compare at either 0108 or 0116 failed. + + +011D 1F POP DS +011E 5D POP BP +011F 9D POPF +0120 E97F00 JMP 01A2 + + +The instructions below move into AL the key presses taken from the program's +keyboard key press storage data area and compare them to the trainer defined +keys: + + +0123 1F POP DS +0124 5D POP BP +0125 50 PUSH AX +0126 A0E409 MOV AL,[09E4] +0129 3C3B CMP AL,3B +012B 743B JZ 0168 +012D 3C3C CMP AL,3C +012F 743D JZ 016E +0131 3C3D CMP AL,3D +0133 7427 JZ 015C +0135 3C3E CMP AL,3E +0137 743B JZ 0174 +0139 3C3F CMP AL,3F +013B 7425 JZ 0162 +013D 3C40 CMP AL,40 +013F 7415 JZ 0156 +0141 3C41 CMP AL,41 +0143 7435 JZ 017A +0145 3C42 CMP AL,42 +0147 7437 JZ 0180 +0149 3C43 CMP AL,43 +014B 7440 JZ 018D +014D 3C44 CMP AL,44 +014F 7435 JZ 0186 +0151 58 POP AX +0152 9D POPF +0153 EB44 JMP 0199 +0155 90 NOP + + +The following is the training routine. The training data was derived using +the same techniques as outlined in this training tutorial. 
+ + +0156 C646F643 MOV BYTE PTR [BP-0A],43 +015A EB38 JMP 0194 +015C C646F6CE MOV BYTE PTR [BP-0A],CE +0160 EB32 JMP 0194 +0162 C646F65E MOV BYTE PTR [BP-0A],5E +0166 EB2C JMP 0194 +0168 C646F691 MOV BYTE PTR [BP-0A],91 +016C EB26 JMP 0194 +016E C646F693 MOV BYTE PTR [BP-0A],93 +0172 EB20 JMP 0194 +0174 C646F6CD MOV BYTE PTR [BP-0A],CD +0178 EB1A JMP 0194 +017A C646F6C3 MOV BYTE PTR [BP-0A],C3 +017E EB14 JMP 0194 +0180 FE06EE1F INC BYTE PTR [1FEE] +0184 EBCB JMP 0151 +0186 C606FD3D01 MOV BYTE PTR [3DFD],01 +018B EBC4 JMP 0151 +018D C606D01F64 MOV BYTE PTR [1FD0],64 +0192 EBBD JMP 0151 +0194 58 POP AX +0195 31C0 XOR AX,AX +0197 EBB9 JMP 0152 +0199 C606E40900 MOV BYTE PTR [09E4],00 +019E 88C3 MOV BL,AL +01A0 CF IRET +01A1 90 NOP +01A2 EA00000000 JMP XXXX:XXXX ;Jump back to the original INT 21 + vector. + + + +For a better understanding, study the Legend of Myra interactive 10 option +tsr trainer example (LOMT-TSR.COM and read it's DOC - LOMT-TSR.DOC) included +in this training package. It corresponds exactly with the above example. + + + + + + + + ͻ + Section 19 + ͼ + + + + + + + +Interactive TSR/loader trainer examples: + + + +This training tutorial comes with 4 interactive trainer examples (in COM +format) There are 3 interactive TSR trainer examples and 1 interactive +trainer loader example, included with this training tutorial. The ASM code +structure of all 4 interactive trainer examples, is identical to the ASM +code structure of the examples outlined in this documentation. Even the +trainer code found in each of the 4 trainer examples, starts at CS:0100 +- exactly as listed here in this training tutorial. + + +This was done so that you will be able to study the examples listed here and +then refer to the actual interactive TSR/loader trainer examples. + + +You should note however, that all the 3 TSR trainers use the same install +checking routine - to see if they have already been previously installed +in memory. Remember to only install one at a time. 
+ + + + + + + + ͻ + Section 20 + ͼ + + + + + + + +Summary: + + + +By studying the above examples and the actual trainer program examples +(PP2T-TSR.COM, FRT-TSR.COM, LOMT-TSR.COM, PP2T-LDR.COM) included in this +trainer tutorial package, you will learn how to write trainers for the PC, +or at least broaden your knowledge on this topic. + + +I hope this trainer tutorial helps all you boys out there who always +wondered how it's done. Maybe now I can retire for good since you boys will +be making all the trainers from now on! + + + +Anyways... + + + +From the boys at UNT, : Take care & have PHUN! + + + + Dr. Detergent / UNT'93 + + + +############################################################################ + +By the way... + + + I'm a pilot currently without a job! - if you are an owner of a + charter company or a flight school, or have contacts in the aviation + industry, and know of a job opening, then by all means contact me - + through the UNTOUCHABLES! + + Got a valid flight instructor's rating, multi-engine, glider lic, + certified on 10 types of aircraft, and other goodies. + + Ready and willing to relocate ANYWHERE! + + And if you think that my cracking/training/programming is good, + then wait till you see me fly! + +############################################################################ + + + + [ THE UNTOUCHABLES CREW ]͸ + ķ + ķ + + UNTOUCHABLES į + + Bandieto Mr. Fizz The Psychiatrist The Whistler + + Booper Chester Code Breaker Dark Knight Dr. Detergent Faceless + + Fenris Wolf Silver V Spyke the Impaler The Bandit + + Wayward Ford Prefect + + The Courier Team į + + Nightblade Vertigo + + August Spies Cable Dr. Donnatello Macgyver Minotaur + + Mirage Quazar Satch Shadowhawk Sinclair Specs + + Tasslehoff Burrfoot The Invid The Predator The Roamer Torgall + + Ľ + Ľ + + [ UNTOUCHABLES BOARDS ]͸ + ͸ +͸ + < BOARD NAME > < NUMBER > < SYSOP > < NODES/POSITION > +͵ + - [ ALL HQs ] - +ij + Apocalypse ........ ITS-PRI-VATE The Whistler 5 World ..... 
HQ + The Dark Palace ... ITS-PRI-VATE Escape Key .. 10 Courier ... HQ + The Burning Church ITS-PRI-VATE -aD! ........ 3 Canadian .. HQ +ij + - [ MEMBER BOARDS ] - +ij + House of the R/Sun 703-406-8920 Dark Knight . 2 UNTNET HUB + Members Only ...... ITS-PRI-VATE Chester ..... 4 | Member - Board + MidWest Exchange .. ITS-PRI-VATE Silver V .... 5 | Member - Board + Pristine Towers ... ITS-PRI-VATE Vertigo ..... 2 Member - Board +ij + - [ SITES ] - +ij + Power Base ........ +49-XXX-XXXXXX Powerlite ... 1 | Distro .. Site + The GodsLand ...... 410-360-3598 Crash ....... 1 | Distro .. Site + The Land's End .... 703-XXX-XXXX Rogue Trader 1 | Distro .. Site + Twilight Zone ..... 504-XXX-XXXX Jack Flash .. 3 | Distro .. Site + Xcess Unlimited ... +49-XX-XXXXXXX Creme ....... 2 Distro .. Site +; + ; + + + + [ PLEASE NOTE ]͸ + ķ +ķ + + We are now accepting applications, please pick up an application at any + UNTOUCHABLES HQ, or contact us on our VMB. + + 1-800-328-3440 450 (After 6PM -EST) + + If you like and use a software, please take it upon yourself to buy + it. Supporting quality programmers is in all of our interest. + +Ľ + Ľ + + ķ + ķ + - [ U N T O U C H A B L E S ] - + Ľ + Ľ + diff --git a/textfiles.com/piracy/CRACKING/unp.txt b/textfiles.com/piracy/CRACKING/unp.txt new file mode 100644 index 00000000..ee92acac --- /dev/null +++ b/textfiles.com/piracy/CRACKING/unp.txt 
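Review bot: the file's encoding is not preserved in this hunk; the section banners (Sections 14 through 20) render as isolated Greek letters (ͻ, ͼ), and the UNTOUCHABLES crew and boards boxes at the end come through as runs of blank lines and stray characters (ķ, Ľ, ͸, ij), which is what CP437 box-drawing bytes look like after being transcoded as another code page. Since the purpose of the commit is to archive the original textfile, commit it as its original bytes, or as a faithful CP437 to UTF-8 transcoding with the encoding noted, so the banners and the board list survive.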
@@ -0,0 +1,685 @@ + + + + + ݳ + + ݳ + + + + Ŀ + + + Written by Ben Castricum + + May 30, 1995 + + + + This is the documentation belonging to and explaining the use of: + + + UNP V4.11 + + + Executable file restore utility + + + + +TABLE OF CONTENTS: + +DISCLAIMER +WHAT IS UNP ? +GENERAL INFO +HOW TO USE UNP +MESSAGES +NOTES ON COMPRESSORS +REGISTERING UNP +HEY! UNP IS COMPRESSED! +WHAT UNP CAN REMOVE +WHAT UNP CANNOT REMOVE +CONTACTING ME + + +Disclaimer +---------- +Under NO circumstances I can be held responsible for any damage caused by +files in this or any other package containing programs written by me. +(That should do it :-) + + +What is UNP ? +------------- +UNP's main purpose is to restore executable files to their original state. +However it can do more than that. UNP can optimise EXE-headers, remove +debug information, convert files from one structure to the other, scan +directories for compressed files, reveal hidden viruses and even make files +that didn't run anymore run again. + + +General info +------------ +Before you start using UNP, I would like to point out a few things which you +might take into consideration. + +Compressed EXE files containing an overlay may not work correctly after they +have been decompressed. Decompression expands the code size of the EXE file +which also means that the overlay moves up. Some programs do not check where +the overlay currently is but just use a constant to get the overlay. If this +is the case, most anything can happen. + +When you use UNP to convert a file to another structure, please take into +consideration that the converted program never runs under the exact same +conditions as it did before. Though these differences are likely not to +cause any problems with most programs, there are always programs which expect +just that what is changed by conversion. + +UNP can do just about anything with files. This definately includes messing +up your files. 
For that reason it is always a good idea to have a backup of +the files your are going to process. Someone suggested to let the -b +(create backup) option turned on by default. Although this is a good idea, +it's still not 100% reliable. + +UNP is not case sensitive in anyway, nor does it care about extensions. This +however does not mean that it is possible to convert files which are reported +by UNP to be "binary (.COM)" can all be converted to .EXE files. Files which +are not really .COM files (e.g. .BAT or .GIF) will not run or view the +picture when converted and executed. + + +How to use UNP +-------------- +If you type UNP without any parameters then you will get the built-in help +screen of UNP which is explained below. + + - Commands - These are 1 character long and only one can be specified on the +command line. It does not really matter where you put it. If no command is +specified, the E command is used. + +c = convert to COM file + Some .EXE files can be converted to .COM files. You can do this by using + this command. Please note that the resulting file will not automaticly + have a .COM extention. You should only convert a file when you know + exactly what you are doing (see general info section). + +d = make current options default + Using this command enables you to specify the default options yourself. + Simply type the options on the commandline you would like to have as + default and use this command. UNP will modify itself to the settings + as default. For example to let UNP always create a backup use + UNP d -b+ + UNP stores the new settings in itself, which means that UNP is self- + modifying. With most anti-virus programs, this causes some alarm to go + off. Check your anti-virus program documentation on how to solve this + problem (see also: Hey! UNP is compressed!) + +e = expand compressed file (default) + This command expands the compressed file. If you do not specify a + command, UNP will use this by default. 
Using this command without a + filename will result in unpacking all files in the current directory + +i = show info only + If you just want some information about the file, this is the command to + use. UNP will show all information like the E command but will not + decompress or write the file back. + +l = load and save + This command loads a .COM or .EXE file but does not expand it. It will be + written back just like a decompressed file would be written back. This is + useful in case you want to remove an overlay, irrelevant header data or + optimize the relocation items. + +m = MarkEXE, insert a file in header + MarkEXE is a small utility supplied with PROTECT! EXE/COM V5.0. This + program can add a piece of text to an EXE file in such a way that when the + file is shown on screen the user can see that piece of text. The 'M' + command does not exactly do the same as MarkEXE. First it inserts the + file before the relocation items, this way any EOF markers in the + relocation items won't screw it up. Second, UNP does not place the same + piece of text at the end of the code, since I see this as more or less + screwing up the file. + +o = copy overlay + A new (and probably rarely used) command is the overlay copy command. + With this you can get the overlay from some .EXE file and append to some + other .EXE file. The idea behind this is that when you use LZEXE as + compressor, the overlay is removed from the file. With this command you + can place the overlay back. + +s = search for compressed files + When you use this command, only a small list of compressed files matching + the Infile wildcard will be generated. To save some space on the screen, + the pathname of the file will not be show. But since UNP does not work + recursive, it should not be a problem. + +t = trace executable + My first attempt to a general unpacker can be found in this command. + Actually there are 2 different implemtations. 
The implementation used for + .COM files will single-step through a program and checking every + instruction if the original program has been restored. If UNP thinks it + has, it will stop and write the file back. Unfortunately this is a very + slow process. The .EXE implementation also single-steps through the file + but it checks every step to see if a known packer has been revealed. If + it has found one, it will remove it and write it the resulting file back. + If the program has not been compressed with a known packer, sooner or + later some interrupt will be used which UNP will detect and abort the + tracing. + +x = convert to EXE file + Some compressors can only compress .EXE files (like LZEXE). With this + command you can convert a .COM file to an .EXE file. The resulting file + will not be written back with an .EXE extension by default. As with the + .EXE to .COM conversion, be sure you know what you're doing. Not all + programs can be converted. + + + - Options - Even more fun can be achieved with specifying options on the +command line. Options can be passed sepparated (like -a -b -c) but can also +be combined (like -abc). After each option there can be one of the +characters "-", "+" or "?". The first turns switches off, the second turns +them on and the third.. well it turns them on as well. But the real purpose +of the question mark is to force UNP to ask if it should do something. +Currently only the -K switch supports this. Options which are not followed +by one of the mentioned characters work as toggles, which means that using an +option twice will undo the previous (eg. -a -a has no result). However once +an option has been turned on with the question mark (like -a?) then you can +only turn it off by appending a - (like -a-). Still got it? :) + +-? = help (this screen) + Suprisingly enough, this switch will let UNP show the built-in helpscreen. + Any other switch or command used on the same line will be ignored. 
+ +-a = automatic retry + It is possible that some files have been processed with some program more + than once. This switch will make UNP to process the file again when it + was changed. Useful when you want to uncompress a file which also has + been Immunized by CPAV. + +-b = make backup .BAK file of original + If you want to keep a backup of your original file (very wise) use this + switch. The original file will be renamed to a file with a .BAK + extension. + +-c = ask for confirmation before action + This will force UNP to ask you if you want to remove the routine UNP found + on the file each time it has recognized some program's work. + +-f = optimise fixups (like HDROPT.EXE) + Relocation items, also known as fixups, are stored in the .EXE header in + two parts; 16 bits for the segment value and another 16 bits for offset. + Since DOS only uses 20 bits for addressing, the fixups may contain some + redundant data. Optimising the fixups does some arithmetic stuff which + will move as much as possible of the address into the offset and fills the + segment value with zeros. This is the same as the program HDROPT.EXE + supplied with PKLITE does. + +-g = merge overlay into image + This dirty switch allows you to merge an overlay into the image of an .EXE + file. I can't think of any reason why someone should use it but it's + here. + +-h = remove irrelevant header data + Most linkers add useless data to the .EXE header. This switch removes all + such useless information, thus shrinking the header size. This switch + also skips the header rebuilding code with files like PKLITE. + +-i = interception of I/O interrupts + By default UNP watches several DOS interrupt to check if the program is + running as expected. Any unexpected call to such an interrupt will make + UNP abort the process. If you have any weird TSRs resident you might have + to use this switch. + +-k = pklite signature handling; - = don't add, + = add always, ? 
= ask + With this switch you can handle the pklite signature. There are 3 + possibilities : + -k- = don't add + The pklite signature will not be added, this will also be the case if + you only use -k (to stay dislite compatible). + -k+ = add always + Always add the pklite signature, this is the default of UNP so you can + just as well leave the -k switch away if you want this. + -k? = ask + When you use this, UNP will ask you each time it has found a signature + (like UNP V3.01 or earlier did). + +-l = use large memoryblock + When UNP loads a program it allocates a block with a size of the + required memory with about 32k extra for safety. Some programs require + even much more memory than they tell DOS they need. If such a file is + decompressed by UNP it definately will go wrong. Two things can happen + in such a case. The program detects the absence of enough memory and + will attempt to notify the user by writing a message on screen. This + will probably result in a "(INT 21) Unexepected call to DOS" error + (see messages) and UNP will abort gracefully. Or worse, the program + does not check at all and will try to decompress anyway. This will + probably result in a system crash or a memory allocation error. If you + have got a file which requires more memory than it tells DOS, use this + switch. After identifying the compressed program, UNP will increase + the allocated memory block to 15/16 of the maximum size of that block. + +-m = MORE alike output + On request this switch has been added. It should pause about every screen + full of information similar like DOS's MORE.EXE. + +-n = numbered Outfiles + Also on request is the possibility the have UNP remove several routines + in one run but keeping a copy of every version. This switch will assign a + number to the files it writes the new file to. If the file already is + numbered, it will increment that number. If not, the number 1, possibly + with leading underscores,will be assigned to it. 
+ +-o = overwrite output file if it exists + If you want to have the destination file overwritten, you can avoid the + question for permission by specifying this switch on the command line. + +-p = align header data on a page + It is said that .EXE files with a header size that is a multiple of 512 + bytes load faster (this could make sense since a sector is also 512 + bytes). This switch will expand the header to the nearest multiple of 512 + bytes, filling it with zeros. + +-r = remove overlay data + If something is appended to an .EXE it is called an overlay. This switch + will let the file size of the outfile be the same as the load image. So + anything that was appended to the file will be thrown away. An overlay + can be used for all kinds of data, so removing this can result in + throwing away something useful. + +-u = update file time/date + By default UNP sets the time/date of the destination file to the same + time/date as the original source file. If you want to have it updated to + the current time/date use this switch. + +-v = verbose + When you use this switch UNP will give you some additional information. I + added this switch for debugging purposes. + +-- = program's commandline + Anything after this switch will be passed to the program to be + decompressed. This way you can pass along any required parameters (like + passwords) for the Tracing command. + + +Messages +-------- +UNP has 6 kinds of messages other than the usual information it can display: + + - Questions - Even with new smart routines programmed into UNP4 it still +needs to ask a few things now and then. Who said that computers are smarter +than you? Anyway, you can expect the following questions: + +Add code to fake PKLITE decompression (y/n)? + This question arises when UNP detects that a signature has been placed + into the program's PSP and the -K switch has the '?' value. (for more + info, read the "notes on compressors" part) + +Continue (y/n)? 
+ When UNP considers a program abnormal it wil display a warning with the + reason why it thinks so and will ask you if you want to continue anyway. + +Remove this routine from file (y/n)? + You have requested confirmation for each action UNP takes (see -C option) + and this is the result. + +Program is protected, please enter password: + Some programs have the ability to scramble executable files with a + password. Unfortunately I have not succeeded in breaking all protection + schemes using this. So for certain programs you might be prompted for + the password + +File FILENAME.EXT already exists. Overwrite (y/n)? + When UNP wants to write to the destination file and discovers the file + already exists, it will ask if you want to overwrite the file. You can + avoid this question by using the overwrite option (see -O option). + +- Informal messages - By placing UNP in verbose mode (see -V option) UNP will +display additional information about anything that might be interesting. Note +that informal messages allways start with "INFO -". + +DOS Version X.XX[, running under Windows.] + Some system information, this has no effect on UNP. + +Commandline = ... + This indicates what options are passed for the Init procudere the the main + module. This is influenced by UNP's commandline. + +Program's commandline = "...". + If you have specified anything for the program's commandline + (see -- option), it will be echoed here. + +Using FILENAME.EXT as temp file. + The name of the temporary file UNP will use. This is composed of the TEMP + environment variable and some constant defined in UNP. + +Anti-virus program TbScanX detected. + UNP has detected the resident anti-virus program TbScanX and will use it + to scan the files before it loads them (also see -s switch). + +Wildcard matches X filename(s), stored at XXXXh. + The wildcard specified on the commandline is resolved to a number of files + and these names has been stored at the specified segment. 
+ +Program loaded at XXXXh, largest free memory block: X bytes. + Indicates at which segment UNP is loaded and how large the largest + available memoryblock is. + +Adding 'PK' signature to fake PKLITE decompression. + When UNP automaticly adds the code to fake PKLITE decompression + (see -K option), it will display this message. + +Increasing program''s blocksize to X bytes. + In certain cases UNP will increase the memory given to the program which + UNP wants to decompress. This can solve problems with programs which + do not check if they have enough memory. This can be forced with the -L + option (see -L option). + +- Warnings - These messages indicate something is wrong but UNP can live with +it. Warnings will always start with "WARNING -". + +Infile and Outfile are same, Outfile ignored. + After UNP has resolved the wildcard it has found out the the file to be + processed is the same as the destionation file. Since this is the default + operation of UNP it will ignore the destination file. + +Outfile specified, -B option ignored.' + When you have specified a destination file you can't create a backup. This + is because the backup is created by renaming the original file. When the + destination file is also specified there would be no original program + left. + +-N option overrules -B option, -B option ignored + You can't number your files and have a backup created as well. It's about + the same reason as mentioned above. + +Invalid or missing stored header information. + Some files store the original header somewhere inside the compressed file. + When UNP has detected this and the info does not seem to be correct it + will display this warning. + +- Errors - UNP has discovered something wrong and cannot continue with the +current action. It will continue with the next file (when available). + +(INT 10h) Unexpected use of video interrupt, action failed. +(INT 20h) Unexpected program termination, action failed. +(INT 21h) Unexpected call to DOS, action failed. 
+ UNP watches several interrupts to ensure things are going as expected. + When UNP loses control it will sooner or later detect one of the + interrupts it watches and abort the current action. If you think nothing + went wrong and you got this message anyway, you can disable the interrupt + watching (see -i switch). + +Cannot convert, file already is a COM file. +Cannot convert, file has relocation items. +Cannot convert, initial CS:IP not FFF0:0100. +Cannot convert, file is too large for COM. +Cannot convert, file contains internal overlay. + Convertion of a .EXE file to .COM file has to meet several conditions. + When one of these is not met the program will show which one and abort the + action. + +- Dos error - Your operating system does not allow something UNP would like +to do. Simple things like a read-only file or disk full will cause such a +error. UNP will quit if such an error is encountered. These messages start +with "DOS ERROR - " and end with the DOS error code. + +unable to open file ... (error x) +unable to create file ... (error x) +unable to read from file ... (error x) +unable to write to file ... (error x) + +- Fatal errors - Something seriously wrong has happened. The program will +abort. These messages will start with "FATAL ERROR - ". + +No files found matching + UNP could not resolve the wildcard you specified on the commandline to any + file. You might want to check the filenames. + +Decompressing many files into one. + The Infile wildcard matches more than one file and you have also given a + destination filename on the commandline. + +Output path/file must not contain '*' or '?'. + You can't use wildcards in the destination filename. + +Outfile required for specified command. + The command you specified requires 2 filenames and you only gave one. + +Specified command does not require filenames. + The command you specified does not allow any filenames at all! + +(INT 00h) Divide overflow generated by CPU. 
+(INT 23h) Ctrl-C or Ctrl-Break pressed by user. + These interrupts are considered very important and UNP will quit as fast + as possible when one of these occur. + +Not enough memory to ... + UNP could not allocate enough memory for something. + +Memory Control Blocks destroyed. + UNP now checks for this special memory error since this error is probably + caused by a progam that has been giving too few memory. UNP will abort but + the system will most likely halt immediately after that. You might want + to try giving the program more memory (see -l switch). + + +Notes on compressors +-------------------- +There are a few things about compressors that might usefull to know: + +AVPACK V1.20 + This Russion compressor has many similaritys with PKLITE. The PKLITE + routines are used to unpack this compressor. However, it is not as good + as PKLITE. It reports that files with a size which is a multiple of 512 + bytes contains an overlay and also it only stores the first 20h bytes of + an exeheader making it impossible to do a complete restore. It does have + some extra option like encryption. UNP can uncompress encrypted files + like these although it does not recognize them as such. If you know + you got an encrypted AVPACKed file you can use "UNP T" to unpack. + +COMPACK V4.4 + This program does not really contain a bug but more an incompatibility + error. On 486s, programs compressed with this version of COMPACK will + crash. This is a result of the self-modifying code COMPACK uses. + Somewhere at the end of the decompression routine of COMPACKed programs + there is a far jump to the decompressed program. Initially this jump + points to 0:0 but is adjusted not much earlier before the execution of + this instruction. On 386s or lower the prefetch queue is small enough + to allow this self-modifying code. On 486s however, the read-ahead buffer + is much larger so the jmp has already been read when the adjustment takes + place. 
The result on 486s is that the jmp 0:0 is actually executed, most + likely causing a system crash. UNP places a breakpoint before the + execution of this instruction which flushes the read-ahead buffer and the + program can be saved with the correct entrypoint. + +EXEPACK + Ever got the message "Packed file is corrupt"? Then you are probably + using a memory manager and have lots of conventional memory free. Old + versions of Microsoft's EXEPACK require atleast one segment (64k) below it + to be able to unpack the program into memory. If you have a lot of free + memory, let's say above 600k, then programs can be partially loaded in the + first segment. This causes EXEPACK to generate this error. UNP loads an + EXEPACKed file high enough to unpack it and can decompress it without any + trouble. + +MEGALITE V1.5 + Like AVPACK, this compression looks very much like PKLITE. This version + however contains an instruction which changes 1 byte in the decompression + routine. I have not been able to find out what the use of this + instruction is. All it seems to do is screw up the code. The instruction + which causes this is: DEC BYTE PTR DS:[SI+012Ch]. + +MR-LITE + This utility seems to be floating around in certain circuits. It is + written to reduce the size of PKLITE size even more. All it does is + simply rewrite the header and leave all useless information away. In + fact, it does the same as "UNP l -h". Unfortunately it does not do this + very well. One of the fields in the .EXE header reports the amount of + memory required by the application. This value is kindly set to 0 by + MR-LITE. Because DOS by default allocates all memory available, you will + not immediately detect this bug. But when unpacking it with UNP you + will very likely get the message "Memory Control Blocks destroyed.". It + is adviced to unpack such a file with "UNP E -l" and if you want + recompress it, optionally you can optimize the header with a "UNP L -h". 
+ (for more info, see -l switch) + +PKLITE V1.00 + Although this program is probably rarely used, I implemented some code + that fixes a bug that appears in this version of PKLITE only. When + certain programs are compressed, PKLITE moves the last 512 bytes of the + image into an overlay. Compressed programs will be decompressed by UNP + and checked for an overlay of 512 bytes. If such an overlay has been + found, UNP includes the overlay into the newly created image. This has + the same result of what would have happened when "PKLITE -x" would have + been used to restore to program. + +PKLITE V1.14+ Professional + These versions of PKLITE have some small piece of code in the + decompression routine that adds a so called signature into the PSP. This + allows programs to check if they are still compressed with PKLITE. When + such a program is unpacked UNP by default adds a small piece of code into + the PSP to fake the decompression. One of the programs that check for such + a signature is the PKZIP V2.04g program. (see also -k switch) + +PKLITE V1.15 + This version does not seem to detect OS2 or Windows files anymore and will + compress them like normal EXE files. Files will however not run + correctly, even when UNP has uncompressed them again. + +PKTINY + A small utility has been written to prevent recognition (and unpacking) + of TINYPROGed files. The trick this program uses is very simple. + TINYPROG has the ability to leave some space in the beginning of an .EXE + file. By filling this space with a PKLITE header and modifing some code + to let the program still run correctly, it tries to fool unpackers. If + UNP detects the modified code it tries to get around it and continue with + the TINYPROG check. + +SHRINK V1.00 + This compressor uses the basic RLE (Run Lenghth Encoding) compression + algorithm to decrease the size of a program. Unfortunately the program + contains (at least) 2 bugs. 
One of the bugs is when the RLE byte is found + followed by a 00 while decompressing, a 00 is placed in the program which + should be the RLE byte. The second bug is that the last byte of the + compressed file is not written to disk. Both of these bugs are triggered + when all 256 bytes appear at least one time in the file. UNP is able to + correct the first bug, causing most program to work again. However the + second bug is unrecoverable and UNP give a warning if it detects this bug. + It is always better to decompress it, even if the last byte is missing. + + +Registering UNP +--------------- +Having tried several forms of registration for UNP, I have decided to use the +following registration method. First, since a lot of support has come from +the low end user I decided to release UNP as cardware to the public domain. +It's always nice to know your program is appreciated, and what's the price of +a simple card compared to the registration fees asked by several others? So +if you're a happy user of UNP fill in your registration postcard of +something in your neighbourhood today. However, I have spend a lot of hours +on this program and since it can be useful for commercial purposes I decided +that for commercial use a registration of $1 per copy is required. Why so +cheap you might wonder. Well, I don't want the price to prevent you from +registering. I do not have to make profit out of it, I am just a student who +has written a program to teach myself more about DOS. I just as well could +have been writing viruses but instead I have chosen this. Please note that +non-commercial users are allowed to send me money anyway! If it is enough to +buy and mail a disk, you can expect a free special registered version! + + +Hey! Unp is compressed! +----------------------- +Yes, starting with V4.11 of UNP I will use a compressor to make sure lamers +won't just change the version number and upload it to some BBS just to get +their ratio higher. 
UNP is compressed with DIET V1.45f and processed with a +program I call DSHIELD to prevent decompressing. The traps used are not too +difficult to figure out, but the idea behind it was just the prevent the +lamers from hacking. If you succeed in unpacking it, then you are probably +an experienced programmer. I am sorry but the protection seems to be +neccesary. +Due to this protection it might be possible that some anti-virus programs +which use heuristic scanning consider UNP infected by a new or unknown virus. +If you also use the D command to alter (some of) UNP's default settings, +you might get a warning as well. The D command causes UNP to alter it's +own .EXE file. Check your documention that came along with your anti-virus +software on how to solve this incompatibility. + + +What UNP can remove +------------------- +Quite a lot actually. A list follows: + +AINEXE V2.1 +ANTIBODY +AVPACK V1.20 +AXE V2.2 +CENTRAL POINT ANTI-VIRUS V1, V1.1 +COM2CRP V1.0 +COMLOCK V0.10 +COMPACK V4.4, V4.5 +CRYPTA V1.00 +CRYPTCOM +DELTAPACKER V0.1 +DIET V1.00, V1.00d, V1.02b, V1.10a, V1.20, V1.44, V1.45f +ENCRCOM V2.0 +EPW V1.2, V1.21, V1.30 +EXELITE V1.00aF +EXEPACK V4.00, V4.03, V4.05, V4.06 +F-XLOCK V1.16 +ICE V1.00 +IMPLODE V1.0 Alpha +KVETCH V1.02 +LINK /EXEPACK V3.60, V3.64, V3.65, V3.69, V5.01.21 +LZEXE V0.90, V0.91, V1.00a +MCLOCK V1.2, V1.3 +MEGALITE V1.18a, V1.20a +OPTLINK +PACKEXE V1.0 +PACKWIN V1.0 +PASSCOM V2.0 +PGMPAK V0.13, V0.14, V0.15 +PKLITE V1.00, V1.00, V1.03, V1.05, V1.12, V1.13, V1.14, V1.15, V1.20, V1.50 +POJCOM V1.0 +PRO-PACK V2.08, V2.14 +PROCOMP V0.82 +PROTECT! EXE/COM V1.0, V1.1, V2.0, V3.0, V3.1, V4.0, V5.0 +SELF-DISINFECT V0.90 +SHRINK V1.0 +SCRNCH V1.00, V1.02 +SYRINGE +TINYPROG V1.0, V3.0, V3.3, V3.6, V3.8, V3.9 +TURBO ANTI-VIRUS V7.02A, V9.40 +UCEXE V2.3 +USERNAME V2.00, V2.10, V3.00 +WWPACK V3.00, V3.01, V3.02 + +I have left out a couple of names not really worth mentioning. 
+ + +What UNP cannot remove +---------------------- +SPACEMAKER V1.03 +EPW V1.2, V1.21, V1.30 - EXE only +USERNAME V2.00, V2.10, V3.00 - EXE only + + +CONTACTING ME +------------- +Please note that registrations must be send to my home adress, not to my +E-mail adress. A card really is a card, not a scanned picture or some +piece of text. + +My address: + Ben Castricum + Van Loenenlaan 10 + 1945 TX Beverwijk + The Netherlands + +E-Mail: valid until june '95 + benc@htsa.hva.nl + +I am not sure when exactly my account will be disabled, but I'll try to +get a new account somewhere as soon as possible. + +-- End of UNP V4.11 documentation -- diff --git a/textfiles.com/piracy/CRACKING/vbtutori.txt b/textfiles.com/piracy/CRACKING/vbtutori.txt new file mode 100644 index 00000000..46a6e04f --- /dev/null +++ b/textfiles.com/piracy/CRACKING/vbtutori.txt 
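Review bot: The "What UNP cannot remove" list at the end of this hunk contradicts the "What UNP can remove" list directly above it without explanation: EPW V1.2, V1.21, V1.30 and USERNAME V2.00, V2.10, V3.00 appear in both, distinguished only by the suffix "- EXE only" on the second entry, so a reader cannot tell from the text whether the .EXE variants are handled or not. Because this commit imports a historical document verbatim, that clarification belongs in the archive's index or the commit message rather than in the file; the same goes for the stray quote in `Outfile specified, -B option ignored.'`, the doubled apostrophe in `Increasing program''s blocksize to X bytes.`, and spellings such as "Russion" and "Lenghth", all of which should be kept as-is for fidelity to the original. The commit message should also record where this copy was obtained and when, since the only dating inside the document is the author's note that his e-mail is "valid until june '95".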
@@ -0,0 +1,534 @@ + + + razzia's tutorial for vb cracking + + + + Introduction + + Lately more and more programs come out that are programmed in VB. +Since VB programs are still unknown material for most crackers they +ignore them and label it as 'uncrackable'. In this document i will show +you that that is not true for text based protections (serials/reg#'s). + + For tools we will need only soft-ice and in one case hiew. Further- +more i assume that the reader is somewhat familiar with cracking. For +absolutely beginners i recommend the great tutorials made by +orc and +ed!son's good windows tutorial. But i will try my best to make the text +understandable for everyone who has a litle knownledge about cracking. + + + Getting ourselves prepared + + Before i start bombing you with asm listings lets take a moment to +think about what we are dealing with. + We are dealing with exe's that dont have code themselves but instead +they make calls to a library with standard functions. + What does this mean? It means that this is a big disadventage to +protect programs written in VB. Why? Do you think that the writers of +the VB dll made 10 different functions that you can use to compare 2 +strings? No, ofcourse not. They made the dll to be as efficient as +possible, as small as possible. + So therefore a good guess is that there will be only 1 or 2 places +in the dll where it can compare two strings. And that turns out to be +the case as you will see if you finish reading this document. + Does the litle lamp already begin to glow in your head ? ;--) +Wouldnt it be great if we knew where in the dll 2 strings get compared? +Yes, it would be great. It would reduce VB cracking to a boring job of +setting a single breakpoint at the right place. Continue reading for +the details. + + + + Strategy + + + Before we continue it would be wise to set out a strategy (like its +the case with every other case of cracking). + + Lets think about the protection ... 
+You enter a string of text , you hit enter or press 'OK' or whatever. +Then windows gives the data you entered to the VB dll. The VB dll then +does whatever it needs to know if that data is right or wrong. And you +get a msg saying you entered a good/wrong code. + + So what would be the weak link in the chain? The answer is where +windows gives the data you entered to the VB dll. Thats our entry point. +We can make softice break there. And then we are at the source of the +protection-chain. With the aid of breakpoints we can then monitor what +happens with our text. + + I think that we now have enough background information to crack a +first example. + + + Case 1 : The Collector v2.1 + + The collector is an utility for creating and maintaining your +image/photo collection. Not bad for a VB program. + More info about this program : + + Name : The Collector v2.1 + Where : http://intranet.ca/~logic/collectr.html + Size : collectr.exe = 246.047 bytes + Protection : serial + DLL : uses VB3 dll + + I find it easier to explain things in steps. So therefor i will +split the cracking process in smaller chunks : + + Step 1 : Run The Collector - right at startup it will ask you for a +serial # + + Step 2 : Enter a dummy serial like '9876543210'. Now press control-d +to enter softice. In softice enter 'bpx hmemcpy' to place a breakpoint +on the hmemcpy function of the kernel. + (Intermezzo : What is hmemcpy ? + Windows uses hmemcpy alot in operations concerning + strings. In this case it will be used to copy the buffer + with the text we entered to the memory space of the VB dll. + Remember when i said that we were gonna break when + windows gave the string we entered to the VB dll?) + + Step 3 : Leave softice with control-d. And press 'OK". This will +make softice break right at the beginning of hmemcpy. + + Step 4 : Now we will continue with tracing further into the hmemcpy +function to find out where the string we entered will be stored. 
Keep +pressing F10 untill you see this : + + JMP 9E9F + PUSH ECX ;these lines copy the + SHR ECX,02 ;string at ds:si to es:di + REPZ MOVSD + POP ECX + AND ECX,03 + REPZ MOVSB + XOR DX,DX + + Step 5: Right before REPZ MOVSD do a 'ed si'. You will the text you +entered, in my case its shows '0987654321'. Do a 'ed es:di' and you will +see nothing (yet). But if you press F10 and get passed the REPZ MOVSB +you will see the text getting copied to this new location where the +VB dll can access it. + + Step 6: Now we know where the text is located. Lets review our +strategy here. Our plan was to find out where the VB dll kept our +serial, then put a breakpoint on that memory location and find out +with what it got compared. So, lets set a bpr (breakpoint on range) +at the location with our string. Since the REPZ MOVS(D/B) instructions +increased the pointer in di (it now points to the end of our string) +we do 'bpr es:di-8 es:di-1 rw'. Dont hit enter yet - read step 7 first. + + Step 7: Before you hit enter i will tell you what to expect. Softice +will break everywhere where that block of memory with the string is +read or written to. + For example you will break inside the function strlen where the +lenght of the string is calculated. + And you will break where the string is copied to another place in +memory (for example with REPZ MOVSW). When this happens place a new +bpr at the new location with the string. + It will also break when the string or part of it gets deleted. If +not the whole string gets deleted do not remove the corresponding bpr. +Only remove it when the complete string gets written over by something +else. + Also you will break again in hmemcpy. Hmemcpy will read another echo +of the string in the dll's memory. Place a bpr there too. + And finally you will break at the part of the code that does the +comparing (the instruction you will see is REPZ CMPSB). + When i reached that part of code i had 4 breakpoints set. 
One +breakpoint for hmemcpy and 3 bpr's on 3 echos of the string (or parts +of it). + + Step 8: Now we found the code where the VB3 dll does comparing +we can place a breakpoint there and disable the other breakpoints. We +wont need them anymore. We found the place where things get compared +in VB3. What you see is this : + + : 8BCA mov cx, dx + : F3A6 repz cmpsb ;<- here the strings in ds:si and es:di + : 7401 je 8CB6 ; are being compared + : 9F lahf + : 92 xchg ax,dx + : 8D5E08 lea bx, [bp+08] + : E80E06 call 92CB + + Just before the REPZ CMPSB if you do a 'ed si' and a 'ed es:di', you +will see what is compared with what. In this case the second and third +character of the string we entered gets comared with 'V8'. So if you +restart the program and enter 0V87654321 it will register. + + Step 9: We are not finished yet. The contrary is true, the important +part is what we do now. Next time we meet a VB3 program we want to place +a breakpoint at the location with the code above and read out the right +serial. +How do we do that ? Lets try it real quick with The Collector. + -Start The Collector and enter a dummy serial. + -Enter softice and place a breakpoint on hmemcpy. + -Leave softice and press 'OK', this will put you back + in softice. + -Now, get out of the kernel and and get in the code of VBRUN300 + (press F11 and F10 untill you get there) + -Now do a search for the pattern : + 8B,CA,F3,A6,74,01,9f,92,8D,5E,08,E8,0E,06 + (s 0 l ffffffffff 8B,CA,F3,A6,74,01,9f,92,8D,5E,08,E8,0E,06) + -Place a breakpoint at the adress that gets returned + (bpx ) + -press F5 and you will land in the middle of the above comparing + code. + -Only thing left to do is check out the pointers in es:di and ds:si + + + + Case 2 : Minimize Magic 1.2.4 + + + Minimize Magic is an utility that you can use to minimize your +programs to the traybar. 
+ + More info about this program: + + Name : Minimize Magic 1.2.4 + Where : http://www.genesoft.demon.co.uk/ + Size : minimagic.exe = 159.744 bytes + Protection : password based on key + DLL : uses VB4 dll + + To crack this program you can do the same as we did with The +Collector. Starting with hmemcpy working your way to the code that +compares the string you entered. Important thing to know is that the +VB4 dll always converts strings to the WideChar format before it does +anything with them. So instead of using hmemcpy you can set a +breakpoint on MultiByteToWideChar to break. Check your windows API +reference to learn more about this function. + + I have done all the hard work for you and found the VB4 dll code +that compares two strings (in WideChar format !). + Heres the listing : + + : 56 push esi + : 57 push edi + : 8B7C2410 mov edi, [esp + 10] + : 8B74240C mov esi, [esp + 0C] + : 8B4C2414 mov ecx, [esp + 14] + : 33C0 xor eax, eax + : F366A7 repz cmpsw ;<-- here the (WideChar) strings at ds:esi + : 7405 je 0F79B362 ; and es:edi get compared + : 1BC0 sbb eax, eax + : 83D8FF sbb eax, FFFFFFFF + : 5F pop edi + : 5E pop esi + : C20C00 ret 000C + + Now we know enough of the VB4 dll to crack Minimize Magic: + + Step 1: Start Minimize Magic and chose Register from the menus. +You will be asked for a Name and a Password. Enter a name and a +dummy password. Dont press 'OK' yet, continue with next step. + + Step 2: Enter softice and place a breakpoint on hmemcpy. Leave +softice and press 'OK'. You will land in softice. + + Step 3: Press F11 and F10 untill you are out of the kernel and in +the code of the VB40032.dll. Now we will search for the pattern of the +code above. +Do 's 0 l fffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14' +and place a breakpoint at the adress that gets returned. + + Step 4: Press F5 to leave softice, but you will immediately break +again, right at the beginning of the above code. 
Here the password +you entered will be compared to the correct password. Trace untill +right before the REPZ CMPSW and do 'ed es:edi', this will show the +password you entered. If you do 'ed esi' you will see the correct +password. +(the strings will be in WideChar format - for example you could +see A T G H D E H D. That means your password is ATGHDEHD) + + + Ok, now you found a working password that will work only for the +version on your computer. If you give that password to somebody else, +the program wont accept it. The password is calculated from a Key +that is different on each computer. This key could be randomly +generated at setup or based on the info on your hd. Whichever one it +is, it will be hard to find out how its generated or where it is +stored. + + So how can we make a general crack ? + We could use the 'Magic Window' trick here. We will 'reprogram' +the VB40032.dll to show the correct password. + The original code in the VB40032.dll looks like this : + + +:0F79B348 56 push esi +:0F79B349 57 push edi +:0F79B34A 8B7C2410 mov edi, [esp + 10] ; es:edi -> pw you entered +:0F79B34E 8B74240C mov esi, [esp + 0C] ; esi -> correct pw +:0F79B352 8B4C2414 mov ecx, [esp + 14] +:0F79B356 33C0 xor eax, eax +:0F79B358 F366A7 repz cmpsw ; compare them +:0F79B35B 7405 je 0F79B362 +:0F79B35D 1BC0 sbb eax, eax +:0F79B35F 83D8FF sbb eax, FFFFFFFF +:0F79B362 5F pop edi +:0F79B363 5E pop esi +:0F79B364 C20C00 ret 000C ; end of this function +:0F79B367 57 push edi ; the code below this adress +:0F79B368 8B7C2408 mov edi, [esp + 08] ; is not important, but we +:0F79B36C 8B4C2410 mov ecx, [esp + 10] ; will need its space +:0F79B370 8B44240C mov eax, [esp + 0C] +:0F79B374 0BE4 or esp, esp +:0F79B376 F266AF repnz scasw +:0F79B379 B800000000 mov eax, 00000000 +:0F79B37E 7503 jne 0F79B383 +:0F79B380 8D47FE lea eax, [edi-02] +:0F79B383 5F pop edi +:0F79B384 C20C00 ret 000C + + The code is located at offset 7a748 in the vb40032.dll file. 
So, to +make a general crack make a patch that turns the above code into: + +:0F79B348 56 push esi +:0F79B349 57 push edi +:0F79B34a 8B7C2410 mov edi, [esp + 10] ;es:edi --> text you enter +:0F79B34E 8B74240C mov esi, [esp + 0C] ;esi --> correct pw +:0F79B352 813F70006300 cmp dword ptr [edi], 00630070 ;edi -> 'PC" ? +:0F79B358 7527 jne 0F79B381 ;if not - leave +:0F79B35A 803E00 cmp byte ptr [esi], 00 |<- these lines +:0F79B35D 7410 je 0F79B36F | put spaces +:0F79B35F 83C601 add esi, 00000001 | between the chars +:0F79B362 C60620 mov byte ptr [esi], 20 | +:0F79B365 EB03 jmp 0F79B36A |<--skip the ret +:0F79B367 C20C00 ret 000C ;<-- this to prevent crash +:0F79B36A 83C601 add esi, 00000001 | +:0F79B36D EBEB jmp 0F79B35A |<- back to the start +:0F79B36F 8B3DDCC47B0F mov edi, [0F7BC4DC] *<-- these lines +:0F79B375 8B74240C mov esi, [esp + 0C] * call the +:0F79B379 6A00 push 00000000 * MessageBoxA +:0F79B37B 56 push esi * function to show +:0F79B37C 56 push esi * the correct +:0F79B37D 6A00 push 00000000 * password +:0F79B37F FFD7 call edi * +:0F79B381 5F pop edi +:0F79B382 5E pop esi +:0F79B383 90 nop +:0F79B384 C20C00 ret 000C + + Comments: + We used the space of two routines, so to prevent a crash we have to +put a RET function at the beginning of the (original) second function +(see line 0F79B367). + This part of the VB4 dll code is not only used to check the passwords. +It is used by other parts of the program as well. Therefor we need to +do something so that only something will be shown when we are dealing +with a password comparison. That is what the code at line 0F79B352 is +about. It checks to see if EDI points to the text "PC". So we can +use that to trigger the crack. To trigger the crack, "PC" has to be +entered for password when registering. + The lines marked with | are there to put spaces between chars of the +string. Originally there would be a string of WideChar format. That +means that in memory there will be zero's between the chars. 
And the +function we will use to show the text (MessageBoxA) translates a 0 to +end of string. So only 1 letter would be shown if we dont replace the +zeros with spaces. + The lines marked with * are there to call the function MessageBoxA +to show the correct password. I ripped those commands from the VB4 dll. +Placed a breakpoint on MessageBoxA to see how VB4 called it. + + Well thats it for Minimize Magic. To make a general crack, a patch +could be written that patches the VB4 dll at offset 7a748 with the +above code. To use such a crack minimagic.exe and the vb40032.dll +should be placed in a temp dir and the patch run there. Then start +minimize.exe from that temp dir, and use 'PC' for password. And voila, +a window will pop up with the correct password. Once the correct pw +is known, the temp files should be deleted and the password can be +used in the original Minimize Magic. + + + Case 3 : Sub Station Alpha 2.02 + + Most of the VB4 programs can be cracked with the method described +in case 2, but i have encountered 2 programs which used a different +method of comparing. One of those programs is Sub Station Alpha 2.02. +It uses a protection that first converts a number you enter to its +hex value and then compares it with the correct number. Lets start to +crack Sub Station Alpha and things will get clearer. + + Info about this program: + + Name : Sub Station Alpha 2.02 + Where : http://www.eswat.demon.co.uk/index.html + Size : SUBSTN32.EXE = 629.248 bytes + Protection : password based on user name + DLL : uses VB4 dll + + + Earlier i mentioned that VB4 converts strings to the widechar format +before it does aything with them. Therefor we will use this function +as an entry point. Again we will do it step by step ;--) + + Step 1: Start Sub Station Alpha and chose register from the menus. +Enter a name and a dummy registration key. 
+ + Step 2: Enter softice and place a breakpoint on MultiByteToWideChar +(with 'bpx multibytetowidechar) + + Step 3: Now, leave softice and press "Register". + + Step 4: Softice will break at the beginning of MultiByteToWideChar, +press F11 to get out of it. You will see : + +:FF1500C27B0F call [KERNEL32!MultiByteToWideChar] +:8BD8 mov ebx, eax +:83FEFF cmp esi, FFFFFFFF +:7501 jne 0F738BCF +:4B dec ebx +:53 push ebx +:6A00 push 00 +:FF1518C97B0F call dword ptr [0F7BC918] +:8BE8 mov ebp, eax +:85ED test ebp, ebp +:0F845B260100 jz 0F74B23D +:43 inc ebx +:53 push ebx +:55 push ebp +:56 push esi +:57 push edi +:6A00 push 00 +:6A00 push 00 +:FF1500C27B0F call [KERNEL32!MultiByteToWideChar] +:8BC5 mov eax, ebp ;<-- do 'ed ebp' here +:5D pop ebp +:5F pop edi +:5E pop esi + + The important place is right after the second call to MultiByte- +ToWideChar. Disable the first bp on MultiByteToWideChar and place +a new bp right after the second call to that function (on the line +with MOV EAX,EBP). On that line EBP will contain a pointer to a +string in WideChar format that was processed. It doesnt have to be the +string of the registration key. Therefor we will edit that breakpoint +so that it will only break when it is processing the registration key. + How can we do that? Well, the MultiByteToWideChar function returns +the lenght of the string it processed plus 1 in EAX. So we will add a +conditional statement on the breakpoint. Do 'bl' to find out what the +number is of that breakpoint. Then do 'bpe #' and add +'if al==' to the breakpoint. For example, if you +entered '212121', lenghtOfKeyString would be 6 :--). + + + Step 5: Now we will let the program run with F5. When softice breaks +do a 'ed edp' and see the WideChar form of the key you entered. We +place a bpr on the block of memory containing the string and we +continue (F5). What will happen is this. Softice will break on several +places. Whats important is that it will break in the code of OLEAUT32. 
+When that happens trace a litle further to see whats going on. The +first few times you will get out of the OLEAUT32 very quickly. But +eventually you will see this code : + +( listing from OLEAUT32.DLL) +:6534B6B3 395C240C cmp [esp + 0C], ebx ; this is a loop that +:6534B6B7 7E14 jle 6534B6CD ; goes trough all +:6534B6B9 33C9 xor ecx, ecx ; the chars of a +:6534B6BB 8D0492 lea eax, [edx + 4*edx] ; string, in the end +:6534B6BE 8A0E mov cl , [esi] ; edx will have the +:6534B6C0 46 inc esi ; hex value of the string +:6534B6C1 4F dec edi +:6534B6C2 FF4C240C dec [esp + 0C] +:6534B6C6 8D1441 lea edx, [ecx + 2*eax] +:6534B6C9 85FF test edi, edi +:6534B6CB 7FE6 jg 6534B6B3 +:6534B6CD 85FF test edi, edi +:6534B6CF 7F4A jg 6534B71B + ............. + ............. +:6534B6F2 8910 mov [eax], edx ; edx is saved +:6534B6F4 33C0 xor eax, eax +:6534B6F6 83C424 add esp, 00000024 +:6534B6F9 C21000 ret 0010 + + Step 6: We saw that the key is transformed into its hex value, +and saved to a place in memory. If you monitor this memory location, +you will end up here in the VB4 dll that compares it with another +value: + +:0F7A2CE1 5A pop edx ; load edx +:0F7A2CE2 58 pop eax ; load eax +:0F7A2CE3 2BC2 sub eax, edx ; subtract them +:0F7A2CE5 83F801 cmp eax, 00000001 +:0F7A2CE8 1BC0 sbb eax, eax +:0F7A2CEA 50 push eax +:0F7A2CEB 0FB706 movzx word ptr eax, [esi] +:0F7A2CEE 83C602 add esi, 00000002 +:0F7A2CF1 FF2445F4997B0F jmp dword ptr [2*eax + 0F7B99F4] +:0F7A2CF8 E8BB000000 call 0F7A2DB8 + + We see that EDX and EAX get loaded from the stack, and then +substracted. This is just an indirect way of comparing those two +values. If you check out the contents of EAX and EDX, you will see +that one has the number you entered and the other one will have the +correct registration number. + + Step 7: Now we found this location its wise to note the hex values +of the code, so you can find it back quickly when you suspect that +another VB4 program uses this protection. 
+ + + + Final notes + + + Well, with the above 3 techniques i have been able to crack quite +some VB3/4 programs that used a text based protection. Sometimes +when you set a breakpoint at the comparing routine, softice will not +break. Try then to enter strings with a different length. Because +the program could be checking the length of the string you enter before +it compares the string itself. And other programs first isolate chars +from the string you enter and then compare those isolated chars, but +again they get compared at the locations stated in the examples above. + With VB5 programs i havent much experience, i only cracked one of +them. It was called Hitlist Pro v3.0. By patching the VB5 dll, I could +remove its 30 day timelimit just like it was a regular program. Of +course, the VB5 dll had to be placed in the Hitlist Pro main dir, +this to prevent other VB5 programs using the patched DLL. + + Thats it folks, you may contact me (if you know how ;--) on irc +with feedback and questions. + + + Big greets to : tHATDUDE, madmax!, cH, Teraphy, KillerBee,j0b, + StarDogg Champion,aCP,rANDOM and all the + others i forgot. + + Special greets and thanks to +ORC, fravia and gthorne and rest of +HCU + + + razzia [pc97] + date: 05-08-97 + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/textfiles.com/piracy/CRACKING/wincrack.txt b/textfiles.com/piracy/CRACKING/wincrack.txt new file mode 100644 index 00000000..105bcbe9 --- /dev/null +++ b/textfiles.com/piracy/CRACKING/wincrack.txt 
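Review bot: the tail of this added file is a run of roughly thirty empty `+` lines after the `razzia [pc97] / date: 05-08-97` signature, right up to the next `diff --git` header. If the archive's policy is byte-exact preservation of the original textfile, state that in a repository README or mark the `piracy/` tree in `.gitattributes` with `-whitespace` so that `git diff --check` and whitespace linters stop flagging every such file; otherwise trim the trailing blank lines before committing.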
@@ -0,0 +1,315 @@ + 888 ,e, + e88'888 888,8, ,"Y88b e88'888 888 ee " 888 8e e88 888 + d888 '8 888 " "8" 888 d888 '8 888 P 888 888 88b d888 888 + Y888 , 888 ,ee 888 Y888 , 888 b 888 888 888 Y888 888 + "88,e8' 888 "88 888 "88,e8' 888 8b 888 888 888 "88 888 + , 88P + Qapla's cracking tutorial, version 0.1 rel 970209 "8",P" + + +1. Introduction +~~~~~~~~~~~~~~~ + +Welcome to my first attempt to write a Windows 95 cracking tutorial. + +This file is not meant as an introduction to either SoftIce, assembler +or cracking in general. I will assume that you have installed SoftIce +2.0 or 3.0 and that you are familiar with it. Some assembler and Win32 +API knowledge is also useful. If you are new to cracking, before +continuing please read some of the files on cracking already available +on the net, for example ED!SON's excellent tutorial. In his tutorial you +will find an introduction to SoftIce, how to load exports and much more. + + +2. The program +~~~~~~~~~~~~~~ + +In this tutorial, I will use a great little program that you probably +will find on the net by doing a simple search for it. The program is +called StartClean, and the version I use is 1.2. The program scans the +Windows 95 Start Menu and removes all shortcuts that don't point to +anything. This is actually a very handy utility for those with a lot +of software passing through their harddisks (like me), so this is one +of the few little utilities I actually use. Another great thing about +this program is that it is only 31kb, so it doesnt hog massive amounts +of my harddrive. You *might* find this program attached to this tutorial. + +When you start the program it will fire up with a little nag-screen asking +you to register it if you use it for more than 30 days. Even if we will +defeat this protection several times in this file, I'm asking you that +if you start using the program, please register it. The author deserves +the money he is asking for it. + + +3. 
The extremly simplistic approach +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In this section I will use a method that works with this program, +but it wont work with most other programs. I included it here to +show you that there is no need to make anything more difficult then +nessesary. (this is a good philosophy of life by the way :) + +Fire up the program, and press 'Register...' + +The program will show you a small dialog-box, asking you to enter your +name and secret code. Now enter your name and any code. I entered +"Qapla'97" and "115522". Press OK and it will tell you that the code was +incorrect. + +Now comes the interesting part. + +In the explorer press the right mouse button on the file, and select +Quick-View. A window will pop up with a lot of information about the +file. The section we are interested in is the 'Import Table'. Scroll +down until you reach this section. + +You will hopefully see something like this: + +Import Table +------------ + + COMCTL32.dll + Ordinal Function Name + ------- ------------- + + KERNEL32.dll + Ordinal Function Name + ------- ------------- + + 026c lstrcmpiA + 00d7 GetFileAttributesA + 026f lstrcpyA + 0045 DeleteFileA + 0269 lstrcmpA + 01c1 RemoveDirectoryA + . . + . . + . . + +This section displays the API's the file uses. By setting a breakpoint +on any of these you will be able to intercept the program when it uses +them. + +Here comes the good part. The program somewhere in the code probably +compares the code you entered with a pregenerated code, previously +calculated from the name you entered. + +What does the 'lstrcmpA' function do? Lets look in the API-reference +(the file I use is called Win32.hlp from the Win95-SDK, distributed +with most real development environments, for example Borlands excellent +Delphi 2.0) + +--- From Win32.hlp --- + +The lstrcmp function compares two character strings. The comparison is +case sensitive. 
+ + int lstrcmp( + LPCTSTR lpString1, // address of first string + LPCTSTR lpString2 // address of second string + ); + + Parameters + + lpString1 + Points to the first null-terminated string to be compared. + + lpString2 + Points to the second null-terminated string to be compared. + + Return Value + + If the function succeeds and the string pointed to by lpString1 + is less than the string pointed to by lpString2, the return value + is negative; if the string pointed to by lpString1 is greater than + the string pointed to by lpString2, it is positive. If the strings + are equal, the return value is zero. + +---- End --- + + +So, lets try setting a breakpoint on 'lstrcmpA' + +Press ^D, and when the SoftIce screen appears type 'BPX lstrcmpA', +now press ^D again and press OK once more. + +blam, we were kicked back to SoftIce. + +** Break due to KERNEL32!lstrcmp + +Now press F12 to return to the calling function, and you should see +something like this: + . + . + . +0157:004011DD 50 PUSH EAX <- push your code on the stack +0157:004011DE 6830604000 PUSH 406030 <- push the right code on the stack +0157:004011E3 FF1520924000 CALL [KERNEL32!lstrcmp] <- compare them +0157:004011E9 85C0 TEST EAX, EAX +0157:004011EB 0F8580000000 JNZ 00401271 <- check if they were the same + . + . + +At this point we have two options: + +a) Patch the JNZ to NOP's - This will make the program register with + any code. This *may* introduce other + problems, most noteably it might have a + similar unpatched check in another part + of the program that you won't notice. + +b) Find out the code it - This is a much better way of working as + compared your code with you dont need to change the code and the + serial you find will probably work with + the next version of the software as well, + the crack will probably stop working when + you upgrade. + +Alternative (a) is left as an exercise to the reader :) + +Now type 'd 406030' <- this was the address it pushed on the stack, remember? 
+ +The data-window will now display the correct code, in my case 1398-13026- +1211-249 + +As i said in the beginning of this section, setting a breakpoint on +string-compare API's will seldom work, as most programs use their own +routine for doing this. The next section will present another, very +similar approach to the same problem, but it will not rely on the +same API. + + +4. The hmemcpy-bpm approach +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If you registered the program in the following section and wish to +'unregister' it, so you can try this approach as well, you can start +regedit, and delete the following key: + +HKEY_CURRENT_USER\SOFTWARE\Start Clean\Configuration + +Do a 'BC *' to clear all your existing breakpoints, and enter your name +in the registration-box once again. (be sure to use an incorrect code, +as we dont want to register it right now). Don't press OK yet. + +Now enter 'BPX hmemcpy', and press OK in the dialog. We will be back in +SoftIce. Note that we are no longer in the flat addressing mode. This is +protected mode 16bit code, ie in another context. We need to get back into +the flat code before we can search all memory, but before we do that we +will press ^D once again. The program just scanned our name this time, +and we are just interested in is setting a breakpoint to trap access to +the code we entered. + +We will shortly be back into softice again. Now press F12 a few times +until we reach the 32bit code. You will notice this by looking at the +addresses in the code window... + +0137:9EA6 <- this is a segmented 16-bit address. +0157:004011B5 <- this is a 32-bit flat address. + +When you reach this code we can scan for the text we entered in the +code-window. (you entered something unique didn't you, as we will be +searching all physical memory, and a code like 0000 will probably +be found in a lot of unrelated locations) + +Enter "s 0 l ffffffff 'your_code_here'" and press enter. + +Now two things can happen. 
either it finds your code in a low address, +(and this is what we are looking for), or it will find it somewhere +around 0x80000000 (this is Windows internal memory-space, and not what +we are looking for (Windows reserves the upper 2gig for internal use, +and non ring 0 code will only have access to memory in the lower part +of the address space)) + +When you found what looks like the right place in memory, (I found +it at 015f:0063f580), we will set a breakpoint for memory access there. + +Use 'BPM 0063f580' (or whatever address you found). + +Don't forget to 'BD hmemcpy' as well, as we will not be needing that +breakpoint any more. + +Press ^D and you it will stop right in the function that compares the +two strings. + +This method is usually much better than the previous, as it doesn't assume +that the program uses any specific API's. It is usually safe to set a +breakpoint on hmemcpy as almost all Win32-programs rely on this function +to retrieve information from dialogs. + + +5. Other ways +~~~~~~~~~~~~~ + +So, we have now defeated this program in two similar ways, and at this +point I am starting to realize my bad choice of program as this little +program doesn't contain any strange or non-standard things. It is rather +unusually simplistic. If you feel like making a keymaker, which is the +thing any *real* cracker would do, you can find the entrypoint to the +code-generating routine just above the call to lstrcmp. + + +A. Setting breakpoints +~~~~~~~~~~~~~~~~~~~~~~ + +In ED!SON's tutorial, the author talks about the problems of setting +breakpoints, especially when Norton Commander is active. When you +try to do a BPX GETDLGITEMTEXTA, you might get the 'No LDT' error. +DOS windows, and especially Norton Commander hogs much of the CPU +and if you are running them, there is a good chance you will end up +in a VDM instead of the PROT32-mode you want to be in. 
SoftIce 3.0 +seems to handle this much smarter, so if you are having problems +try installing the latest version of the debugger. This is an issue +of address-contexts and an extensive discussion on the topic can be +found in the documentation for SoftIce 3.0. If you are trying to set +a breakpoint in the code you are debugging and it doesnt work, try to +break on a general API, and press F12 until you reach the context you +are looking for, and then set the breakpoint. + + +B. Recommended reading +~~~~~~~~~~~~~~~~~~~~~~ + +The reason I wrote this tutorial is that during the last years, I have +read quite a few text on cracking by different authors. I always wanted +to make something similar to make a small contribution to this, and +hopefully make someone reach a higher level of knowledge in cracking. + +I would like to recommend some of the great text on cracking already +available on the net: + +* ED!SON's Cracking Tutorial - This is a great file that contains + an introduction to debugging, SoftIce + and cracking. If you havn't read it + yet, do so now. This file is *very* + recommended for everyone. + +* +ORC's Cracking Tutorials - These files are split up in lessons, + each one talking about a different + approach or side of cracking. Most + of the lessons are very much worth + reading, even if I dont agree with + him in the frequent discussions about + languages like Delphi or the world in + general :) They might be a bit hard + to find as he seems to be a bit + reluctant about placing all of them + on the net. + +C. Thanks +~~~~~~~~~ + +The author would like to thank the following persons for helping him +with debugging the text, and verifying the wannabee-cracker-author's +theory's... + +[prizna], odin- and kOUGER - thanks! + + +D. Contacting me +~~~~~~~~~~~~~~~~ +You dont, but you *might* be able to find me on US-EFnet IRC. +Check for the nick qapla, it might be me. + + +thank you for reading this far, I hope you enjoyed it. (c)1997, Qapla' 
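Review bot: the tutorial text says "You *might* find this program attached to this tutorial" (section 2), but this commit adds only `wincrack.txt`; no companion file is part of the change. If the archive deliberately stores the text without whatever was originally attached, record that in the commit message or a directory README so that readers of the archive do not go looking for a missing attachment, and so the exclusion is visibly a policy rather than an accidental omission.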
diff --git a/textfiles.com/piracy/DREAMTEAM.1 b/textfiles.com/piracy/DREAMTEAM.1 new file mode 100644 index 00000000..db82ff5b --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM.1 @@ -0,0 +1,66 @@ + +T E X T F I L E S + +

Piracy Textfiles: The Dream Team

+

+

+ + + + + +
+
Filename
Size
Description of the Textfile
armor.nfo 8109
THE DREAM TEAM: Armour-Geddon from Psygnosis (December 4th, 1992) +
bloodnet.nfo 6726
THE DREAM TEAM: Blood-Net from Microprose (November 4th, 1993) +
bwing.nfo 5532
THE DREAM TEAM: B-Wing Expansion Disk by LucasArts (October 28, 1993) +
candd.nfo 7007
THE DREAM TEAM: Car and Driver from Electronic Arts (December 17th, 1992) +
crack.nfo 3777
THE DREAM TEAM: Wild Wheels from Ocean +
dinotrn.nfo 5288
THE DREAM TEAM: Dino Park Tycoon Trainer (August 14th, 1993) +
dr3.nfo 8578
THE DREAM TEAM: Dragon's Lair III: the Curse of Mordread from Readysoft (December 5th, 1992) +
dream.nfo 5237
THE DREAM TEAM: ELF From Ocean (June 10th, 1992) +
dream12.nfo 6960
THE DREAM TEAM: ROME From Millenium (November 22nd 1992) +
dream2.nfo 5474
THE DREAM TEAM: The Lost Vikings from Interplay (June 22nd, 1993) +
dream7.nfo 4979
THE DREAM TEAM: Yo! Joe! From Hudson Software (September 11th, 1993) +
dream9.nfo 7134
THE DREAM TEAM: Heartlight PC from X-Land (November 27th, 1992) +
euros.nfo 7431
THE DREAM TEAM: Eurosoccer from Flair Software (December 15th, 1992) +
fireice.nfo 7412
THE DREAM TEAM: Fire and Ice by Craftsgold (November 22, 1993) +
goblins3.nfo 5233
THE DREAM TEAM: Goblins 3 English by Coktel Vision (November 16, 1993) +
golf.nfo 4689
THE DREAM TEAM: International Golf from Ocean (June 10th, 1993) +
harrier.nfo 6903
THE DREAM TEAM: Harrier Jump Set from Microprose (December 17th, 1992) +
kohan.nfo 6954
THE DREAM TEAM: Koshan Conspiracy from UbiSoft (January 9th, 1993) +
laura.nfo 5825
THE DREAM TEAM: Laura Bow II: The Dagger of Amon Ra by Sierra (June 24th, 1992) +
lost.nfo 6826
THE DREAM TEAM: Lost in Time Part I from Coktel Vision (March 10th, 1993) +
msfs5.nfo 5198
THE DREAM TEAM: Microsoft Flight Simulator 5.0 Release (August 26th, 1993) +
pinball.nfo 7280
THE DREAM TEAM: Tristan Pinball from Littlewing (August 31st, 1992) +
premiere.nfo 6262
THE DREAM TEAM: Premiere Manager from Gremlin Graphics (May 27th, 1993) +
riders.nfo 7619
THE DREAM TEAM: Time Riders from TLC (August 24th, 1992) +
samurai.nfo 7710
THE DREAM TEAM: The First Samurai from Vidisoft (October 11th, 1992) +
sextris.nfo 7165
THE DREAM TEAM: Sex Tetris from Buena Software (September 5th, 1992) +
simphson.nfo 3786
THE DREAM TEAM: The Simpsons from Konami +
spectre.nfo 6993
THE DREAM TEAM: Spectre from Velocity (December 10th, 1992) +
sq5.nfo 7701
THE DREAM TEAM: Space Quest V from Sierra Release (February 18th, 1993) +
tdt0192.nfo 4984
THE DREAM TEAM: Paperboy II from Mindscape +
tdt0195.nfo 7227
THE DREAM TEAM: Risky Woods from Electronic Arts (October 7th, 1992) +
tdt0292.nfo 4970
THE DREAM TEAM: Super Space Invaders from Domark +
tdt0491.nfo 3907
THE DREAM TEAM: Battle Command +
tdt0592.nfo 5783
THE DREAM TEAM: Castle Wolfenstein 3-D Release Version (May 5th, 1992) +
tdt0593.nfo 4807
THE DREAM TEAM: Railroad Tycoon Deluxe (June 13th, 1993) +
tdt0792.nfo 6517
THE DREAM TEAM: Double Dragon III and Trainer (July 25th, 1992) +
tdt0793.nfo 4579
THE DREAM TEAM: When 2 Worlds War by Impressions (July 16th, 1993) +
tdt0895.nfo 3023
THE DREAM TEAM: The Patrician by Readysoft (August 3rd, 1995) +
tdt089~1.nfo 6774
THE DREAM TEAM: Dinosauri Balls from AMWA Computer Company (August 9th, 1992) +
tdt0993.nfo 4947
THE DREAM TEAM: The Great War from SSI (September 13th, 1993) +
tdt1092.nfo 7356
THE DREAM TEAM: Captive from Mindscape Software (October 14th, 1992) +
tdt1192.nfo 6940
THE DREAM TEAM: Curse of Enchantia from Core Design Limited (November 19th, 1992) +
tdt1291.nfo 4910
THE DREAM TEAM: World Wrestling Federation from Ocean +
tdt1292.nfo 7300
THE DREAM TEAM: The Incredible Machine from Sierra (December 2nd, 1992) +
tdt1293.nfo 5184
THE DREAM TEAM: Star Trek Judgement Rites from Interplay (December 17th, 1993) +
tdtrain.nfo 4535
THE DREAM TEAM: Flashback Mega Trainer (Hey, he needs an info form!) +
term2029.nfo 6427
THE DREAM TEAM: Terminator 2029 Weapons Cheat (October 29th, 1992) +
tony3.nfo 6940
THE DREAM TEAM: Tony La Russa Baseball II from SSI (March 12th, 1993) +
triviap.nfo 6795
THE DREAM TEAM: Deluxe Trivial pursuit from Domark (November 19th, 1992) +
trodd.nfo 6033
THE DREAM TEAM: Troddlers from Sales Curve (October 19, 1993) +
zack.nfo 7120
THE DREAM TEAM: Contraption Zack from Mindcraft (November 28th, 1992) +

There are 51 files for a total of 312,846 bytes.

+ + diff --git a/textfiles.com/piracy/DREAMTEAM/.windex.html b/textfiles.com/piracy/DREAMTEAM/.windex.html new file mode 100644 index 00000000..b9bd7f0d --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/.windex.html @@ -0,0 +1,66 @@ + +T E X T F I L E S + +
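Review bot: `textfiles.com/piracy/DREAMTEAM.1` is not a textfile but a saved index page (the "T E X T F I L E S" banner, the "Piracy Textfiles: The Dream Team" title and a Filename / Size / Description table ending in "There are 51 files for a total of 312,846 bytes."), and the `.1` suffix gives no hint of that; a `.1` extension is normally read as a man page section or a numbered backup copy. Either rename it to something that says what it is, or leave mirrored index pages out of the commit, and in both cases say in the commit message how this file came to sit at the top level of `piracy/`.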

Piracy Textfiles: The Dream Team

+

+

+ + + + + +
+
Filename
Size
Description of the Textfile
armor.nfo 8109
THE DREAM TEAM: Armour-Geddon from Psygnosis (December 4th, 1992) +
bloodnet.nfo 6726
THE DREAM TEAM: Blood-Net from Microprose (November 4th, 1993) +
bwing.nfo 5532
THE DREAM TEAM: B-Wing Expansion Disk by LucasArts (October 28, 1993) +
candd.nfo 7007
THE DREAM TEAM: Car and Driver from Electronic Arts (December 17th, 1992) +
crack.nfo 3777
THE DREAM TEAM: Wild Wheels from Ocean +
dinotrn.nfo 5288
THE DREAM TEAM: Dino Park Tycoon Trainer (August 14th, 1993) +
dr3.nfo 8578
THE DREAM TEAM: Dragon's Lair III: the Curse of Mordread from Readysoft (December 5th, 1992) +
dream.nfo 5237
THE DREAM TEAM: ELF From Ocean (June 10th, 1992) +
dream12.nfo 6960
THE DREAM TEAM: ROME From Millenium (November 22nd 1992) +
dream2.nfo 5474
THE DREAM TEAM: The Lost Vikings from Interplay (June 22nd, 1993) +
dream7.nfo 4979
THE DREAM TEAM: Yo! Joe! From Hudson Software (September 11th, 1993) +
dream9.nfo 7134
THE DREAM TEAM: Heartlight PC from X-Land (November 27th, 1992) +
euros.nfo 7431
THE DREAM TEAM: Eurosoccer from Flair Software (December 15th, 1992) +
fireice.nfo 7412
THE DREAM TEAM: Fire and Ice by Craftsgold (November 22, 1993) +
goblins3.nfo 5233
THE DREAM TEAM: Goblins 3 English by Coktel Vision (November 16, 1993) +
golf.nfo 4689
THE DREAM TEAM: International Golf from Ocean (June 10th, 1993) +
harrier.nfo 6903
THE DREAM TEAM: Harrier Jump Set from Microprose (December 17th, 1992) +
kohan.nfo 6954
THE DREAM TEAM: Koshan Conspiracy from UbiSoft (January 9th, 1993) +
laura.nfo 5825
THE DREAM TEAM: Laura Bow II: The Dagger of Amon Ra by Sierra (June 24th, 1992) +
lost.nfo 6826
THE DREAM TEAM: Lost in Time Part I from Coktel Vision (March 10th, 1993) +
msfs5.nfo 5198
THE DREAM TEAM: Microsoft Flight Simulator 5.0 Release (August 26th, 1993) +
pinball.nfo 7280
THE DREAM TEAM: Tristan Pinball from Littlewing (August 31st, 1992) +
premiere.nfo 6262
THE DREAM TEAM: Premiere Manager from Gremlin Graphics (May 27th, 1993) +
riders.nfo 7619
THE DREAM TEAM: Time Riders from TLC (August 24th, 1992) +
samurai.nfo 7710
THE DREAM TEAM: The First Samurai from Vidisoft (October 11th, 1992) +
sextris.nfo 7165
THE DREAM TEAM: Sex Tetris from Buena Software (September 5th, 1992) +
simphson.nfo 3786
THE DREAM TEAM: The Simpsons from Konami +
spectre.nfo 6993
THE DREAM TEAM: Spectre from Velocity (December 10th, 1992) +
sq5.nfo 7701
THE DREAM TEAM: Space Quest V from Sierra Release (February 18th, 1993) +
tdt0192.nfo 4984
THE DREAM TEAM: Paperboy II from Mindscape +
tdt0195.nfo 7227
THE DREAM TEAM: Risky Woods from Electronic Arts (October 7th, 1992) +
tdt0292.nfo 4970
THE DREAM TEAM: Super Space Invaders from Domark +
tdt0491.nfo 3907
THE DREAM TEAM: Battle Command +
tdt0592.nfo 5783
THE DREAM TEAM: Castle Wolfenstein 3-D Release Version (May 5th, 1992) +
tdt0593.nfo 4807
THE DREAM TEAM: Railroad Tycoon Deluxe (June 13th, 1993) +
tdt0792.nfo 6517
THE DREAM TEAM: Double Dragon III and Trainer (July 25th, 1992) +
tdt0793.nfo 4579
THE DREAM TEAM: When 2 Worlds War by Impressions (July 16th, 1993) +
tdt0895.nfo 3023
THE DREAM TEAM: The Patrician by Readysoft (August 3rd, 1995) +
tdt089~1.nfo 6774
THE DREAM TEAM: Dinosauri Balls from AMWA Computer Company (August 9th, 1992) +
tdt0993.nfo 4947
THE DREAM TEAM: The Great War from SSI (September 13th, 1993) +
tdt1092.nfo 7356
THE DREAM TEAM: Captive from Mindscape Software (October 14th, 1992) +
tdt1192.nfo 6940
THE DREAM TEAM: Curse of Enchantia from Core Design Limited (November 19th, 1992) +
tdt1291.nfo 4910
THE DREAM TEAM: World Wrestling Federation from Ocean +
tdt1292.nfo 7300
THE DREAM TEAM: The Incredible Machine from Sierra (December 2nd, 1992) +
tdt1293.nfo 5184
THE DREAM TEAM: Star Trek Judgement Rites from Interplay (December 17th, 1993) +
tdtrain.nfo 4535
THE DREAM TEAM: Flashback Mega Trainer (Hey, he needs an info form!) +
term2029.nfo 6427
THE DREAM TEAM: Terminator 2029 Weapons Cheat (October 29th, 1992) +
tony3.nfo 6940
THE DREAM TEAM: Tony La Russa Baseball II from SSI (March 12th, 1993) +
triviap.nfo 6795
THE DREAM TEAM: Deluxe Trivial pursuit from Domark (November 19th, 1992) +
trodd.nfo 6033
THE DREAM TEAM: Troddlers from Sales Curve (October 19, 1993) +
zack.nfo 7120
THE DREAM TEAM: Contraption Zack from Mindcraft (November 28th, 1992) +

There are 51 files for a total of 312,846 bytes.

+ + diff --git a/textfiles.com/piracy/DREAMTEAM/armor.nfo b/textfiles.com/piracy/DREAMTEAM/armor.nfo new file mode 100644 index 00000000..60c97c86 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/armor.nfo 
@@ -0,0 +1,121 @@ + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents + + ARMOUR-GEDDON FROM PSYGNOSIS + + Ŀ + RELEASE INFORMATION + Ĵ + Supplied by : /-\ction /\/\an & MUNCHIE - UK BEST + Cracked by : [HARD CORE] - [THE DREAM TEAM 1992] + PROTECTION : PASSWORD LEVEL [1/10] + Date : 4th December 1992 + Graphics : VGA 256 COLORS + Sound : ALL + Game Size : 3 720kb disks, Installation needed + + + Yeah, finally the AWESOME game from PSYGNOSIS is here! Armour-Geddon is an + awesome war strategic action battle simulator with increadible cool graphics + and great sound. + + Mouse and at least 630kb of free memory needed with 256 color setup. You + probably have to use QEMM or DOS=HIGH in your config.sys + + After installation make sure to copy the file ARMOUR.COM to your game + directory... + + Yet another time TDT brings you a QUALITY game...It seems like we are the + only group on the scene right now that stay away from the kiddie games... + THG do it, INC always did it, RAZOR start to do it, and today PYRADICAL did + it. You must admitt that a group reputation wont improve by releasing shit + software... + + If you had problems playing our GOBLINS II ENGLISH earlier today make sure + to grab the file GOB2CRK.ZIP on every TDT bbs! + + Be sure to grab the other (YES there is more to come) game coming tonight + from TDT... + + Greetings goes to : FALLEN ANGEL (Will we get another another one today?) + BIG BALLS (John's car is faster that yours!!!) + MUNCHIE & ACTION MAN (Great job guys) + AXXIX (Welcome in the group + + Have fun and see you later in our next QUALITY crack! + + The Dream Team 1992 - Growing , Improving and KILLING the competition + + Ŀ + If you want the newest and hottest soft very fast please write to. No swap. + Now even more improved/faster/better. If you did write before, try again! + + The Dream Team + PO. 
BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + + Ŀ + If you live in france write to + B.P.13 + 95370 MONTIGNY, FRANCE + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ ITS-PRI-VATE ....... 7 Nodes ..... USA ...... + Twins ..................... 514-723-4351 ....... 3 Nodes ..... Canada ... + New Central Europe ........ ITS-PRI-VATE .......12 Nodes ..... Germany .. + C.N.S. .................... 414-832-1449 ....... 2 Nodes ..... USA ...... + Crewel Lye ................ 713-432-0779 ..................... USA ...... + Terrordome ................ 416-619-1717 ....... 3 Nodes ..... Canada ... + Lite House Express ........ 407-624-4329 ....... 4 Nodes ..... USA ...... + Ĵ + THE DREAM TEAM HEADQUARTERS + Ĵ + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ..... Italy .... + Pandora's Box ............. 313-652-6137 ....... 5 Nodes ..... USA ...... + Realm Of Immortality ...... ITS-PRI-VATE ....... 3 Nodes ..... USA ...... + Guru's Dream .......... +(46)-8-28-27-60 ....... 5 Nodes ..... Sweden ... + Ĵ + NORTH AMERICAN DISTRIBUTION SITES + Ĵ + Big Time .................. 519-252-7400 ....... 2 Nodes ..... Canada ... + The Vertigo File .......... 815-667-4892 ..................... USA ...... + Asynchrone Entry .......... 418-661-8321 ....... 2 Nodes ..... Canada ... + The Deep .................. 305-888-7724 ..................... USA ...... + Vicious Paradise .......... 804-486-1810 ..................... USA ...... + PJ Tower .................. 714-356-9506 ..................... USA ...... + Ultanet Carnage ........... 314-XXX-XXXX ..................... USA ...... + The Inferno BBS ........... 519-884-4960 ..................... Canada ... + Ĵ + WORLD FAMOUS DISTRIBUTION SITES + Ĵ + Pure Addiction ........ +(61)-3-571-0700 ....... 4 Nodes ..... Australia. + Free Q8 ................ +(965)-532-4360 ..................... Kuwait ... + Exodus BBS ............. +(352)-42-44-92 ..................... Luxembourg + Checkpoint Charlie ...... 
+(47)-42-67992 ..................... Norway ... + Parasite's Land ...... +(39)-935-958-196 ..................... Italy .... + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + Hard Core , Devious Doze , The Grim Reaper + Major Theft , Wolverine , Roger Wilco + Fallen Angel , Offset , Ironside , ActionMan , Dr. Q2 + Redskin , Freebird , Desert Rat , Spread , Black Rider , Nowayout + The Ghost Wind , Stroke , Snidely Whiplash , Sparkling Flash + Maximilian , Yip Yip , Dirty Bush , RON , Electron.. , Sought After + Buckaroo Banzai , Dr Crippen , Pepsi Man , Black Terror , Phil Thrust + Stingray , The Corporal , Great White/The Speed Racer , Dave & Chris + Soul Taker , S.S , AXXIX + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + UNDER RE-CONTRUCTION + + diff --git a/textfiles.com/piracy/DREAMTEAM/bloodnet.nfo b/textfiles.com/piracy/DREAMTEAM/bloodnet.nfo new file mode 100644 index 00000000..b5d90859 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/bloodnet.nfo 
@@ -0,0 +1,108 @@ + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents: + + Ŀ + +:+ Bloodnet (c) Microprose +:+ + Ĵ + Cracker......: N/A Supplier...: MR.TDT + Game Overall.: 100% Date.......: 1993-11-04 + Graphics.....: VGA/MCGA 256 colors Sound......: Adlib/SB + + + A TDT QUALITY RELEASE + + Game notes: This is DEFINITLY the best game i played this YEAR. No biggie + about the graphics or the sound, but the gameplay is DEFINITLY + one kick ass story... + + You are a hacker/cyberpunk, which job is to infiltrate a big net- + work system. Going into Cybernet takes you into the CYBERWORLD + where you can hack systems, get trapped by data-spiders, + implement viruses, meet other hackers etc etc... + + Going around in the futuristic New York, where you can buy + Cyber-equipment, more weapons and trying to figure out why you + are on THE COMPANYS HITLIST, you better watch out for staying + out of trouble. + + Using the mouse you can scroll the New York map up and down, then + click on the target where you want to go. + + If you want to go somewhere in the network, you are asked for a + sequrity code, this is actually a part of the game. While you go + and play it, diffrent people trade or simple gives you diffrent + access codes. + + Also, don't forget to arm your party in time as when you are + standing face to face with a well pissed cyberpunk ready to + launch it lasergun at you, you wont get any chance to equip + yourself with weapons... + + This is looking like a long boring text, but as i played this + game for second day in a row, i wanted to give you guys a few + tips in the start, as the game may look confusing at beggining! + + Have fun a be sure to grab the other TDT releases coming soon... + + Group greetings : Pentagram - The only group together with The Dream Team + showing activities!!! + + Personal greetings: Fallen Angel, Waywayrd, Lefty, Torgall, Warchild & Hoson + + Welcome to : Beawulf our NEWEST US cracker and MARK TWAIN sysop! 
+ + Goodbye's to : DEAD GOON - Fun while it lasted... + + The Dream Team cracking machine... + Ŀ + If you want to GET the latest IBM software then write to + TDT DISKS-BY-MAIL + PO BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + + Ŀ + +:+ THE DREAM TEAM FULL BOARD LIST +:+ + ------------------------------ + Ĵ + UNLAWFUL ENTRY...............ITS-PRI-VATE.......8 NODES.......MEMBER/WHQ. + ALPHA 2010...................ITS-PRI-VATE.......6 NODES.......MEMBER..... + BEYOND AKIRA.................416-461-9101.......3 NODES.......MEMBER..... + Ĵ + DA HAUZE.....................ITS-PRI-VATE.......6 NODES.......BENELUX HQ. + ON THE EDGE..................ITS-PRI-VATE.......1 NODE........US HQ...... + SECOND FRONT.................+46-87987584.......2 NODES.......SWEDEN HQ.. + Ĵ + THE DEEP.....................305-888-7724.......2 NODES.......DISTRO..... + THE BACK ROOM................615-245-6617.......2 NODES.......DISTRO..... + REBEL ALLIANCE...............908-738-9281.......2 NODES.......DISTRO..... + REAGGE MUFFIN................+47-798-4551.......1 NODE........DISTRO..... + THE SKYTOPOLIS...............+41-44-31651.......1 NODE........DISTRO..... + GRAVEBEARD'S CASTLE..........601-939-7339.......4 NODES.......DISTRO..... + + + Ŀ + +:+ THE DREAM TEAM FULL MEMBER LIST +:+ + ------------------------------- + + HARD CORE & HOSON + + CYBER, BEN JAMMIN, BEOWULF, DEVIOUS DOZE, DR. MAGIC, EDWARD CHANG + EXCESSIVE KNIGHT, HOT TUNA, LiON, MAC BETH, MAJOR THEFT, MAVERICK + PABLO, REDSKIN, PHARAOH, ROGER WILCO, THE MAGIC ARTIST, THE GHOST WIND + + Ĵ + +:+ THE DREAM TEAM SPREADING TEAM +:+ + ----------------------------- + FIREHEAD + + RADICAL, SHADOW, SUN BLAZER, THE MASTER, THE ACE OF SPADES + ALWAYS DANGEROUS, SKYBUM + + + + TDT GIVES YOU THE BEST TITLES! diff --git a/textfiles.com/piracy/DREAMTEAM/bwing.nfo b/textfiles.com/piracy/DREAMTEAM/bwing.nfo new file mode 100644 index 00000000..3c558a7d --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/bwing.nfo 
@@ -0,0 +1,85 @@ + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents: + + Ŀ + +:+ B-Wing Expansion Disk (c) Lucas Arts +:+ + Ĵ + Cracker......: N/A Supplier...: MR.TDT + Game Overall.: 85% Date.......: 1993-10-28 + Graphics.....: VGA/MCGA 256 colors Sound......: ALL + + + A TDT QUALITY RELEASE + + Crack notes: Here's another expansion for X-Wing, subst and install! + Never was a fav-o-X meself, but maybe some crazy dude + will like this one! + Have fun, I'm off to play Shadow Caster! + + Have fun a be sure to grab some more TDT releases coming your + way! + + Group greetings : PTG - That Shadow Caster was AWESOME! + FLT - Yeah, I figured you got rid of some people! + RAZOR 1911 - Hey, Kjetil! Call me I lost yer numba on + me answering machine! + + - Hoson + + Personal greetings: HARD CORE / WINSTON / DEAD GOON / SANDY / TMA / MAC BETH + + TDT - Satan is my nephew... + Ŀ + If you want to GET the latest IBM software then write to + TDT DISKS-BY-MAIL + PO BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + + Ŀ + +:+ THE DREAM TEAM FULL BOARD LIST +:+ + ------------------------------ + Ĵ + UNLAWFUL ENTRY...............ITS-PRI-VATE.......8 NODES.......MEMBER/WHQ. + ALPHA 2010...................ITS-PRI-VATE.......6 NODES.......MEMBER..... + BEYOND AKIRA.................416-461-9101.......3 NODES.......MEMBER..... + EXALTED DEATH................ITS-PRI-VATE.......2 NODES.......MEMBER..... + Ĵ + DA HAUZE.....................ITS-PRI-VATE.......6 NODES.......BENELUX HQ. + ON THE EDGE..................ITS-PRI-VATE.......1 NODE........US HQ...... + MAPHIA.......................ITS-PRI-VATE.......4 NODES.......MEGA HQ.... + Ĵ + WIZARD'S TOWER...............419-874-5143.......3 NODES.......DISTRO..... + THE DEEP.....................305-888-7724.......2 NODES.......DISTRO..... + SECOND FRONT.................+46-87987584.......2 NODES.......DISTRO..... + THE BACK ROOM................615-245-6617.......2 NODES.......DISTRO..... 
+ REBEL ALLIANCE...............908-738-9281.......2 NODES.......DISTRO..... + REAGGE MUFFIN................+47-798-4551.......1 NODE........DISTRO..... + THE SKYTOPOLIS...............+41-44-31651.......1 NODE........DISTRO..... + + + Ŀ + +:+ THE DREAM TEAM FULL MEMBER LIST +:+ + ------------------------------- + + HARD CORE & HOSON + + CYBER, BEN JAMMIN, DEAD GOON, DEVIOUS DOZE, DR. MAGIC, EDWARD CHANG + EXCESSIVE KNIGHT, HOT TUNA, LiON, MAC BETH, MAJOR THEFT, MAVERICK + PABLO, REDSKIN, PHARAOH, ROGER WILCO, THE MAGIC ARTIST + THE GHOST WIND & PIOTR ILNICKI + + Ĵ + +:+ THE DREAM TEAM SPREADING TEAM +:+ + ----------------------------- + + FIREHEAD, RADICAL, SHADOW, SUN BLAZER, THE MASTER, THE ACE OF SPADES + ALWAYS DANGEROUS, SKYBUM + + + + VI E SKEPTISKA! \ No newline at end of file diff --git a/textfiles.com/piracy/DREAMTEAM/candd.nfo b/textfiles.com/piracy/DREAMTEAM/candd.nfo new file mode 100644 index 00000000..8a715895 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/candd.nfo 
@@ -0,0 +1,106 @@ + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents: + + CAR AND DRIVER FROM ELECTRONIC ARTS + + Ŀ + RELEASE INFORMATION + Ĵ + Supplied by : ROGER WILCO ............................................... + Date : 17th December 1992 ........................................ + Graphics : 256 VGA ................................................... + Sound : ALL ....................................................... + Game Size : 5 1.44Mb disks, Use Subst or Install From Floppies ........ + + + Another great game from THE DREAM TEAM! + + God, this is getting tedious... + We've been doing about 1 game a day+ for over 3 weeks now... + Hope you guys have liked the last 80+ Megz of games in the last 30 Days... + + This one is a Car and Driver Magazine... Looks worth checking out... + It lets you Test Drive the Top 10 cars in the world... + Good graphics, decent sound... You can even turn on diff radio stations + as you drive these different Exotic cars around the track... + This one came out of Europe, but is going to be distributed by + Electronic Arts in the U.S. ... + + Try it out... + + Greets: Roger Wilco (Thanks), Munchie (Good work, eh?), + Hard Core (You still asleep??), and to White Rose our new Courier... + + 80+ Megz, and more to come... + Had Enuff? + -=TDT=- World Domination '93 + + Ŀ + If you want the newest and hottest soft very fast please write to. No swap. + Now even more improved/faster/better. If you did write before, try again! + + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + + Ŀ + If you live in france write for the LATEST to: + B.P.13 + 95370 MONTIGNY, FRANCE + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ ITS-PRI-VATE ....... 7 Nodes ... Major Theft. + Twins ..................... 514-723-4351 ....... 4 Nodes ... Spread ..... + New Central Europe ........ NOW- ON-LINE .......13 Nodes ... Phil Thrust. + Lite House Express ........ ITS-PRI-VATE ....... 4 Nodes ... Freebird ... 
+ Terrordome ................ 416-619-1717 ....... 3 Nodes ... Stingray ... + Ĵ + THE DREAM TEAM HEADQUARTERS + Ĵ + Highland Board ............ ITS-PRI-VATE ....... 5 Nodes ... Ironside ... + Realm Of Immortality ...... ITS-PRI-VATE ....... 3 Nodes ... Sparkling F. + Guru's Dream .......... +(46)-8-28-27-60 ....... 5 Nodes ... Dirty Bush . + Ĵ + NORTH AMERICAN DISTRIBUTION SITES + Ĵ + Big Time .................. 519-252-7400 ....... 2 Nodes ... Stroke ..... + The Vertigo File .......... 815-667-4892 ....... 2 Nodes ... Vertigo .... + Asynchrone Entry .......... 418-661-8321 ....... 2 Nodes ... Black Terror + The Deep .................. 305-888-7724 ................... Speed Racer. + Vicious Paradise .......... 804-486-1810 ................................ + PJ Tower .................. 714-356-9506 ................................ + Ultimate Carnage .......... 314-949-5823 ................... Devestator . + The Drop Zone ............. 504-769-8880 ................... Milamber ... + The Inferno BBS ........... 519-884-5071 ................................ + Ĵ + WORLD FAMOUS DISTRIBUTION SITES + Ĵ + Pure Addiction ........ +(61)-3-571-0700 ....... 4 Nodes ... Yip Yip .... + Free Q8 ................ +(965)-532-4360 ................... Desert Rat . + Exodus BBS ............. +(352)-42-44-92 ................... Redskin .... + Checkpoint Charlie ...... +(47)-42-67992 ................... Vandall .... + + Ŀ + THE DREAM TEAM MEMBERS [16 MEMBERS] + Ĵ + Hard Core + The Grim Reaper - Dr.Q2 - Sought After - Pepsi Man - Buckaroo Banzai + Munchie - Roger Wilco - Offset - ActionMan - Maximilian + S.S - Black Rider - SoulTaker - Dave & Chris - CYBER + Ĵ + THE DREAM TEAM COURIER SYSTEM [8 COURIERS] + Ĵ + Sharp - XAVIER X - Lord Disembowelment - Coyotes Memeber - Freak & Shogun + ROTOX - SKYBUM - White Rose + + + NO UPDATES - NO NONEGLISH GAMES - NO WINDOWS SHIT - NO CD ROM GAMES + + -*- Q U A L I T Y O N L Y -*- 
diff --git a/textfiles.com/piracy/DREAMTEAM/crack.nfo b/textfiles.com/piracy/DREAMTEAM/crack.nfo new file mode 100644 index 00000000..3b81393d --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/crack.nfo @@ -0,0 +1,70 @@ + + <>/<>/<>/<>/<>/<>/<>/<> THE DREAM TEAM & SKID ROW <>\<>\<>\<>\<>\<>\<>\<> + + P R E S E N T S + + WILD WHEELS FROM OCEAN + + Ŀ + GAME/CRACK INFORMATION + Ĵ + Cracker -> Cum Spreader + Game Supplied by -> Action Man + Protection -> Type Any Garbage + Display Screen -> EGA/VGA 256 + Sound Boards -> Speaker/Adlib/Roland + Game Overall -> 65% + + +Game Notes: After DeathBringer we are here to bring you another qualithy + crack! This game is similar to SPEEDBALL 2, but the diffrence + is that in this game you are driving a car. Many keys and + options are avalible. Just have fun! + + See you soon in our next crack... + + Start the game with the file 'WILD.EXE' + +Greetings : USA/FLT - INC - THG - TRSI + + + The Dream Team Members + are + Hard Core,ActionMan,Sandman,Slayer,Con Artist,Jammer + Roger Wilco,Dr Pepsi,Cum Spreader,Norrin Radd,Ranx,Touch Tone + and all sysops + + Skid Row Members + are + FFC - Stark - SubZero + + Ŀ + The Dream Team/Skid Row [ OUTSIDE US ] + ij + Hard City +46-PRI-VATE Hard Core + Turk 51 Zone +31-104-296515 TDB + NetWork +31-2550-31623 Papillon + Bloom County +46-300-40258 Opus + No Name 358-187-818-316 Snake Man 2 Nodes + Orange Juice +61-3571-1627 Yip Yip 3 Nodes + TWINS 514-723-1712 Spread + WareHouse +358-625-806 Disco + The Star Factory +46-8-7172761 B.B. King + Paint In Black +49-6565-4553 Stoned Warrior 3 Nodes + ij + The Dream Team/Skid Row [ US ] + ij + Motherboard One 714-971-0172 Touch Tone 5 Nodes + Pirates Ship 515-277-1906 Skeleton 2 Nodes + Revelation 301-423-7860 Ghost Wind 4 Nodes + Orions Belt 718-370-8890 Pluto + + + If you want to contact us write to + + TDT SWEDEN + BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + \ No newline at end of file 
diff --git a/textfiles.com/piracy/DREAMTEAM/dinotrn.nfo b/textfiles.com/piracy/DREAMTEAM/dinotrn.nfo new file mode 100644 index 00000000..43c4121e --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/dinotrn.nfo 
@@ -0,0 +1,80 @@ + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents: + + DINO PARK TYCOON TRAINER + Ŀ + RELEASE INFO + Ĵ + Trainer......: Dark Overlord Supplier...: TDT + Game Overall.: 60% Date.......: 14TH OF AUGUST 1993 + Graphics.....: 256 COLOURS VGA Sound......: ALL + + + + Well my first release as a TDT member! Load up the TSR and it will + automatically keep your cash at 8 Million and something. I thought + this was the best way so you can buy anything you want and as much + as you want. Great to be aboard a great group - TDT! + + + Personal greetings: Shadow Stalker, The Unknown, Hardcore, + and The Rest Of The TDT guys. + + Group greetings goes to : THG, FAIRLIGHT, RAZ0R + + + The Dream Team - Some things lives forever... + Ŀ + If you want to have the NEWEST and HOTTEST IBM programs then write to + + TDT DISKS-BY-MAIL + PO. BOX 46 + S-37 464 STALOWA WOLA 6 + POLAND + + Ŀ + MEMBER BOARDS + Ĵ + UNLAWFUL ENTRY =*= ITS-AWE-SOME =*= 8 NODES =*= MEMBER + TWINS =*= 514-251-1838 =*= 4 NODES =*= MEMBER + ALPHA 2010 =*= ITS-AWE-SOME =*= 6 NODES =*= MEMBER + UNKNOWN ORIGIN =*= 214-UNK-NOWN =*= 2 NODES =*= MEMBER + EXALTED DEATH =*= 314-966-2270 =*= 2 NODES =*= MEMBER + SPLATTER HOUSE =*= 408-PRI-VATE =*= 1 NODES =*= MEMBER + Ĵ + SHOCK TO THE SYSTEM =*= +39-PRI-VATE =*= 5 NODES =*= ITALIAN HQ + GURU'S DREAM =*= +46-8-282760 =*= 9 NODES =*= SWEDISH HQ + PHONE HENGE =*= 407-586-0634 =*= 2 NODES =*= US HQ + DA HAUZE =*= +31-76719111 =*= 4 NODES =*= BENELUX HQ + LIGHTHOUSE SPEED =*= +49-PRI-VATE =*= 3 NODES =*= GERMAN HQ + Ĵ + THE CITADEL OF DARKNESS =*= +61-38993247 =*= 2 NODES =*= DISTRO + WIZARD'S TOWER =*= 419-874-2704 =*= 3 NODES =*= DISTRO + THE DEEP =*= 305-888-7724 =*= 2 NODES =*= DISTRO + THE LIQUOR CABINET =*= 214-368-7317 =*= 2 NODES =*= DISTRO + + Ŀ + THE DREAM TEAM FULL MEMBER LIST + Ĵ + + HARD CORE, HOSON, THE UNKNOWN, REDSKIN + + BLACK RIDER, BLOODY BUTCHER, BLUE LIQUID, CYBER, COOL HAND, DARK LORD, + DARK OVERLORD, DEAD GOON, DIABLO, EDWARD 
CHANG, INTREPID, INTREQ, + THE JET, MAC BETH, MAJOR THEFT, MARAUDING GOBLIN, MARTIAL ARTIST, + MAVERICK, NULL SET, ROGER WILCO, S.S, SPREAD, + THE MAGIC ARTIST, X + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + THE DREAM TEAM SPREADING TEAM + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + FIREHEAD, PETER FALK, MYSTIK TIGER, SCOUT, THE MASTER, RADICAL, ROTOX + + + + ONLY FOR THE FAME! + \ No newline at end of file diff --git a/textfiles.com/piracy/DREAMTEAM/dr3.nfo b/textfiles.com/piracy/DREAMTEAM/dr3.nfo new file mode 100644 index 00000000..9621e15b --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/dr3.nfo 
@@ -0,0 +1,127 @@ + + + -//- T H E D R E A M T E A M -\\- + + (Who else?!?) Proudly Presents: + + DRAGON'S LAIR III: THE CURSE OF MORDREAD FROM READYSOFT + + Ŀ + RELEASE INFORMATION + Ĵ + Supplied by : THE GRIM REAPER + Cracked by : [HARD CORE] - [THE DREAM TEAM 1992] + PROTECTION : EASY PASSWORD , WITH A DOUBLE CHECK WHICH THG FAILED ON... + Date : 5th December 1992 + Graphics : VGA 256 COLORS + Sound : ALL + Game Size : 5 1.44Mb's, Unzip into a Directory, and Run... + + + FINAL NOTES: You CANNOT just extract one or two files from our version and + use it on the THG version, they mixed their DATA disks, there- + for you need the whole TDT version! Thank you for choosing TDT! + + What can we say? THG had this one 5 Hours before us, but they !ROYALLY! + fucked up the crack on this one... I meant, it doesn't work for !SHIT!... + You do get to see a nice 5 seconds of play tho... + + So here we are with a 100% Crack... We couldn't re-release a smaller + version and be sure it would work, so here's the complete 100% cracked + version. + + Has been quite some time since Singe's Castle was released... + + In any case, to clear some confusion, Dragon's Lair II was titled: Time Warp + Singe's Castle wasn't released in the Arcades I don't think, so they didn't + call it Dragon's Lair III... This one is titled Dragon's Lair III: The + Curse of Mordread... as said above... and is TOTALLY new... of course... + This version even adds a few new animations not found in the original + Laser Disc Arcade version of DL3. + + So, looks like another big one from Readysoft... Graphics are awesome as + always w/full animation and digitized sound. The playability is + surprisingly a bit better than the old ones... I'd give it an 8/10... + Well worth trying out... + + Greets go out to: THG... Whooops... Your best people have retired... + Hard Core, Fallen Angel, Wolverine, Dr. Q2, + Vertigo, Soultaker, and Sparkling Flash... 
+ + No DEMOs, No Updates, No Windows, No Kiddie Warez, + and No Foreign Language games you can't speak... + Only the BEST... + + Have fun, and see ya in our next QUALITY crack! + + Ŀ + If you want the newest and hottest soft very fast please write to. No swap. + Now even more improved/faster/better. If you did write before, try again! + + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + + Ŀ + If you live in france write to + B.P.13 + 95370 MONTIGNY, FRANCE + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ ITS-PRI-VATE ....... 7 Nodes ..... USA ...... + Twins ..................... 514-723-4351 ....... 3 Nodes ..... Canada ... + New Central Europe ........ ITS-PRI-VATE .......12 Nodes ..... Germany .. + C.N.S. .................... 414-832-1449 ....... 2 Nodes ..... USA ...... + Crewel Lye ................ 713-432-0779 ..................... USA ...... + Terrordome ................ 416-619-1717 ....... 3 Nodes ..... Canada ... + Lite House Express ........ 407-624-4329 ....... 4 Nodes ..... USA ...... + Ĵ + THE DREAM TEAM HEADQUARTERS + Ĵ + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ..... Italy .... + Pandora's Box ............. 313-652-6137 ....... 5 Nodes ..... USA ...... + Realm Of Immortality ...... ITS-PRI-VATE ....... 3 Nodes ..... USA ...... + Guru's Dream .......... +(46)-8-28-27-60 ....... 5 Nodes ..... Sweden ... + Ĵ + NORTH AMERICAN DISTRIBUTION SITES + Ĵ + Big Time .................. 519-252-7400 ....... 2 Nodes ..... Canada ... + The Vertigo File .......... 815-667-4892 ..................... USA ...... + Asynchrone Entry .......... 418-661-8321 ....... 2 Nodes ..... Canada ... + The Deep .................. 305-888-7724 ..................... USA ...... + Vicious Paradise .......... 804-486-1810 ..................... USA ...... + PJ Tower .................. 714-356-9506 ..................... USA ...... + Ultimate Carnage .......... 314-XXX-XXXX ..................... USA ...... + The Inferno BBS ........... 
519-884-4960 ..................... Canada ... + Ĵ + WORLD FAMOUS DISTRIBUTION SITES + Ĵ + Pure Addiction ........ +(61)-3-571-0700 ....... 4 Nodes ..... Australia. + Free Q8 ................ +(965)-532-4360 ..................... Kuwait ... + Exodus BBS ............. +(352)-42-44-92 ..................... Luxembourg + Checkpoint Charlie ...... +(47)-42-67992 ..................... Norway ... + Parasite's Land ...... +(39)-935-958-196 ..................... Italy .... + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + Hard Core , Devious Doze , The Grim Reaper + Major Theft , Wolverine , Roger Wilco + Fallen Angel , Offset , Ironside , ActionMan , Dr. Q2 + Redskin , Freebird , Desert Rat , Spread , Black Rider , Nowayout + The Ghost Wind , Stroke , Snidely Whiplash , Sparkling Flash + Maximilian , Yip Yip , Dirty Bush , RON , Electron.. , Sought After + Buckaroo Banzai , Dr Crippen , Pepsi Man , Black Terror , Phil Thrust + Stingray , The Corporal , Great White/The Speed Racer , Dave & Chris + Soul Taker and S.S + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + UNDER RE-CONTRUCTION + + + "ORIGINAL IDEA - [HARD CORE] - [THE DREAM TEAM 1992]" diff --git a/textfiles.com/piracy/DREAMTEAM/dream.nfo b/textfiles.com/piracy/DREAMTEAM/dream.nfo new file mode 100644 index 00000000..32828ff4 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/dream.nfo 
@@ -0,0 +1,72 @@ + + + -//- T H E D R E A M T E A M -\\- + + + -*- Proudly Present -*- + + - ELF - FROM OCEAN + + Ŀ + RELEASE INFORMATION + Ĵ + Cracked by : -no protection- + Packaged by : Devious Doze + Supplied by : Roger Wilco/TDT + Released : 10th June 1992 - 12:30 PM EST + Graphics : VGA / EGA / CGA + Sound : Sound Blaster / Adlib / Pc-Speaker + + Ŀ + RELEASE NOTES + + Playtested the game, and found no signs of copy protection... should + anyone find any at later stages then contact one of the Dream Team + members. Anyway the game is very nice.. for all those platform + adventurers. THE DREAM TEAM RULES IN 1992!! + Devious DoZe/THE DREAM TEAM'92!! + Ŀ + The Dream Team is always ready to take in new members. But we want only + the best. If you can supply games, make music (MOD) , or draw graphics + contact us by calling the nearest TDT bbs or write to our post box! + + Also if you are intrested in the newest and hottest make sure to write to + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + ActionMan, Asmodeus, Con Artist, Desert Rat, Devious Doze, Hard Core + IronSide, Jammer, Major Theft, Mr Thompson, Nightman, Offset, Paul, + Redskin, Roger Wilco, Snake Man, Spread, The Ghost Wind, Union Jack, + Yip Yip + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + Ace, Black Mischief, Crash Impact, Fallen Angel, Lord Of The Rings, + Mystic Vision, Night Shadow, Overlord, Pixel, Syzzo, Turbo Interceptor, + The Headman, Venom + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ 612-PRI-VATE ....... 5 Nodes ................ + Akira Project ........ 416-512-8566/8567 ....... 3 Nodes ................ + Revelation ................ 301-PRI-VATE ....... 5 Nodes ................ + East BBS ............... +(46)-8-940-614 ................................ + Twins ..................... 514-723-4351 ....... 2 Nodes ................ + No Name .............. +(49)-523-491-242 ................................ 
+ Ĵ + DRISTRIBUTION SITES + Ĵ + Juve Rehab .......... +(358)-187-818-316 ....... 2 Nodes ................ + Free Q8 ................ +(965)-532-4360 ................................ + Highland Board ....... +(39)-362-901-606 ....... 3 Nodes ................ + Orange Juice ........... +(61)-357-10747 ....... 2 Nodes ................ + Hell ...................... 313-349-4933 ....... 2 Nodes ................ + Phase Shift ............... 604-732-4645 ................................ + + diff --git a/textfiles.com/piracy/DREAMTEAM/dream12.nfo b/textfiles.com/piracy/DREAMTEAM/dream12.nfo new file mode 100644 index 00000000..6c495de1 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/dream12.nfo 
@@ -0,0 +1,99 @@ + + + -//- T H E D R E A M T E A M -\\- + + + Proudly Presents + + R O M E f r o m M i l l e n i u m + + Ŀ + RELEASE INFORMATION + Ĵ + Supplied by : --*-- R O G E R W I L C O --*-- + Cracked by : ....ooOoo.... HARD CORE ....ooOoo.... + Date : 22nd November 1992 + Graphics : VGA 256 Colors + Sound : Adlib/Soundblaster/Speaker + Game Size : 3 720kb Disks, Installation needed + + + This is another kick ass game with full Soundblaster support and 256 colors + MCGA graphics. + + The Rome was a powerful nation. You are one of the poor slaves in that + society... The game begins when you get a mission from your master. But you + dont pay much attention to your master. You have bigger plans about becoming + the CEASAR of ROME. But the way is very dangerous and difficult. + + Greetings goes to: ICE CUBE - PYRADICAL - PIEMAN - S.S - DOZE - ACTION MAN + + Oh btw, Europeans do it better... + + Have fun and see you later in our next QUALITY crack! + + Ŀ + If you want the newest and hottest soft very fast please write to + + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + If you want the best disk-by-mail deal in FRANCE write to + B.P.13 + 95370 MONTIGNY, FRANCE + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ ITS-PRI-VATE ....... 7 Nodes ..... USA ...... + Revelation ................ ITS-PRI-VATE ....... 5 Nodes ..... USA ...... + Twins ..................... 514-723-4351 ....... 3 Nodes ..... Canada ... + New Central Europe ........ ITS-PRI-VATE .......12 Nodes ..... Germany .. + Central Nervous System .... 414-832-1449 ....... 2 Nodes ..... USA ...... + Crewel Lye ................ 713-432-0779 ..................... USA ...... + Ĵ + EUROPE AND SAUDI ARABIA'N DISTRIBUTION SITES + Ĵ + Orage Juice ........... +(61)-3-571-0700 ....... 4 Nodes ..... Australia + Free Q8 ................ +(965)-532-4360 ..................... Kuwait ... + Exodus BBS ............. +(352)-42-44-92 ..................... 
Luxembourg + Checkpoint Charlie ...... +(47)-42-67992 ..................... Norway ... + Ĵ + THE DREAM TEAM HEADQUARTERS + Ĵ + Lite House Express ........ 407-624-4329 ....... 4 Nodes ..... USA ...... + Pandora's Box ............. 313-652-6137 ....... 5 Nodes ..... USA ...... + Realm Of Immortality ...... ITS-PRI-VATE ....... 3 Nodes ..... USA ...... + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ..... Italy .... + Guru's Dream .......... +(46)-8-28-27-60 ....... 5 Nodes ..... Sweden ... + Ĵ + NORTH AMERICAN DISTRIBUTION SITES + Ĵ + Big Time .................. 519-252-7400 ....... 2 Nodes ..... Canada ... + The Vertigo File .......... 815-667-4892 ..................... USA ...... + Members Only .............. ITS-PRI-VATE ....... 2 Nodes ..... USA ...... + Asynchrone Entry .......... 418-661-8321 ....... 2 Nodes ..... Canada ... + The Deep .................. 305-888-7724 ..................... USA ...... + Vicious Paradise .......... 804-486-1810 ..................... USA ...... + PJ Tower .................. 714-356-9506 ..................... USA ...... + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + Hard Core , Devious Doze , The Grim Reaper + Major Theft , Wolverine , Roger Wilco , The Corporal + Fallen Angel , Offset , Ironside , ActionMan , Dr. Q2 + Redskin , Phil Thrust , Desert Rat , Spread , Black Rider + The Ghost Wind , Stroke , Snidely Whiplash , Sparkling Flash + Maximilian , Yip Yip , Dirty Bush , RON , Electron.. , Sought After + Buckaroo Banzai , Dr Crippen , Pepsi Man , Black Terror + Great White/The Speed Racer + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + Soul Taker , Sharp , BOO , The Hexmaster , The Devestator + The Black Paladin , Freak & Shogun , Rotox , Q-Tip + \ No newline at end of file diff --git a/textfiles.com/piracy/DREAMTEAM/dream2.nfo b/textfiles.com/piracy/DREAMTEAM/dream2.nfo new file mode 100644 index 00000000..b77aea05 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/dream2.nfo 
@@ -0,0 +1,92 @@ + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents: + + THE LOST VIKINGS FROM INTERPLAY + Ŀ + RELEASE INFO + Ĵ + Cracked by.. : HARD CORE.... ..... Supplier.. : DARK FORCE......... + Game Overall : 85% ............... Date...... : 22nd June 1993 .... + Graphics.... : VGA 256 COLORS .... Sound..... : All ............... + + + The Lost Vikings "They Just Want to go Home!" + + Well -TDT- is back with it's first release of the Summer. A Simple + doc-check that was quickly taken care of. After a Preview, a Snes and + Amiga version the game has finally come out. Once you get into this game + you will not be able to stop, Puzzles, Action and more. Thats it, Hope + To see you in another TDT Summer release soon. + + * Install Notes * + + - After you install the game, you will have to exit the install + program (either by alt-x or answer the questions wrong). + - Then copy the setup.exe file into the directory and run it. + + + Greetings to - TRSI / THG / RAZOR 1911 / THE UNTOUCHABLES + & PUBLIC ENEMY + + Personal Greetings to - Hard Core, Dr. Detergent, Spread & Major Theft + (May the force be with you all!) + + + * Box-Hype * + + - Prepare for hours of fun with hundreads of mind-blowing puzzles to play + and conquer. + - Jam through over 35 rip-roaring levels. + - Blast your way into different worlds,including Prehistoria, Egypt, The + Great Factory, Wacky World and more. + - Feel the power rush as you control the unique, radical moves of all + threee vikings. + - Each viking has his own definite attitude, too. Powerful runner Erik + The Swift, burly defender Olaf the stout, and the unyielding swordsman + Baleog the Fierce--come alive as the talk to each other in hysterical + cartoon captions. + - An infectious musical score with an incredible beat. + + + The Dream Team '93 - Nothing last forever....exept TDT! + Ŀ + If you want to catch the NEWEST and HOTTEST IBM programs then write to + + TDT DISK-BY-MAIL + PO. 
BOX 46 + S-37 464 STALOWA WOLA 6 + POLAND + + Ŀ + MEMBER BOARDS + Ĵ + UNLAWFUL ENTRY /./ ITS-PRI-VATE /./ 8 LINES /./ MEMBER + TWINS /./ 514-723-4351 /./ 4 LINES /./ MEMBER + ALPHA 2010 /./ 210-687-9660 /./ 6 LINES /./ MEMBER + FEAR & LOATHING /./ ITS-PRI-VATE /./ 6 LINES /./ MEMBER + Ĵ + HIGHLAND /./ +[39]-PRI-VATE /./ 5 LINES /./ ITALY HQ + GURU'S DREAM /./ +[46]-828-2760 /./ 5 LINES /./ SWEDEN HQ + PHONE HENGE /./ 407-586-0634 /./ 1 LINE /./ US HQ + Ĵ + GRAVE BEARD'S CASTLE /./ 601-939-0634 /./ 3 LINES /./ DISK SITE + THE CITADEL OF DARK. /./+[61]-3-899-3247 /./ 2 LINES /./ DISK SITE + DA HAUZE /./+[31]-76-71-9111 /./ 4 LINES /./ DISK SITE + + Ŀ + THE DREAM TEAM FULL MEMBER LIST + Ĵ + HARD CORE - DARK FORCE - SPREAD - MAJOR THEFT - MARTIAL ARTIST + DARK LORD - ROGER WILCO - REDSKIN - MAVERICK - DR. DETERGENT + DR.Q2 - BLACK RIDER - INTREQ - S.S - MARAUDIN GOBLIN + --------------------------------------------------------------------------- + SPREADERS + --------------------------------------------------------------------------- + [.ROTOX!.] - [.RADICAL.] - [.BUBBLE MAN.] - [.FIREHEAD.] - [.THE MASTER.] + + + -*- NO DUPES /%/ NO WINDOWS /%/ NO FRENCH GAMES /%/ NO KID GAMES -*- + \ No newline at end of file diff --git a/textfiles.com/piracy/DREAMTEAM/dream7.nfo b/textfiles.com/piracy/DREAMTEAM/dream7.nfo new file mode 100644 index 00000000..9b78e379 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/dream7.nfo 
@@ -0,0 +1,73 @@ + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents: + + YO! JOE! FROM HUDSON SOFTWARE + Ŀ + RELEASE INFO + Ĵ + Cracker......: HARD CORE Supplier...: MR.TDT + Game Overall.: 80% Date.......: 11TH OF SEPTEMBER 1993 + Graphics.....: VGA 256 COLORS Sound......: MOST + + + Here comes another great one from your favourite group: THE DREAM TEAM! + + Yo! Joe from Hudson software is yet another jump&run cool game. The preview + was out a couple of months ago, but here comes the final MULTI-LANG. version! + + Personal greetings: Killerette, Phonestud, Hoson, Radical, Major Theft, + Redskin, Pharaoh, Devious Doze, Firehead! + + Group greetings goes to : THG - TRSI - RAZOR - FAIRLIGHT - PTG - NEXUS + + If you are a courier and is currently looking for a courier JOB in TDT, give + us a call at our mail box number : 404-395-2563 + + The Dream Team - Some things live forever... + Ŀ + If you want to GET the NEWEST and HOTTEST IBM programs then write to + + TDT DISKS-BY-MAIL + PO. 
BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + MEMBER BOARDS + Ĵ + UNLAWFUL ENTRY =*= ITS-AWE-SOME =*= 8 NODES =*= MEMBER + TWINS =*= 514-251-1838 =*= 4 NODES =*= MEMBER + ALPHA 2010 =*= ITS-AWE-SOME =*= 6 NODES =*= MEMBER + EXALTED DEATH =*= 314-966-2270 =*= 2 NODES =*= MEMBER + Ĵ + SHOCK TO THE SYSTEM =*= +39-PRI-VATE =*= 5 NODES =*= ITALIAN HQ + DA HAUZE =*= +31-PRI-VATE =*= 6 NODES =*= BENELUX HQ + BEYOND AKIRA =*= 416-461-9101 =*= 3 NODES =*= CANADIAN HQ + PHORTUNE 500 =*= 217-544-9539 =*= 1 NODE =*= US HQ + ON THE EDGE =*= ITS-PRI-VATE =*= 1 NODE =*= US HQ + Ĵ + WIZARD'S TOWER =*= 419-536-8206 =*= 3 NODES =*= DISTRO + THE DEEP =*= 305-888-7724 =*= 2 NODES =*= DISTRO + THE LIQUOR CABINET =*= 214-368-7317 =*= 2 NODES =*= DISTRO + SECOND FRONT =*= +46-87987584 =*= 2 NODES =*= DISTRO 9 + + Ŀ + THE DREAM TEAM FULL MEMBER LIST + Ĵ + + HARD CORE, HOSON, REDSKIN + + DEAD GOON, DEVIOUS DOZE, EDWARD CHANG, EXCESSIVE KNIGHT, MAC BETH + MAJOR THEFT, MAVERICK, ROGER WILCO, SPREAD, THE MAGIC ARTIST + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + THE DREAM TEAM SPREADING TEAM + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + FIREHEAD, RADICAL, PETER FALK, SCOUT, MASTER, X + + + + NO RULES THIS TIME, SINCE WE MAKE UP THE RULES FOR THE SCENE diff --git a/textfiles.com/piracy/DREAMTEAM/dream9.nfo b/textfiles.com/piracy/DREAMTEAM/dream9.nfo new file mode 100644 index 00000000..d30e551b --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/dream9.nfo 
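Review bot: the direct-dial numbers throughout the YO! JOE! hunk above, including the voice contact `mail box number : 404-395-2563`, are personal contact data, and thirty-year-old numbers are routinely reassigned to people unconnected with this material, so the repository needs a documented handling and takedown policy for the textfiles.com/ tree (README or a POLICY file) before this lands; the archived text itself should stay as it is rather than be redacted in the hunk.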
@@ -0,0 +1,102 @@ + + + -//- T H E D R E A M T E A M -\\- + + + Proudly Presents + + Heartlight PC from X-LAND + + Ŀ + RELEASE INFORMATION + Ĵ + Supplied by : THE GRIM REAPER + Cracked by : N\A + Date : 27th November 1992 + Graphics : VGA 256 Colors + Sound : All + Game Size : 2 720kb Disk, Use Subst or Install from floppies + + + Sim Life, from Maxis... Another in the long Sim Series... In this one + you build your own ecosystem from the ground up, and give life to + creatures of your choice. Design plants and animals right at the genetic + level to influence how they look, ace and eventually evolve. + + WELCOME to our new dist site in 416 - TERRORDOME! + + Greets go out to: Noone, I'm in a Rush... + + Have fun and see you later in our next QUALITY crack! + + Ŀ + If you want the newest and hottest soft very fast please write to. No swap. + Now even more improved/faster/better. If you did write before, try again! + + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + + Ŀ + If you live in france write to + B.P.13 + 95370 MONTIGNY, FRANCE + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ ITS-PRI-VATE ....... 7 Nodes ..... USA ...... + Twins ..................... 514-723-4351 ....... 3 Nodes ..... Canada ... + New Central Europe ........ ITS-PRI-VATE .......12 Nodes ..... Germany .. + C.N.S. .................... 414-832-1449 ....... 2 Nodes ..... USA ...... + Crewel Lye ................ 713-432-0779 ..................... USA ...... + Terrordome ................ 416-619-1717 ....... 3 Nodes ..... Canada ... + Lite House Express ........ 407-624-4329 ....... 4 Nodes ..... USA ...... + Ĵ + THE DREAM TEAM HEADQUARTERS + Ĵ + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ..... Italy .... + Pandora's Box ............. 313-652-6137 ....... 5 Nodes ..... USA ...... + Realm Of Immortality ...... ITS-PRI-VATE ....... 3 Nodes ..... USA ...... + Guru's Dream .......... +(46)-8-28-27-60 ....... 5 Nodes ..... Sweden ... 
+ Ĵ + NORTH AMERICAN DISTRIBUTION SITES + Ĵ + Big Time .................. 519-252-7400 ....... 2 Nodes ..... Canada ... + The Vertigo File .......... 815-667-4892 ..................... USA ...... + Members Only .............. ITS-PRI-VATE ....... 2 Nodes ..... USA ...... + Asynchrone Entry .......... 418-661-8321 ....... 2 Nodes ..... Canada ... + The Deep .................. 305-888-7724 ..................... USA ...... + Vicious Paradise .......... 804-486-1810 ..................... USA ...... + PJ Tower .................. 714-356-9506 ..................... USA ...... + Ultanet Carnage ........... 314-XXX-XXXX ..................... USA ...... + The Inferno BBS ........... 519-884-4960 ..................... Canada ... + Ĵ + WORLD FAMOUS DISTRIBUTION SITES + Ĵ + Pure Addiction ........ +(61)-3-571-0700 ....... 4 Nodes ..... Australia + Free Q8 ................ +(965)-532-4360 ..................... Kuwait ... + Exodus BBS ............. +(352)-42-44-92 ..................... Luxembourg + Checkpoint Charlie ...... +(47)-42-67992 ..................... Norway ... + + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + Hard Core , Devious Doze , The Grim Reaper + Major Theft , Wolverine , Roger Wilco + Fallen Angel , Offset , Ironside , ActionMan , Dr. Q2 + Redskin , Freebird , Desert Rat , Spread , Black Rider + The Ghost Wind , Stroke , Snidely Whiplash , Sparkling Flash + Maximilian , Yip Yip , Dirty Bush , RON , Electron.. , Sought After + Buckaroo Banzai , Dr Crippen , Pepsi Man , Black Terror , Phil Thrust + Stingray , The Corporal , Great White/The Speed Racer , Dave & Chris + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + UNDER RE-CONTRUCTION + + + "ORIGINAL IDEA - [HARD CORE] - [THE DREAM TEAM 1992]" diff --git a/textfiles.com/piracy/DREAMTEAM/euros.nfo b/textfiles.com/piracy/DREAMTEAM/euros.nfo new file mode 100644 index 00000000..cd248c04 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/euros.nfo 
@@ -0,0 +1,115 @@ + + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents: + + EUROSOCCER FROM FLAIR SOFTWARE + + Ŀ + RELEASE INFORMATION + Ĵ + Supplied by : ACTION MAN & MUNCHIE ...................................... + Cracked by : HARD CORE ................................................. + Date : 15th December 1992 (Still 16 days left!) .................. + Graphics : VGA 16 COLORS ............................................. + Sound : Speaker/Adlib/Soundblaster ................................ + Game Size : 2 720kb disks , Installation optional ..................... + + + TDT brings you todays crack called : European Soccer. Two player mode is + also avalible if you have a joystick handy. + + EGA or VGA graphics and Soundblaster/Adlib supported. + + You can choose to play with one of the best european soccer teams. After + the FLAIR SOFTWARE intro screen you have to wait like 10 seconds before the + game starts. On the password protection just hit return! Oh btw: Hold your + breath for tomorrow... + + Greetings Goes to CLUB TDT : FFC - ONYX - THE RENEGADE CHEMIST - HYDRO + R/\D/\R - CHAINSAW MASSACRE + + To start the game type EURO.COM + + TDT Scores last 5 days: Spectre + Conquest for Japan + World Wrestling Europe + Doughter Of Serpents + Magic Candle III + + An average of 1 TOP quality Game/Day!!! + + TDT's goal for end of 1992 will be to REsize the group and cut off the DEAD + meat, NO NEW dist sites accepted...If you want to be a part of TDT then you + have to wait until beginning of January 1993! + + Have fun, and see ya in our next QUALITY crack! + + Ŀ + If you want the newest and hottest soft very fast please write to. No swap. + Now even more improved/faster/better. If you did write before, try again! + + -*- The Dream Team. HOT! -*- + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + + Ŀ + Vule Vu Koshe Avec Mua Write to Me! + B.P.13 + 95370 MONTIGNY, FRANCE + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ 
ITS-PRI-VATE ....... 7 Nodes ... Major Theft. + Twins ..................... 514-723-4351 ....... 3 Nodes ... Spread ..... + New Central Europe ........ NOW- ON-LINE .......13 Nodes ... Phil Thrust. + Lite House Express ........ ITS-PRI-VATE ....... 4 Nodes ... Freebird ... + Terrordome ................ 416-619-1717 ....... 3 Nodes ... Stingray ... + Ĵ + THE DREAM TEAM HEADQUARTERS + Ĵ + Highland Board ............ ITS-PRI-VATE ....... 5 Nodes ... Ironside ... + Realm Of Immortality ...... ITS-PRI-VATE ....... 3 Nodes ... Sparkling F. + Guru's Dream .......... +(46)-8-28-27-60 ....... 5 Nodes ... Dirty Bush . + Ĵ + NORTH AMERICAN DISTRIBUTION SITES + Ĵ + Big Time .................. 519-252-7400 ....... 2 Nodes ... Stroke ..... + The Vertigo File .......... 815-667-4892 ....... 2 Nodes ... Vertigo .... + Asynchrone Entry .......... 418-661-8321 ....... 2 Nodes ... Black Terror + The Deep .................. 305-888-7724 ................... Speed Racer. + Vicious Paradise .......... 804-486-1810 ................................ + PJ Tower .................. 714-356-9506 ................................ + Ultimate Carnage .......... 314-949-5823 ................... Devestator . + The Drop Zone ............. 504-769-8880 ................... Milamber ... + The Inferno BBS ........... 519-884-5071 ................................ + Ĵ + WORLD FAMOUS DISTRIBUTION SITES + Ĵ + Pure Addiction ........ +(61)-3-571-0700 ....... 4 Nodes ... Yip Yip..... + Free Q8 ................ +(965)-532-4360 ................... Desert Rat . + Exodus BBS ............. +(352)-42-44-92 ................... Redskin .... + Checkpoint Charlie ...... +(47)-42-67992 ................... Vandall .... 
+ + Ŀ + THE DREAM TEAM MEMBERS [16 MEMBERS] + Ĵ + Hard Core + The Grim Reaper - Dr.Q2 - Sought After - Pepsi Man - Buckaroo Banzai + Munchie - Roger Wilco - Offset - ActionMan - Maximilian + S.S - Black Rider - SoulTaker - Dave & Chris - CYBER + Ĵ + THE DREAM TEAM COURIER SYSTEM [7 COURIERS] + Ĵ + Sharp - XAVIER X - Lord Disembowelment - Coyotes Memeber - Freak & Shogun + ROTOX - SKYBUM + + + NO UPDATES - NO NONEGLISH GAMES - NO WINDOWS SHIT - NO CD ROM GAMES + + -*- Q U A L I T Y O N L Y -*- diff --git a/textfiles.com/piracy/DREAMTEAM/fireice.nfo b/textfiles.com/piracy/DREAMTEAM/fireice.nfo new file mode 100644 index 00000000..044e445e --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/fireice.nfo 
@@ -0,0 +1,118 @@ + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents: + + Ŀ + +:+ Fire & Ice (c) Craftsgold +:+ + Ĵ + Cracked by.....: - Supplier...: MR.TDT + Packaged by.....: Look below Date.......: 1993-11-22 + + + Game notes/info: Looks great with very smooth scrolling. Has a nice tune & + seems to be one of thoose you a weekend to walk thru. + + Don't forget to grab Time Runners 5 earlier today by TDT + and the other games coming your way soon... + + NOTE! By some weird reason, the game goes thru IO adress + $330. And it may cause the computer freeze. If you + have an Adaptec 1542C or any other SCSI controller + with the IO adress $330 CHANGE it to something like + $200... + It's not our fault, we don't make them, we just + crack them! + + // Hard Core + + If you are CONFUSED with the CHANGES with TDT last week, here's brief info: + + MAPHIA BBS is the NEW WHQ. + If you cannot find your name or BBS in our MEMBER list, it means you got + the boot from the group, since you don't fit in our team. + + Group greetings: TRISTAR & RED SECTOR - PUBLIC ENEMY - FAIRLIGHT - NEXUS + + Personal greets: Maverick - Nice to see UK rock again + Hoson - Why did you shave your hair? + + Dr Magic/Fallen Angel/Brujjo/Candyman/Lion/Mac Beth + + The Dream Team cracking machine... + + Ŀ + If you want to GET the latest IBM software then write to: + + TDT DISKS-BY-MAIL + PO BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + + D O Y O U B E L I E V E I N D R E A M S ? + + FOR IMMEDIATE CONTACT WITH TDT, LOGON GREYBEARD'S CASTLE USING THIS A/C; + + login id: THE DREAM TEAM + password: TDT + + LEAVE A (C)OMMENT TO THE SYSOP WITH YOUR VOICE NUMBER AND OTHER INFO YOU + THINK MIGHT INTEREST US. + + YOU MAY ALSO CONTACT HARD CORE OR HOSON ON ANY MAJOR BBS + + Ŀ + +:+ THE DREAM TEAM FULL BOARD LIST +:+ + ------------------------------ + Ĵ + !MAPHIA!.....................ITS-PRI-VATE.......5 NODES.......WORLD HQ... + GREYBEARD'S CASTLE...........601-939-7339.......4 NODES.......COURIER HQ. 
+ Ĵ + ALPHA 2010...................ITS-PRI-VATE.......6 NODES.......USA HQ..... + SO-KRATES....................ITS-PRI-VATE.......4 NODES.......USA HQ..... + Ĵ + SECOND FRONT.................+46-87987584.......2 NODES.......SWEDISH HQ. + UNDERGROUND..................+39-PRI-VATE.......2 NODES.......ITALIAN HQ. + DA HAUZE.....................+31-HARDCORE.......6 NODES.......BENELUX HQ. + THE SKYTOPOLIS...............+41-44-31651.......1 NODE........SWISS HQ... + Ĵ + THE DEEP.....................305-888-7724.......2 NODES.......DISTRO..... + THE BACK ROOM................615-245-6617.......2 NODES.......DISTRO..... + REBEL ALLIANCE...............908-738-9281.......2 NODES.......DISTRO..... + + Ŀ + + +:+ THE DREAM TEAM FULL MEMBER LIST +:+ + ------------------------------- + + HARD CORE.....................................Has a big mustashe + HOSON...................................The only skinhead in TDT + + CYBER...............................................Shot himself + BEOWULF........................................Camping in Alaska + BRUJJO DIHITAL'...............Dreamin about Blackfoots and stuff + DR.MAGIC........................................Has no underwear + EXCESSIVE KNIGHT.....................Likes to buy Techno records + FALLEN ANGEL......................................Likes phonesex + HOT TUNA...................................Finally fixed his car + MAC BETH..........................................& french fries + MAVERICK.................................Likes to fart very loud + PABLO...............................................Never around + THE MAGIC ARTIST...........................Did blow himself away + THE GHOST WIND...............................Changed his haircut + ROGER WILCO..........................Just got back from hospital + LION............................................She has big tits + + Ĵ + + +:+ THE DREAM TEAM SPREADING TEAM +:+ + ----------------------------- + FIREHEAD + + SKYBUM, JUMPIN' JACK, SKYLARK, MOZARELLO, MISTER 
+ RYU, TOADIE, LONE WOLF, TETRIS, SKINNY PUPPY + + + Leaving you with your best memories... diff --git a/textfiles.com/piracy/DREAMTEAM/goblins3.nfo b/textfiles.com/piracy/DREAMTEAM/goblins3.nfo new file mode 100644 index 00000000..bfecb01f --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/goblins3.nfo 
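Review bot: the shared account printed in the Fire & Ice hunk above (`login id: THE DREAM TEAM` / `password: TDT`) is a plaintext credential pair and will be flagged by secret-scanning hooks and push protection the first time this path is scanned; rather than altering the archived text, add the file (or the whole textfiles.com/ tree) to the scanner's allowlist with a comment noting these are 1993 BBS artifacts, so that genuine leaks elsewhere in the repository are not buried under archive noise.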
@@ -0,0 +1,83 @@ + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents: + + Ŀ + +:+ Goblins 3 ENGLISH (c) Coktel Vision +:+ + Ĵ + Cracker......: HARD CORE Supplier...: MR.TDT + Game Overall.: 80% Date.......: 1993-11-16 + Graphics.....: VGA/MCGA 256 colors Sound......: Adlib/SB + + + A TDT QUALITY RELEASE + + Game notes: Finally, after our friends at SCOTCH released this one in FRENCH + TDT strikes with the FULLY english version of this fine game! + + Same sick humour, same characters, just new stories and a new + number on the box. + + Have fun a be sure to grab the other TDT releases coming soon... + + CRACK NOTE: To activate the crack, simply copy crack.com to the game + directory and run it, or run setup.exe one extra time once + installed! + + WALL STREET NEWS: TDT STOCK PRICE RISES! + + Personal greetings: Hoson, Firehead, Lefty, Beowulf... + + RF-SUX: How does it feel to be a virgin? Computers could kill your erection... + + The Dream Team cracking machine... + Ŀ + If you want to GET the latest IBM software then write to + TDT DISKS-BY-MAIL + PO BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + + Ŀ + +:+ THE DREAM TEAM FULL BOARD LIST +:+ + ------------------------------ + Ĵ + UNLAWFUL ENTRY...............ITS-PRI-VATE.......8 NODES.......MEMBER/WHQ. + ALPHA 2010...................ITS-PRI-VATE.......6 NODES.......MEMBER..... + BEYOND AKIRA.................416-461-9101.......3 NODES.......MEMBER..... + Ĵ + DA HAUZE.....................ITS-PRI-VATE.......6 NODES.......BENELUX HQ. + ON THE EDGE..................ITS-PRI-VATE.......1 NODE........US HQ...... + SECOND FRONT.................+46-87987584.......2 NODES.......SWEDEN HQ.. + Ĵ + THE DEEP.....................305-888-7724.......2 NODES.......DISTRO..... + THE BACK ROOM................615-245-6617.......2 NODES.......DISTRO..... + REBEL ALLIANCE...............908-738-9281.......2 NODES.......DISTRO..... + THE SKYTOPOLIS...............+41-44-31651.......1 NODE........DISTRO..... 
+ GRAVEBEARD'S CASTLE..........601-939-7339.......4 NODES.......DISTRO..... + + + Ŀ + +:+ THE DREAM TEAM FULL MEMBER LIST +:+ + ------------------------------- + + HARD CORE & HOSON + + *CYBER*,*BEN JAMMIN*, BEOWULF, *DEVIOUS DOZE*,*DR. MAGIC*, *EDWARD CHANG* + EXCESSIVE KNIGHT, HOT TUNA,*LiON*, MAC BETH, MAJOR THEFT, MAVERICK + PABLO, *PHARAOH*, *ROGER WILCO*, THE MAGIC ARTIST, THE GHOST WIND + + * - Means we might to kick you out soon + Ĵ + +:+ THE DREAM TEAM SPREADING TEAM +:+ + ----------------------------- + FIREHEAD + + RADICAL, THE SHADOW, SKYBUM, JUMPIN' JACK, MIST + + + + Have fun abusing AT&T...h0h0 diff --git a/textfiles.com/piracy/DREAMTEAM/golf.nfo b/textfiles.com/piracy/DREAMTEAM/golf.nfo new file mode 100644 index 00000000..04b7ea19 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/golf.nfo 
@@ -0,0 +1,71 @@ + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents: + + INTERNATIONAL GOLF FROM OCEAN + Ŀ + RELEASE INFO + Ĵ + Cracked by.. : DR. DETERGENT ..... Supplier.. : HARD CORE (Really?) + Game Overall : 85% ............... Date...... : 10th June 1993 .... + Graphics.... : VGA 256 COLORS .... Sound..... : All ............... + + Another great game from OCEAN, and another Superb. crack from TDT! The + whole TDT crew welcome's Dr. Detergent... + + This is a very cool golf game just brought to you from the shelf! Screens and + sound is very well done. Must be classed as an ACE game for every golf fan + out there. Be sure to grab much more from TDT in near future!!! + + Greetings to the rest of TDT from Dr. Detergent! + + GROUP GREETINGS : Fairlight / Humble Guys / Razor / Untouchables / Trsi + + PERSONALL GREETINGS : ADRIAN & sisters - ( Ouch!) + ADREW ( You want to be next? tak!) + JOHN ( What did i tell you?) + HAMLET ( The German scene can't live without you...) + DIRK ( I think you were smiling too fast!) + + For additional greetings and info check out the intro! + + The Dream Team '93 - QUALITY, NOT QUANTITY... + Ŀ + If you want to catch the NEWEST and HOTTEST IBM programs then write to + + TDT DISK-BY-MAIL + PO. BOX 46 + S-37 464 STALOWA WOLA 6 + POLAND + + Ŀ + MEMBER BOARDS + Ĵ + UNLAWFUL ENTRY /./ ITS-PRI-VATE /./ 7 LINES /./ AMIEXPRESS + TWINS /./ 514-723-4351 /./ 4 LINES /./ AMIEXPRESS + ALPHA 2010 /./ 210-687-9660 /./ 4 LINES /./ PC BOARD + FEAR & LOATION /./ 205-302-0706 /./ 5 LINES /./ PC BOARD + Ĵ + HEADQUARTERS + Ĵ + HIGHLAND /./ +[39]-PRI-VATE /./ 5 LINES /./ PC BOARD + GURU'S DREAM /./ +[46]-828-2760 /./ 5 LINES /./ AMI EXPRESS + PHONE HENGE /./ 407-586-0634 /./ 1 LINE /./ CELERITY + FREE KUWAIT /./ +[965]-PRI-VATE /./ 2 LINES /./ AMI EXPRESS + THE CITADEL OF DARK. 
/./+[61]-3-899-3247 /./ 2 LINES /./ CELERITY + + Ŀ + THE DREAM TEAM FULL MEMBER LIST + Ĵ + HARD CORE - MAJOR THEFT - SPREAD - DESERT RAT - SILUS GUARDIAN + DARK LORD - ROGER WILCO - REDSKIN - MAVERICK - DR. DETERGENT + DR. Q2 - BLACK RIDER - MAVERICK - S.S - MARAUDIN GOBLIN + --------------------------------------------------------------------------- + SPREADERS + --------------------------------------------------------------------------- + [RADICAL......] - [BUBBLE MAN....] - [FIREHEAD......] - [THE MASTER.....] + + + -*- N O B U L L S H I T -*- \ No newline at end of file diff --git a/textfiles.com/piracy/DREAMTEAM/harrier.nfo b/textfiles.com/piracy/DREAMTEAM/harrier.nfo new file mode 100644 index 00000000..678887d2 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/harrier.nfo 
@@ -0,0 +1,103 @@ + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents: + + HARRIER JUMP SET FROM MICROPROSE + + Ŀ + RELEASE INFORMATION + Ĵ + Supplied by : ACTION MAN & MUNCHIE ...................................... + Cracked by : HARD CORE ................................................. + Protection : Easy Password ............................................. + Date : 17th December 1992 (Still 13 days left!) .................. + Graphics : ALL ....................................................... + Sound : ALL ....................................................... + Game Size : 5 1.44Mb disks , Installation from floppies ............... + + + Another great game from THE DREAM TEAM! + + No time to talk babe, play the game, go ahead! + + Requirements are 601kb memory and 750kb EMS memory. + + The protection is as usual an easy password protection... + + Group Greetings: Welp, no greetings this time, no competition!!! + + CRACK INFO: To make the crack work, after installing the game copy the + file FRONTEND.EXE from DISK 1 to your game directory on the + HardDisk! + If you DONT do this, the game wont be unprotected.... + + Have fun, and see ya in our next QUALITY crack! + + Ŀ + If you want the newest and hottest soft very fast please write to. No swap. + Now even more improved/faster/better. If you did write before, try again! + + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + + Ŀ + If you live in france write for the LATEST to: + B.P.13 + 95370 MONTIGNY, FRANCE + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ ITS-PRI-VATE ....... 7 Nodes ... Major Theft. + Twins ..................... 514-723-4351 ....... 4 Nodes ... Spread ..... + New Central Europe ........ NOW- ON-LINE .......13 Nodes ... Phil Thrust. + Lite House Express ........ ITS-PRI-VATE ....... 4 Nodes ... Freebird ... + Terrordome ................ 416-619-1717 ....... 3 Nodes ... Stingray ... 
+ Ĵ + THE DREAM TEAM HEADQUARTERS + Ĵ + Highland Board ............ ITS-PRI-VATE ....... 5 Nodes ... Ironside ... + Realm Of Immortality ...... ITS-PRI-VATE ....... 3 Nodes ... Sparkling F. + Guru's Dream .......... +(46)-8-28-27-60 ....... 5 Nodes ... Dirty Bush . + Ĵ + NORTH AMERICAN DISTRIBUTION SITES + Ĵ + Big Time .................. 519-252-7400 ....... 2 Nodes ... Stroke ..... + The Vertigo File .......... 815-667-4892 ....... 2 Nodes ... Vertigo .... + Asynchrone Entry .......... 418-661-8321 ....... 2 Nodes ... Black Terror + The Deep .................. 305-888-7724 ................... Speed Racer. + Vicious Paradise .......... 804-486-1810 ................................ + PJ Tower .................. 714-356-9506 ................................ + Ultimate Carnage .......... 314-949-5823 ................... Devestator . + The Drop Zone ............. 504-769-8880 ................... Milamber ... + The Inferno BBS ........... 519-884-5071 ................................ + Ĵ + WORLD FAMOUS DISTRIBUTION SITES + Ĵ + Pure Addiction ........ +(61)-3-571-0700 ....... 4 Nodes ... Yip Yip .... + Free Q8 ................ +(965)-532-4360 ................... Desert Rat . + Exodus BBS ............. +(352)-42-44-92 ................... Redskin .... + Checkpoint Charlie ...... +(47)-42-67992 ................... Vandall .... + + Ŀ + THE DREAM TEAM MEMBERS [16 MEMBERS] + Ĵ + Hard Core + The Grim Reaper - Dr.Q2 - Sought After - Pepsi Man - Buckaroo Banzai + Munchie - Roger Wilco - Offset - ActionMan - Maximilian + S.S - Black Rider - SoulTaker - Dave & Chris - CYBER + Ĵ + THE DREAM TEAM COURIER SYSTEM [8 COURIERS] + Ĵ + Sharp - XAVIER X - Lord Disembowelment - Coyotes Memeber - Freak & Shogun + ROTOX - SKYBUM - White Rose + + + NO UPDATES - NO NONEGLISH GAMES - NO WINDOWS SHIT - NO CD ROM GAMES + + -*- Q U A L I T Y O N L Y -*- diff --git a/textfiles.com/piracy/DREAMTEAM/kohan.nfo b/textfiles.com/piracy/DREAMTEAM/kohan.nfo new file mode 100644 index 00000000..2646b182 
--- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/kohan.nfo 
@@ -0,0 +1,102 @@ + + + -//- T H E D R E A M T E A M -\\- + 1 9 9 3 + Proudly Presents: + + KOSHAN CONSPIRACY FROM UBI SOFT + (BAT II ENGLISH) + Ŀ + RELEASE INFORMATION + Ĵ + Supplied by.: THE GRIM REAPER......... Cracked by.: HARD CORE............ + Protection..: Easier Doc Check........ Date.......: 9th January 1993..... + Date........: 9th January 1992........ Sound......: ALL.................. + Graphics....: VGA 480*640 256 colors.. Size.......: 7 1.44MB Disks....... + + + A new kewl game from your favourite team! Once again TDT shows the scene in + which direction the group's should go. Another group did release the french + version of this game which was un-playable with a 150k french text file. + Here come's the FINAL SALES ENGLISH VERSION of BAT II! + + The game is very funny to play, you can walk around on the streets, flight + an air-craft, drive via-car, rob a pizza bar or shoot down old ladies... + + Absolute fun and perfect crack. The crack is included in the game, so just + do install the game and follow further instructions! Make sure your floppies + has label's like disk 1:BATII_1,disk 2:BATII_2 etc... + + Greetings : Redskin - Cool friend (ui ui) + The Grim Reaper - Good job! + Maximillian - Dr.Q2 - Soultaker - Pieman - Strider + + Group Greetings : RAZOR - Play fair + + TDT QUALITY , THE standard on IBM! + + Ŀ + If you want the newest and hottest soft very fast please write to. No swap. + Now even more improved/faster/better. If you did write before, try again! + + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + + Ŀ + If you live in france write for the LATEST to: + B.P.13 + 95370 MONTIGNY, FRANCE + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ ITS-PRI-VATE ....... 7 Nodes ... Major Theft. + Twins ..................... 514-723-4351 ....... 4 Nodes ... Spread ..... + New Central Europe ........ NOW- ON-LINE .......13 Nodes ... Phil Thrust. + Lite House Express ........ ITS-PRI-VATE ....... 4 Nodes ... 
Freebird ... + Terrordome ................ 416-619-1717 ....... 3 Nodes ... Stingray ... + Ĵ + THE DREAM TEAM HEADQUARTERS + Ĵ + Highland Board ............ ITS-PRI-VATE ....... 5 Nodes ... Ironside ... + Realm Of Immortality ...... ITS-PRI-VATE ....... 3 Nodes ... Sparkling F. + Guru's Dream .......... +(46)-8-28-27-60 ....... 5 Nodes ... Dirty Bush . + Ĵ + NORTH AMERICAN DISTRIBUTION SITES + Ĵ + Big Time .................. 519-252-7400 ....... 2 Nodes ... Stroke ..... + The Pristine Tower ........ 815-667-5088 ....... 2 Nodes ... Vertigo .... + Asynchrone Entry .......... 418-661-8321 ....... 2 Nodes ... Black Terror + The Deep .................. 305-888-7724 ................... Speed Racer. + Vicious Paradise .......... 804-486-1810 ................................ + PJ Tower .................. 714-356-9506 ................................ + Ultimate Carnage .......... 314-949-5823 ................... Devestator . + The Drop Zone ............. 504-769-8880 ................... Milamber ... + The Inferno BBS ........... 519-884-5071 ................................ + Ĵ + WORLD FAMOUS DISTRIBUTION SITES + Ĵ + Pure Addiction ........ +(61)-3-571-0700 ....... 4 Nodes ... Yip Yip .... + Free Q8 ................ +(965)-532-4360 ................... Desert Rat . + Checkpoint Charlie ...... +(47)-42-67992 ................... Vandall .... + + Ŀ + THE DREAM TEAM MEMBERS [16 MEMBERS] + Ĵ + Hard Core + The Grim Reaper - Dr.Q2 - Sought After - Pepsi Man - Buckaroo Banzai + Roger Wilco - Offset - ActionMan - Maximilian + Redskin - S.S - Black Rider - SoulTaker - Dave & Chris - CYBER + Ĵ + THE DREAM TEAM COURIER SYSTEM [9 COURIERS] + Ĵ + Sharp - XAVIER X - Lord Disembowelment - Coyotes Memeber - Freak & Shogun + ROTOX - SKYBUM - White Rose - BOO + + + NO UPDATES - NO NONEGLISH GAMES - NO WINDOWS GAMES - NO CD ROM GAMES + + -*- Q U A L I T Y O N L Y -*- 
diff --git a/textfiles.com/piracy/DREAMTEAM/laura.nfo b/textfiles.com/piracy/DREAMTEAM/laura.nfo new file mode 100644 index 00000000..e1c07158 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/laura.nfo 
@@ -0,0 +1,89 @@ + + + -//- T H E D R E A M T E A M 1992 -\\- + + + -*- Proudly Present -*- + + LAURA BOW II : THE DAGGER OF AMON RA + + Ŀ + RELEASE INFORMATION + Ĵ + Cracked by : ABACUS ( Cracked for VGA 256 color ) + Supplied by : WOLVERINE + Released : 24th June 1992 + Graphics : VGA / EGA / CGA + Sound : Roland / Soundblaster / Adlib / Pc-Speaker + + Ŀ + RELEASE NOTES + + Another great Sierra games. This is actually a new style of cracking.... + Game takes 10 minutes to install from floppies. + Make sure you have 64000 bytes free on your harddrive before you start! + To pass throu the beginning protection : + (1) copy the two files : DATA.TDT and VIEW.EXE to your SIERRA/RA directory + from DISK 1 + (2) Run the file VIEW.EXE in your sierra directory + (3) Start the game with 'RA' + + Play game and when the protection pops up: + + (1) Read the question and then press 'Q' + (2) Find god with matching word and memorize it + (3) Hit 'W' + (4) Now click on the matching god and continue the game + + Have fun and see you later in our next crack! + + Quick greetings : TRSi , iNC , Razor , THG , FLT + + Ŀ + The Dream Team is always ready to take in new members. But we want only + the best. If you can supply games, make music (MOD) , or draw graphics + contact us by calling the nearest TDT bbs or write to our post box! + + Also if you are intrested in the newest and hottest make sure to write to + The Dream Team + PO. 
BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + ABACUS,Ace, ActionMan, Asmodeus, Con Artist, Desert Rat, Devious Doze + Hard Core, IronSide, Jammer, Major Theft, Mr Thompson, Nightman, Offset + Paul, Redskin, Roger Wilco, Snake Man, Spread, The Ghost Wind + Union Jack, Yip Yip + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + Black Mischief, Crash Impact, Fallen Angel, Lord Of The Rings + Marauder, Mystic Vision, Night Shadow, Overlord, Pixel, Syzzo + Turbo Interceptor, The Headman, Venom + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ 612-PRI-VATE ....... 5 Nodes ................ + Akira Project ........ 416-512-8566/8567 ....... 3 Nodes ................ + Revelation ................ 301-PRI-VATE ....... 5 Nodes ................ + East BBS ............... +(46)-8-940-614 ................................ + Twins ..................... 514-723-4351 ....... 3 Nodes ................ + No Name .............. +(49)-523-491-242 ................................ + Ĵ + DRISTRIBUTION SITES + Ĵ + Juve Rehab .......... +(358)-187-818-316 ....... 2 Nodes ................ + Free Q8 ................ +(965)-532-4360 ................................ + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ................ + Orange Juice ........... +(61)-357-10747 ....... 3 Nodes ................ + Hell ...................... 313-349-4933 ....... 2 Nodes ................ + Cimmeria .............. +(90)-1-384-0863 ................................ + Maximum Security .......... 408-867-0747 ....... 3 Nodes ................ + Nirvana ................... 516-364-6257 ........4 Nodes ................ + + + TDT 1992 : Your Dream's Come Alive! diff --git a/textfiles.com/piracy/DREAMTEAM/lost.nfo b/textfiles.com/piracy/DREAMTEAM/lost.nfo new file mode 100644 index 00000000..69b59617 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/lost.nfo 
@@ -0,0 +1,98 @@ + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents: + + LOST IN TIME PART I FROM COKTEL VISION *FRENCH* + Ŀ + RELEASE INFO + Ĵ + Cracked by..: HARD CORE .............. Supplier...: FLT FRANCE .......... + Game Overall: 70% .................... Date.......: 10th March 1993 ..... + Graphics....: VGA/MCGA 256 COLORS .... Sound......: All ................. + + After BAT 2, Ishar, Flashback, Eternam, Inca and lot's of others french games + that TDT had ways ahead of everyone else, but we didn't release them coz + they were french, the majority of TDT decided to make a new direction for TDT + + From this moment, The Dream Team will start to release NON-ENGLISH titles + ONLY when the ENGLISH version has NOT yet been out, and when the game is + still PLAYABLE. The word playable does have a lot of meanings, but this word + fits on this release for sure! + + The game is a point and click. The bad things in this is that the JOKERS + (hints) you are given are in french, and the objects are named in french, + but thats no problem since they are all visible and easy to recognise... + + You can install the game using SUBST from the hard disk, but make sure you + dont choose the advanced option button after all the disks are installed , + it can fuck up your hard disk, as it did for me... + + MAKE sure you copy the LOST.COM to your GAME directory after you have + installed the game, it's the CRACK PATCH for it...(ie to C:\COKTEL\LOST) + + Personal greetings: SPREAD - DR.Q2 - MOBY - REDSKIN - S.S - SILUS GUARDIAN + S.FLASH - MAJOR THEFT and MARTIAL ARTIST + + Greetings goes to : FAIRLIGHT - THG - RAZOR - UNT - TRSI - SKILLION + + THE DREAM TEAM - Friends Forever... + Ŀ + IF you want to contact THE DREAM TEAM then call this BBS: + Call : 612-755-1347 + Use username: APPLICATION + Password : TDT + Hit 'E' and enter message to: HARD CORE + + Ŀ + If you want the newest and hottest soft very fast write to (no swapping) + + The Dream Team + PO. 
BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + MEMBER BOARDS + Ĵ + Unlawful Entry ............ 612-755-1347 .... 7 Nodes ... Major Theft ... + Twins ..................... 514-723-4351 .... 4 Nodes ... Spread ........ + New Central Europe ...... +(49)-TMP-DOWN ....13 Nodes ... Phil Thrust ... + Alpha 2010 ................ 210-687-9660 .... 4 Nodes ... Silus Guardian. + Ĵ + HEADQUARTERS + Ĵ + Highland Board .......... +(39)-PRI-VATE .... 5 Nodes ... Terminator .... + Realm Of Immortality ...... ITS-PRI-VATE .... 3 Nodes ... Sparkling Flash + Guru's Dream ............ +(46)-828-2760 .... 5 Nodes ... Dirty Bush .... + Ĵ + DISTRIBUTION SITES + Ĵ + Big Time .................. 519-TMP-DOWN .... 2 Nodes ... Stroke ........ + The Deep .................. 305-888-7724 .... ....... ... Great White ... + Athens .................... 510-827-1049 NUP: DIABLO. ... Aristotle ..... + GreyBeard's Castle ........ 601-939-7861 .... 2 Nodes ... Mark Twain .... + So'Krates ................. 310-836-0469 .... 2 Nodes ... Philosopher ... + Ĵ + WORLD FAMOUS DISTRIBUTION SITES + Ĵ + Free Q8 ................ +(965)-PRI-VATE .... 2 Nodes ... Desert Rat .... + Zero City III .......... +(61)-2724-4152 .... 2 Nodes ... Icepic ........ + DA HAUZE .............. +(31)-767-191-11 .... 4 Nodes ... Moby .......... + Desert Storm ........... +(966)-PRI-VATE .... ....... ... Amigo ......... + + Ŀ + HALL OF FAME + Ĵ + [HARD CORE.....] - [MAJOR THEFT....] - [SPREAD.......] - [ROGER WILCO...] + [DR.Q2.........] - [ACTION MAN.....] - [REDSKIN......] - [THE CORPORAL..] + [SILUS GUARDIAN] - [MOSAIC.........] - [S. FLASH.....] - [HITMAN........] + [S.S...........] - [MAVERICK.......] - [BLACK RIDER..] - [MARTIAL ARTIST] + Ĵ + SPREADERS + Ĵ + XAVIER X - Lord Disembowelment - Skybum - Coyotes Memeber - Freak - ROTOX + + + -*- Q U A L I T Y O N L Y -*- diff --git a/textfiles.com/piracy/DREAMTEAM/msfs5.nfo b/textfiles.com/piracy/DREAMTEAM/msfs5.nfo new file mode 100644 index 00000000..fc621986 --- /dev/null 
+++ b/textfiles.com/piracy/DREAMTEAM/msfs5.nfo 
@@ -0,0 +1,76 @@ + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents: + + MICROSOFT FLIGHT SIMULATOR 5.0 RELEASE + Ŀ + RELEASE INFO + Ĵ + Cracker......: N/A Supplier...: MR.TDT + Game Overall.: 90% Date.......: 26TH OF AUGUST 1993 + Graphics.....: VGA 256 COLORS Sound......: MOST + + + Here comes another great one from your favourite group: THE DREAM TEAM! + + After many beta versions out there TDT come's with the FINAL RELEASE of this + KICK ASS game...You are probably familiar with this game and know whats it + all about, therefor its no need for a deep description! + + Personal greetings: Killerette, Phonestud, Hoson, Radical, Major Theft, + Redskin, Pharaoh, Devious Doze, Firehead! + + Group greetings goes to : THG - TRSI - RAZOR - FAIRLIGHT - PTG - NEXUS + + If you are a courier and is currently looking for a courier JOB in TDT, give + us a call at our mail box number : 404-395-2563 + + The Dream Team - Some things live forever... + Ŀ + If you want to GET the NEWEST and HOTTEST IBM programs then write to + + TDT DISKS-BY-MAIL + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + We do also carry CHEAP hardware and the latest VHS PAL movies... 
+ + Ŀ + MEMBER BOARDS + Ĵ + UNLAWFUL ENTRY =*= ITS-AWE-SOME =*= 8 NODES =*= MEMBER + TWINS =*= 514-251-1838 =*= 4 NODES =*= MEMBER + ALPHA 2010 =*= ITS-AWE-SOME =*= 6 NODES =*= MEMBER + EXALTED DEATH =*= 314-966-2270 =*= 2 NODES =*= MEMBER + Ĵ + SHOCK TO THE SYSTEM =*= +39-PRI-VATE =*= 5 NODES =*= ITALIAN HQ + PHONE HENGE =*= 407-586-0634 =*= 2 NODES =*= US HQ + DA HAUZE =*= +31-PRI-VATE =*= 6 NODES =*= BENELUX HQ + LIGHTHOUSE SPEED =*= +49-PRI-VATE =*= 3 NODES =*= GERMAN HQ + BEYOND AKIRA =*= 416-461-9101 =*= 3 NODES =*= CANADIAN HQ + Ĵ + WIZARD'S TOWER =*= 419-874-2704 =*= 3 NODES =*= DISTRO + THE DEEP =*= 305-888-7724 =*= 2 NODES =*= DISTRO + THE LIQUOR CABINET =*= 214-368-7317 =*= 2 NODES =*= DISTRO + + Ŀ + THE DREAM TEAM FULL MEMBER LIST + Ĵ + + HARD CORE, HOSON, REDSKIN + + BLACK RIDER, BLUE LIQUID, DIABLO, DEAD GOON, DEVIOUS DOZE, EDWARD CHANG + EXCESSIVE KNIGHT, INTREQ, MAC BETH, MAJOR THEFT, MAVERICK + MARTIAL ARTIST, ROGER WILCO, S.S , SPREAD, THE MAGIC ARTIST + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + THE DREAM TEAM SPREADING TEAM + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + FIREHEAD, RADICAL + DIABLO, PETER FALK, MYSTIK TIGER, SCOUT, THE MASTER, ROTOX, X + + + + NO RULES THIS TIME, SINCE WE MAKE UP THE RULES FOR THE SCENE diff --git a/textfiles.com/piracy/DREAMTEAM/pinball.nfo b/textfiles.com/piracy/DREAMTEAM/pinball.nfo new file mode 100644 index 00000000..47973090 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/pinball.nfo 
@@ -0,0 +1,108 @@ + + + + + + + + + + + + + + [OFFSET] + + ProudlyPresent + + Tristan Pinball from Littlewing + + Ŀ + RELEASE INFORMATION + Ĵ + Cracked by : ABACUS + Supplied by : U.J + Released : 31th August 1992 + Graphics : 640*480 , 16 or 256 colors + Sound : Speaker/Adlib/Soundblaster + + Ŀ + RELEASE NOTES + + This is a new fresh and sweet pinball game for your IBM! There has not been + much of this type of game's on the IBM, but here we come's with TRISTAN... + It's not as good as Pinball Dreams on the amiga, but still a high quality + pinball game. Thanx must go to U.J for the great supply, good job! + + Another TDT US First... + + Greetings goes to: Irata/TRSI - Thanx for all help + INC - You never fuck up games, yeah right! + REST OF THE SCENE - Where are you? + + Yet another QUALITY release by TDT! + + Have fun and see you later in our next crack! + + Ŀ + If you like this release then write to us! Support the group that makes + this possible for you : THE DREAM TEAM + + Ŀ + The Dream Team is always ready to take in new members. But we want only + the best. If you can supply games, make music (MOD) , or draw graphics + contact us by calling the nearest TDT bbs or write to our post box! + + Also if you are intrested in the newest and hottest make sure to write to + us for a free program diskette + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + ABACUS, Ace, ActionMan, Asmodeus, Desert Rat, Califboy, Devious Doze + Hard Core, IronSide, Major Theft, Mr Thompson, Nightman, Offset + Pablo, Phil Thrust, Redskin, Roger Wilco, Snake Man + Spread, Stroke , The Ghost Wind, Union Jack, Wolverine, Yip Yip + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + Fallen Angel , Venom , Boo , Cuca , Marauder, Black Mischief, Pixel + The Headman, Lord Of the Rings, Turbo Interceptor, Syzzo, S.S , O-Z-Z-Y + Black Rider , Avenger , Cellat & Sledge - Freak & Shogun + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ 
612-PRI-VATE ....... 6 Nodes ................ + Revelation ................ 301-PRI-VATE ....... 5 Nodes ................ + Akira Project ............. 416-512-8567 ....... 3 Nodes ................ + East BBS ............... +(46)-8-940-614 ................................ + Twins ..................... 514-723-4351 ....... 3 Nodes ................ + No Name BBS ........... +(49)-ELITE-CALL ................................ + New Central Europe ... +(49)-911-758-383 .......11 Nodes ................ + Central Nervous System .... 414-832-1449 ................................ + Ĵ + DISTRIBUTION SITES NORTH AMERICA + Ĵ + Hell ...................... 313-349-4933 ....... 2 Nodes ................ + The Underworld ............ 916-429-2232 ................................ + Lite House Express ........ 407-624-4329 ....... 2 Nodes ................ + Big Time .................. 519-978-3388 ................................ + The Fifth Dimension ....... 203-589-2269 ................................ + Pandora's Box ............. 313-652-2578 ....... 5 Nodes ................ + Ĵ + DISTRIBUTION SITES EUROPE AND SAUDI ARABIA + Ĵ + Juve Rehab .......... +(358)-187-818-316 ....... 2 Nodes ................ + Free Q8 ................ +(965)-532-4360 ................................ + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ................ + Orange Juice ........... +(61)-357-10747 ....... 3 Nodes ................ + Cimmeria .............. +(90)-1-384-0863 ................................ + Exodus BBS ............. +(352)-42-44-92 ................................ + + + TDT 1992 : Your Dream's Come Alive! diff --git a/textfiles.com/piracy/DREAMTEAM/premiere.nfo b/textfiles.com/piracy/DREAMTEAM/premiere.nfo new file mode 100644 index 00000000..4dfb1030 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/premiere.nfo 
@@ -0,0 +1,89 @@ + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents: + + PREMIERE MANAGER FROM GREMLIN GRAPHICS + Ŀ + RELEASE INFO + Ĵ + Cracked by..: HARD CORE .............. Supplier...: CAVALIER ............ + Game Overall: 40% .................... Date.......: 27th May 1993 ....... + Graphics....: VGA 256 COLORS ......... Sound......: All ................. + + + It's starting to move again for TDT... Your favourite cracking team has + finally woke up and is ready to conquer the world as in the old days! Be sure + to grab the many more cracks from The Dream Team in the near future. + + Skillion: You guys can't crack for shit, must have fucked up every release + you guys had the last 6 months... First lemmings 2, then flashback + and now ishar 2 french, the crack patch DOES NOT WORK. Wake up + or stop releasing fuck ups. + + Personal greetings : Fallen Angel , Maverick , Maximilien , Dr.Q2 and JFK + + Greetings goes to: SKILLION (Ever heard about silamarils before?) + Randall Flagg (Eat more spaghetti instead of bragging) + THG - NOT THIS TIME.. + FAIRLIGHT - RAZOR - TRSI - UNT + + THE DREAM TEAM - Friends Forever... + Ŀ + IF you want to contact THE DREAM TEAM then call this BBS: + Call : 612-755-1347 + Use username: APPLICATION + Password : TDT + Hit 'E' and enter message to: HARD CORE + + Ŀ + If you want to obtain the NEWEST and HOTTEST IBM programs then write to + + The Dream Team + PO. BOX 46 + S-37 464 STALOWA WOLA 6 + POLAND + ij + IF YOU LIVE IN FRANCE WRITE TO: SKID ROW + B.P 13 + 95370 MONTIGNY, FRANCE + + Ŀ + MEMBER BOARDS + Ĵ + Unlawful Entry ............ 612-755-1347 .... 7 Nodes ... Major Theft ... + Twins ..................... 514-723-4351 .... 4 Nodes ... Spread ........ + Alpha 2010 ................ 210-687-9660 .... 4 Nodes ... Silus Guardian. + Fear And Loation .......... 205-302-0706 .... 5 Nodes ... The Doctor .... + Ĵ + HEADQUARTERS + Ĵ + Highland Board .......... +(39)-PRI-VATE .... 5 Nodes ... Terminator .... 
+ Realm Of Immortality ...... 415-PRI-VATE .... 3 Nodes ... Sparkling Flash + Guru's Dream ............ +(46)-828-2760 .... 5 Nodes ... Dirty Bush .... + Phone Henge ............... 407-586-0634 .... ....... ... Jinks ......... + Ĵ + DISTRIBUTION SITES + Ĵ + The Deep .................. 305-888-7724 .... ....... ... Great White ... + Athens .................... 510-827-1049 NUP: DIABLO. ... Aristotle ..... + GreyBeard's Castle ........ 601-939-7861 .... 2 Nodes ... Mark Twain .... + So'Krates ................. 310-836-0469 .... 2 Nodes ... Philosopher ... + Ĵ + WORLD FAMOUS DISTRIBUTION SITES + Ĵ + Free Q8 ................ +(965)-PRI-VATE .... 2 Nodes ... Desert Rat .... + Vanguardium ............ +(61)-2724-4152 .... 2 Nodes ... Icepic ........ + DA HAUZE .............. +(31)-767-191-11 .... 4 Nodes ... Moby .......... + + Ŀ + HALL OF FAME + Ĵ + [HARD CORE.....] - [MAJOR THEFT....] - [SPREAD.......] - [ROGER WILCO...] + [DR.Q2.........] - [MAVERICK.......] - [REDSKIN......] - [DARK LORD.....] + [SILUS GUARDIAN] - [MAXIMILIEN.....] - [S. FLASH.....] - [HITMAN........] + [S.S...........] - [THE CORPORAL...] - [BLACK RIDER..] - [MARTIAL ARTIST] + + + -*- Q U A L I T Y O N L Y -*- diff --git a/textfiles.com/piracy/DREAMTEAM/riders.nfo b/textfiles.com/piracy/DREAMTEAM/riders.nfo new file mode 100644 index 00000000..d81b3aeb --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/riders.nfo 
@@ -0,0 +1,117 @@ + + + + + + + + + + + + + + [OFFSET] + + ProudlyPresent + + Time Riders from TLC + + Ŀ + RELEASE INFORMATION + Ĵ + Supplied by : Wolverine + Released : 24th August 1992 + Graphics : VGA 256 colors + Sound : Roland / Soundblaster / Adlib / Pc-Speaker + + Ŀ + RELEASE NOTES + + Exellent graphics! Full 256 color, many pictures, good story, the game is + a hit... This game is a Sierra/Carmen type game where you walk around and + solve problems. Time Riders is definitely a good game, and if you like to + play the sierra games, go for this one! + + Many thanx goes to everyone that helps TDT to stay as the TOP QUALITY GROUP + + Compliments goes to - INC/FLT/RAZOR for dumping wares on the scene as + Chinese/German/Updates/CD-ROM/Compilations... + + Greetings goes to TRSI - Keeping up the quality + THG - Dont release shit + Extasy - For coming back + + To install this game: Either copy all disks to 4x720 3"1/2 floppies and + run install.exe on disk 1 + Or unzip all 4 disks into one directory, + type : SUBST A: . + Run install.exe + + + Yet another QUALITY release by TDT! + + Have fun and see you later in our next crack! + + Ŀ + If you like this release then write to us! Support the group that makes + this possible for you : THE DREAM TEAM + + Ŀ + The Dream Team is always ready to take in new members. But we want only + the best. If you can supply games, make music (MOD) , or draw graphics + contact us by calling the nearest TDT bbs or write to our post box! + + Also if you are intrested in the newest and hottest make sure to write to + us for a free program diskette + The Dream Team + PO. 
BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + ABACUS, Ace, ActionMan, Asmodeus, Desert Rat, Califboy, Devious Doze + Hard Core, IronSide, Major Theft, Mr Thompson, Nightman, Offset + Pablo, Phil Thrust, Redskin, Roger Wilco, Snake Man + Spread, Stroke , The Ghost Wind, Union Jack, Wolverine, Yip Yip + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + Fallen Angel , Venom , Boo , Cuca , Marauder, Black Mischief, Pixel + The Headman, Lord Of the Rings, Turbo Interceptor, Syzzo, S.S , O-Z-Z-Y + Black Rider , Avenger , Cellat & Sledge + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ 612-PRI-VATE ....... 6 Nodes ................ + Revelation ................ 301-PRI-VATE ....... 5 Nodes ................ + Akira Project ............. 416-512-8567 ....... 3 Nodes ................ + East BBS ............... +(46)-8-940-614 ................................ + Twins ..................... 514-723-4351 ....... 3 Nodes ................ + No Name BBS ........... +(49)-ELITE-CALL ................................ + New Central Europe ... +(49)-911-758-383 .......11 Nodes ................ + Central Nervous System .... 414-832-1449 ................................ + Ĵ + DISTRIBUTION SITES NORTH AMERICA + Ĵ + Hell ...................... 313-349-4933 ....... 2 Nodes ................ + The Underworld ............ 916-429-2232 ................................ + Lite House Express ........ 407-624-4329 ....... 2 Nodes ................ + Big Time .................. 519-978-3388 ................................ + The Fifth Dimension ....... 203-589-2269 ................................ + Pandora's Box ............. 313-652-2578 ....... 5 Nodes ................ + Ĵ + DISTRIBUTION SITES EUROPE AND SAUDI ARABIA + Ĵ + Juve Rehab .......... +(358)-187-818-316 ....... 2 Nodes ................ + Free Q8 ................ +(965)-532-4360 ................................ + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ................ 
+ Orange Juice ........... +(61)-357-10747 ....... 3 Nodes ................ + Cimmeria .............. +(90)-1-384-0863 ................................ + Exodus BBS ............. +(352)-42-44-92 ................................ + + + TDT 1992 : Your Dream's Come Alive! diff --git a/textfiles.com/piracy/DREAMTEAM/samurai.nfo b/textfiles.com/piracy/DREAMTEAM/samurai.nfo new file mode 100644 index 00000000..e9f711d6 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/samurai.nfo 
@@ -0,0 +1,113 @@ + + + -//- T H E D R E A M T E A M -\\- + 1 9 9 2 + + ProudlyPresent + + The First Samurai from VIDI SOFT + + Ŀ + RELEASE INFORMATION + Ĵ + Cracked by : Hard Core + Supplied by : Maximilian + Released : 11th October 1992 + Graphics : VGA 256 colors + Sound : Soundblaster /Aldib/Speaker + + Ŀ + RELEASE NOTES + + Cool game! One of theese fun go around and figure things games. Reminds me + of GODS, but not same great graphics... + + Your master has been killed by an Evil guy who escaped into the future, you + are following him with the help of a magic samurai sword. For each level + you need to pick up 4 magic things. Then to activate them press 'B' when the + blue man is showing up. 'N' shows your status for actual level. Each level + is little bit tricky, and it took me 2 hours to play throu it and find the + copy protection which showed up at the end of each level. + + If you want to make a trainer this may help you (Helped me...): + CS:184 - Transformation On/Off (01/00) + CS:1CF - Guy's Energy E8 03 Should be full power + CS:141 - Sword's Energy E8 03 Should be full power + CS:184 - How many bells you have,put FF...heh.. + CS:394C - Magic Items, should be 4 + + Many thanx goes to our new supplier from europe MAXIMILIAN! + + Greetings goes to: Devious Doze, Bryn Rogers, Onyx, Chevy and Slave Lord + + Yet another QUALITY crack by TDT! + + Have fun and see you later in our next release! + Ŀ + Also if you are intrested in the newest and hottest make sure to write to + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + Want to be a DIST SITE? If you want to be in the BEST organized cracking + team then TDT is your choise. We offer you great support and quick upload + when releases comes. Ask any TDT DIST site on the scene! + CALL : 612-754-0266 (9600Bps only!) 
+ On username ENTER : APPLICATION + Use Password : DISTSITE + Hit 'E' and enter message to : HARD CORE + Now write us your voice number, your name, a few word about your system + and something about what you can do for US...See you on There! + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ 612-PRI-VATE ....... 6 Nodes ................ + Revelation ................ 301-PRI-VATE ....... 5 Nodes ................ + Akira Project ............. 416-512-8567 ....... 3 Nodes ................ + Twins ..................... 514-723-4351 ....... 3 Nodes ................ + New Central Europe ....... +(49)-PRIVATE .......11 Nodes ................ + Central Nervous System .... 414-832-1449 ................................ + Hell ...................... 313-349-4933 ................................ + Ĵ + NORTH AMERICA DISTRIBUTION SITES + Ĵ + Lite House Express ........ 407-624-4329 ....... 2 Nodes ....HEADQUARTERS + Big Time .................. 519-252-7400 ................................ + The Vertigo File .......... 815-667-4892 ................................ + The Satanic Syndicate ..... 201-301-0952 ................................ + Pandora's Box ............. 313-652-6137 ....... 5 Nodes ................ + Realm of Immortality ...... 415-992-0945 ....... 3 Nodes ................ + Crewel Lye ................ 713-432-0779 ................................ + Members Only .............. 513-PRI-VATE ........2 Nodes ................ + Fort Nox .................. 508-658-6132 ................................ + Ĵ + EUROPE AND SAUDI ARABIA'N DISTRIBUTION SITES + Ĵ + Orage Juice ........... +(61)-3-571-0700 ....... 4 Nodes ................ + Juve Rehab .......... +(358)-187-818-316 ....... 2 Nodes ................ + Free Q8 ................ +(965)-532-4360 ................................ + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ................ + Exodus BBS ............. +(352)-42-44-92 ................................ 
+ Guru's Dream .......... +(46)-8-28-27-60 ....... 5 Nodes ................ + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + Hard Core , Devious Doze + Major Theft , Wolverine , Roger Wilco , The Corporal + Fallen Angel , Offset , Ironside , ActionMan , Dr. Q2 , Asmodeus + Union Jack , Redskin , Phil Thrust , Desert Rat , Spread , Snake Man + The Ghost Wind , Stroke , Whiplash Snidley , Sparkling Flash + Maximilian , Yip Yip , Dirty Bush , RON , Electron.. + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + Venom , Cuca , Turbo Interceptor , OMEN , BOO , The Hexmaster + Black Rider , Freak & Shogun , Overlord , Rotox , Q-Tip + + + + The Dream Team - Was There Ever A Choise? diff --git a/textfiles.com/piracy/DREAMTEAM/sextris.nfo b/textfiles.com/piracy/DREAMTEAM/sextris.nfo new file mode 100644 index 00000000..ef4a985a --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/sextris.nfo 
@@ -0,0 +1,107 @@ + + + + + + + + + + + + + + [OFFSET] + + ProudlyPresent + + + SEX TETRIS from Buena Software + + Ŀ + RELEASE INFORMATION + Ĵ + Supplied by : Roger Wilco + Released : 5rd September 1992 + Graphics : VGA/MCGA + Sound : Speaker + + Ŀ + RELEASE NOTES + + Probably the best tetris you ever played. You will get really stressed when + you can see the picture showing you more and more. Don't spend too much time + on this one, there is another game coming tonight... + + If you think the game is too hard and still want to view the pictures, then + simply run CHEAT.EXE...(If you are at least 21) + + Greetings to: Trsi / Razor 1922 / Firelight / The Handle Guys / INC'r + + + Yet another QUALITY release by TDT! + + Have fun and see you later in our next crack! + + Ŀ + If you like this release then write to us! Support the group that makes + this possible for you : THE DREAM TEAM + + Ŀ + The Dream Team is always ready to take in new members. But we want only + the best. If you can supply games, make music (MOD) , or draw graphics + contact us by calling the nearest TDT bbs or write to our post box! + + Also if you are intrested in the newest and hottest make sure to write to + us for a free program diskette + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + ABACUS, Ace, ActionMan, Asmodeus, Desert Rat, Califboy, Devious Doze + Fallen Angel, Hard Core, IronSide, Major Theft, Mr Thompson + Offset ,Pablo, Phil Thrust, Redskin, Roger Wilco, Snake Man + Spread, Stroke , The Ghost Wind, Union Jack, Wolverine, Yip Yip + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + Venom , Boo , Cuca , Marauder, Black Mischief, Pixel + The Headman, Turbo Interceptor, S.S , O-Z-Z-Y + Black Rider , Avenger , Cellat & Sledge - Freak & Shogun - Overlord + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ 612-PRI-VATE ....... 6 Nodes ................ + Revelation ................ 301-PRI-VATE ....... 5 Nodes ................ 
+ Akira Project ............. 416-512-8567 ....... 3 Nodes ................ + East BBS ............... +(46)-8-940-614 ................................ + Twins ..................... 514-723-4351 ....... 3 Nodes ................ + No Name BBS ........... +(49)-ELITE-CALL ................................ + New Central Europe ... +(49)-911-758-383 .......11 Nodes ................ + Central Nervous System .... 414-832-1449 ................................ + Ĵ + NORTH AMERICA HEADQARTERS + Ĵ + Hell ...................... 313-349-4933 ....... 2 Nodes ................ + The Underworld ............ 916-429-2232 ................................ + Lite House Express ........ 407-624-4329 ....... 2 Nodes ................ + Big Time .................. 519-978-3388 ................................ + The Fifth Dimension ....... 203-589-2269 ................................ + Pandora's Box ............. 313-652-2578 ....... 5 Nodes ................ + Ĵ + EUROPE AND SAUDI ARABIA'N HEADQUARTERS + Ĵ + Juve Rehab .......... +(358)-187-818-316 ....... 2 Nodes ................ + Free Q8 ................ +(965)-532-4360 ................................ + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ................ + Orange Juice ........... +(61)-357-10747 ....... 3 Nodes ................ + Cimmeria .............. +(90)-1-384-0863 ................................ + Exodus BBS ............. +(352)-42-44-92 ................................ + + + TDT 1992 : The Team of Your Dream's! diff --git a/textfiles.com/piracy/DREAMTEAM/simphson.nfo b/textfiles.com/piracy/DREAMTEAM/simphson.nfo new file mode 100644 index 00000000..10ff37c1 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/simphson.nfo 
@@ -0,0 +1,71 @@ + + <>/<>/<>/<>/<>/<>/<>/<> THE DREAM TEAM & SKID ROW <>\<>\<>\<>\<>\<>\<>\<> + + P R E S E N T S + + THE SIMPHSONS FROM KONAMI + + Ŀ + GAME/CRACK INFORMATION + Ĵ + Cracker : Hard Core + Game Supplied by : Mysterius Goblin + Protection : PW in the intro + Display Screen : EGA/VGA 256 + Sound Boards : Speaker/Adlib + Game Overall : 95% + + +Game Notes: Hahaha...This game is SO fun! Its not 95% for game, but for the + playability.... + Well, if you are a BIG simphsons fan as i am, then you'll + probably LOVE this. + + See you soon in our next crack! + + IF you are a high respected BBS and wants to join a growing + group, contact us on ANY TDT bbs today! + +Greetings : USA/FLT - INC - THG - TRSI + + + The Dream Team Members + are + Hard Core,ActionMan,Sandman,Slayer,Con Artist,Jammer + Roger Wilco,Dr Pepsi,Cum Spreader,Norrin Radd,Ranx,Touch Tone + and all sysops + + Skid Row Members + are + FFC - Stark - SubZero + + Ŀ + The Dream Team/Skid Row [ OUTSIDE US ] + ij + Hard City +46-PRI-VATE Hard Core + Turk 51 Zone +31-104-296515 TDB + NetWork +31-2550-31623 Papillon + Bloom County +46-300-40258 Opus + No Name 358-187-818-316 Snake Man 2 Nodes + Orange Juice +61-3571-1627 Yip Yip 3 Nodes + TWINS 514-723-1712 Spread + WareHouse +358-625-806 Disco + The Star Factory +46-8-7172761 B.B. King + Paint In Black +49-6565-4553 Stoned Warrior 4 Nodes + ij + The Dream Team/Skid Row [ US ] + ij + Motherboard One 714-971-0172 Touch Tone 6 Nodes + Pirates Ship 515-277-1906 Skeleton 2 Nodes + Revelation 301-423-7860 Ghost Wind 4 Nodes + Orions Belt 718-370-8890 Pluto + + + If you want to contact us write to + + TDT SWEDEN + BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + \ No newline at end of file diff --git a/textfiles.com/piracy/DREAMTEAM/spectre.nfo b/textfiles.com/piracy/DREAMTEAM/spectre.nfo new file mode 100644 index 00000000..0eb8dcad --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/spectre.nfo 
@@ -0,0 +1,100 @@ + + + -//- T H E D R E A M T E A M -\\- + + (Who else?!?) Proudly Presents: + + SPECTRE FROM VELOCITY + + Ŀ + RELEASE INFORMATION + Ĵ + Supplied by : THE GRIM REAPER + Date : 10th December 1992 + Graphics : VGA 256 COLORS + Sound : ALL + Game Size : 1 1.44Mb's Use Subst, or Install from Floppy... + + + Looks like a decent one... Check it out... + + No DEMOs, No Updates, No Windows, No Kiddie Warez, + and No Foreign Language games you can't speak... + Only the BEST... + + Greets go out to: Hard Core, Soultaker, Pepsi Man, Rambone, Dr. Q2, + and Stroke + + Have fun, and see ya in our next QUALITY crack! + + Ŀ + If you want the newest and hottest soft very fast please write to. No swap. + Now even more improved/faster/better. If you did write before, try again! + + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + + Ŀ + If you live in france write to + B.P.13 + 95370 MONTIGNY, FRANCE + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ ITS-PRI-VATE ....... 7 Nodes ..... USA ...... + Twins ..................... 514-723-4351 ....... 3 Nodes ..... Canada ... + New Central Europe ........ ITS-PRI-VATE .......12 Nodes ..... Germany .. + C.N.S. .................... 414-832-1449 ....... 2 Nodes ..... USA ...... + Crewel Lye ................ 713-432-0779 ..................... USA ...... + Terrordome ................ 416-619-1717 ....... 3 Nodes ..... Canada ... + Lite House Express ........ 407-624-4329 ....... 4 Nodes ..... USA ...... + Ĵ + THE DREAM TEAM HEADQUARTERS + Ĵ + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ..... Italy .... + Pandora's Box ............. 313-652-6137 ....... 5 Nodes ..... USA ...... + Realm Of Immortality ...... ITS-PRI-VATE ....... 3 Nodes ..... USA ...... + Guru's Dream .......... +(46)-8-28-27-60 ....... 5 Nodes ..... Sweden ... + Ĵ + NORTH AMERICAN DISTRIBUTION SITES + Ĵ + Big Time .................. 519-252-7400 ....... 2 Nodes ..... Canada ... + The Vertigo File .......... 
815-667-4892 ..................... USA ...... + Asynchrone Entry .......... 418-661-8321 ....... 2 Nodes ..... Canada ... + The Deep .................. 305-888-7724 ..................... USA ...... + Vicious Paradise .......... 804-486-1810 ..................... USA ...... + PJ Tower .................. 714-356-9506 ..................... USA ...... + Ultimate Carnage .......... 314-949-5823 ..................... USA ...... + The Inferno BBS ........... 519-884-5071 ..................... Canada ... + Ĵ + WORLD FAMOUS DISTRIBUTION SITES + Ĵ + Pure Addiction ........ +(61)-3-571-0700 ....... 4 Nodes ..... Australia. + Free Q8 ................ +(965)-532-4360 ..................... Kuwait ... + Exodus BBS ............. +(352)-42-44-92 ..................... Luxembourg + Checkpoint Charlie ...... +(47)-42-67992 ..................... Norway ... + Parasite's Land ...... +(39)-935-958-196 ..................... Italy .... + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + Hard Core , Devious Doze , The Grim Reaper + Major Theft , Wolverine , Roger Wilco + Fallen Angel , Offset , Ironside , ActionMan , Dr. Q2 + Redskin , Freebird , Desert Rat , Spread , Black Rider , Nowayout + The Ghost Wind , Stroke , Snidely Whiplash , Sparkling Flash + Maximilian , Yip Yip , Dirty Bush , RON , Electron.. , Sought After + Buckaroo Banzai , Dr Crippen , Pepsi Man , Black Terror , Phil Thrust + Stingray , The Corporal , Great White/The Speed Racer , Dave & Chris + Soul Taker and S.S + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + UNDER RE-CONTRUCTION + + + "ORIGINAL IDEA - [HARD CORE] - [THE DREAM TEAM 1992]" diff --git a/textfiles.com/piracy/DREAMTEAM/sq5.nfo b/textfiles.com/piracy/DREAMTEAM/sq5.nfo new file mode 100644 index 00000000..2dd21a1c --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/sq5.nfo 
@@ -0,0 +1,112 @@ + + + -//- T H E D R E A M T E A M -\\- + 1993 - 3RD YEAR ANIVERSARY ON IBM +-*- QUALITY FACTORY -*- Proudly Presents: -*- QUALITY FACTORY -*- + + Space Quest V from Sierra RELEASE + Ŀ + RELEASE INFO + Ĵ + Supplier....: THE GRIM REAPER......... Cracker....: ..................... + Protection..: PASSWORD PROTECTED...... Date.......: 18th Feb 1993........ + Graphics....: VGA 320*200 256 colors.. Size.......: 5 1.44Mb Disks....... + + + FINALLY, after 2 BETAS out by two unfamous groups, TDT slams our second + release this week with the RELEASE version of SPACE QUEST 5 from SIERRA!!! + + You've probably seen the previous and been almost dieing to get the final + copy, TDT comes at your resque... + + We didnt find any protection, but when you are about to travel in space, you + will need the coordinates, they are stored in the file SQ5CORDS.TDT, make + sure you get this one, the BETA coordinates are diffrent! + + Not much more to say, just make sure you unzip PKUNZIP -D -$ ZIPNAME A: + + Greetings MUST go to: Aftermath , STRIDER , Lincoln , JFK , OLDIE and all + our new mates out there! + + Group greetings : RAZOR 1911 - Was it quality or quantity? + TRSI - Exepct some more competition now in Germany... + FAIRLIGHT - Good luck with PE + PYRADICK - Blah! + + Check out the intro on DISK 5! + + TDT - Not only QUALITY, but QUALLITY THAT WORKS! + Ŀ + IF you want to contact THE DREAM TEAM then call this BBS: + Call : 612-755-1347 + Use username: APPLICATION + Password : TDT + Hit 'E' and enter message to: HARD CORE + + Ŀ + If you want the newest and hottest soft very fast write to (no swapping) + Why second hand and not from the best? + + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + + Ŀ + If you live in france write to: + B.P.13 + 95370 MONTIGNY, FRANCE + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ ITS-PRI-VATE ....... 7 Nodes ... Major Theft. + Twins ..................... 514-723-4351 ....... 4 Nodes ... 
Spread ..... + New Central Europe ........ ITS-PRI-VATE .......13 Nodes ... Phil Thrust. + Lite House Express ........ ITS-PRI-VATE ....... 4 Nodes ... Freebird ... + Terrordome ................ 416-619-1717 ....... 3 Nodes ... Stingray ... + Ĵ + THE DREAM TEAM HEADQUARTERS + Ĵ + Highland Board ............ ITS-PRI-VATE ....... 5 Nodes ... Ironside ... + Realm Of Immortality ...... ITS-PRI-VATE ....... 3 Nodes ... Sparkling F. + Alliance ............ +(49)-30-8885-2713 ....... 4 Nodes ... MICHELANGELO + Guru's Dream ............ +(46)-828-2760 ....... 5 Nodes ... Dirty Bush . + Ĵ + NORTH AMERICAN DISTRIBUTION SITES + Ĵ + Big Time .................. 519-252-7400 ....... 2 Nodes ... Stroke ..... + The Pristine Tower ........ 815-667-4892 ....... 2 Nodes ... Vertigo .... + The Deep .................. 305-888-7724 ................... Speed Racer. + PJ Tower .................. 714-356-9506 ................................ + Ultimate Carnage .......... 314-949-5823 ................... Devestator . + Infinite Ragnarok ......... 916-XXX-XXXX ....... 2 Nodes ... Jormungand . + Athens .................... 510-XXX-XXXX ................... Aristotele . + GreyBeard's Castle ........ 601-939-7861 ....... 2 Nodes ... Mark Twain . + Cold Fusion ............... 604-XXX-XXXX ................................ + Ĵ + WORLD FAMOUS DISTRIBUTION SITES + Ĵ + Pure Addiction .......... +(61)-PRI-VATE ....... 4 Nodes ... Yip Yip .... + Free Q8 ................ +(965)-532-4360 ................... Desert Rat . + Checkpoint Charlie ...... +(47)-426-7992 ................... Vandall .... + Zero City III .......... +(61)-2472-4310 ....... 2 Nodes ................ 
+ + Ŀ + THE DREAM TEAM MEMBERS [13 SOULS] + Ĵ + HARD CORE + THE GRIM REAPER - DR.Q2 - ROGER WILCO - ACTION MAN + MAXIMILIEN - THE CORPORAL - REDSKIN - S.S - BLACK RIDER + BUCKAROO BANZAI - DAVE & CHRIS - MOSAIC + Ĵ + THE DREAM TEAM COURIER SYSTEM [10 DEVILS] + Ĵ + Sharp - XAVIER X - Lord Disembowelment - Coyotes Memeber - Freak + ROTOX - SKYBUM - White Rose - Coke - Centre + + + NO UPDATES - NO NONEGLISH GAMES - NO WINDOWS GAMES - NO FUCK UPS + + -*- Q U A L I T Y O N L Y -*- diff --git a/textfiles.com/piracy/DREAMTEAM/tdt0192.nfo b/textfiles.com/piracy/DREAMTEAM/tdt0192.nfo new file mode 100644 index 00000000..d18f598c --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/tdt0192.nfo 
@@ -0,0 +1,73 @@ + + [/\/\/\- T H E D R E A M T E A M -/\/\/\] + + Proudly Presents + + Paper Boy II from Mindscape + + Ŀ + RELEASE INFORMATION - + Ĵ + Cracker : - + Game Supplied by : Action Man + Protection : None, but installation removed + Display Screen : EGA/VGA 16 Colors + Sound Boards : Speaker/Adlib/Soundblaster + Game Type : Arcade + + Ŀ + RELEASE COMMENT - + Ĵ + Use all four arrow keys to move the paper kid... Return throws out + the news papers to the subscribers! + Access Codes are 5738 for level 2 and 6479 for level 3! + The original has to be installed from floppies, but we here at TDT + think that thats very lame so we removed it and replaced it with + our own setup program which let's you run the game from harddrive + direct! + Confusion about TDT/SR: Skid Row didnt care so much about the pc + they were just exited to start but wasnt that big deal. So from 1992 + there will be TDT only... + Greetings: THG,INC,USA,FLT,VF,XEROX,TRSI,PE,NEUA, (In Random Order) + + Ŀ + THE DREAM TEAM EUROPEAN SECTION - + Ĵ + MEMBERS : Hard Core - ActionMan - Mr Thompson - TDB + Roger Wilco - The Jammer - Dr Pepsi - Desert Rat + SYSOPS : Opus - Stoned Warrior - Snake Man - B.B.King + COURIERS : BLAZE - Pixel - Yip Yip + Ĵ + BULLETIN BOARD SYSTEMS - + Ĵ + HARD CITY 46-PRI-VATE Hard Core + EAST BBS 46-894-0614 Mr Thompson + TURK 51 ZONE 31-104-296515 TDB + Paint In Black 49-6565-4553 Stoned Warrior 4 Nodes + Juve Rehab 358-187-818316 Snake Man 2 Nodes + Free Q8 965-532-4360 Desert Rat + + Ŀ + THE DREAM TEAM AMERICAN SECTION + Ĵ + MEMBERS : The Surge - Pluto - The Ghost Wind - Sandman - Con Artist + SYSOPS : The Skeleton - Spread - Pluto - Asmodius - Norrin Radd + COURIERS : Union Jack, want to be his partner? 
+ Ĵ + BULLETIN BOARD SYSTEMS + Ĵ + REVELATION 301-423-1442 Ghost Wind 5 Nodes World HQ + TWINS 514-723-4351 Spread 2 Nodes + HELL 313-349-4933 Asmodeus CourierHome + PIRATES SHIP 515-277-1906 Skeleton 2 Nodes + ORIONS BELT 718-370-8890 Pluto + SIDE EFFECTS 408-942-0818 Norrin Radd CourierHome + THE CASINO ROYALE 604-261-3260 The Commandant + + + For getting all the latest cracks write to + The Dream Team + PO BOX 52 + 810 70 AELVKARLEBY + S W E D E N + diff --git a/textfiles.com/piracy/DREAMTEAM/tdt0195.nfo b/textfiles.com/piracy/DREAMTEAM/tdt0195.nfo new file mode 100644 index 00000000..2969ca1f --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/tdt0195.nfo 
@@ -0,0 +1,107 @@ + + + -//- T H E D R E A M T E A M -\\- + 1 9 9 2 + + ProudlyPresent + + Risky Woods from Electronic Art's + + Ŀ + RELEASE INFORMATION + Ĵ + Cracked by : Hard Core + Supplied by : Roger Wilco + Released : 7th October 1992 + Graphics : VGA 256 colors + Sound : Soundblaster (Pro)/Roland MT-32/Adlib/Speaker + + Ŀ + RELEASE NOTES + + Most of you have probably played the preview of this awesome arcade game! + Music/Sound effects are great, and the scrolling is sweet on a 486 computer + It's a long awaited game and here it comes! + + The game has 9 levels and using the level trainer you can start from other + levels than the first one. + + Greetings goes to: Sought After, Vertigo and Officer of Sorrow, our new + TDT buddies... + INC - Dont steal this one like you did with the preview + We MARKED the game, so we will find out! + + Level trainer run the file 'LEVEL.COM' + + Be also sure to grab King's Quest 6 done by TDT yesterday... + + Yet another QUALITY crack by TDT! + + Have fun and see you later in our next release! + Ŀ + Also if you are intrested in the newest and hottest make sure to write to + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + Want to be a DIST SITE? If you want to be in the BEST organized cracking + team then TDT is your choise. We offer you great support and quick upload + when releases comes. Ask any TDT DIST site on the scene! + CALL : 612-754-0266 (9600Bps only!) + On username ENTER : APPLICATION + Use Password : DISTSITE + Hit 'E' and enter message to : HARD CORE + Now write us your voice number, your name, a few word about your system + and something about what you can do for US...See you on There! + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ 612-PRI-VATE ....... 6 Nodes ................ + Revelation ................ 301-PRI-VATE ....... 5 Nodes ................ + Akira Project ............. 416-512-8567 ....... 3 Nodes ................ + Twins ..................... 
514-723-4351 ....... 3 Nodes ................ + New Central Europe ....... +(49)-PRIVATE .......11 Nodes ................ + Central Nervous System .... 414-832-1449 ................................ + Hell ...................... 313-349-4933 ................................ + Ĵ + NORTH AMERICA DISTRIBUTION SITES + Ĵ + Lite House Express ........ 407-624-4329 ....... 2 Nodes ....HEADQUARTERS + Big Time .................. 519-252-7400 ................................ + The Vertigo File .......... 815-667-4892 ................................ + The Satanic Syndicate ..... 201-301-0952 ................................ + Pandora's Box ............. 313-652-6137 ....... 5 Nodes ................ + Realm of Immortality ...... 415-992-0945 ....... 3 Nodes ................ + Crual Lie ................. 713-432-0779 ................................ + Ĵ + EUROPE AND SAUDI ARABIA'N DISTRIBUTION SITES + Ĵ + Orage Juice ........... +(61)-3-571-0700 ....... 4 Nodes ................ + Juve Rehab .......... +(358)-187-818-316 ....... 2 Nodes ................ + Free Q8 ................ +(965)-532-4360 ................................ + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ................ + Exodus BBS ............. +(352)-42-44-92 ................................ + Guru's Dream .......... +(46)-8-28-27-60 ....... 5 Nodes ................ + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + Hard Core , Devious Doze + Major Theft , Wolverine , Roger Wilco , The Corporal + Fallen Angel , Offset , Ironside , ActionMan , Dr. Q2 , Asmodeus + Union Jack , Redskin , Phil Thrust , Desert Rat , Spread , Snake Man + The Ghost Wind , Stroke , Whiplash Snidley , Sparkling Flash + Yip Yip , Dirty Bush , RON + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + Venom , Cuca , Black Mischief , Turbo Interceptor + Black Rider , Freak & Shogun , Overlord , Rotox , Q-Tip + + + + The Dream Team - Was There Ever A Choise? + 
diff --git a/textfiles.com/piracy/DREAMTEAM/tdt0292.nfo b/textfiles.com/piracy/DREAMTEAM/tdt0292.nfo new file mode 100644 index 00000000..e72a38e1 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/tdt0292.nfo 
@@ -0,0 +1,72 @@ + + -//-//- T H E D R E A M T E A M -\\-\\- + + Proudly Presents + + Super Space Invaders from Domark + and + Super Space Invaders Trainer + + Ŀ + RELEASE INFORMATION _ + Ĵ + Software Surgeon : - + Supplied by : /-\ction /\/\an + Protection : - + Game Graphics : CGA/EGA/VGA 16 colors + Sound Boards : Speaker/Adlib/Roland + Game Type : Shoot'em Up/Arcade + + Ŀ + RELEASE COMMENT - + + Finally the Super Space Invaders game is here! The long awaited legend con- + tinue... The game feature cow savings and 12 level of hot action. We have + also trained the game and played through the whole game with Hard Core's + trainer. To start the game and make the game run with trainer type 'RUNME' + to start play. Another Quality release by TDT! + + Greetings : Big Hairy Camel,Major Theft,Irata,Pieman,Roger Wilco + + NOTE! We are running a TDT-TSHIRT campaign right now, read the TSHIRT.BUY + file for more info... + Ŀ + If you want to get all the newest write to + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + _ -><- THE DREAM TEAM EUROPE -><- _ + Ĵ + Members : Hard Core, ActionMan, Roger Wilco, Jammer,Zelnik,Mr Thompson + Sysops : Stoned Warrior, Snake Man, Deser Rat, TDB + Couriers : Blaze, Pixel, Yip Yip,Stinger + Ĵ + Hard City .............+46-PRI-VATE...Hard Core ................HOME BBS. 
+ East BBS ..............+46-894-0614...Mr Thompson ..............Sweden HQ + Turk 51 Zone ..........+31-104-296515.TDB ......................Holland HQ + Paint In Black ........+49-656-54553..Stoned Warrior ..4 Nodes..Dist Site + Juve Rehab ............358-187-818316.Snake Man .......2 Nodes..Dist Site + Free Q8 ...............965-532-4360...Desert Rat ...............Dist Site + + Ŀ + _ -><- THE DREAM TEAM AMERICAN SECTION -><- _ + Ĵ + Members : The Surge, GOD, Con Artist, Sledge Hammer, Sandman + Sysops : The Skeleton, Spread, Asmodius, The Commandant, Opus + Couriers : Union Jack, QuickSilver, The Unforgiven + Ĵ + Unlawful Entry ........612-754-0266...Major Theft .....5 Nodes..World HQ. + Warez for the Masses ..302-836-6175...Goobug/Perfect ..7 Nodes..USA HQ... + Pirates Ship ..........515-277-1906...Skeleton ........2 Nodes..USA HQ... + Twins .................514-723-4351...Spread ..........2 Nodes..Canada HQ + Head Trauma ...........416-824-7191...Sledge Hammer ...3 Nodes..Canada HQ + Hell ..................313-349-4933...Asmodeus ........2 Nodes..Couriers. + The Casino Royale .....604-261-3260...The Commandant ...........Dist Site + Hornet's Nest .........301-229-8032...Sting/Opus ...............Dist Site + + + If you want to become a Member or Dist Site, contact Hard Core on + Unlawful Entry - The Dream Team World Headquarters diff --git a/textfiles.com/piracy/DREAMTEAM/tdt0491.nfo b/textfiles.com/piracy/DREAMTEAM/tdt0491.nfo new file mode 100644 index 00000000..0265cccd --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/tdt0491.nfo 
@@ -0,0 +1,67 @@ + NOTE! NOTE! NOTE! NOTE! NOTE! NOTE! NOTE! NOTE! NOTE! NOTE! NOTE! NOTE! NOTE! + + The Cooperation TDT/TRSI is now broken. It's now TDT and TRSI only... + + NOTE! NOTE! NOTE! NOTE! NOTE! NOTE! NOTE! NOTE! NOTE! NOTE! NOTE! NOTE! NOTE! + + <<>/<<>/<<>/<<> THE DREAM TEAM <>>\<>>\<>>\<>> + PRESENTS + B A T T L E C O M M A N D + + Ŀ + Crack made by : Hard Core + Game Supplied by : Roger Wilco + Protection : Password protection (1 byte crack!) + Display Screen : CGA/EGA/VGA 256 Colors + Sound Boards : Speaker/Adlib/Roland + Game Overall : 75% + + +Game Notes: One of the BEST 3-d games on the market right now. The grafics + is very well done and the vectors are very smooth. It seems + like these programmers has found some good 3-d calculations! + + Opearating keys are: [Q] - Up + [A] - Down + [O] - Left + [P] - Right + [F1] - [F10] - Check by yourself! + [SPACE] - Fire + + Watch our for DreamDox coming soon to a board near you! + +Greetings goes to: Warlord,Stalker,The Pieman,Strider,Silencer + + + The Dream Team members are + Hard Core,Con Artist,Angelface,The Jammer,Ranx + The Sandman,TDB,Spread,Touch Tone,Pluto + ActionMan,Roger Wilco,Skeleton,RADAR + + The Dream Team Spreaders + Alast(408) - Brodde(718) - Doctor Slasher(516) + Symetric Shadow(514) - Cryptic Lance(818) - Pixel(32) + + Ŀ + THE DREAM TEAM [US] SECTION + ij + Motherboard One 215-944-971 Touch Tone 5 Nodes + Beyond Imagination 703-730-1688 MaggotMan 1-800 + Orions Belt 718-966-5930 Pluto + Twins 514-723-17-12 Spread + Steal Haven ITS-NOW-DOWN Norrin Radd + Apocalypse 703-347-5412 POW + Skeleton's BBS 515-277-0016 Skeleton 2 Nodes + Dead Zone 714-520-9945 Radar + ij + THE DREAM TEAM [EUROPEAN] SECTION + ij + Hard City +46-PRI-VATE Hard Core + Turk 51 Zone +31-104-296515 TDB + P.M.C. 358-185-279-18 Snake Man 2 Nodes + + + The Dream Team US The Dream Team Europe + PO BOX 131843 PO BOX 52 + Staten Island, NY 10313 810 70 Aelvkarleby + USA Sweden \ No newline at end of file 
diff --git a/textfiles.com/piracy/DREAMTEAM/tdt0592.nfo b/textfiles.com/piracy/DREAMTEAM/tdt0592.nfo new file mode 100644 index 00000000..55d19ef4 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/tdt0592.nfo 
@@ -0,0 +1,88 @@ + + + -//- T H E D R E A M T E A M -\\- + + + -*- Proudly Present -*- + + Castle Wolfstein 3-D Release Version + Ŀ + RELEASE INFORMATION + Ĵ + Cracked by : - Gfx support: VGA 256 Colors + Protection : - Snd support: Adlib/Sblaster + Supplied by : R/\D/\R Game Type : Arcade W/Pg-13 Rating + Release date: 5th May 1992 Publisher : Apogee + + Ŀ + RELEASE NOTES + + This is the Final release, unlike the beta version $yndicate about + 2-3 weeks ago! great game, and awesome sound + + + Nothing much more to say...Be sure to grab the other TDT releases coming + REALLY soon! + + -*- Welcome back REVELATION -*- + + Greetings : Dr.Q2, Fairlight, Razor, TRSI, Extacy and THG + + + Have fun and see you soon in our next quality release! + + Ŀ + If you want to get all the newest write to + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + THE DREAM TEAM EUROPE + Ĵ + Members : Hard Core, ActionMan, Roger Wilco, Jammer, Zelnik, Paul,Offsat + Sysops : Mr Thompson, Snake Man, Desert Rat, IronSide, Redskin + Couriers : Pixel, Yip Yip, Income, Head Banger, Venom + Ĵ + East BBS ............. +46-894-0614 ... Mr Thompson ............ ........ + Juve Rehab ........... 358-187-818316 . Snake Man .......2 Nodes ........ + Free Q8 .............. 965-532-4360 ... Desert Rat ............. ........ + Highland Board ....... +39-362-901606 . Ironside ........3 Nodes ........ + Bagdad Cafe .......... 352-424-492 .... Redskin ................ ........ + Orange Juice ......... +61-357-10747 .. Yip Yip .........2 Nodes ........ + No Name .............. +49-523-491242 . Paul ................... ........ + + Ŀ + THE DREAM TEAM NORTH AMERICA + Ĵ + Members : Radar, Con Artist, Major Theft, Union Jack, Big Hairy Camel + Sysops : The Ghost Wind, Spread, Asmodeus, Loverboy, Nightman + : Califboy, Pirate Pete + Couriers : Deviouse Doze, Lord of Rings, Turbo Interceptor, The Headman + : Overlord, Night Shadow, Fallen Angel, Black Mischief + Ĵ + UNLAWFUL ENTRY ....... 
612-PRI-VARE.... Major Theft ....5 Nodes .TDT WHQ. + Revelation ........... 301-2CO-OL4U.... BHC/TGW ........5 Nodes ......... + Twins ................ 514-723-4351.... Spread .........2 Nodes ......... + Hell ................. 313-349-4933.... Asmodeus .......2 Nodes .Courier. + Involuntary Death .... 708-599-1537.... Loverboy .......2 Nodes ......... + Akira Project ........ 416-512-8567.... Deviouse Doze ..3 Nodes ......... + Purple Dragon II ..... 714-531-9819.... Nightman .......3 Nodes ......... + Phase Shift .......... 604-732-4645.... Pirate Pete ....2 Nodes ......... + The Underworld ....... 916-429-2232.... Califboy .............. ......... + + + If you want to contact us call Unlawful Entry TDT WHQ + To get an account there leave mail on any TDT bbs + + Ŀ + The Five Latest TDT Releases + Ĵ + World Class Rugby 5N ..... VGA[16]/ADLIB .... Audigemic ..... 1st May + Troon North Links Course . VGA[256]/Adlib ... Accolade ...... 27th April + Steel Empire ............. VGA[256]/Soundb .. El Art's ...... 15th April + Sea Rogue 2.95 RELEASE ... VGA[16]/Adl ...... Microprose .... 14th April + Battle Isle English ...... VGA[256]/Adlib ... Blue Byte ..... 13th April + + \ No newline at end of file diff --git a/textfiles.com/piracy/DREAMTEAM/tdt0593.nfo b/textfiles.com/piracy/DREAMTEAM/tdt0593.nfo new file mode 100644 index 00000000..9a712499 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/tdt0593.nfo 
@@ -0,0 +1,92 @@ + + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents: + + + Railroad Tycoon Deluxe. + + + + Ŀ + RELEASE INFO + Ĵ + Cracked by.. : Dr. Detergent ..... Supplier.. : ALF and Lefty...... + Game Overall : 80% ............... Date...... : 13th June 1993 .... + Graphics.... : VGA 256 COLORS .... Sound..... : All ............... + + + + Yet another crack... + + The install program should copy the crack file RRT.COM into the directory + that you're installing Railroad Tycoon Deluxe. If it doesn't, then simply + copy the file RRT.COM there - it's needed to crack the game. + + Crack was easy... This crack is the CLEANEST crack, guaranteed to work 100%! + All cracking is done cleanly in memory, no internal file modifications etc. + Whatever answer you select at the doc check, it'll take your answer and + replace it with the good one. So simply press enter when at the doc check. + + + Dat's it! + + + + GROUP GREETINGS : CARDINALS, EASTON, ECR, EXTINCT, FAIRLIGHT, INC, PE, + RAZOR, SKILLION, THG, TRSI, UNT, FC. + + + PERSONALL GREETINGS : ALF, Lefty - thanx 4 the suppliez! + + + Call Digital Systems Transferring - 514-973-6674 14.4 v32bis 2.2 gig + +############################################################################## + + + + The Dream Team '93 - QUALITY, NOT QUANTITY + + + Ŀ + If you want to catch the NEWEST and HOTTEST IBM programs then write to + + TDT DISK-BY-MAIL + PO. BOX 46 + S-37 464 STALOWA WOLA 6 + POLAND + + Ŀ + MEMBER BOARDS + Ĵ + UNLAWFUL ENTRY /./ ITS-PRI-VATE /./ 7 LINES /./ AMIEXPRESS + TWINS /./ 514-723-4351 /./ 4 LINES /./ AMIEXPRESS + ALPHA 2010 /./ 210-687-9660 /./ 4 LINES /./ PC BOARD + FEAR & LOATION /./ 205-302-0706 /./ 5 LINES /./ PC BOARD + Ĵ + HEADQUARTERS + Ĵ + HIGHLAND /./ +[39]-PRI-VATE /./ 5 LINES /./ PC BOARD + GURU'S DREAM /./ +[46]-828-2760 /./ 5 LINES /./ AMI EXPRESS + PHONE HENGE /./ 407-586-0634 /./ 1 LINE /./ CELERITY + FREE KUWAIT /./ +[965]-PRI-VATE /./ 2 LINES /./ AMI EXPRESS + THE CITADEL OF DARK. 
/./+[61]-3-899-3247 /./ 2 LINES /./ CELERITY + + Ŀ + THE DREAM TEAM FULL MEMBER LIST + Ĵ + HARD CORE - MAJOR THEFT - SPREAD - DESERT RAT - SILUS GUARDIAN + DARK LORD - ROGER WILCO - REDSKIN - MAVERICK - DR. DETERGENT + DR. Q2 - BLACK RIDER - MAVERICK - S.S - MARAUDIN GOBLIN + --------------------------------------------------------------------------- + SPREADERS + --------------------------------------------------------------------------- + [RADICAL......] - [BUBBLE MAN....] - [FIREHEAD......] - [THE MASTER.....] + + + -*- N O B U L L S H I T -*- + + diff --git a/textfiles.com/piracy/DREAMTEAM/tdt0792.nfo b/textfiles.com/piracy/DREAMTEAM/tdt0792.nfo new file mode 100644 index 00000000..f4c55ab5 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/tdt0792.nfo 
@@ -0,0 +1,98 @@ + + + -//- T H E D R E A M T E A M 1992 -\\- + + + -*- Proudly Present -*- + + Double Dragon III + Trainer + + Ŀ + RELEASE INFORMATION + Ĵ + Trainer by : Hard Core + Released : 25th July 1992 + Graphics : VGA / EGA + Sound : Roland / Soundblaster / Adlib / Pc-Speaker + + Ŀ + RELEASE NOTES + + Yeah! This is really great action. If you think the game is too hard, start + it with the trainer. It gives you unlimited energy and credits. Time limit + still ticks tho. Leaving that for someone else...hehe + + Keys are : [SHIFT] + [ARROW] - Punch + Jump + [RETURN] + [ARROW] - Kick + [RETURN] + [SHIFT] + [ARROW] - Jump and kick + + Greetings must go out to: INC - You release so much shit + IDD - Night Ranger (Don't steal amiga dox and put + your name on it, thats VERY lame) + TRSI - We love you guys + FLT - Great comeback + + Extra greetings : Darwin/Dr No/Zodact - Nice to meet you guys last week... + Hope you guys got a nice trip to + Stockholm! + + Yet another release by TDT! + + Have fun and see you later in our next crack! + + Ŀ + If you like this release then write to us! Support the group that makes + this possible for you : THE DREAM TEAM + Ĵ + Greeting goes to the software companies, dont be sad, we just make you + guys a favour spreading your releases to countries you would never reach + + Ŀ + The Dream Team is always ready to take in new members. But we want only + the best. If you can supply games, make music (MOD) , or draw graphics + contact us by calling the nearest TDT bbs or write to our post box! + + Also if you are intrested in the newest and hottest make sure to write to + The Dream Team + PO. 
BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + ABACUS, Ace, ActionMan, Asmodeus, Desert Rat, Devious Doze + Hard Core, IronSide, Major Theft, Mr Thompson, Nightman, Offset + Phil Thrust ,Pablo, Redskin, Roger Wilco, Snake Man, Spread + The Ghost Wind, Union Jack, Yip Yip + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + UNDER ORGANIZATION + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ 612-PRI-VATE ....... 6 Nodes ................ + Akira Project ........ 416-512-8566/8567 ....... 3 Nodes ................ + Revelation ................ 301-PRI-VATE ....... 5 Nodes ................ + East BBS ............... +(46)-8-940-614 ................................ + Twins ..................... 514-723-4351 ....... 3 Nodes ................ + No Name BBS ........... +(49)-ELITE-CALL ................................ + New Central Europe ...... +(49)-PRI-VATE ....... 7 Nodes ................ + Ĵ + DISTRIBUTION SITES + Ĵ + Juve Rehab .......... +(358)-187-818-316 ....... 2 Nodes ................ + Free Q8 ................ +(965)-532-4360 ................................ + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ................ + Hell ...................... 313-349-4933 ....... 2 Nodes ................ + Orange Juice ........... +(61)-357-10747 ....... 3 Nodes ................ + Hell ...................... 313-349-4933 ....... 2 Nodes ................ + Cimmeria .............. +(90)-1-384-0863 ................................ + Exodus BBS ............. +(352)-42-44-92 ................................ + Big Time .................. 519-978-3388 ................................ + + + TDT 1992 : Your Dream's Come Alive! + diff --git a/textfiles.com/piracy/DREAMTEAM/tdt0793.nfo b/textfiles.com/piracy/DREAMTEAM/tdt0793.nfo new file mode 100644 index 00000000..4d56fa25 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/tdt0793.nfo 
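Review bot: the DISTRIBUTION SITES block in tdt0792.nfo (the hunk above) lists `Hell ...................... 313-349-4933 ....... 2 Nodes` twice, four lines apart. If the intent is a verbatim archive of the original release note, leave it and say so in the commit message; if the intent is a cleaned-up copy, drop the second occurrence, since the other NFOs in this series list each board once.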
@@ -0,0 +1,73 @@ + + -> > > T H E D R E A M T E A M ' 91-93 < < <- + + + + + + + + + Proudly Presents - When 2 Worlds War U.S Release By Impressions + + Ŀ + Release Information Game Information + Ĵ + Cracked By : N/A................ Graphics : EGA/VGA............ + Supplied By : DARK FORCE......... Sound Cards : Ad-lib/Sb.......... + Release Date : July 16th 1993..... # of Disks : 2 HD's............. + + + Well here it is the USA Release of this great Strategy game, We at + First didnt think this was going to be worth our while but after comparing + this release to the 1 meg Razor release we decided to put it out.Anyone + could of had this, but by fluke we checked it and bam! Here is us, Updated, + complete and final. Hope you enjoy this release, hope to see you soon in + our next release. + + Greetings to - TRSI / THG / PE / RAZOR & FAIRLIGHT! + + Personal Greets to - Rygar, Hydro, Doze, Killer, Tiger & Shadolok! + + Anyone want good deals on Copiers? Leave me on Unlawful To FA!, and you + can get the best prices! + + + Ŀ + If you want to catch the NEWEST and HOTTEST IBM programs then write to + + TDT DISK-BY-MAIL + PO. BOX 46 + S-37 464 STALOWA WOLA 6 + POLAND + + Ŀ + > > > T H E D R E A M T E A M - B U L L E T I N B O A R D S < < < + Ĵ + Unlawful Entry ............ ITS-PRI-VATE ..... 8 Nodes ..... World HQ + Twins ..................... 514-723-4351 ..... 4 Nodes ..... Canadian HQ + Alpha 2010 ................ 210-687-9660 ..... 6 Nodes ..... US Mega-HQ + Fear & Loathing ........... ITS-PRI-VATE ..... 6 Nodes ..... US Mega-HQ + Ĵ + Ĵ + Highland .................. +39-PRI-VATE ..... 5 Nodes ..... Italian HQ + Guru's Dream .............. +46-828-2760 ..... 5 Nodes ..... Swedish HQ + Phone Henge ............... 407-586-0634 ..... 1 Nodes ..... American HQ + Ĵ + Ĵ + Grave Beard's Castle ...... 601-939-7861 ..... 3 Nodes ..... Dist Site + The Citadel of Dark ....... +61-38993247 ..... 2 Nodes ..... Dist Site + Da Hauze .................. +31-76719111 ..... 
4 Nodes ..... Dist Site + + Ŀ + > > > T H E D R E A M T E A M - M E M B E R L I S T < < < + Ĵ + Hard Core, Spread, Major Theft, Roger Wilco, + Dark Force, Martial Artist, Dark Lord, Redskin, Maverick, Dr.Q2 + Dr. Detergent, Black Rider, Intreq, S.S, & Marauding Goblin + + Ŀ + COURIERS - Rotox, Radical, Bubble Man, Firehead, The Master & Mystik Tiger + + + \ No newline at end of file diff --git a/textfiles.com/piracy/DREAMTEAM/tdt0895.nfo b/textfiles.com/piracy/DREAMTEAM/tdt0895.nfo new file mode 100644 index 00000000..7aa2f047 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/tdt0895.nfo 
@@ -0,0 +1,59 @@ + + + -//- T H E D R E A M T E A M -\\- + + PROUDLY PRESENT: + + **> * THE PATRICIAN *VESA* vG2 (C) READYSOFT [X/3] * <** +Ŀ + RELEASE INFORMATION - +Ĵ + Cracked By..: MR.TDT.................. Supplier...: DARK FORCE........... + Packaged....: THE SNIPER.............. Date.......: 3rd AUG 1995....... . + Graphics....: SVGA/VGA 256 COLORS..... Size.......: 3 x 1.44mb DISKS..... + + + RELEASE NOTES - + + Welcome folks to another cool release from the Team of your Dreams. + This one is a beauty! Finally, from the makers of Space Ace and Dragons + Lair, comes The Patrician VESA Version G2. Readysoft, actually, wasn't + intending on releasing this version due to some minor glitches, but we + managed to get our hands on it anyway. See you in our next fine release! + + Make a directory called PATR and unzip the files with the -d option. + + There were 5 original disks for this release, but for cracking reasons + they had to be installed and re-zipped with compression, thus giving us 3. + + + GAME NOTES - + + Set over two centuries of European history, The Patrician is an epic + saga of power and money. As a successful Patrician you must rise to the + top of the might Hanseatic League, the most powerful commercial + organization of the time. In the quest for power and wealth you must + run an international trading organisation and become a social force in + your community. + + + Enjoy, and look for more fine releases in the future! + + + PERSONAL GREETS - THE SPEED RACER, HOSON, HARD CORE & DARK FORCE. + + + ** To All Old TDT Members, The Dream Is Back. ** + ** Contact Us And You Can Re-Live The Experience ** + ** That The World Will Never Soon Forget, TDT. ** + + + THE DREAM TEAM - Friends Forever... + Ŀ + HALL OF FAME (ACTIVE MEMBERS) [X POSITIONS] + Ĵ + [..............] - [...............] - [.............] - [..............] + [ ** UNDER CONSTRUCTION AS OF 1995 ** ] + [..............] - [...............] - [.............] - [..............] 
+ + -*- IN THE AGE OF DREAMS, A LONE FORCE RISES FROM THE ASHES, TDT -*- diff --git a/textfiles.com/piracy/DREAMTEAM/tdt089~1.nfo b/textfiles.com/piracy/DREAMTEAM/tdt089~1.nfo new file mode 100644 index 00000000..ae0a72a6 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/tdt089~1.nfo 
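Review bot: the box-drawing frames in tdt0895.nfo have come through as "Ŀ" and "Ĵ" with the horizontal rules dropped entirely (see the RELEASE INFORMATION and HALL OF FAME boxes), which is what a CP437 ANSI .nfo looks like after it has been decoded as a different single-byte charset and re-encoded. If the goal is archival fidelity, confirm that the committed bytes are the original CP437 file and not this transcoded copy, and pin `textfiles.com/**/*.nfo` as `binary` (or at least `-text`) in .gitattributes so that line-ending normalization and future re-encodes cannot alter them. The same mojibake appears in every DREAMTEAM .nfo in this patch, so the fix belongs at the directory level rather than per file.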
@@ -0,0 +1,101 @@ + + + + + + + + + + + + + + [OFFSET] + + ProudlyPresent + + Dinosauri Balls from AMWA Computer Co. + + Ŀ + RELEASE INFORMATION + Ĵ + Cracked by : - + Released : 9th August 1992 + Graphics : VGA 256 colors + Sound : Pc-Speaker / Adlib ? + + Ŀ + RELEASE NOTES + + Dino Balls gives you a lesson in dinosouri history. The scanned background + is good looking, and the game gives you full 256 colors. Playing the game + reminds me of bubble bobble. After shooting the ball into pieces small + objects are falling which you can pick up and use... + + Greetings goes to : IRATA - FIREFOX - BLACK RIDER - OUR NEW FRIEND IN HK! + + Also, there is a new intro out... + + Yet another QUALITY release by TDT! + + Have fun and see you later in our next crack! + + Ŀ + If you like this release then write to us! Support the group that makes + this possible for you : THE DREAM TEAM + Ĵ + Greeting goes to the software companies, dont be sad, we just make you + guys a favour spreading your releases to countries you would never reach + + Ŀ + The Dream Team is always ready to take in new members. But we want only + the best. If you can supply games, make music (MOD) , or draw graphics + contact us by calling the nearest TDT bbs or write to our post box! + + Also if you are intrested in the newest and hottest make sure to write to + us for a free program diskette + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + ABACUS, Ace, ActionMan, Asmodeus, Desert Rat, Califboy, Devious Doze + Hard Core, IronSide, Major Theft, Mr Thompson, Nightman, Offset + Pablo, Phil Thrust, Redskin, Roger Wilco, Snake Man + Spread, Stroke , The Ghost Wind, Union Jack, Wolverine, Yip Yip + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + Fallen Angel , Venom , Boo , Cuca , Marauder, Black Mischief, Pixel + The Headman, Lord Of the Rings, Turbo Interceptor, Syzzo, S.S + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ 612-PRI-VATE ....... 
6 Nodes ................ + Revelation ................ 301-PRI-VATE ....... 5 Nodes ................ + Akira Project ............. 416-512-8567 ....... 3 Nodes ................ + East BBS ............... +(46)-8-940-614 ................................ + Twins ..................... 514-723-4351 ....... 3 Nodes ................ + No Name BBS ........... +(49)-ELITE-CALL ................................ + New Central Europe ... +(49)-911-758-383 .......10 Nodes ................ + Ĵ + DISTRIBUTION SITES + Ĵ + Juve Rehab .......... +(358)-187-818-316 ....... 2 Nodes ................ + Free Q8 ................ +(965)-532-4360 ................................ + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ................ + Hell ...................... 313-349-4933 ....... 2 Nodes ................ + The Underworld ............ 916-429-2232 ................................ + Orange Juice ........... +(61)-357-10747 ....... 3 Nodes ................ + Cimmeria .............. +(90)-1-384-0863 ................................ + Exodus BBS ............. +(352)-42-44-92 ................................ + Big Time .................. 519-978-3388 ................................ + Lite House Express ........ 407-624-4329 ....... 2 Nodes ................ + + + TDT 1992 : Your Dream's Come Alive! diff --git a/textfiles.com/piracy/DREAMTEAM/tdt0993.nfo b/textfiles.com/piracy/DREAMTEAM/tdt0993.nfo new file mode 100644 index 00000000..4f085b67 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/tdt0993.nfo 
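Review bot: the path tdt089~1.nfo carries a DOS 8.3 short-name suffix (`~1`), so the file's original long name was lost somewhere in the copy chain and the name that survived is an auto-generated alias, not the archival one. Record the source name in the commit message if it is known, or rename to a stable archival name (the file itself dates the release as 9th August 1992) before merging, because a second `tdt089*` file copied through the same path would get `~2` and the pair would be indistinguishable without opening them.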
@@ -0,0 +1,73 @@ + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents: + + THE GREATE WAR FROM SSi + Ŀ + RELEASE INFO + Ĵ + Cracker......: N/A Supplier...: MR.TDT + Game Overall.: 85% Date.......: 13TH OF SEPTEMBER 1993 + Graphics.....: VGA 256 COLORS Sound......: MOST + + + Here comes another great one from your favourite group: THE DREAM TEAM! + + This is a SUPERB new HOT SSi release... The game is about the second world + war with great animation's and playgame etc. To play the diffrent scenario's + the manual give's you special passwords, they are included in the file: + PASSWORD inside disk one... + + Personal greetings: Ben Jammin, Lord Cyric, Lefty, Killer, Warchild... + + Group greetings goes to : PTG - RAZOR - TRSI - FLT - THG + + If you are a supplier and want to supply TDT, give us a call at: 404-395-2563 + + The Dream Team - Some things live forever... + Ŀ + If you want to GET the NEWEST and HOTTEST IBM programs then write to + + TDT DISKS-BY-MAIL + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + MEMBER BOARDS + Ĵ + UNLAWFUL ENTRY =*= ITS-AWE-SOME =*= 8 NODES =*= MEMBER + TWINS =*= 514-251-1838 =*= 4 NODES =*= MEMBER + ALPHA 2010 =*= ITS-AWE-SOME =*= 6 NODES =*= MEMBER + EXALTED DEATH =*= 314-966-2270 =*= 2 NODES =*= MEMBER + Ĵ + SHOCK TO THE SYSTEM =*= +39-PRI-VATE =*= 5 NODES =*= ITALIAN HQ + DA HAUZE =*= +31-PRI-VATE =*= 6 NODES =*= BENELUX HQ + BEYOND AKIRA =*= 416-461-9101 =*= 3 NODES =*= CANADIAN HQ + CDS =*= 217-544-9539 =*= 1 NODE =*= US HQ + ON THE EDGE =*= ITS-PRI-VATE =*= 1 NODE =*= US HQ + Ĵ + WIZARD'S TOWER =*= 419-536-8206 =*= 3 NODES =*= DISTRO + THE DEEP =*= 305-888-7724 =*= 2 NODES =*= DISTRO + THE LIQUOR CABINET =*= 214-368-7317 =*= 2 NODES =*= DISTRO + SECOND FRONT =*= +46-87987584 =*= 2 NODES =*= DISTRO + + Ŀ + THE DREAM TEAM FULL MEMBER LIST + Ĵ + + HARD CORE, HOSON, REDSKIN + + BEN JAMMIN, DEAD GOON, DEVIOUS DOZE, EDWARD CHANG, EXCESSIVE KNIGHT + MAC BETH, MAJOR THEFT, MAVERICK, ROGER WILCO, THE MAGIC ARTIST + TRC (Sr) + - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + THE DREAM TEAM SPREADING TEAM + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + FIREHEAD, RADICAL, PETER FALK, SCOUT, MASTER, X + + + + NO RULES THIS TIME, SINCE WE MAKE UP THE RULES FOR THE SCENE diff --git a/textfiles.com/piracy/DREAMTEAM/tdt1092.nfo b/textfiles.com/piracy/DREAMTEAM/tdt1092.nfo new file mode 100644 index 00000000..33163b18 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/tdt1092.nfo 
@@ -0,0 +1,108 @@ + + + -//- T H E D R E A M T E A M -\\- + 1 9 9 2 + + ProudlyPresent + + Captive from Mindscape Software + + Ŀ + RELEASE INFORMATION + Ĵ + Cracked by : Hard Core + Supplied by : Munchie & Oldie + Released : 14th October 1992 + Graphics : VGA 256 colors + Sound : Soundblaster /Aldib/Speaker + + Ŀ + RELEASE NOTES + + Great game and superb story! We did playtest this game for 2 hours like the + First Samurai! The game has a password when you enter the computer, just + enter anything... We did also type in quick dox (Done by Munchie) so you + could easily finish the first level. + + Read the file README.TDT to get some quick dox, or even better,print it out! + + A short story, you have been banned for 250 years to the space, and your + mission is to find out where you are and why they did it to you, the quick + dox helps you finish the first level! + + + Greetings goes to: Fallen Angel - I told you we are back! + Munchie & Oldie - Good Job + All you fun guys from the application forms...heh + + + Yet another QUALITY crack by TDT! + + Have fun and see you later in our next release! + Ŀ + Also if you are intrested in the newest and hottest make sure to write to + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + Want to be a DIST SITE? + Well, its kinda too late now, we have got over 50! Applications within 2 + so we are VERY pleased with the response from you guys, the account on Un- + lawful will be close now and thanx to all of you for showing the intreset! + There is a lot of calls to be made so be patience... + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ 612-PRI-VATE ....... 6 Nodes ................ + Revelation ................ 301-PRI-VATE ....... 5 Nodes ................ + Akira Project ............. 416-512-8567 ....... 3 Nodes ................ + Twins ..................... 514-723-4351 ....... 3 Nodes ................ + New Central Europe ....... +(49)-PRIVATE .......11 Nodes ................ 
+ Central Nervous System .... 414-832-1449 ................................ + Hell ...................... 313-349-4933 ....... 2 Nodes ................ + Ĵ + EUROPE AND SAUDI ARABIA'N DISTRIBUTION SITES + Ĵ + Orage Juice ........... +(61)-3-571-0700 ....... 4 Nodes ................ + Juve Rehab .......... +(358)-187-818-316 ....... 2 Nodes ................ + Free Q8 ................ +(965)-532-4360 ................................ + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ................ + Exodus BBS ............. +(352)-42-44-92 ................................ + Ĵ + NOTRH AMERICAN HEADQUARTERS + Ĵ + Lite House Express ........ 407-624-4329 ....... 2 Nodes ................ + Pandora's Box ............. 313-652-6137 ....... 5 Nodes ................ + Realm Of Immortality ...... 415-992-0945 ....... 3 Nodes ................ + Guru's Dream ...........+(46)-8-28-27-60 ....... 5 Nodes ................ + Ĵ + NORTH AMERICAN DISTRIBUTION SITES + Ĵ + Big Time .................. 519-252-7400 ................................ + The Vertigo File .......... 815-667-4892 ................................ + The Satanic Syndicate ..... 201-301-0952 ................................ + Crewel Lye ................ 713-432-0779 ................................ + Members Only .............. 513-PRI-VATE ........2 Nodes ................ + Fort Nox .................. 508-658-6132 ................................ + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + Hard Core , Devious Doze + Major Theft , Wolverine , Roger Wilco , The Corporal + Fallen Angel , Offset , Ironside , ActionMan , Dr. Q2 , Asmodeus + Union Jack , Redskin , Phil Thrust , Desert Rat , Spread , Snake Man + The Ghost Wind , Stroke , Snidely Whiplash , Sparkling Flash + Maximilian , Yip Yip , Dirty Bush , RON , Electron.. 
+ Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + Venom , Cuca , Turbo Interceptor , OMEN , BOO , The Hexmaster + Black Rider , Freak & Shogun , Overlord , Rotox , Q-Tip , Firefly + + + + The Dream Team - Was There Ever A Choise? diff --git a/textfiles.com/piracy/DREAMTEAM/tdt1192.nfo b/textfiles.com/piracy/DREAMTEAM/tdt1192.nfo new file mode 100644 index 00000000..c59b13e5 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/tdt1192.nfo 
@@ -0,0 +1,97 @@ + + + -//- T H E D R E A M T E A M -\\- + IS BACK TO KICK ASS + -*- WITH -*- + CURSE OF ENCHANTIA FROM CORE DESIGN LIMITED + Ŀ + RELEASE INFORMATION + Ĵ + Released : 19th November 1992 + Graphics : VGA 256 COLORS + Sound : Adlib/Soundblaster/Speaker + Game Size : 4 1.44Mb Disks, Installation needed + + + Just when you guys thought we were gonna run out of games with 5 kick ass + releases in just 1 week, we are back again! + + This time with a killing graphics game from Core Design Limited. This game + is an point and click sierra type game. Its start's out when you are in + prison. Go around and watch everything, every corner etc...This is + definitly worth the download bytes.... + + To all of you that wonder where we got it from (its coming out tomorrow), + make a GUESS! + + Group greetings goes to: RAZOR 1911 - The only other group on the scene with + a pulse...even if you guy fuck up + sometimes! + + Have fun and see you later in our next QUALITY crack! + + Ŀ + If you want the newest and hottest soft very fast please write to + + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + If you want the best disk-by-mail deal in FRANCE write to + B.P.13 + 95370 MONTIGNY, FRANCE + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ YOU-CAN-DREAM....... 7 Nodes ..... USA ...... + Revelation ................ YOU-CAN-DREAM....... 5 Nodes ..... USA ...... + Twins ..................... 514-723-4351 ....... 3 Nodes ..... Canada ... + New Central Europe ........ YOU-CAN-DREAM.......12 Nodes ..... Germany .. + Central Nervous System .... 414-832-1449 ....... 2 Nodes ..... USA ...... + Crewel Lye ................ 713-432-0779 ..................... USA ...... + Ĵ + EUROPE AND SAUDI ARABIA'N DISTRIBUTION SITES + Ĵ + Orage Juice ........... +(61)-3-571-0700 ....... 4 Nodes ..... Australia + Free Q8 ................ +(965)-532-4360 ..................... Kuwait ... + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ..... 
Italy .... + Exodus BBS ............. +(352)-42-44-92 ..................... Luxembourg + Checkpoint Charlie ...... +(47)-42-67992 ..................... Norway ... + Ĵ + NORTH AMERICAN HEADQUARTERS + Ĵ + Lite House Express ........ 407-624-4329 ....... 4 Nodes ..... USA ...... + Pandora's Box ............. 313-652-6137 ....... 5 Nodes ..... USA ...... + Realm Of Immortality ...... YOU-CAN-DREAM....... 3 Nodes ..... USA ...... + Guru's Dream .......... +(46)-8-28-27-60 ....... 5 Nodes ..... Sweden ... + Ĵ + NORTH AMERICAN DISTRIBUTION SITES + Ĵ + Big Time .................. 519-252-7400 ....... 2 Nodes ..... Canada ... + The Vertigo File .......... 815-667-4892 ..................... USA ...... + Members Only .............. YOU-CAN-DREAM....... 2 Nodes ..... USA ...... + Asynchrone Entry .......... 418-661-8321 ....... 2 Nodes ..... Canada ... + The Deep .................. 305-888-7724 ..................... USA ...... + Vicious Paradise .......... 804-486-1810 ..................... USA ...... + PJ Tower .................. 714-356-9506 ..................... USA ...... + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + Hard Core , Devious Doze , The Grim Reaper + Major Theft , Wolverine , Roger Wilco , The Corporal + Fallen Angel , Offset , Ironside , ActionMan , Dr. Q2 + Redskin , Phil Thrust , Desert Rat , Spread , Black Rider + The Ghost Wind , Stroke , Snidely Whiplash , Sparkling Flash + Maximilian , Yip Yip , Dirty Bush , RON , Electron.. , Sought After + Buckaroo Banzai , Dr Crippen , Pepsi Man , Black Terror + Great White/The Speed Racer + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + Soul Taker , Sharp , BOO , The Hexmaster , The Devestator + The Black Paladin , Freak & Shogun , Rotox , Q-Tip + \ No newline at end of file diff --git a/textfiles.com/piracy/DREAMTEAM/tdt1291.nfo b/textfiles.com/piracy/DREAMTEAM/tdt1291.nfo new file mode 100644 index 00000000..f088902c --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/tdt1291.nfo 
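Review bot: tdt1192.nfo ends without a trailing newline (`\ No newline at end of file`), as do tdt1291.nfo and term2029.nfo later in this patch. For an archive that is the original byte content and should stay that way, so make sure no editorconfig or pre-commit `end-of-file-fixer` style hook is enabled on this path, and mark the files `-text` in .gitattributes so CRLF normalization does not rewrite them on checkout; otherwise the next contributor's editor will silently produce a spurious one-line diff on every one of these files.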
@@ -0,0 +1,74 @@ + + <>/<>/<>/<>/<>/<>/<>/<> THE DREAM TEAM & SKID ROW <>\<>\<>\<>\<>\<>\<>\<> + + P R E S E N T S + + World Wrestling Federation from Ocean + + Ŀ + RELEASE INFORMATION + Ĵ + Cracker : Silicon Mage + Game Supplied by : Action Man + Protection : Password + Display Screen : EGA/VGA 16 Colors + Sound Boards : Speaker/Adlib + Game Overall : 70% + + Ŀ + RELEASE COMMENT + Ĵ + Yeah, i love to kick butt.... If you like to do the same, then go + get some food, shut the window, close the door and start up this + kick ass game! Its really hot for playing, not for the graphics(Yes + it goot), not for the sound (Thats ok too), but for the arcade feel- + ing... Have fun and see you soon in our next QUALITHY crack! + Don't forget to call HELL and SIDE EFFECTS our courier home + To contact us call out WHQ REVELETION, 5 nodes, 3+ gig... + + Ŀ + THE DREAM TEAM EUROPEAN SECTION + Ĵ + MEMBERS : Hard Core - ActionMan - Mr Thompson - TDB + Roger Wilco - The Jammer - Dr Pepsi - Desert Rat + SYSOPS : Opus - Stoned Warrior - Snake Man - B.B.King + COURIERS : BLAZE - Pixel - Yip Yip + Ĵ + BULLETIN BOARD SYSTEMS + Ĵ + HARD CITY 46-PRI-VATE Hard Core + EAST BBS 46-894-0614 Mr Thompson + BLOOM COUNTY 46-300-40258 Opus + The Star Factory 46-8-7172761 B.B. 
King + TURK 51 ZONE 31-104-296515 TDB + Paint In Black 49-6565-4553 Stoned Warrior 4 Nodes + ORANGE JUICE 61-357-11627 Yip Yip 3 Nodes + Jeriho Juventus 358-187-818316 Snake Man 2 Nodes + Free Q8 965-532-4360 Desert Rat + + Ŀ + THE DREAM TEAM AMERICAN SECTION + Ĵ + MEMBERS : The Surge - Pluto - The Ghost Wind - Sandman - Con Artist + SYSOPS : The Skeleton - Spread - Pluto - Esmodius - Norrin Radd + COURIERS : Reckless - LL Cool J - Union Jack + Ĵ + BULLETIN BOARD SYSTEMS + Ĵ + REVELATION 301-423-1442 Ghost Wind 5 Nodes + TWINS 514-723-1712 Spread + HELL 313-349-4933 Asmodeus + PIRATES SHIP 515-277-1906 Skeleton 2 Nodes + ORIONS BELT 718-370-8890 Pluto + SIDE EFFECTS 408-942-0818 Norrin Radd + + + For buying the latest games write to + + TDT UK + P.O. BOX 2416 + BROXBOURNE + HERTS. + EN10-6NF + THE UNITED KINGDOM + \ No newline at end of file diff --git a/textfiles.com/piracy/DREAMTEAM/tdt1292.nfo b/textfiles.com/piracy/DREAMTEAM/tdt1292.nfo new file mode 100644 index 00000000..f897f4aa --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/tdt1292.nfo 
@@ -0,0 +1,106 @@ + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents + + THE INCREDIBLE MACHINE From SIERRA + + Ŀ + RELEASE INFORMATION + Ĵ + Supplied by : THE GRIM REAPER + Cracked by : HARD CORE + Date : 2nd December 1992 + Graphics : SVGA 16 + Sound : ALL + Game Size : 1 1.2 MB, Install from Floppy, or use Subst... + + + THE INCREDIBLE MACHINE From Sierra + This game looks pretty cool... Different from all of the same old same + old stuff we've been seeing lately... + + Want to build a better mousetrap? All it takes are bike-riding monkeys, + treadmill mice and a few bowling balls. Genius and junk are combined to + solve the convoluted contraptions in The Incredible Machine... + + Greets go out to: HARD CORE - Munchie - ActionMan - Pepsi Man + + RAZOR - We doubled them, you doubled us, they doubled you, we doubled us, + they doubled them...who really cares?! As long as the CRACKS are + WORKING!!! + + PYRADICAL - Step back! + + Have fun and see you later in our next QUALITY crack! + + Ŀ + If you want the newest and hottest soft very fast please write to. No swap. + Now even more improved/faster/better. If you did write before, try again! + + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + + Ŀ + If you live in france write to + B.P.13 + 95370 MONTIGNY, FRANCE + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ ITS-PRI-VATE ....... 7 Nodes ..... USA ...... + Twins ..................... 514-723-4351 ....... 3 Nodes ..... Canada ... + New Central Europe ........ ITS-PRI-VATE .......12 Nodes ..... Germany .. + C.N.S. .................... 414-832-1449 ....... 2 Nodes ..... USA ...... + Crewel Lye ................ 713-432-0779 ..................... USA ...... + Terrordome ................ 416-619-1717 ....... 3 Nodes ..... Canada ... + Lite House Express ........ 407-624-4329 ....... 4 Nodes ..... USA ...... + Ĵ + THE DREAM TEAM HEADQUARTERS + Ĵ + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ..... Italy .... 
+ Pandora's Box ............. 313-652-6137 ....... 5 Nodes ..... USA ...... + Realm Of Immortality ...... ITS-PRI-VATE ....... 3 Nodes ..... USA ...... + Guru's Dream .......... +(46)-8-28-27-60 ....... 5 Nodes ..... Sweden ... + Ĵ + NORTH AMERICAN DISTRIBUTION SITES + Ĵ + Big Time .................. 519-252-7400 ....... 2 Nodes ..... Canada ... + The Vertigo File .......... 815-667-4892 ..................... USA ...... + Asynchrone Entry .......... 418-661-8321 ....... 2 Nodes ..... Canada ... + The Deep .................. 305-888-7724 ..................... USA ...... + Vicious Paradise .......... 804-486-1810 ..................... USA ...... + PJ Tower .................. 714-356-9506 ..................... USA ...... + Ultanet Carnage ........... 314-XXX-XXXX ..................... USA ...... + The Inferno BBS ........... 519-884-4960 ..................... Canada ... + Ĵ + WORLD FAMOUS DISTRIBUTION SITES + Ĵ + Pure Addiction ........ +(61)-3-571-0700 ....... 4 Nodes ..... Australia. + Free Q8 ................ +(965)-532-4360 ..................... Kuwait ... + Exodus BBS ............. +(352)-42-44-92 ..................... Luxembourg + Checkpoint Charlie ...... +(47)-42-67992 ..................... Norway ... + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + Hard Core , Devious Doze , The Grim Reaper + Major Theft , Wolverine , Roger Wilco + Fallen Angel , Offset , Ironside , ActionMan , Dr. Q2 + Redskin , Freebird , Desert Rat , Spread , Black Rider + The Ghost Wind , Stroke , Snidely Whiplash , Sparkling Flash + Maximilian , Yip Yip , Dirty Bush , RON , Electron.. , Sought After + Buckaroo Banzai , Dr Crippen , Pepsi Man , Black Terror , Phil Thrust + Stingray , The Corporal , Great White/The Speed Racer , Dave & Chris + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + UNDER RE-CONTRUCTION + + + "ORIGINAL IDEA - [HARD CORE] - [THE DREAM TEAM 1992]" 
diff --git a/textfiles.com/piracy/DREAMTEAM/tdt1293.nfo b/textfiles.com/piracy/DREAMTEAM/tdt1293.nfo new file mode 100644 index 00000000..cda83efa --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/tdt1293.nfo @@ -0,0 +1,89 @@ + + + -//- T H E D R E A M T E A M -\\- + + + Proudly Presents: + + Ŀ + Release Title: Star Trek: Judgement Rites Cracked By...: -- + Copyright (c): Interplay Supplied By..: MR.TDT/MAS + Released On..: 17 Dec 1993 Packaged By..: SOME DUDE + + + + [/] GAME NOTES [\] + + 11 disks, won't work under windows, docs forthcoming, etc. + + Very cool Star Trek game! Yeah! + + Sorry, this NFO is way out of date, updated version + coming in docs i hope, ya? + + + Group greetings: TRISTAR & RED SECTOR - RAZOR 1911 - PUBLIC ENEMY - PTG + +(generic) + Personal greets: Hard Core - GRiM - Nitro - NiKO - The Ghost Wind - LiON + + Extra greets to: Celestial Wizard! Call our new TDT board Celestial Tower! + +(some dude sez:) + yoyo to satanic rob, ben out of jail, art, kevin, jon, russell, robert, + jesus, and a bunch of other people. + + + + + [/] THE DREAM TEAM [\] + Ŀ + Write to us! If you want the greatest and hottest titles on the IBM, + just write to: (don't forget to include your phonenumber!) + + TDT DISKS-BY-MAIL + Box 52 + 811 70 AELVKARLEBY + SWEDEN + + + + + [/] USA BOARDS [\] + Ŀ + Ĵ + [/] EUROPEAN BOARDS [\] + Ĵ + Ĵ + [/] DiSTRiBUTiON SiTES [\] + Ĵ + + + + [/] CURRENT MEMBERS [\] + Ŀ + (in alphabetical order) + + HARD CORE 'n HOSON + + Beowulf, Brujjo Dihital', Cyber, Dr.MAGIC, Excessive Knight, + Fallen Angel, Hot Tuna, LiON, Mac Beth, Maverick, Pablo, + Roger Wilco, The Ghost Wind, and The Magic Artist + + + + + [/] COURiERS [\] + Ŀ + (in order of appearance) + + FIRE HEAD + + Skybum, Jumpin' Jack, Skylark, Mozarello, Mister, RYU, Toadie, Tetris, + Lone Wolf, and Skinny Puppy + + + + + We are searching for traders that work with 3 or more lines... Interested? + Then write a message to 'HOSON' on any major BBS in the USA. 
diff --git a/textfiles.com/piracy/DREAMTEAM/tdtrain.nfo b/textfiles.com/piracy/DREAMTEAM/tdtrain.nfo new file mode 100644 index 00000000..c19376b6 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/tdtrain.nfo 
@@ -0,0 +1,106 @@ +Hey I NEED AN INFO FORM!!! + +Flash Back Mega Trainer.. By Martial Artist / TDT (Yeah!) + +To whom it may concern... +This is a really cool game. Play it, the trainer makes it REALLY FUN. +This Trainer may be a little late, that is because of a few reasons. +1) Just joined TDT +2) waited to get a trainer loader screen going (didn't happen) +3) screwing around with the game made it even better + +Included in this package are. +FBTRN.COM < the trainer itself +FBPATCH.EXE < a crack patch. + +I included a crack patch, because I noticed that a ways through the game +it does another SECURITY CHECK.. My crack patch solves this. + +INSTRUCTIONS: + +FBPATCH.EXE < put this file in your Flash Back Directory and run it + This will patch the FB.EXE file so that you will get by + the SECOND (FLT?? nice one!) DOC CHECK in the game. + +FBTRN.COM < put this file in your Flash Back Directory and run it. + This will enable you to use the following keys during game play. + + F1: pressing this key moves yer little guy 16 pixels to the right. + this is great because it lets you go through unopened doors. + it even puts you through walls. + + F2: pressing this key moves yer dude 16 pixels to the left. + + F3: pressing this key moves yer boy 16 pixels down. + + F4: pressing this key moves yer man 32 pixels up. + if there is a platform above you, move yer guy in the direction + of the platform while you keep hitting F4, this will make yer + guy walk up and diagonally, so you can get to anywhere in the + screen.. + + Insert: Pressing this moves yer man to the upper left corner of the + screen. + Delete: Pressing this moves yer man to the lower left corner of the + screen. + Home: Pressing this moves yer man to the upper right corner of the + screen. + End: Pressing this moves yer man to the lower right corner of the + screen. + These are all very useful keys, as it gets you places instantly, and gets + you out of a lot of jams too. 
+ +The above keys are really fun and very useful, they can also be very dangerous. +Be careful how you use them or you might find yourself on another planet. +Remember what keys to what. + + F5: Pressing this key gives yer little dude 254 health points.. + you can press it anytime to regenerate the points. + +Well that is it.. The keys make it REALLY fun, TRUST ME!!!! + +INFORMATION FROM MARTIAL ARTIST!!!!!!! +Well I guess this is my official resignation to Public Enemy, as you can see +I joined the Legendary TDT. +Why do I resign PE?? well a lot of reasons, some of which you don't need to +know, but things are just too chaotic over there, I don't even know who +the hell I would call to tell that I am resigning. +But doesn't matter, I am with a group now I can feel I can live with. +No hard feelings to anyone, + +Hawk >> hmmm just didn't call me, you understand this more than anyone... + +I would mention other PE members, but the only other one I talked to was +Flash, and he was always sleeping on the phone.. + +I am glad you let me in Hard Core!!!!! hopefully we can get some cool shit +out like this trainer.... + +Personal Greetings>> + +Hard Core > Right on man.. so those logos?? gotta get the trainer loader goin. +The Hawk > gimme a call and I will tell you why I left. +Network > RAVE ON! hey I told you to get the fuck outta my .nfo files +Butcher > Hey you ugly piece of texan meat... hows it goin man... +DEATHLOK > my apprentice, to be making trainers soon as well. +Seismic Interference > left right left right, halt... 3 more years bwahahah +Hare > whathappenedtoyou +Warchild > hope all goes well with yer plans +Skillion > like da invincibilty in yer Flash Back trainer. like mine better tho +The Witch King > what happened to you????? i have a fone you know. +Renegade Chemist > at least Razor foned me once in awhile. 4.0??? +Zeus > (My dog, thought I would greet him, great dane.. 
cool huh) not rily +Group Greet to IEC (Chaos9, Sir Shadowcat, Consolidated) + + +By the way, for those of you who care.. orthogonal means perpendicular, which +means the cross product of the 2 vectors are zero DAMNIT!!!!!!!!!!! + +FUCK I GOT BUSTED FOR DRINKING AND DRIVING LAST WEEEEKK AAARRRHGHGGHGHGHGH +that's a year of no driving... shit... Deathlok will hafta cart me around! + +Later... +Call The Faultline (403)-288-8402 (403)-258-2534 + + + diff --git a/textfiles.com/piracy/DREAMTEAM/term2029.nfo b/textfiles.com/piracy/DREAMTEAM/term2029.nfo new file mode 100644 index 00000000..6e0b4715 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/term2029.nfo 
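Review bot: tdtrain.nfo documents two executables it originally shipped with (`FBTRN.COM`, `FBPATCH.EXE`, the latter described as patching `FB.EXE`), and only the text file is added here, which is the right scope for a text archive; the hunk and commit message say nothing about that choice, though. Add a sentence to the archive README or the commit message stating that `.nfo` text is imported without the accompanying binaries, so a later import does not "complete" the set by pulling in the patch executable, which is exactly the kind of artifact a text archive should not redistribute.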
@@ -0,0 +1,94 @@ + + + -//- T H E D R E A M T E A M -\\- + 1 9 9 2 + + ProudlyPresent + + Terminator 2029 weapons cheat + + Ŀ + RELEASE INFORMATION + Ĵ + Written by : Buckaroo Banzai + Released : 29th October 1992 + + Ŀ + RELEASE NOTES + + This is the only trainer for T2029 that I have seen. It takes away all of + those annoying features like heat drain and gives you unlimited missles and + gerenades. + + Simply change the 2029.BAT to say 2029CHT.COM instead of TERM.EXE but keep + all of the command line information the same. + + Look for more great cheats and TDT and Echo Mirage + + Have fun and see you later in our next release! + Ŀ + Also if you are intrested in the newest and hottest make sure to write to + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + Want to be a DIST SITE? If you want to be in the BEST organized cracking + team then TDT is your choise. We offer you great support and quick upload + when releases comes. Ask any TDT DIST site on the scene! + CALL : 612-754-0266 (9600Bps only!) + On username ENTER : APPLICATION + Use Password : DISTSITE + Hit 'E' and enter message to : HARD CORE + Now write us your voice number, your name, a few word about your system + and something about what you can do for US...See you on There! + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ 612-PRI-VATE ....... 6 Nodes ................ + Revelation ................ HAVE-PROBLEM ....... 5 Nodes ................ + Akira Project ............. 416-512-8567 ....... 3 Nodes ................ + Twins ..................... 514-723-4351 ....... 3 Nodes ................ + New Central Europe ....... +(49)-PRIVATE .......11 Nodes ................ + Central Nervous System .... 414-832-1449 ................................ + Hell ...................... 313-349-4933 ................................ + Ĵ + NORTH AMERICA DISTRIBUTION SITES + Ĵ + Lite House Express ........ 407-624-4329 ....... 2 Nodes ....HEADQUARTERS + Big Time .................. 
519-252-7400 ................................ + Beyond Gates of Hell ...... 203-589-2269 ................................ + Pandora's Box ............. 313-652-6137 ....... 5 Nodes ................ + Realm of Immortality ...... 415-992-0945 ....... 3 Nodes ................ + Ĵ + EUROPE AND SAUDI ARABIA'N DISTRIBUTION SITES + Ĵ + Orage Juice ........... +(61)-3-571-0700 ....... 4 Nodes ................ + Juve Rehab .......... +(358)-187-818-316 ....... 2 Nodes ................ + Free Q8 ................ +(965)-532-4360 ................................ + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ................ + Exodus BBS ............. +(352)-42-44-92 ................................ + Guru's Dream .......... +(46)-8-28-27-60 ....... 5 Nodes ................ + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + Hard Core , Devious Doze + Major Theft , Wolverine , Roger Wilco , The Corporal + Fallen Angel , Offset , Ironside , ActionMan , Dr. Q2 , Asmodeus + Union Jack , Redskin , Phil Thrust , Desert Rat , Spread , Snake Man + The Ghost Wind , Stroke , War Hammer , Whiplash Snidley , Sparkling Flash + Yip Yip , Dirty Bush , RON , Buckaroo Banzai + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + Venom , Cuca , Black Mischief , Turbo Interceptor + Black Rider , Freak & Shogun , Overlord , Rotox , Q-Tip + + + + The Dream Team - Was There Ever A Choise? + + \ No newline at end of file diff --git a/textfiles.com/piracy/DREAMTEAM/tony3.nfo b/textfiles.com/piracy/DREAMTEAM/tony3.nfo new file mode 100644 index 00000000..1ee89ce5 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/tony3.nfo 
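Review bot: term2029.nfo embeds literal dial-up BBS login credentials (`On username ENTER : APPLICATION` / `Use Password : DISTSITE`), and tony3.nfo in the next hunk does the same (`Use username: APPLICATION` / `Password : TDT`). These are 1992 application-account credentials with no live target, but any secret-scanning hook on this repository will trip on the `Password :` lines. Add an allowlist rule scoped to `textfiles.com/piracy/` rather than a blanket exception, and do not redact the lines themselves, since that would alter the archival text.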
@@ -0,0 +1,102 @@ + + + -//- T H E D R E A M T E A M -\\- + 1993 - 3RD YEAR ANIVERSARY ON IBM +-*- QUALITY FACTORY -*- Proudly Presents: -*- QUALITY FACTORY -*- + + TONY LA RUSSA BASEBALL II FROM SSI! + Ŀ + RELEASE INFO + Ĵ + Cracker.....: HARD CORE............... Supplier...: NAMYOT............... + Protection..: PASSWORD................ Date.......: 12th March 1993...... + Graphics....: EGA/VGA................. Size.......: 6 1.44Mb Disks....... + + + Tony La Russa Strikes back with another one in his BASEBALL series...1993's + SUPER BOWL became pretty popular in the whole world! Releasing this second + part was quite understanding after all... + + Read the KEYS in the file TONY.KEY + + The crack was pretty easy and is stoored in the game, therefor no stinking + patch-file needed! + + Make sure when you install the game that you will use: PKUNZIP -D -$ zipfile + The game will be looking for the volume labels.. + + Have fun guys and see you soon around! + + Special greetings goes to: S.S - HITMAN - AMIGO - GML/TU - MOBY - DAVE&CHRIS + + GROUP GREETINGS : THE HUMBLE GUYS - RAZOR 1911 - SKILLION - UNTOUCHABLES + + TDT '93 - BRINGING YOU CLASSIC GAMES... + Ŀ + IF you want to contact THE DREAM TEAM then call this BBS: + Call : 612-755-1347 + Use username: APPLICATION + Password : TDT + Hit 'E' and enter message to: HARD CORE + + Ŀ + If you want the newest and hottest soft very fast write to (no swapping) + Why second hand and not from the best? + + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ ITS-PRI-VATE .... 7 Nodes ... Major Theft.... + Twins ..................... 514-723-4351 .... 4 Nodes ... Spread ........ + New Central Europe ........ ITS-PRI-VATE ....13 Nodes ... Phil Thrust.... + Lite House Express ........ ITS-PRI-VATE .... 4 Nodes ... Freebird ...... + Terrordome ................ 416-619-1717 .... 3 Nodes ... Stingray ...... + Alpha 2010 ................ 210-687-9660 .... 
4 Nodes ... Silus Guardian. + Ĵ + THE DREAM TEAM HEADQUARTERS + Ĵ + Highland Board ............ ITS-PRI-VATE .... 5 Nodes ... Ironside ...... + Realm Of Immortality ...... ITS-PRI-VATE .... 3 Nodes ... Sparkling Flash + Guru's Dream ............ +(46)-828-2760 .... 5 Nodes ... Dirty Bush .... + Ĵ + NORTH AMERICAN DISTRIBUTION SITES + Ĵ + Big Time .................. 519-254-6377 .... 2 Nodes ... Stroke ........ + The Deep .................. 305-888-7724 ................ Great White ... + Ultimate Carnage .......... 314-949-5823 ................ Devestator .... + Athens .................... 510-827-1049 .... DIABLO..... Aristotle ..... + GreyBeard's Castle ........ 601-939-7861 .... 2 Nodes ... Mark Twain .... + Cold Fusion ............... 604-XXX-XXXX .................Agape ......... + THE BOARD ................. 310-836-0469 .... 2 Nodes ... Philosopher ... + Ĵ + WORLD FAMOUS DISTRIBUTION SITES + Ĵ + Free Q8 ................ +(965)-532-4360 ................ Desert Rat .... + Checkpoint Charlie ...... +(47)-426-7992 ................ Vandall ....... + Zero City III .......... +(61)-2724-4152 .... 2 Nodes ... Icepick........ + Bevery Hills BBS ..... +(49)-893-143-165 .... 4 Nodes ... Dave&Chris .... + THE BOARD ............. +(31)-767-191-11 .... 4 Nodes ... Moby .......... + + Ŀ + THE DREAM TEAM MEMBERS [14 SOULS] + Ĵ + HARD CORE + THE GRIM REAPER - DR.Q2 - ROGER WILCO - ACTION MAN + MAXIMILIEN - THE CORPORAL - REDSKIN - S.S - BLACK RIDER + MICHELANGELO - MOSAIC - CYBER - HITMAN + Ĵ + THE DREAM TEAM COURIER SYSTEM [10 DEVILS] + Ĵ + White Rose - XAVIER X - Lord Disembowelment - Warchild - Skybum + Coyotes Memeber - Freak - ROTOX - Coke - Centre + + + NO UPDATES - NO NON-ENGLISH GAMES - NO WINDOWS GAMES - NO FUCK'UPS + + -*- Q U A L I T Y O N L Y -*- diff --git a/textfiles.com/piracy/DREAMTEAM/triviap.nfo b/textfiles.com/piracy/DREAMTEAM/triviap.nfo new file mode 100644 index 00000000..13e733cd --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/triviap.nfo 
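Review bot: the frame characters in this hunk come through as Ŀ, Ĵ and Ľ (see the lines around "RELEASE INFO" and the rules of the board list), which are Latin Extended-A letters, not box-drawing glyphs, so the file was decoded through the wrong single-byte code page before being committed; DOS-era NFOs of this kind are drawn in CP437, where those bytes are ┌, ┤ and ┘. Either commit the original bytes untouched and mark the .nfo files binary so nothing re-encodes them on checkout, or convert once and explicitly ("iconv -f CP437 -t UTF-8" over each .nfo) so the frames render as frames. The same damage is visible in every other .nfo hunk below (triviap.nfo, trodd.nfo, zack.nfo, big22.nfo, elitetrn.nfo, eob2edit.nfo, flash100.nfo, flt.nf1), so whichever route is chosen should be applied to the whole set in one change.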
@@ -0,0 +1,91 @@ + + + -//- T H E D R E A M T E A M -\\- + IS BACK TO KICK ASS + -*- WITH -*- + DELUXE TRIVIAL PURUIT FROM DOMARK + Ŀ + RELEASE INFORMATION + Ĵ + Cracked by : N/A + Supplied by : MUNCHIE + Released : 19th November 1992 + Graphics : EGA/VGA + Sound : ADLIB/SPEAKER + + + TDT is back again today, with Domark's Deluxe Trvial Puruit. VGA and + ADLIB sound make this an exciting game, however playing among friends seems + to be the best way, as answers are revealed after you give up on the + question. You and your friends are on your honor when asked if you got the + question right. Anyways a nice game, hope you enjoy it and see you soon in + our next release. + + Just unzip the file(s) into a directory and run TP! + + Greetings to - TRSI (Welcome Home Big Balls) and DOZE good luck! + Ŀ + If you want the newest and hottest soft very fast please write to + + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + Ŀ + If you want the best disk-by-mail deal in FRANCE write to + B.P.13 + 95370 MONTIGNY, FRANCE + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ YOU-CAN-DREAM....... 7 Nodes ..... USA ...... + Revelation ................ YOU-CAN-DREAM....... 5 Nodes ..... USA ...... + Twins ..................... 514-723-4351 ....... 3 Nodes ..... Canada ... + New Central Europe ........ YOU-CAN-DREAM.......12 Nodes ..... Germany .. + Central Nervous System .... 414-832-1449 ....... 2 Nodes ..... USA ...... + Crewel Lye ................ 713-432-0779 ..................... USA ...... + Ĵ + EUROPE AND SAUDI ARABIA'N DISTRIBUTION SITES + Ĵ + Orage Juice ........... +(61)-3-571-0700 ....... 4 Nodes ..... Australia + Free Q8 ................ +(965)-532-4360 ..................... Kuwait ... + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ..... Italy .... + Exodus BBS ............. +(352)-42-44-92 ..................... Luxembourg + Checkpoint Charlie ...... +(47)-42-67992 ..................... Norway ... 
+ Ĵ + NORTH AMERICAN HEADQUARTERS + Ĵ + Lite House Express ........ 407-624-4329 ....... 4 Nodes ..... USA ...... + Pandora's Box ............. 313-652-6137 ....... 5 Nodes ..... USA ...... + Realm Of Immortality ...... YOU-CAN-DREAM....... 3 Nodes ..... USA ...... + Guru's Dream .......... +(46)-8-28-27-60 ....... 5 Nodes ..... Sweden ... + Ĵ + NORTH AMERICAN DISTRIBUTION SITES + Ĵ + Big Time .................. 519-252-7400 ....... 2 Nodes ..... Canada ... + The Vertigo File .......... 815-667-4892 ..................... USA ...... + Members Only .............. YOU-CAN-DREAM....... 2 Nodes ..... USA ...... + Asynchrone Entry .......... 418-661-8321 ....... 2 Nodes ..... Canada ... + The Deep .................. 305-888-7724 ..................... USA ...... + Vicious Paradise .......... 804-486-1810 ..................... USA ...... + PJ Tower .................. 714-356-9506 ..................... USA ...... + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + Hard Core , Devious Doze , The Grim Reaper + Major Theft , Wolverine , Roger Wilco , The Corporal + Fallen Angel , Offset , Ironside , ActionMan , Dr. Q2 + Redskin , Phil Thrust , Desert Rat , Spread , Black Rider + The Ghost Wind , Stroke , Snidely Whiplash , Sparkling Flash + Maximilian , Yip Yip , Dirty Bush , RON , Electron.. , Sought After + Buckaroo Banzai , Dr Crippen , Pepsi Man , Black Terror + Great White/The Speed Racer + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + Soul Taker , Sharp , BOO , The Hexmaster , The Devestator + The Black Paladin , Freak & Shogun , Rotox , Q-Tip +  \ No newline at end of file diff --git a/textfiles.com/piracy/DREAMTEAM/trodd.nfo b/textfiles.com/piracy/DREAMTEAM/trodd.nfo new file mode 100644 index 00000000..8b39b11b --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/trodd.nfo 
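Review bot: this hunk ends with "\ No newline at end of file" while the neighbouring .nfo hunks do not, so the imported files are inconsistent about their trailing byte. For a faithful mirror that is acceptable, but then the files need protecting from line-ending normalisation: a "*.nfo -text" rule in .gitattributes keeps a contributor's autocrlf setting from silently rewriting them, otherwise a later commit can touch every .nfo with nothing but CRLF/LF churn and the archive stops being a mirror.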
@@ -0,0 +1,96 @@ + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents: + + Ŀ + +:+ Troddlers (c) Sales Curve +:+ + Ĵ + Cracker......: HARD CORE Supplier...: MR.TDT + Game Overall.: 85% Date.......: 1993-10-19 + Graphics.....: VGA/MCGA 256 colors Sound......: Adlib/SB + + + A TDT QUALITY RELEASE + + Game notes: After Lemmings, Humans, One Step Beyond etc the new version of + this type of games is here... Troddlers is based on same idea as + thoose other games + + On the manual-protection just hit RETURN to bybass it... + + We did also include all the level passwords in the file:PASSWORD + + Watch out for more fine releases from your favourite crackers + coming your way later today! + + Make sure to run TDTINTRO.EXE to check out our newest production! + + Have fun... + + Group greetings : TRSI - Good job on Jurrasic Park (We got beaten by 1 hour) + PTG - Global Domination nice game + FLT - Lame comeback - 2 fuckups + RAZ0R - Quarterpole, still only 10% of the releases...h0h0 + THG - Good job on the latest SSi game + + Personal greetings: HOS0N / TGW / BLUEWATER / MOBY / SKYLARK / LES MANLEY + BEN JAMMIN - What is going on??? + + Hydro & Fallen Angel : On IBM & CONSOLE - WE rule Canada. It's fucken lame + (MEGA COOP h0h0h0) calling our supplier while he is uploading to Unlawful + Entry and trying to make him stop the upload. JERKOFFS + + The Dream Team cracking machine... + Ŀ + If you want to GET the latest IBM software then write to + TDT DISKS-BY-MAIL + PO BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + + Ŀ + +:+ THE DREAM TEAM FULL BOARD LIST +:+ + ------------------------------ + Ĵ + UNLAWFUL ENTRY...............ITS-PRI-VATE.......8 NODES.......MEMBER/WHQ. + ALPHA 2010...................ITS-PRI-VATE.......6 NODES.......MEMBER..... + BEYOND AKIRA.................416-461-9101.......3 NODES.......MEMBER..... + EXALTED DEATH................ITS-PRI-VATE.......2 NODES.......MEMBER..... + Ĵ + DA HAUZE.....................ITS-PRI-VATE.......6 NODES.......BENELUX HQ. 
+ ON THE EDGE..................ITS-PRI-VATE.......1 NODE........US HQ...... + MAPHIA.......................ITS-PRI-VATE.......4 NODES.......MEGA HQ.... + Ĵ + WIZARD'S TOWER...............419-874-5143.......3 NODES.......DISTRO..... + THE DEEP.....................305-888-7724.......2 NODES.......DISTRO..... + SECOND FRONT.................+46-87987584.......2 NODES.......DISTRO..... + THE BACK ROOM................615-245-6617.......2 NODES.......DISTRO..... + BRAD'S BBS...................908-738-9281.......2 NODES.......DISTRO..... + REAGGE MUFFIN................+47-798-4551.......1 NODE........DISTRO..... + THE SKYTOPOLIS...............+41-44-31651.......1 NODE........DISTRO..... + + + Ŀ + +:+ THE DREAM TEAM FULL MEMBER LIST +:+ + ------------------------------- + + HARD CORE & HOSON + + CYBER, BEN JAMMIN, DEAD GOON, DEVIOUS DOZE, DR. MAGIC, EDWARD CHANG + EXCESSIVE KNIGHT, HOT TUNA, LiON, MAC BETH, MAJOR THEFT, MAVERICK + PABLO, REDSKIN, PHARAOH, ROGER WILCO, THE MAGIC ARTIST + THE GHOST WIND & PIOTR ILNICKI + + Ĵ + +:+ THE DREAM TEAM SPREADING TEAM +:+ + ----------------------------- + + FIREHEAD, RADICAL, SHADOW, SUN BLAZER, THE MASTER, THE ACE OF SPADES + ALWAYS DANGEROUS, SKYBUM + + + + DAS ROLLING COMPANY! diff --git a/textfiles.com/piracy/DREAMTEAM/zack.nfo b/textfiles.com/piracy/DREAMTEAM/zack.nfo new file mode 100644 index 00000000..ddc87088 --- /dev/null +++ b/textfiles.com/piracy/DREAMTEAM/zack.nfo 
@@ -0,0 +1,104 @@ + + + -//- T H E D R E A M T E A M -\\- + + Proudly Presents + + CONTRAPTION ZACK FROM MINDCRAFT + + Ŀ + RELEASE INFORMATION + Ĵ + Supplied by : THE GRIM REAPER + Date : 28th November 1992 + Graphics : VGA 256 Colors + Sound : ALL + Game Size : 2 1.2Mb Disks, installation needed + + + CONTRAPTION From Mindcraft + This is a build your own invention type game that is supposed to be the + equivalent of Sierra's upcoming The Incredible Machine... + + Be sure to grab the other Latest Releases from -=TDT=-: + + Aces Of The Pacific: World War II 1946 + Links 386 Pro Mauna Kea: The Island of Hawaii + Sim Life + AV-8B Harrier Assault + and More On The Way!!! + + Greets go out to: HARD CORE - Munchi - Action Man - Wolverine - Pepsi Man + + Have fun and see you later in our next QUALITY crack! + + Ŀ + If you want the newest and hottest soft very fast please write to. No swap. + Now even more improved/faster/better. If you did write before, try again! + + The Dream Team + PO. BOX 52 + 810 70 AELVKARLEBY + SWEDEN + + + Ŀ + If you live in france write to + B.P.13 + 95370 MONTIGNY, FRANCE + + Ŀ + THE DREAM TEAM MEMBER BOARDS + Ĵ + Unlawful Entry ............ ITS-PRI-VATE ....... 7 Nodes ..... USA ...... + Twins ..................... 514-723-4351 ....... 3 Nodes ..... Canada ... + New Central Europe ........ ITS-PRI-VATE .......12 Nodes ..... Germany .. + C.N.S. .................... 414-832-1449 ....... 2 Nodes ..... USA ...... + Crewel Lye ................ 713-432-0779 ..................... USA ...... + Terrordome ................ 416-619-1717 ....... 3 Nodes ..... Canada ... + Lite House Express ........ 407-624-4329 ....... 4 Nodes ..... USA ...... + Ĵ + THE DREAM TEAM HEADQUARTERS + Ĵ + Highland Board ........ +(39)-362-554422 ....... 4 Nodes ..... Italy .... + Pandora's Box ............. 313-652-6137 ....... 5 Nodes ..... USA ...... + Realm Of Immortality ...... ITS-PRI-VATE ....... 3 Nodes ..... USA ...... + Guru's Dream .......... +(46)-8-28-27-60 ....... 
5 Nodes ..... Sweden ... + Ĵ + NORTH AMERICAN DISTRIBUTION SITES + Ĵ + Big Time .................. 519-252-7400 ....... 2 Nodes ..... Canada ... + The Vertigo File .......... 815-667-4892 ..................... USA ...... + Members Only .............. ITS-PRI-VATE ....... 2 Nodes ..... USA ...... + Asynchrone Entry .......... 418-661-8321 ....... 2 Nodes ..... Canada ... + The Deep .................. 305-888-7724 ..................... USA ...... + Vicious Paradise .......... 804-486-1810 ..................... USA ...... + PJ Tower .................. 714-356-9506 ..................... USA ...... + Ultanet Carnage ........... 314-XXX-XXXX ..................... USA ...... + The Inferno BBS ........... 519-884-4960 ..................... Canada ... + Ĵ + WORLD FAMOUS DISTRIBUTION SITES + Ĵ + Pure Addiction ........ +(61)-3-571-0700 ....... 4 Nodes ..... Australia. + Free Q8 ................ +(965)-532-4360 ..................... Kuwait ... + Exodus BBS ............. +(352)-42-44-92 ..................... Luxembourg + Checkpoint Charlie ...... +(47)-42-67992 ..................... Norway ... + + Ŀ + THE DREAM TEAM MEMBERS + Ĵ + Hard Core , Devious Doze , The Grim Reaper + Major Theft , Wolverine , Roger Wilco + Fallen Angel , Offset , Ironside , ActionMan , Dr. Q2 + Redskin , Freebird , Desert Rat , Spread , Black Rider + The Ghost Wind , Stroke , Snidely Whiplash , Sparkling Flash + Maximilian , Yip Yip , Dirty Bush , RON , Electron.. , Sought After + Buckaroo Banzai , Dr Crippen , Pepsi Man , Black Terror , Phil Thrust + Stingray , The Corporal , Great White/The Speed Racer , Dave & Chris + Ĵ + THE DREAM TEAM COURIER SYSTEM + Ĵ + UNDER RE-CONTRUCTION + + + "ORIGINAL IDEA - [HARD CORE] - [THE DREAM TEAM 1992]" diff --git a/textfiles.com/piracy/FAIRLIGHT.1 b/textfiles.com/piracy/FAIRLIGHT.1 new file mode 100644 index 00000000..0a86122c --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT.1 @@ -0,0 +1,62 @@ + +T E X T F I L E S + +

Piracy Textfiles: Fairlight

+

+"Where Dreams Come True", until they were busted in 1992. +

+ + + + + +
+
Filename
Size
Description of the Textfile
big22.nfo 7749
FAIRLIGHT: Big 22 (January 5, 1993) +
elitetrn.nfo 10483
FAIRLIGHT: Elite II Trainer (October 27, 1993) +
eob2edit.nfo 9773
FAIRLIGHT: Eye of the Beholder II Character Editor by Buckaroo Banzai +
flash100.nfo 4813
FAIRLIGHT: Flashback 100 Percent Crackpatch and English Text (April 25, 1993) +
flt.nf1 6204
FAIRLIGHT: Dungeon Master (July 18, 1992) +
flt.nfo 10673
FAIRLIGHT: A Line in the Sand by SSI +
flt0592.nfo 7275
FAIRLIGHT: Out of This World by Interplay (May 2, 1992) +
flt059~1.nfo 8203
FAIRLIGHT: Tubular Worlds from Dongleware Trainer (May 7, 1994) +
flt1.nfo 9990
FAIRLIGHT: Cool World by Ocean (November 19, 1992) +
flt1092.nfo 8116
FAIRLIGHT: King's Quest VI Complete Solve +
flt1093.nfo 6876
FAIRLIGHT: Positronic Bridge (October 13, 1993) +
flt1291.nfo 11083
FAIRLIGHT: SupaPlex from Digital Integration LTD (Plus News) +
flt3.nfo 8422
FAIRLIGHT: Cyber Empires by SSI (September 14, 1992) +
flt4.nfo 10897
FAIRLIGHT: LA Law by Capstone (December 3, 1992) +
flt5.nfo 6604
FAIRLIGHT: Barbie by H-Tech Expressions (July 10, 1992) +
fltpc.nfo 8060
FAIRLIGHT: Castle of Dr. Brain Codes from Sierra On-Line +
global.nfo 7057
FAIRLIGHT: Global Effect by Millenium (June 1st, 1992) +
gnb.nfo 8580
FAIRLIGHT: Great Naval Battles by SSI (September 26, 1992) +
goblins.nfo 10361
FAIRLIGHT: Goblins from CVS +
hoy3vga.nfo 8892
FAIRLIGHT: Hoyles Book of Games III from Sierra On-Line +
hunt.nfo 3680
FAIRLIGHT: Hunt for Red October +
infernal.nfo 10623
INFERNAL AFFAIRS: Prince of Persia 2 Trainer and Dox (April 27, 1993) +
luigi.nfo 7617
FAIRLIGHT: Luigi and Spaghetti from Spain (January 4, 1993) +
mael.nfo 8532
FAIRLIGHT: Maelstrom (November 18, 1992) +
obitus.nfo 8669
FAIRLIGHT: Obitus, from Psygnosis (January 27, 1991) +
obitusdx.nfo 8033
FAIRLIGHT: Obitus Complete Documentation from Psygnoisis (January 28, 1991) +
pq3-dox.nfo 4268
FAIRLIGHT: Complete Police Quest III Documentation (And Board List) +
pq3hints.nfo 4543
FAIRLIGHT: Police Quest III Hints and Solutions from Sierra +
shadow.nfo 6046
FAIRLIGHT: Shadowgate for Windows from Electronic Arts (December 5, 1992) +
shadow2.nfo 11356
FAIRLIGHT: Shadowgate for Windows from Electronic Arts (December 5, 1992) +
siege.nfo 6204
FAIRLIGHT: Siege by Mindcraft (July 18, 1992) +
simparc.nfo 11415
FAIRLIGHT: The Simpsons Arcade Game from Konami +
steel.nfo 8670
FAIRLIGHT: Steel Empire from Silicon Knights (April 15, 1992) +
steel2.nfo 7284
FAIRLIGHT: Steel Empire from Silicon Knights (April 15, 1992) +
trn.nfo 8523
FAIRLIGHT: Cannon Fodder from Sensible Software Trainer (May 1, 1994) +
vegas.nfo 16660
FAIRLIGHT: Vegas Games for Windows by New World Computing (July 15, 1992) +
vegas2.nfo 6523
FAIRLIGHT: Vegas Games for Windows by New World Computing (July 15, 1992) +
vrs-dox.nfo 9982
FAIRLIGHT: Complete Virtual Reality Studio Dox from Domark +
willhnts.nfo 9528
FAIRLIGHT: Willy Beamish Hints and Solve +
word-dox.nfo 3298
FAIRLIGHT: Complete Wordtris Documentation +
wordtris.nfo 4924
FAIRLIGHT: Wordtris by Spectrum Holobyte +

There are 41 files for a total of 336,489 bytes.

+Important Credit: A portion of these files came from a site called the +Defacto2 Scene Archive, +and were acquired and saved by the folks of that group. They've done a +wonderful job on the site, and it is highly reccommended that you check +it out. + + diff --git a/textfiles.com/piracy/FAIRLIGHT/.windex.html b/textfiles.com/piracy/FAIRLIGHT/.windex.html new file mode 100644 index 00000000..8f96c23d --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/.windex.html @@ -0,0 +1,62 @@ + +T E X T F I L E S + +

Piracy Textfiles: Fairlight

+

+"Where Dreams Come True", until they were busted in 1992. +

+ + + + + +
+
Filename
Size
Description of the Textfile
big22.nfo 7749
FAIRLIGHT: Big 22 (January 5, 1993) +
elitetrn.nfo 10483
FAIRLIGHT: Elite II Trainer (October 27, 1993) +
eob2edit.nfo 9773
FAIRLIGHT: Eye of the Beholder II Character Editor by Buckaroo Banzai +
flash100.nfo 4813
FAIRLIGHT: Flashback 100 Percent Crackpatch and English Text (April 25, 1993) +
flt.nf1 6204
FAIRLIGHT: Dungeon Master (July 18, 1992) +
flt.nfo 10673
FAIRLIGHT: A Line in the Sand by SSI +
flt0592.nfo 7275
FAIRLIGHT: Out of This World by Interplay (May 2, 1992) +
flt059~1.nfo 8203
FAIRLIGHT: Tubular Worlds from Dongleware Trainer (May 7, 1994) +
flt1.nfo 9990
FAIRLIGHT: Cool World by Ocean (November 19, 1992) +
flt1092.nfo 8116
FAIRLIGHT: King's Quest VI Complete Solve +
flt1093.nfo 6876
FAIRLIGHT: Positronic Bridge (October 13, 1993) +
flt1291.nfo 11083
FAIRLIGHT: SupaPlex from Digital Integration LTD (Plus News) +
flt3.nfo 8422
FAIRLIGHT: Cyber Empires by SSI (September 14, 1992) +
flt4.nfo 10897
FAIRLIGHT: LA Law by Capstone (December 3, 1992) +
flt5.nfo 6604
FAIRLIGHT: Barbie by H-Tech Expressions (July 10, 1992) +
fltpc.nfo 8060
FAIRLIGHT: Castle of Dr. Brain Codes from Sierra On-Line +
global.nfo 7057
FAIRLIGHT: Global Effect by Millenium (June 1st, 1992) +
gnb.nfo 8580
FAIRLIGHT: Great Naval Battles by SSI (September 26, 1992) +
goblins.nfo 10361
FAIRLIGHT: Goblins from CVS +
hoy3vga.nfo 8892
FAIRLIGHT: Hoyles Book of Games III from Sierra On-Line +
hunt.nfo 3680
FAIRLIGHT: Hunt for Red October +
infernal.nfo 10623
INFERNAL AFFAIRS: Prince of Persia 2 Trainer and Dox (April 27, 1993) +
luigi.nfo 7617
FAIRLIGHT: Luigi and Spaghetti from Spain (January 4, 1993) +
mael.nfo 8532
FAIRLIGHT: Maelstrom (November 18, 1992) +
obitus.nfo 8669
FAIRLIGHT: Obitus, from Psygnosis (January 27, 1991) +
obitusdx.nfo 8033
FAIRLIGHT: Obitus Complete Documentation from Psygnoisis (January 28, 1991) +
pq3-dox.nfo 4268
FAIRLIGHT: Complete Police Quest III Documentation (And Board List) +
pq3hints.nfo 4543
FAIRLIGHT: Police Quest III Hints and Solutions from Sierra +
shadow.nfo 6046
FAIRLIGHT: Shadowgate for Windows from Electronic Arts (December 5, 1992) +
shadow2.nfo 11356
FAIRLIGHT: Shadowgate for Windows from Electronic Arts (December 5, 1992) +
siege.nfo 6204
FAIRLIGHT: Siege by Mindcraft (July 18, 1992) +
simparc.nfo 11415
FAIRLIGHT: The Simpsons Arcade Game from Konami +
steel.nfo 8670
FAIRLIGHT: Steel Empire from Silicon Knights (April 15, 1992) +
steel2.nfo 7284
FAIRLIGHT: Steel Empire from Silicon Knights (April 15, 1992) +
trn.nfo 8523
FAIRLIGHT: Cannon Fodder from Sensible Software Trainer (May 1, 1994) +
vegas.nfo 16660
FAIRLIGHT: Vegas Games for Windows by New World Computing (July 15, 1992) +
vegas2.nfo 6523
FAIRLIGHT: Vegas Games for Windows by New World Computing (July 15, 1992) +
vrs-dox.nfo 9982
FAIRLIGHT: Complete Virtual Reality Studio Dox from Domark +
willhnts.nfo 9528
FAIRLIGHT: Willy Beamish Hints and Solve +
word-dox.nfo 3298
FAIRLIGHT: Complete Wordtris Documentation +
wordtris.nfo 4924
FAIRLIGHT: Wordtris by Spectrum Holobyte +

There are 41 files for a total of 336,489 bytes.

+Important Credit: A portion of these files came from a site called the +Defacto2 Scene Archive, +and were acquired and saved by the folks of that group. They've done a +wonderful job on the site, and it is highly reccommended that you check +it out. + + diff --git a/textfiles.com/piracy/FAIRLIGHT/big22.nfo b/textfiles.com/piracy/FAIRLIGHT/big22.nfo new file mode 100644 index 00000000..9ab6ce2e --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/big22.nfo 
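Review bot: this hidden file renders line for line identically to FAIRLIGHT.1 above (the same "Where Dreams Come True" intro, the same 41 entries, the same "There are 41 files for a total of 336,489 bytes." line and the same Defacto2 credit), yet the two blobs have different ids (0a86122c for FAIRLIGHT.1, 8f96c23d here), so they differ in bytes the rendering hides, most likely whitespace or markup. Run a byte-level diff of the pair before merging; if one is generated from the other, commit the generator or a symlink rather than two hand-maintained copies that will drift. The listing itself is internally consistent: the 41 sizes sum to 336,489. One entry, "flt059~1.nfo", carries a DOS 8.3 short-name tilde, which usually means it was copied from a listing that could not show its long name; if the original name is known, restore it so the index and the directory agree.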
@@ -0,0 +1,146 @@ + + + . + + + + ߲۲ ۲ ۲ ۲ ۲ ۲ ۲ ۲۲۲ + ܲ ߲ + ߱ ߱ ߱ + + + When Dreams Come True + + + + + + + + + + + + -PROUDLY PRESENTS- +ķ + BIG 22 +Ķ + Supplied by: THE PATTON Written by: ?????? + Cracked by: The TERMINATOR Protection: DOC CHECK + Packaged by: BLADE RUNNER Graphics/Sound: VGA/SB & ADLIB + Release Date: 1/05/93 12am Game Type: Card Game + Rating: CARD GAME YEAh # of Disks: 3 +Ķ + Game Notes: Well this is an Asian CARD game we put it out because it + is easy to play. Just type 'Crack' and a way you go. + THE Truth: The truth about Sinisiter is that it is only a courier group + The two main Courier leaders left FLT to make a new group, + they took many our couriers and with them many of our sites + Many of our site were miss informed by Sin. Members that + Say that Flt is dead.. Well we are not! NO FLT SUPPLIERS + Left the group. Just the couriers did. So all the that were + Misinformed Will be getting FLT support... Sinisiter IS JUST + Another Courier group.. To sinisiter I just say thanxs!!!! + You Guys make our work much easier.... You cut the useless + FAT out.. THANXS FOR PUTTING US ON A DIET. PEACE IN '93 +Ķ + Greets go out to: FAIRLIGHT AMIGA and THE HUMBLE GUYS +Ľ + + + ķ + Ķ -FLT- President + Ľ + + - Ford Perfect - + + ķ + Ķ -FLT- Senior Staff + Ľ + + Blade Runner, Orion, THE HAWK, VenoM + + ķ + Ķ -FLT- Members + Ľ + + Berserker, Beach Bum, FILA, Gank Master + Nemsis Enforcer, Night Ranger, Jack, Onyx + Silencer, Sicko, The Patton, Tom Brokaw + Macblue, Dark Bader, Hologram + The Terminator + + ķ + Ķ -FLT- Cheats/Trainers + Ľ + + Hare Krishna, Patch, Phoniex + Rescue Raider + + ķ + Ķ -FLT- Senior Couriers + Ľ + + Flyboy, Jester, Avalanche, Master Disaster + + ķ + Ķ -FLT- Couriers + Ľ + + Doom, Night Blade, Overseerer, Shadow Lord, + Butter Ball, Olan, Lion, Budsky, Mad Dog + Steel Thunder, Natas, Ranks + + + +ķ + -=FLT=- Boards +Ķ + BOARD NAME POSITION NUMBER SYSOP +Ķ + The Bog World HQ 312/???.???? Sicko + Digital Wasteland U.K. 
HQ +44-81BACKUP! Night Ranger + My Boomin' System (4 Nodes) Canadian HQ 514/PRI.VATE Blade Runner +Ķ + Body Count Member Board DIEGRIMREAPER VenoM + Rising Sun Member Board 813/YOU.WISH Orion + The Hood (2 Nodes) Member Board 416/YOU.WISH Berserker +Ľ + Def Con 4 Dist. Site 201/XXX.XXXX Devastor + Fourth Reich Dist. Site 916/XXX.XXXX Prince of Sin + Twilight Zone Dist. Site 504/XXX.XXXX Jack Flash + Tower Knowledge Dist. Site 404/XXX.XXXX The Sage + + + + + + + + + + + + +ķ + FAIRLIGHT is currently accepting Dist. Sites call Lithium logon on as + FAIRLIGHT APPLY password FAIRLIGHT. Leave your board #, voice #, and + best time to get in touch with you. + get in touch with you. + + FAIRLIGHT is looking for good couriers, if you are interested then logon + MBS with the account mentioned above. And leave your alias, name, + voice # and time to call. + + FAIRLIGHT is also looking for people that can Scan Docs, Code Loaders, + Make MODS, Crack, and Supply. If you are one of these people then call + Lithium with the FAIRLIGHT APPLY account and leave what you can do and + how to get ahold of you. + + CALL 514-937-2005 + + FAIRLIGHT 'When Dreams Come True' +Ľ + *** IF YOU LIKE THIS GAME, BUY IT! SOFTWARE AUTHORS DESERVE SUPPORT *** + + diff --git a/textfiles.com/piracy/FAIRLIGHT/elitetrn.nfo b/textfiles.com/piracy/FAIRLIGHT/elitetrn.nfo new file mode 100644 index 00000000..bec2dc98 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/elitetrn.nfo 
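Review bot: the application paragraph near the end of this hunk contains a duplicated fragment, "best time to get in touch with you." immediately followed by "get in touch with you." on its own line. Confirm this is present in the source NFO as archived rather than a slip in the import; the archive's value is fidelity, so if it is in the original it stays, and if it is an import artifact it should be corrected against the source rather than edited by hand.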
@@ -0,0 +1,190 @@ + + + + + + + + + + + + + + + + + + ANSiJED + + + + + ķ + Elite II Trainer + Ķ + Trained By: Martial Artist / FLT Written By: Gametek + Release Date: 10/27/93 Graphics: VGA + Packaged By: Martial Artist + Ķ + Ķ + Greets: Ben Jammin, The Shapeshifter, Ironbrand, Storm Lord, CRiMSON, + Mr. Goodwrench + Ľ + + Yo hey, Well I hope there are not too many more of these out there now + I liked this game on the C64, Never really understood it.. still don't + This trainer would have been much faster and BETTER if I really knew what + the point of this game was. But whatever, here it is anyhow... + + Place the file 'elitetrn.com' in your ELITE II directory + type ELITETRN to run the trainer.. + + While in the game, you can press Keypad-5 to get a help screen + Press Keypad-5 to get out of the help screen. + + Keypad-1 - Increases your money by the millions every time you press it + I cannot remember the number it gives you about + 1,600,000 $$$ when you press it.. it would be a normal figure + but they are using some stupid type of floating point decimal. + + Keypad-2 This gives you unlimited missiles.. + It used to give you dummymine, proximitymine, homing missile + smart missile, naval missile and a nuclear missile... + but That was unstable because it is differen't for all ships. + + Keypad-3 This increases your ships HOLDS by 1 everytime pressed + It is not updated on the screen immediately + + Keypad-4 ** this works when you start at the beginning, when you choose 1 + and start in the ROSS 154 system with an Eagle Long Range Fighter. + (might work with other ships.. not quite sure, dont have the + patience) + anyhow.. when you are in a front view and you press this key + (maybe a few times) you should see your % of shields being raised + if you don't then it probably isnt wise to use it... + This is best for beginners, so you dont die immediately.. + + + Anyhow, that's about it.. 
it took awile, there were some bugs, but I found them + fairly fast when I figured out they were with the memory re-allocation.. + (lame fucking bugs) + + Sooo Personal Greetings to: + + Hi.T.Moonweed - Thanx for the source to your FLAMES that I could destroy + and kill and maim to make my own creation in the trainer + screen.. and for the senseless fone calls.. Bollox + + Billy Wizz - CALL ME, I lost your address.. those tapes got fucked up + (Haggis peice of shit) + + Ben Jammin - Wow, looks like I joined ITU after all???? + + Warchild - Hey man, well looks like I joined you as well after all!!? + + Network - You Raving bastard, what's up, if you ever phreak gimme + a call, I still have those QEDIT macros you want + + Hard Core - Well man, it's a shame you couldn't get me a courier... + missin out on all these trainers... + (why the fuck would you let a cock sucker like hoson + Take over TDT???? bad move) + + Devious Doze - I Will be in Toronto some time soon.. for new years + Then I can finally meet you. + + Mystik Tiger - Hey man.. Want to hear from you soon.. gotta talk about + Mystik.. + + VLA - Think I will be joining you guys soon to release source + Code of lot's of shit.. should be cool.. + + Factory - Thanx for the stuff man.. + + Shadow Master - Can't you phreak yourself (always using people geeeeze) + + Digital Fuhrer- Well here it is.. LATE but it's here (hey I gotta sleep) + + Quazar - Yo hey, so those ansi's suuure would be nice + + Chaos 9 - My friend.. we will rock halloween. + + Renegade Chemist - What's up man... how's college + + Butcher - It's been a long time.. how's the industrial parts going? + + Witch Kind - Gimme a call.. or did your phreak nigger (Gangsta Rok) + die or something + + Gangsta Rok - just kidding your not a nigger (unless Ken gets ahold of you) + + TO ALL Call my bbs, cauze it's dieing.. 
+ The Faultine (see number below) + + + + Ŀ + Ĵ -= FLT Staff =- + + Strider, Warchild, + War Master, Bainster, Fourth Reich, Forced Entry, + General Zennor, Icepic, Rupert, Avalon, Lightning Hopkins, + Cetis, White Rose, + + + Ŀ + Ĵ -= FLT Trainer/Dox =- + + Digital Fuhrer, Shadow Master, Quazar, + Martial Artist, Mason King, + Byte Spiker, Factory + + Ŀ + Ĵ -=FLT=- Couriers + + + Nueromage, Vanilla Ice, Blitzkreig, Holo Dream, + Duke, Sassy, The Dutchmen + + ķ + - Fairlight Boards - + Ķ + BOARD NAME POSITION NUMBER SYSOP + Ķ + World HQ /PRI.VATE + Courier HQ /PRI.VATE + Craftworld Can HQ /PRI.VATE Slum Dweller + The City U.S.H.Q. 813/PRI.VATE Bainster + Vangaardium Aust HQ +61 /PRI.VATE Icepic + The CyberReich Trainer HQ 404/PRI.VATE Digital Fuhrer + Ķ + Legion of Doom Dist Site 203/XXX.XXXX The Phantom + Mechanical Resistance Dist Site 708/XXX.XXXX Mr. Goodwrench + Hemispheres Dist Site 404/XXX.XXXX Radar + Annihilation Nation Dist Site 403/XXX.XXXX Liquid Flesh + X Factor Dist Site /XXX.XXXX Manufactor + Devil's Nightmare Dist Site /XXX.XXXX Elminator + Demilitarized Zone Dist Site /XXX.XXXX Mercenary + Mother Load Dist Site ITS/PRI.VATE + Muscle Beach Dist Site 203/XXX.XXXX Jp + Ľ + ķ + - Trainer Division - + Ķ + BOARD NAME POSITION NUMBER SYSOP + Ķ + The Fault Line Canadian HQ 403/288.5635 Martial Artist + 403/288.8402 + Ķ + Hydrogen Palace Dist Site 613/XXX.XXXX LoRD NuKE + APPLY NOW! Dist Site XXX/XXX.XXXX + APPLY NOW! Dist Site XXX/XXX.XXXX + Ľ + + ķ + + Fairlight / FLT Trainers are looking for DISTRIBUTION SITES.. Apply NOW! + If you're not satisfied with your current group, then let us know! + + Ľ diff --git a/textfiles.com/piracy/FAIRLIGHT/eob2edit.nfo b/textfiles.com/piracy/FAIRLIGHT/eob2edit.nfo new file mode 100644 index 00000000..1fd686d3 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/eob2edit.nfo 
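Review bot: the top of this hunk is a run of empty "+" lines ending in the artist credit "ANSiJED", and the "FLT Staff", "FLT Trainer/Dox" and "Fairlight Boards" frames have lost their border characters, which suggests that the ANSI logo and high-bit art in the original were dropped outright rather than mis-decoded; the same empty-run-then-"ANSiJED" pattern appears in flash100.nfo and flt.nf1 below. If the source bytes are still available, re-import these files from them, since the blank lines here cannot be recovered into the logo they replaced.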
@@ -0,0 +1,160 @@ + Ŀ + USA/FLT United Software Association USA/FLT + Fairlight PC Division + USA Cheats Department + + Proudly Presents + + Eye of The Beholder ][ Character Editor + + By + + USA/FLT Buckaroo Banzai USA/FLT + +Ŀ + + Cheat Notes: Read the eob2edit.dox for all the info. Thanks Buckaroo! + + +Ŀ + + What's Up With USA/FLT? + ~~~~~~~~~~~~~~~~~~~~~~~ + Still need more couriers... Fill out an app and get it to us. + + +Ŀ + + Greets: INC, TC, CH + + + + - USA/FLT Senior Staff - + + Genesis, Silencer, The NotSoHumble Babe + + + - USA/FLT Members - + + Black Jack, Buckaroo Banzai, Fire, General Zennor, HAL9000, Harry Lime, + Lord Blix, Lord Sterling, Marko Ramius, Minor Threat, R. Bubba + Magillicutty, Repo Man, Static, The Guch and The Necromancer + + + - FairLight PC Members - + + Strider + + + - The USA-DoX Team - + + Caramon, FAThead, Genesis, Kublai Khan, Repo Man + + + - USA/FLT Couriers - + + -Senior- + + Heavy Metal and Tomkat + + -Normal- + + Alexis Machine, Dr. Crippen, Morpheus and Scorch + + -Trial- + + Egocentrix and Electric Element + +Ŀ + - USA/FLT Boards - +Ĵ + BOARD NAME POSITION NUMBER SYSOP +Ĵ + BBS-A-Holic Western Home 213/PRI.VATE Genesis + Enterprize Elite Eastern Home 313/PRI.VATE Static / The NSH Babe +Ĵ + The Mudd Club Member Board 713/347.1416 Lord Blix + The Inferno Member Board 416/493.9927 Harry Lime + The Rush Board Member Board 313/348.6057 The Necromancer + House Of Lords Member Board 714/681.9219 Lord Sterling + Radioactive Decay Member Board 213/923.4447 Repo Man + Infinity Member Board 914/229.8483 Fire + High Intensity Member Board 512/385.4912 Marko Ramius +Ĵ + World of Mirage Dist Site 718/898.8421 The Widowmaker + The Richter Scale Dist Site 516/754.6402 Earthquake + Elysium BBS Dist Site 508/468.7636 Squire + Khaotic Attractor Dist Site 508/970.5306 Mr Wyzard + The Powerdome Dist Site 901/872.3715 Electron + Modular Madness Dist Site 512/219.8045 Fatal Error + The Paki's Smell Dist Site 604/261.8182 Skeleton Secretary 
+ Cloak & Dagger Dist Site 516/791.2156 Surak + The 4th Dimension Dist Site 813/948.1635 Time Traveler + The Krack House Dist Site 614/882.5546 Rainman + + +Ŀ + - USA/FLT Support Nodes - +Ĵ + + The World Of Krynn - Down River Elite - Amiga World - The End + + + + So you wanna be a USA Dist Site or Member huh? + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + If you are interested in becoming a USA/FLT Dist Site or Member, please + contact Genesis at BBS-A-Holic or TNSH Babe at Enterprise Elite. Tell + us what you have to offer to USA/FLT and you will be considered. All + of our members and dist sites are completely functional. This means + they all help the group in some way. If you can't or don't want to do + anything to help out, and just want to sit there and run a dist site, + then forget it. But if think you have something to offer and you want + to help the newest up and coming group reach the top, give us a call. + USA/FLT Support Nodes are also available, inquire any Senior Staff + Member for details, or call the VMB and leave your info. + + + So you wanna be a USA Courier huh? + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Fill out a USA/FLT courier application and send it up to + BBS-A-Holic, private for Genesis. + +Ŀ + + You may contact us by mail at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + USA/Fairlight + 35526 Grand River, Suite 121 + Farmington Hills, MI 48335 + + OR + + Fairlight + P.O. Box 6 + 23600 Hollviken + Sweden + +Ĵ + + You may contact us by phone at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The USA/Fairlight VMB + + 716-987-1151 + +Ĵ + + *** S P E C I A L O F F E R *** + + VHS Movies Available - Write To Address Below For Info: + + Skid Row + Postrestante + 8450 Hammel + Denmark + + + diff --git a/textfiles.com/piracy/FAIRLIGHT/flash100.nfo b/textfiles.com/piracy/FAIRLIGHT/flash100.nfo new file mode 100644 index 00000000..80782175 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/flash100.nfo 
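Review bot: the cheat notes line "Read the eob2edit.dox for all the info." points at a companion documentation file that is not part of this changeset and does not appear in the FAIRLIGHT directory listing above, which contains only .nfo entries, so readers of the archive get the pointer but not the document. If textfiles.com holds eob2edit.dox, add it in the same commit; if it does not, record that the companion file is missing rather than leave a dangling reference.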
@@ -0,0 +1,76 @@ + + + + + + + + + + + + + + + + + ANSiJED + + + + + +ķ + PRESENTS: FlashBack 100% crackpatch and English Text +Ķ + Supplied By: - Written By: Black Shadow + Cracked By: Black Shadow Graphics: 8/10 + Packaged By: Black Shadow Sound: 7/10 + Release Date: 04/25/93 Rating: 10/10 +Ķ + + Game Notes: Well, well.. I guess there was a second protection afterall. + Just copy 'FLTFLASH.COM' to the FB directory and then copy + 'FR_CINE.TXT' to the DATA directory, and then run the + FLTFLASH.COM proggy to completely crack the game.. + Have fun with this... /Black Shadow + + PS. A full 100% English version will be released soon... + PPS. A file with the levelcodes is also included... + +Ķ + Greets: The Dream Team,Razor 1911,Hybrid +Ľ + + + Ŀ + Ĵ PROUD FAiRLiGHT MEMBERS: + + + STRIDER, BLACK SHADOW + + Dragon, Will Stanton, Axel & Striker + + +ķ + PROUD FAiRLiGHT BULLETIN BOARDS: +Ķ + BOARD NAME POSITION NUMBER SYSOP +Ķ + Seventh Heaven European HQ +46-40-303408 Black Shadow + Dragon's Lair - Node 1 Swedish HQ +46-42-162417 Dragon + - Node 2 +46-42-162419 + Dyer's Eve Swedish HQ +46-8-7618456 Will Stanton +Ķ + Road to Nowhere (4 Nodes) Support Board 310-947-3299 The Legend +Ķ + ** SPACE FOR RENT ** Distrib. Site ** YOUR NUMBER HERE ** +Ľ + +ķ + FAiRLiGHT is looking for LOYAL MEMBERS who are dedicated to QUALITY! + Call : 7th Heaven - EHQ - +46-40-303408 or + Write to : FAiRLiGHT , P.O. Box 6 , 236 00 Hollviken, Sweden +Ľ + + *** IF YOU LIKE THIS SOFTWARE, BUY IT! SOFTWARE AUTHORS DESERVE SUPPORT *** diff --git a/textfiles.com/piracy/FAIRLIGHT/flt.nf1 b/textfiles.com/piracy/FAIRLIGHT/flt.nf1 new file mode 100644 index 00000000..4b078371 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/flt.nf1 
@@ -0,0 +1,105 @@ + + + + + + + + + + + + + + + + + ANSiJED + + + + + +ķ + PRESENTS: Dungeon Master +Ķ + Supplied By: Mournblade/Flashback Written By: FTL + Cracked By: N/A Graphics: VGA/EGA + Packaged By: Heretic Sound: SB/Adlib/Tandy/SS/PC + Release Date: 07/18/92 Rating: 7/10 +Ķ + + Game Notes: This is not quite as good as the amiga version, but here it + is anyway. A good D&D type game. We played it for an hour + or so and found no protection. + + Bragging to put you into one of the most detailed dungeons + ever, this is sure to be a favorite of the adventure game + players. + +Ķ + Greets: Catalyst, Grimstalk, Strider and Mournblade! +Ľ + + + + Ŀ + Ĵ -=FLT=- Senior Staff + + + Heretic, Mournblade, Strider + + Ŀ + Ĵ -=FLT=- Members + + + Grimstalk (Courier Co-Ordinator), Lord Blix, VenoM, + R. Bubba Magillicutty, FlashBack, Ryec, Kintaro, Doc Holiday, + Hagbard Celine, Skeleton Secretary & Wolverine + + Ŀ + Ĵ -=FLT=- Couriers + + + Catalyst, Coyotes Member, Felonius Monk, Gank Master, + Lord Nelson, Mind Bomb, Pharoah & The Sleepwalker + + Ŀ + Ĵ -=FLT=- Docs & Cheats + + + EarthQuake, Tank + + +ķ + -=FLT=- Boards +Ķ + BOARD NAME POSITION NUMBER SYSOP +Ķ + Whirlwind World HQ 416/PRI.VATE Heretic + The BANE Of The BLACK SWORD Courier H.Q. XXX/PRI.VATE Mournblade + Apocalypse (3 Nodes) U.S. HQ 703/PRI.VATE P.O.W. +Ķ + Body Count Member Board 516/PRI.VATE VenoM + Marvel Universe Member Board 215/PRI.VATE Wolverine + Neo-Tokyo Member Board 604/PRI.VATE Skeleton Sec. + The Outer Limits Member Board 313/PRI.VATE FlashBack +Ķ + D'M0B Dist Site 604/XXX.XXXX Chaos Master + Pirate Mind Station Dist Site 314/567.3833 Felonius Monk + Purple Haze Dist Site 313/XXX.XXXX Speedball + Psychonuerosis Dist Site 301/946.3835 Gank Master + The Prison Dist Site 615/758.8731 The Warden + The Richter Scale Dist Site 516/XXX.XXXX EarthQuake + The World of Krynn Dist Site 313/XXX.XXXX Caramon + Wintermute Dist Site 514/XXX.XXXX Case +Ľ + +ķ + + Fairlight needs good people. 
Couriers, Distribution Sites etc. If you're + not satisfied with your current job let us know! FLT Rockin' 92'! + +Ľ + + \ No newline at end of file diff --git a/textfiles.com/piracy/FAIRLIGHT/flt.nfo b/textfiles.com/piracy/FAIRLIGHT/flt.nfo new file mode 100644 index 00000000..ace505c9 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/flt.nfo 
@@ -0,0 +1,185 @@ + + + . + + + + ߲۲ ۲ ۲ ۲ ۲ ۲ ۲ ۲۲۲ + ܲ ߲ + ߱ ߱ ߱ + + + When Dreams Come True + + + + + + + + + + + + -PROUDLY PRESENTS- +ķ + A Line in the Sand +Ķ + Supplied by: FORD PERFECT Written by: SSI + Cracked by: SIR TERMINATOR Protection: Doc Check + Packaged by: SIR Blade Runner Graphics/Sound: ALL + Release Date: Dec 17. Game Type: Strategy + Rating: 5/10 # of Disks: 1 +Ķ + + + Game Note: This is another release by FLT. + + + +Ķ + Greets go out to: All FLT COURIERS... PEACE to all the OP's +Ľ + + ķ + Ķ -FLT- Main Organizers + Ľ + + FLT Euro Division - STRIDER + FLT USA Division - Ford Perfect + + ķ + Ķ -FLT- Senior Staff + Ľ + + Blade Runner, Nuclear War, ORION + THE HAWK, VenoM + + ķ + Ķ -FLT- Members + Ľ + + ACE, Berserker, Beach Bum, Black Shadow, Califboy + Dennis the Menace, Nuclear War, Doctor Bombay, Flashback + FILA, Iceberg, Jack, Kingpin, Larual & Hardy, MICHELANGELO + New Kids, Night Ranger UK, Orion, RADAR, Rifleman, Selim & Rudi + Shadow Angel, Silencer, SkaTeMasTer, Sparky, Subzero + The Terminator, Tom Brokaw, Ufonaut, Union Jack + + ķ + Ķ -FLT- Senior Couriers + Ľ + + Dirty Frank, Doctor Bombay, Dorian Hawkmoon + Fourth Reich, Gank Master, Mind Bomb + Overlord, Pagan + + ķ + Ķ -FLT- Couriers + Ľ + + Always Dangerous, Arch Angel, Armoured Saint, Avalanche + Darkstar, Doom, Enforcer, Fear, Flyboy, Fresh Kid Ice, Fugazi + Fugazi, Genicide, Genocide, Ghost Pilot, Godfather, Havok, Insector X + James Bomb, JC Poon, Jester, King Meat, Lips, Malachai, Master of Diaster + Nightblade, Oolan, Pagan, Plague, Raging Bull, Raven, Rick Hunter, Rougue + Sai Kotic, Shadowlord, Stalker, Steel Thunder, The Destroyer, The Judge + The Outcast, Touchtone, Traumatic Breakdown, Unsettled Soul, Viper + X-Man, Zakafein + + ķ + Ķ -FLT- Cheats/Trainers + Ľ + + The Phoney Coders + Hare Krishna, Patch + Rescue Raider, The Phrophet, The Weasel + + + ķ + Ķ -FLT- DOXS + Ľ + + Crystal Warrior & Kublai Khan + Fourth Reich, Hellspawn, Hell Bound + HELLION + +ķ + -=FLT=- 
Boards +Ķ + BOARD NAME POSITION NUMBER SYSOP +Ķ + Body Count World HQ 516/DIE.MIKE VenoM + Digital Wasteland U.K. HQ +44-81BACKUP! Night Ranger + Unlimited Access (3 Nodes) German HQ +49-30BACKUP! Sparky + My Boomin' System (4 Nodes) Canadian HQ 514/PRI.VATE Blade Runner + HMS Bounty (4 Nodes) US West Cour HQ 714/PRI.VATE Fletcher + Sin City (6 Nodes) US East Cour HQ 813/PRI.VATE Hellion +Ķ + Crime Ring Member Board 714/YOU.WISH Kingpin + Golden Spires Member Board 416/YOU.WISH Master-Tech + Harmony Skates (2 Nodes) Member Board 718/ViS.iONX SkateMaster + Lithium Member Board 813/YOU.WISH Shadow Angel + Manhattan Project (2 Nodes) Member Board 503/YOU.WISH Rifleman + Narcotik Illusion Member Board 703/YOU.WISH Con Artist + Pirate Mind Station Member Board 314/YOU.WISH Felonius Monk + Rising Sun Member Board 813/YOU.WISH Orion + The Outer Limits (2 Nodes) Member Board 313/YOU.WISH FlashBack + The Hood (2 Nodes) Member Board 416/YOU.WISH Berserker + UnderWorld Member Board 916/YOU.WISH Califboy +Ķ + After Midnight Dist Site 310/XXX.XXXX The Painter + Bubba Land Dist Site 407/XXX.XXXX Bubba + Covert Action ][ Dist Site 818/XXX.XXXX Contra + CyberWars Dist Site 908/XXX.XXXX Fearless Leadr + Eldar's Craftworld Dist Site 418/XXX.XXXX Slum Dweller + Enigma Dist Site 201/XXX.XXXX Holy Avenger + Fourth Reich Dist Site 916/XXX.XXXX Prince of Sin + Gator Crator Dist Site 318/XXX.XXXX Gatorman + Infinite Ragnarok Dist Site 916/XXX.XXXX Jormungand + Private Collection Dist Site 305/XXX.XXXX Wild Child + Park Centeral Dist Site 708/XXX.XXXX Silver V + Second Sight Dist Site 416/XXX.XXXX Phalon + The City Dist Site 813/XXX.XXXX The Bainster + The Game Grid Dist Site 513/XXX.XXXX Tron + The Prison Dist Site 615/XXX.XXXX The Warden + The Sewer Dist Site +47/67.33292 Phoenix + The Wooden Boxcar Dist Site 606/XXX.XXXX Packrat + Tower of Knowledge Dist Site 404/XXX.XXXX The Sage + Twilight Zone Dist Site 504/XXX.XXXX Jack Flash + Wintermute Dist Site 514/XXX.XXXX Case +Ľ + + + + + + + 
+ + + + + +ķ + FAIRLIGHT is currently accepting Dist. Sites call Lithium logon on as + FAIRLIGHT APPLY password FAIRLIGHT. Leave your board #, voice #, and + best time to get in touch with you. + get in touch with you. + + FAIRLIGHT is looking for good couriers, if you are interested then logon + Lithium with the account mentioned above. And leave your alias, name, + voice # and time to call. + + FAIRLIGHT is also looking for people that can Scan Docs, Code Loaders, + Make MODS, Crack, and Supply. If you are one of these people then call + Lithium with the FAIRLIGHT APPLY account and leave what you can do and + how to get ahold of you. + + Lithium - 813-799-4417 + + FAIRLIGHT 'When Dreams Come True' +Ľ + *** IF YOU LIKE THIS GAME, BUY IT! SOFTWARE AUTHORS DESERVE SUPPORT *** + + diff --git a/textfiles.com/piracy/FAIRLIGHT/flt0592.nfo b/textfiles.com/piracy/FAIRLIGHT/flt0592.nfo new file mode 100644 index 00000000..efd809b8 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/flt0592.nfo 
@@ -0,0 +1,113 @@ + + + + + + + + + + + P R O U D L Y P R E S E N T S + + .....OUT OF THIS WORLD..... + + Ŀ + Program By: InterPlay Graphic Support: MOST + Ĵ + Cracked By: R. Bubba Magillicutty Sound Supported: FULL/ALL + Ĵ + Date of Release: May 2nd ,1992 Controls: Keyboard/Mouse/Joystick + Ĵ + + Protection: All Scripts. Only Mr. Bubba's Touch was good enough. + ~~~~~~~~~~ + + + + Game Hype: This is the US version and has 30 more screens (we heard) + ~~~~~~~~~~ and full sound and graphics support. A definite Keeper! + We kept it for a few days to check it out....... + + + Installation: Same as Another World. + ~~~~~~~~~~~~~ + + Shout outs: Go out to Ice Nine for Supplying and couriering, and + ~~~~~~~~~ not being at the prom! + + + + + Fairlight PC Division Staff + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Senior Staff: STRIDER, NEMESIS ENFORCER, TRICK LORD + HERETIC, BLADE RUNNER + + Members: PSYLOCKE, THE TERMINATOR, GRIMSTALK + FIRE, NIGHTSTICK, BUCKAROO BANZAI + MARKO RAMIUS, BLACK JACK, MINOR THREAT + HEAVY METAL, DOCTOR CRIPPEN, HARDWIRE + THE NECROMANCER, COYOTES MEMBER, MR. MIXTY + ALEXIS MACHINE, SILENT ASSASSIN, LORD STERLING + MIDNIGHT MODIFIER, ICE NINE + + + + FAIRLIGHT PC DISTRIBUTION ۲ + Ŀ + Board Name Phone Number SysOp INFO/NUP + Ĵ + Rivendell 217/PRI.VATE Trick Lord World HQ + Whirlwind 416/PRI.VATE Heretic Canada HQ + My Boomin'System 514/PRI.VATE Blade Runner Courier HQ + F/X 914/PRI.VATE Fire Eastern HQ + Ĵ + Paki's Smell 604/PRI.VATE Skeleton Secretary + Modular Madness 512/PRI.VATE Fatal Error + Dark Star ITS/PRI.VATE Warhawk + Power Surge ITS/PRI.VATE Ice Nine + Pirate Domain 416/762.1765 Union Jack + Quaratine ITS/PRI.VATE Night Stick + Virtual Reality ITS/PRI.VATE Midnight Modifier + Siren of Death ITS/PRI.VATE Darkman + d'M0b ITS/PRI.VATE Chaos Master + Richter Scale 516/754.6402 Earthquake + Street Spyders 713/266.8330 Maverick 'Beam Me Up' + The Lab 514/858.1326 Pr. 
Sinister + Marvel Universe 215/758.8644 Wolverine + + + Look for our new Trainers and Cheats division coming to + a theater near you! We just keep getting better and better... + ************* + + -->>> NEED A LIFE? WELL.... <<<-- + Call our WORLD HEADQUARTERS listed above. + The NUP for Rivendell-217 is 'originals'. + Now accepting new users...maybe. + + Ŀ + + You may contact us by mail at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + -->>FAIRLIGHT PC<<-- -->FLT AMIGA/PC<-- -->>FLT AMIGA<<-- + =================================================================== + FAIRLIGHT PC AMERICA FAIRLIGHT WORLD HQ FAIRLIGHT AMERICA + PO BOX 6864 PO BOX 6 PO BOX 268 + CHAMPAIGN, IL 61826-6864 23600 HOLLVIKEN AMISSVILLE, VA 22002 + U.S.A. SWEDEN U.S.A. + + You may contact us by phone at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + 716-987-1151 + + + + + Look for some wicked Fairlight Releases coming to an INC site near YOU! + + \ No newline at end of file diff --git a/textfiles.com/piracy/FAIRLIGHT/flt059~1.nfo b/textfiles.com/piracy/FAIRLIGHT/flt059~1.nfo new file mode 100644 index 00000000..2cbf315d --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/flt059~1.nfo 
@@ -0,0 +1,125 @@ + + + + + + + + + + + + + + + + + + + ANSiJED + + + + + +ķ + PRESENTS: TUBULAR WORLDS FROM DONGLEWARE [+1] TRAINER +Ķ + Supplied By: TRSI Written By: Fornicator + Cracked By: - Graphics: -/10 + Packaged By: Ken Buddha Sound: -/10 + Release Date: 05/07/94 Rating: -/10 +Ķ + Decent game. + + FairLight is re-structuring for maximum efficiency! FairLight is dedicated + to quality and not quantity. We extend a courteous hand to fellow groups + in the pirate community. Always looking for talented and loyal people. + + If you are interested in contributing call the FairLight 24HR VMB at + + 619-497-1580 + +Ķ + Greets go out to all cool FairLight members and to all other cool people +Ľ + + Ŀ + Ĵ FAiRLiGHT PC PRESIDENT + + + BLACK SHADOW + + Ŀ + Ĵ FAiRLiGHT PC VICE PRESIDENT + + + STRIDER + + Ŀ + Ĵ FAiRLiGHT PC MEMBERS + + + Judge, Ken Buddha, Moocher, Genius, Exolon, + Fornicator, Coroner, Lust Lord, Ranx, + Splatt, Skol and JBM + + Ŀ + Ĵ FAiRLiGHT PC COURIER TEAM + + + Rebound,Screwball + +ķ + PROUD FAiRLiGHT BULLETIN BOARDS: +Ķ + BOARD NAME POSITION NODES NUMBER SYSOP +Ķ + 7th Heaven European HQ 2 +46-Private Black Shadow + +46-Private (With TERBO!) + 2nd Phobia Member Board 1 +46-Private Judge + Realms of Death Member Board 1 +xx-Private Unlisted + +Ķ + ** SPACE FOR RENT ** Distrib. Site ** YOUR NUMBER HERE ** +Ľ +ķ + + FAIRLIGHT TRADING, INC IS YOUR BEST SOURCE FOR CONSOLE BACK-UP UNITS + AND IS THE LARGEST DISTRIBUTOR FOR FRONT FAR EAST CORP. WE STOCK + THE FOLLOWING UNITS ; SUPER WILD CARD & SUPER MAGIC DRIVE! + + WE ARE LOOKING FOR RE-SELLERS WORLDWIDE! CALL US *NOW* : + + U.S.A. ; 1-800-FAIRLIGHT + INTERNATIONAL ; 1-619-282-5311 + 24HRS FAX ; 1-619-282-1780 + +Ľ +ķ + + Call the FairLight Party-Girls 24 hrs! Live 1-on-1 action!! + + 1-900-288-9155 + 9735 + + $3.99 per min. Must be 18 yrs. Procall Co. (602) 631-0615 + +Ľ +ķ + + Write to FairLight : + + FairLight, P.O. 
Box 5, 1410 Waterloo, Belgium + +Ľ +ķ + FAiRLiGHT is looking for LOYAL MEMBERS who are dedicated to QUALITY! + Call : 7th Heaven - EHQ + Write to : FAiRLiGHT PC, P.O. Box 6 , 236 00 Hollviken, Sweden + Don't write if you want to have games and stuff, only membership + applications and such will be looked at, all other mail will be + trashed... And we don't SELL games so don't even think about it! +Ľ + + *** IF YOU LIKE THIS SOFTWARE, BUY IT! SOFTWARE AUTHORS DESERVE SUPPORT *** + \ No newline at end of file diff --git a/textfiles.com/piracy/FAIRLIGHT/flt1.nfo b/textfiles.com/piracy/FAIRLIGHT/flt1.nfo new file mode 100644 index 00000000..968f3e2e --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/flt1.nfo 
@@ -0,0 +1,174 @@ + + + . + + + + ߲۲ ۲ ۲ ۲ ۲ ۲ ۲ ۲۲۲ + ܲ ߲ + ߱ ߱ ߱ + + + When Dreams Come True + + + + + + + + + + + + -PROUDLY PRESENTS- +ķ + Cool World +Ķ + Supplied by: FILA/New Kids Written by: OCEAN + Cracked by: ONYX Protection: Copy Lock 2 + Packaged by: THE HAWK Grahpics/Sound: VGA 16/256 + Release Date: 11/19/92 Game Type: ARCADE + Rating: COOL # of Disks: 2 (1.2 Megs) +Ķ + Game Notes: This is a pretty cool jump & run arcade game and fun + to play. It even has SMOOTH scrolling on my 486/33. + Look for a trainer out tonight. + + + Group Notes: Anyone interested in joining PhelonyNet (FIDO compatible) + send EMail to Crusher or SkateMaster. + + + Personal Greets: ONYX, Blade Runner/THE TERMINATOR (Having Fun GUYS??) +Ķ + Greets go out to: TriStar RedSector, The Humble Guys, and XEROX +Ľ + + ķ + Ķ -FLT- Main Organizers + Ľ + + FLT Euro Division - STRIDER + FLT USA Division - Ford Perfect + + ķ + Ķ -FLT- Senior Staff + Ľ + + Blade Runner, Con Artist, Silent Stalker + THE HAWK , VenoM + + ķ + Ķ -FLT- Members + Ľ + + ACE, Berserker, Beach Bum, Black Shadow, Califboy, Crusher + Dennis the Menace, Doctor Bombay, Flashback, FILA, Iceberg + Jack, Kingpin, Larual & Hardy, MICHELANGELO, Night Ranger UK + Orion, RADAR, Rifleman, Selim & Rudi, Shadow Angel, SkaTeMasTer + Sparky, Subzero, The Terminator, Tom Brokaw, Ufonaut, Union Jack + + ķ + Ķ -FLT- Senior Couriers + Ľ + + Dirty Frank, Doctor Bombay, Dorian Hawkmoon + Fourth Reich, Gank Master, Overlord + + ķ + Ķ -FLT- Couriers + Ľ + + Always Dangerous, Arch Angel, Avalanche, Budski + Confucious, Dark Star, Destroyer, Doom, Enforcer, Flyboy + Ghost Pilot, Godfather, Havok, James Bomb, Jester, King Meat + Master of Diaster, Night Blade, Pagan, Plague, Raging Bull + Rick Hunter, SaiKotic, Stalker, Steel Thunder, The Destroyer + The Outcast, Touchtone, Traumatic Breakdown + Unsettled Soul, Viper, X-Man, Zakafein + + ķ + Ķ -FLT- Cheats/Trainers + Ľ + + The Phoney Coders + Hare Krishna, Patch + The Phrophet, The Weasel + + 
ķ + Ķ -FLT- DOXS + Ľ + + Crystal Warrior & Kublai Khan + Fourth Reich, Hellspawn, Hell Bound + HELLION +ķ + -=FLT=- Boards +Ķ + BOARD NAME POSITION NUMBER SYSOP +Ķ + Body Count World HQ 516/DIE.MIKE VenoM + Golden Spires Canadian HQ 416/PRI.VATE Master-Tech + Unlimited Access (3 Nodes) German HQ +49-30BACKUP! Sparky + My Boomin' System (4 Nodes) Can. Courier HQ 514/PRI.VATE Blade Runner + HMS Bounty (4 Nodes) US West Cour HQ 714/PRI.VATE Fletcher + Sin City (6 Nodes) US East Cour HQ 813/PRI.VATE Hellion +Ķ + Crime Ring Member Board 714/YOU.WISH Kingpin + Eyes Of The Dragon Member Board 207/YOU.WISH Crusher + Harmony Skates (2 Nodes) Member Board 718/ViS.iONX SkateMaster + Lithium Member Board 813/YOU.WISH Shadow Angel + Manahattan Project Member Board 502/YOU.WISH Rifleman + Rising Sun Member Board 813/YOU.WISH Orion + The Outer Limits (2 Nodes) Member Board 313/YOU.WISH FlashBack + The Hood (2 Nodes) Member Board 416/YOU.WISH Berserker +Ķ + After Midnight Dist Site 310/XXX.XXXX The Painter + Bubba Land Dist Site 407/XXX.XXXX Bubba + Covert Action ][ Dist Site 818/XXX.XXXX Contra + CyberWars Dist Site 908/XXX.XXXX Fearless Leadr + Eldar's Craftworld Dist Site 418/XXX.XXXX Slum Dweller + Enigma Dist Site 201/XXX.XXXX Holy Avenger + Fourth Reich Dist Site 916/XXX.XXXX Prince of Sin + Gator Crator Dist Site 318/XXX.XXXX Gatorman + Infinite Ragnarok Dist Site 916/XXX.XXXX Jormungand + Park Centeral Dist Site 708/XXX.XXXX Silver X + Second Sight Dist Site 416/XXX.XXXX Phalon + The Game Grid Dist Site 513/XXX.XXXX Tron + The Prison Dist Site 615/XXX.XXXX The Warden + The Sewer Dist Site +47/67.33292 Phoenix + Twilight Zone Dist Site 504/XXX.XXXX Jack Flash + Wintermute Dist Site 514/XXX.XXXX Case +Ľ + + + + + + + + + + + + +ķ + FAIRLIGHT is currently accepting Dist. Sites call Sin City, logon on as + VISITOR password FAIRLIGHT. Leave your board #, voice #, and best time to + get in touch with you. 
+ + FAIRLIGHT is looking for good couriers, if you are interested then logon + Sin City with the account mentioned above. And leave your alias, name, + voice # and time to call. + + FAIRLIGHT is also looking for people that can Scan Docs, Code Loaders, + Make MODS, Crack, and Supply. If you are one of these people then call + Sin City with the VISITOR account and leave what you can do and how to + get ahold of you. + + FAIRLIGHT 'When Dreams Come True' +Ľ + *** IF YOU LIKE THIS GAME, BUY IT! SOFTWARE AUTHORS DESERVE SUPPORT *** + + diff --git a/textfiles.com/piracy/FAIRLIGHT/flt1092.nfo b/textfiles.com/piracy/FAIRLIGHT/flt1092.nfo new file mode 100644 index 00000000..13a3a46e --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/flt1092.nfo 
@@ -0,0 +1,130 @@ + + + + + + + + + + + + + + + + ANSiJED + + + + + +ķ + PRESENTS: King's Quest VI Complete SOLVE +Ķ + Supplied By: Kublai Khan Written By: Sierra + Cracked By: N/A Graphics: 256 VGA + Packaged By: Kublai Khan Sound: ALL + Release Date: 10/05/92 Rating: N/A +Ķ + + Doc Notes: Well, here is the complete Solve/Walkthru for the 'not + yet' released King's Quest VI: Heir Today, Gone Tommorow. + Check out our new Dox viewer system! + + + + + Group Notes: Wonder who's gonna release it. (Duh?) + + + +Ķ + Greets: SkaTeMasTer, Black Spyrit, and the rest... +Ľ + + + Ŀ + Ĵ -=FLT=- Senior Staff + + + MOURNBLD, Strider + + Ŀ + Ĵ -=FLT=- Members + + + Blade Runner, Con Artist, Crusher, FlashBack, Ford Perfect + The Gh0dess, Hannibal Lektor, The Hawk, Lord Blix, Night Ranger + Night Ranger UK, Orion, Skeleton Secretary + The Terminator, VenoM, Wolverine + + Ŀ + Ĵ -=FLT=- Senior Couriers + + + Berserker, Doctor Bombay, Shadow Angel, SkaTeMasTer + + Ŀ + Ĵ -=FLT=- Couriers + + + Arch Angel, Battle Axe, Coyotes Member, Cross, Destroyer + Dirty Frank, Feedback, Hellion, James Bomb, Kinetic Energy + Lethal Injection, Mind Bomb, Mystic Whiz + Prince of Sin, Sherlock Ohms + + Ŀ + Ĵ -=FLT=- Docs, Cheats & VGA + + + Dr. Crippen, Eloi, Hare Krishna, Network, + Revelation, Tank, The Weasel + + +ķ + -=FLT=- Boards +Ķ + BOARD NAME POSITION NUMBER SYSOP +Ķ + The BANE Of The BLACK SWORD World HQ XXX/PRI.VATE MOURNBLD + Golden Spires Canadian HQ 416/PRI.VATE Master-Tech + My Boomin' System (4 Nodes) Can. Courier HQ 514/PRI.VATE Blade Runner + HMS Bounty (4 Nodes) U.S. Courier HQ 714/PRI.VATE Fletcher +Ķ + Body Count Member Board 516/DIE.FEDS VenoM + Eyes Of The Dragon Member Board 207/YOU.WISH Crusher + Marvel Universe Member Board 215/YOU.WISH Wolverine + Neo-Tokyo Member Board 604/YOU.WISH Skeleton Sec. 
+ Nuclear Wastelandz Member Board 011/YOU.WISH Night Rang UK + The Nectar Base Member Board 602/YOU.WISH The Gh0dess + The Outer Limits (2 Nodes) Member Board 313/YOU.WISH FlashBack +Ķ + Beyond The Realm Of Reality Dist Site 310/869.9484 Legend Master + Bubba Land Dist Site 407/XXX.XXXX Bubba + The Burrows Dist Site 310/XXX.XXXX Weasel + CyberWars Dist Site 908/654.1290 Fearless Leade + Eldar's Craftworld Dist Site 418/XXX.XXXX Slum Dweller + Enigma Dist Site 201/XXX.XXXX Holy Avenger + Hydrogen Palace Dist Site 613/XXX.XXXX LoRD NuKE + Medieval Crypt Dist Site 214/XXX.XXXX Medieval Magi + Infinite Ragnarok Dist Site 916/863.1040 Jormungand + Inn Of The Last Home Dist Site 705/XXX.XXXX Caramon Majere + Pirate Mind Station Dist Site 314/567.3833 Felonius Monk + Rest In Peace Dist Site 513/XXX.XXXX Nuclear War + Rising Sun Dist Site 813/XXX.XXXX Orion + Second Sight Dist Site 416/XXX.XXXX Phalon + The Prison Dist Site 615/XXX.XXXX The Warden + Wintermute Dist Site 514/XXX.XXXX Case +Ľ + +ķ + + Fairlight is looking for DISTRIBUTION SITES... Apply NOW at the VMB!!! + If you're not satisfied with your current group, then let us know!!! + Fairlight P.O. BOX 43 Flat Rock, MI 48134 -=FLT=- Rockin '92 + The Fairlight VMB 1(800) 888-4117 Box 6958# + +Ľ + *** IF YOU LIKE THIS GAME, BUY IT! SOFTWARE AUTHORS DESERVE SUPPORT *** + \ No newline at end of file diff --git a/textfiles.com/piracy/FAIRLIGHT/flt1093.nfo b/textfiles.com/piracy/FAIRLIGHT/flt1093.nfo new file mode 100644 index 00000000..46964238 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/flt1093.nfo 
@@ -0,0 +1,122 @@ + + + + + + + + + + + + + + + + + + + ANSiJED + + + + +ķ + Positronic Bridge +Ķ + Supplied By: TRC/Wolfric Written By: Positronic Software + Cracked By: Gron Graphics: SVGA + Packaged By: CyberChrist Sound: None + Release Date: 10/13/93 Rating: 6/10 +Ķ + Well, this is a nice-looking bridge game if you are into card games. Just + unzip into a directory and install. The game doesn't have much in the way + of sound, but the graphics are nice. Look out for more games from us in + the next few days! -CC +Ķ + Greets: Warchild, Der Schatten, Spaceman Spiff, Heretic, Black Mischief + Shardik, Disk Killer, Rifleman, Avalon. +Ľ + + + Ŀ + Ĵ -=FLT=- President + + + Heretic + + Ŀ + Ĵ -=FLT=- Vice-President + + + CyberChrist + + Ŀ + Ĵ -=FLT=- Senior Staff + + + The Renegade Chemist, Shardik, Warchild, Raider, Der Schatten, + Disk Killer, Fourth Reich, Forced Entry + + + Ŀ + Ĵ -=FLT=- Euro Division + + + Strider, Black Shadow + + Ŀ + Ĵ -=FLT=- Members + + + Wizard, Escape Key, WarMaster, Dream Wraith, Vengeance + Avalon, Rupert, Lightning Hopkins, Cetis, Catalyst + PerSuader, Endeveron, General Zennor, Gron + Mad Doctor, Bash, Rip Torn, Merlin + + Ŀ + Ĵ -=FLT=- Courier Coordinators + + + Black Mischief + + Ŀ + Ĵ -=FLT=- Couriers + + + Nueromage, BloodWych, Sensei, Grandmaster Flash, Black Stealth + Vanilla Ice, 96 Faces, Blitzkreig, Holo Dream, Duke + Sassy, Ralph, Zork, Donatello, The Dutchmen + +ķ + - Fairlight Boards - +Ķ + BOARD NAME POSITION NUMBER SYSOP +Ķ + T.N.T World HQ 503/PRI.VATE Disk Killer + M.L.o.R. Courier HQ 804/PRI.VATE Escape Key + Unlimited Power Can HQ 905/PRI.VATE Raider + Data Security Consultants U.S.H.Q. 
217/PRI.VATE TRC + Vangaardium Aust HQ +61 /PRI.VATE Ice Pick +Ķ + Legion of Doom Dist Site 203/XXX.XXXX The Phantom + The Tower of Knowledge Dist Site 404/XXX.XXXX The Sage + Rebel Alliance Dist Site 914/XXX.XXXX Red Raider + The Prison Dist Site 615/XXX.XXXX The Warden + Orange Road Dist Site 604/XXX.XXXX Skeleton Scty + Mechanical Resistance Dist Site 708/XXX.XXXX Mr. Goodwrench + Alien Nation Dist Site 813/XXX.XXXX Evil Enforcer + Hemispheres Dist Site 404/XXX.XXXX Radar + The Arcade Dist Site 914/XXX.XXXX Robocop + Annihilation Nation Dist Site 403/XXX.XXXX Liquid Flesh + Metal Works Dist Site 318/XXX.XXXX Heavy Metal +Ľ + +ķ + + Fairlight is looking for DISTRIBUTION SITES... Apply NOW! + If you're not satisfied with your current group, then let us know! + Fairlight P.O. Box 68059 Blakely PO, Hamilton, ONT, L8M 3M7 + +Ľ + *** IF YOU LIKE THIS GAME, BUY IT! SOFTWARE AUTHORS DESERVE SUPPORT *** diff --git a/textfiles.com/piracy/FAIRLIGHT/flt1291.nfo b/textfiles.com/piracy/FAIRLIGHT/flt1291.nfo new file mode 100644 index 00000000..db8679ba --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/flt1291.nfo 
@@ -0,0 +1,176 @@ + Ŀ + USA/FLT United Software Association USA/FLT + Fairlight PC Division + + Proudly Presents + + SupaPlex + + From + + USA/FLT Digital Integration, LTD. USA/FLT + +Ŀ + + Supplied: The Dreamer + Cracked: The Dreamer + + Game Notes: This game is a trip, you'll really dig it. Don't be fooled + by the size of this file, this game has some awesome VGA + graphics, soundblaster and roland support and some intense + action! The game is like a fast-paced, balls-out version + of pac-man in 3-D. Well it's sorta like that, but there's + much, much more to it. A few weird things about the game: + It didn't work for me unless I had my mouse driver loaded, + and with the mouse I could only control the pointer on the + set up screen, not the game itself. While playing the game + you need to use either the joystick or the keyboard. Also, + before playing make sure you select the controls option + from the main screen to set up your sound board and controls. + This is an import, so don't expect any original dox. Just + play the game awhile and you will get the hang of it... It's + a pretty addictive and enjoyable game anyway. + + +Ŀ + + What's Up With USA/FLT? + ~~~~~~~~~~~~~~~~~~~~~~~ + Still need more couriers... Fill out an app and get it to us. + + +Ŀ + + Greets: INC, TC, CH + + + + - USA/FLT Senior Staff - + + Genesis, Silencer, The NotSoHumble Babe + + + - USA/FLT Members - + + Black Jack, Buckaroo Banzai, Fire, General Zennor, HAL9000, Harry Lime, + Lord Blix, Lord Sterling, Marko Ramius, Minor Threat, R. Bubba + Magillicutty, Repo Man, Static, The Guch and The Necromancer + + + - FairLight PC Members - + + Strider + + + - The USA-DoX Team - + + Caramon, FAThead, Genesis, Kublai Khan, Repo Man + + + - USA/FLT Couriers - + + -Senior- + + Heavy Metal and Tomkat + + -Normal- + + Alexis Machine, Dr. 
Crippen, Morpheus and Scorch + + -Trial- + + Egocentrix and Electric Element + +Ŀ + - USA/FLT Boards - +Ĵ + BOARD NAME POSITION NUMBER SYSOP +Ĵ + BBS-A-Holic Western Home 213/PRI.VATE Genesis + Enterprize Elite Eastern Home 313/PRI.VATE Static / The NSH Babe +Ĵ + The Mudd Club Member Board 713/347.1416 Lord Blix + The Inferno Member Board 416/493.9927 Harry Lime + The Rush Board Member Board 313/348.6057 The Necromancer + House Of Lords Member Board 714/681.9219 Lord Sterling + Radioactive Decay Member Board 213/923.4447 Repo Man + Infinity Member Board 914/229.8483 Fire + High Intensity Member Board 512/385.4912 Marko Ramius +Ĵ + World of Mirage Dist Site 718/898.8421 The Widowmaker + The Richter Scale Dist Site 516/754.6402 Earthquake + Elysium BBS Dist Site 508/468.7636 Squire + Khaotic Attractor Dist Site 508/970.5306 Mr Wyzard + The Powerdome Dist Site 901/872.3715 Electron + Modular Madness Dist Site 512/219.8045 Fatal Error + The Paki's Smell Dist Site 604/261.8182 Skeleton Secretary + Cloak & Dagger Dist Site 516/791.2156 Surak + The 4th Dimension Dist Site 813/948.1635 Time Traveler + The Krack House Dist Site 614/882.5546 Rainman + + +Ŀ + - USA/FLT Support Nodes - +Ĵ + + The World Of Krynn - Down River Elite - Amiga World - The End + + + + So you wanna be a USA Dist Site or Member huh? + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + If you are interested in becoming a USA/FLT Dist Site or Member, please + contact Genesis at BBS-A-Holic or TNSH Babe at Enterprise Elite. Tell + us what you have to offer to USA/FLT and you will be considered. All + of our members and dist sites are completely functional. This means + they all help the group in some way. If you can't or don't want to do + anything to help out, and just want to sit there and run a dist site, + then forget it. But if think you have something to offer and you want + to help the newest up and coming group reach the top, give us a call. 
+ USA/FLT Support Nodes are also available, inquire any Senior Staff + Member for details, or call the VMB and leave your info. + + + So you wanna be a USA Courier huh? + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Fill out a USA/FLT courier application and send it up to + BBS-A-Holic, private for Genesis. + +Ŀ + + You may contact us by mail at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + USA/Fairlight + 35526 Grand River, Suite 121 + Farmington Hills, MI 48335 + + OR + + Fairlight + P.O. Box 6 + 23600 Hollviken + Sweden + +Ĵ + + You may contact us by phone at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The USA/Fairlight VMB + + 716-987-1151 + +Ĵ + + *** S P E C I A L O F F E R *** + + VHS Movies Available - Write To Address Below For Info: + + Skid Row + Postrestante + 8450 Hammel + Denmark + + + diff --git a/textfiles.com/piracy/FAIRLIGHT/flt3.nfo b/textfiles.com/piracy/FAIRLIGHT/flt3.nfo new file mode 100644 index 00000000..6afd4522 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/flt3.nfo 
@@ -0,0 +1,130 @@ + + + + + + + + + + + + + + + + + ANSiJED + + + + + +ķ + PRESENTS: Cyber Empires +Ķ + Supplied By: Ford Perfect Written By: SSI + Cracked By: HAL9000 Graphics: 256 VGA + Packaged By: Crusher Sound: ALL + Release Date: 09/14/92 Rating: 9/10 +Ķ + + Game Notes: This is the latest from SSI. Cyber Empires is a strategic + game of world conquest full of explosive action. It + features cybernetic arcade action in a global style. Hope + you all enjoy this one... + + Thanks again go out to KingPin for the Killer FLT V-X Menus. + + + Group Notes: FAIRLIGHT, here to stay and DOMINATE!!! + + Special Greets: HAL9000 - Thanks for removing the doc check for us! + +Ķ + Greets: Ford Perfect, Orion, Shadow Angel, VenoM, The Hawk, FLT Couriers +Ľ + + + + Ŀ + Ĵ -=FLT=- Senior Staff + + + MOURNBLD, Strider + + Ŀ + Ĵ -=FLT=- Members + + + Blade Runner, Con Artist, Crusher, FlashBack, Ford Perfect + The Gh0dess, The Hawk, Heretic, Lord Blix, The Madman + Night Ranger, Skeleton Secretary, The Terminator + VenoM, Wolverine + + Ŀ + Ĵ -=FLT=- Senior Couriers + + + Orion, RoboCop, Shadow Angel, Warlock Bones + + Ŀ + Ĵ -=FLT=- Couriers + + + ArchAngel, Battle Axe, Berserker, Coyotes Member, Cross + Destroyer, Dirty Frank, Dr. Bombay, Eliott Nes, Felonius Monk + Hellion, Kinetic Energy, Lethal Injection, Mind Bomb + Sherlock Ohms, Skatemaster + + Ŀ + Ĵ -=FLT=- Docs, Cheats & VGA + + + Dr. Crippen, Hare Krishna, Revelation, Tank + +ķ + -=FLT=- Boards +Ķ + BOARD NAME POSITION NUMBER SYSOP +Ķ + The BANE Of The BLACK SWORD World HQ XXX/PRI.VATE MOURNBLD + Golden Spires Canadian HQ 416/PRI.VATE Master-Tech + My Boomin' System (4 Nodes) Can. Courier HQ 514/PRI.VATE Blade Runner + HMS Bounty (4 Nodes) U.S. Courier HQ 714/PRI.VATE Fletcher +Ķ + Body Count Member Board 516/DIE.FEDS VenoM + Eyes Of The Dragon Member Board 207/YOU.WISH Crusher + Marvel Universe Member Board 215/YOU.WISH Wolverine + Neo-Tokyo Member Board 604/YOU.WISH Skeleton Sec. 
+ The Nectar Base Member Board 602/YOU.WISH The Gh0dess + The Outer Limits (2 Nodes) Member Board 313/YOU.WISH FlashBack +Ķ + Battle Field Dist Site 706/XXX.XXXX Buck Blazer + Beyond The Realm Of Reality Dist Site 310/869.9484 Legend Master + The Burroughs Dist Site 310/XXX.XXXX Weasel + Carbon Nation Dist Site 708/965.8965 Pepsi Man + Cygnus-X Dist Site 305/XXX.XXXX Spike + CyberWars Dist Site 908/654.1290 Fearless Leade + Eldar's Craftworld Dist Site 418/XXX.XXXX Slum Dweller + Enigma Dist Site 201/XXX.XXXX Holy Avenger + Hydrogen Palace Dist Site 613/XXX.XXXX LoRD NuKE + Infinite Ragnarok Dist Site 916/XXX.XXXX Jormungand + Inn Of The Last Home Dist Site 705/XXX.XXXX Caramon Majere + Pirate Mind Station Dist Site 314/567.3833 Felonius Monk + Rest In Peace Dist Site 513/XXX.XXXX Nuclear War + Second Site Dist Site 416/XXX.XXXX Phalon + The Prison Dist Site 615/XXX.XXXX The Warden + The World Of Krynn Dist Site 313/XXX.XXXX Caramon + Wintermute Dist Site 514/XXX.XXXX Case +Ľ + +ķ + + Fairlight is looking for DISTRIBUTION SITES... Apply NOW at the VMB!!! + If you're not satisfied with your current group, then let us know!!! + Fairlight P.O. BOX 43 Flat Rock, MI 48134 -=FLT=- Rockin '92 + The Fairlight VMB 1(800) 356-1547 Box 4221# + +Ľ + *** IF YOU LIKE THIS GAME, BUY IT! SOFTWARE AUTHORS DESERVE SUPPORT *** diff --git a/textfiles.com/piracy/FAIRLIGHT/flt4.nfo b/textfiles.com/piracy/FAIRLIGHT/flt4.nfo new file mode 100644 index 00000000..d671f3e9 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/flt4.nfo 
@@ -0,0 +1,188 @@ + + + . + + + + ߲۲ ۲ ۲ ۲ ۲ ۲ ۲ ۲۲۲ + ܲ ߲ + ߱ ߱ ߱ + + + When Dreams Come True + + + + + + + + + + + + -PROUDLY PRESENTS- +ķ + L.A. Law +Ķ + Supplied by: THE HAWK Written by: Capstone + Cracked by: N/A Protection: Shrink Wrap + Packaged by: THE HAWK Graphics/Sound: VGA/SB & ADLIB + Release Date: 12/03/92 Game Type: Adventure Type + Rating: 8/10 # of Disks: 3(720k) +Ķ + Game Notes: Well the game pretty cool, you basically go around tring to + solve your court cases and prove that your client is incoennt + The game has some pretty cool digitized pictures. + Look for more FAiRLiGHT Releases today!!! + + + Group Notes: To those you thought/wished we were dead??? DREAM ON! + + + Personal Greets: Perptual Demise, Orion, Sicko, R/\D/\R, and Silencer +Ķ + Greets go out to: Pyradical, TRSi, Crystal, and MiNiSTRY. +Ľ + + ķ + Ķ -FLT- Main Organizers + Ľ + + FLT Euro Division - STRIDER + FLT USA Division - Ford Perfect + + ķ + Ķ -FLT- Senior Staff + Ľ + + Blade Runner, Con Artist, Silent Stalker + THE HAWK, VenoM + + ķ + Ķ -FLT- Members + Ľ + + ACE, Berserker, Beach Bum, Califboy, Flashback, FILA + Iceberg, ICE-T, Jack, Kingpin, MICHELANGELO, New Kid + Night Ranger, Orion, RADAR, Rifleman, Shadow Angel + SkaTeMasTer, Sparky, The Terminator + Tom Brokaw, Ufonaut, Union Jack + + ķ + Ķ -FLT- Senior Couriers + Ľ + + Dirty Frank, Doctor Bombay, Dorian Hawkmoon + Fourth Reich, Gank Master, Mind Bomb + Overlord, Pagan + + ķ + Ķ -FLT- Couriers + Ľ + + Always Dangerous, Arch Angel, Armoured Saint, Avalanche + Darkstar, Doom, Enforcer, Fear, Flyboy, Fresh Kid Ice, Fugazi + Fugazi, Genicide, Genocide, Ghost Pilot, Godfather, Havok, Insector X + James Bomb, JC Poon, Jester, King Meat, Lips, Malachai, Master of Diaster + Nightblade, Oolan, Plague, Raging Bull, Raven, Rick Hunter, Rougue + Sai Kotic, Shadowlord, Stalker, Steel Thunder, The Destroyer, The Judge + The Outcast, Touchtone, Traumatic Breakdown, Unsettled Soul, Viper + X-Man, Zakafein + + ķ + Ķ -FLT- 
Cheats/Trainers + Ľ + + The Phoney Coders + Hare Krishna, Patch + Rescue Raider, The Phrophet, The Weasel + + + ķ + Ķ -FLT- DOXS + Ľ + + Crystal Warrior & Kublai Khan + Fourth Reich, Hellspawn, Hell Bound + HELLION + +ķ + -=FLT=- Boards +Ķ + BOARD NAME POSITION NUMBER SYSOP +Ķ + Body Count World HQ 516/DIE.MIKE VenoM + Digital Wasteland U.K. HQ +44-81BACKUP! Night Ranger + Unlimited Access (3 Nodes) German HQ +49-30BACKUP! Sparky + My Boomin' System (4 Nodes) Canadian HQ 514/PRI.VATE Blade Runner + HMS Bounty (4 Nodes) US West Cour HQ 714/PRI.VATE Fletcher + Sin City (6 Nodes) US East Cour HQ 813/PRI.VATE Hellion +Ķ + Crime Ring Member Board 714/YOU.WISH Kingpin + Golden Spires Member Board 416/YOU.WISH Master-Tech + Harmony Skates (2 Nodes) Member Board 718/ViS.iONX SkateMaster + Lithium Member Board 813/YOU.WISH Shadow Angel + Manhattan Project (2 Nodes) Member Board 503/YOU.WISH Rifleman + Narcotik Illusion Member Board 703/YOU.WISH Con Artist + Pirate Mind Station Member Board 314/YOU.WISH Felonius Monk + Rising Sun Member Board 813/YOU.WISH Orion + The Outer Limits (2 Nodes) Member Board 313/YOU.WISH FlashBack + The Hood (2 Nodes) Member Board 416/YOU.WISH Berserker + UnderWorld Member Board 916/YOU.WISH Califboy +Ķ + After Midnight Dist Site 310/XXX.XXXX The Painter + Bubba Land Dist Site 407/XXX.XXXX Bubba + Covert Action ][ Dist Site 818/XXX.XXXX Contra + CyberWars Dist Site 908/XXX.XXXX Fearless Leadr + Eldar's Craftworld Dist Site 418/XXX.XXXX Slum Dweller + Enigma Dist Site 201/XXX.XXXX Holy Avenger + Fourth Reich Dist Site 916/XXX.XXXX Prince of Sin + Gator Crator Dist Site 318/XXX.XXXX Gatorman + Infinite Ragnarok Dist Site 916/XXX.XXXX Jormungand + Private Collection Dist Site 305/XXX.XXXX Wild Child + Park Centeral Dist Site 708/XXX.XXXX Silver V + Second Sight Dist Site 416/XXX.XXXX Phalon + The City Dist Site 813/XXX.XXXX The Bainster + The Game Grid Dist Site 513/XXX.XXXX Tron + The Prison Dist Site 615/XXX.XXXX The Warden + The Sewer Dist Site 
+47/67.33292 Phoenix + The Wooden Boxcar Dist Site 606/XXX.XXXX Packrat + Tower of Knowledge Dist Site 404/XXX.XXXX The Sage + Twilight Zone Dist Site 504/XXX.XXXX Jack Flash + Wintermute Dist Site 514/XXX.XXXX Case +Ľ + + + + + + + + + + + + +ķ + FAIRLIGHT is currently accepting Dist. Sites call Lithium logon on as + FAIRLIGHT APPLY password FAIRLIGHT. Leave your board #, voice #, and + best time to get in touch with you. + get in touch with you. + + FAIRLIGHT is looking for good couriers, if you are interested then logon + Lithium with the account mentioned above. And leave your alias, name, + voice # and time to call. + + FAIRLIGHT is also looking for people that can Scan Docs, Code Loaders, + Make MODS, Crack, and Supply. If you are one of these people then call + Lithium with the FAIRLIGHT APPLY account and leave what you can do and + how to get ahold of you. + + Lithium - 813-799-4417 + + FAIRLIGHT 'When Dreams Come True' +Ľ + *** IF YOU LIKE THIS GAME, BUY IT! SOFTWARE AUTHORS DESERVE SUPPORT *** + + diff --git a/textfiles.com/piracy/FAIRLIGHT/flt5.nfo b/textfiles.com/piracy/FAIRLIGHT/flt5.nfo new file mode 100644 index 00000000..bbe1e840 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/flt5.nfo 
@@ -0,0 +1,109 @@ + + + + + + + + + + + + + + + + + ANSiJED + + + + + +ķ + PRESENTS: Barbie +Ķ + Supplied By: Mournblade,Flashback Written By: HI-TECH Expressions + Cracked By: N/A Graphics: EGA/CGA/TGA/MCGA + Packaged By: VenoM Sound: PC Speaker + Release Date: 07/10/92 Rating: 5/10 +Ķ + + Game Notes: Although this is not for everybody, I am sure that this will + make someone's child very happy, and they count too. As a + matter of policy, Fairlight will support Children's Programs + as well as the regular games. + + To play the game run START.BAT. If you own a Tandy computer, + type GAME.EXE TANDY, from the DOS prompt. To Jump press + 'Ctrl' or 'Shift'. To select charms press the Space Bar, + and to use them hit the Space Bar. + + + +Ķ + Greets: Heretic, Crash Impact, and -=TDT=- +Ľ + + + + Ŀ + Ĵ -=FLT=- Senior Staff + + + Heretic, Kintaro, Mournblade, Strider + + Ŀ + Ĵ -=FLT=- Members + + + Grimstalk (Courier Co-Ordinator), R. Bubba Magillicutty, + Lord Blix, Hagbard Celine, VenoM, FlashBack, + Ryec, Wolverine, & Doc Holiday + + Ŀ + Ĵ -=FLT=- Couriers + + + Catalyst, Coyotes Member, Gank Master, Jam Jobe, Lord Nelson + Mind Bomb, Felonius Monk, Lord Toxin & The Sleepwalker + + Ŀ + Ĵ -=FLT=- Docs & Cheats + + + EarthQuake, Tank + + +ķ + -=FLT=- Boards +Ķ + BOARD NAME POSITION NUMBER SYSOP +Ķ + Whirlwind World HQ 416/XXX.XXXX Heretic + Lysergic Delusions U.S. HQ West 510/XXX.XXXX Kintaro + The Bane of the Black Sword Coming Soon XXX/XXX.XXXX Mournblade + Apocalypse (3 Nodes) U.S. HQ East 703/XXX.XXXX P.O.W. +Ķ + Body Count Member Board 516/XXX.XXXX VenoM + Marvel Universe Member Board 215/XXX.XXXX Wolverine + The Outer Limits Member Board 313/XXX.XXXX FlashBack +Ķ + D'M0B Dist Site 604/XXX.XXXX Chaos Master + Neo-Tokyo Dist Site 604/XXX.XXXX Skeleton Sec. 
+ Pirate Mind Station Dist Site 314/XXX.XXXX Felonius Monk + Purple Haze Dist Site 313/XXX.XXXX Speedball + Psychonuerosis Dist Site 301/XXX.XXXX Gank Master + The Prison Dist Site 615/XXX.XXXX The Warden + The Richter Scale Dist Site 516/XXX.XXXX EarthQuake + The World of Krynn Dist Site 313/XXX.XXXX Caramon + Wintermute Dist Site 514/XXX.XXXX Case +Ľ + +ķ + + We are currently looking for a few good Couriers. Send all applications + to Grimstalk at Whirlwind, or look for our 1-800 VMB coming soon. + +Ľ + diff --git a/textfiles.com/piracy/FAIRLIGHT/fltpc.nfo b/textfiles.com/piracy/FAIRLIGHT/fltpc.nfo new file mode 100644 index 00000000..3c9815ba --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/fltpc.nfo 
@@ -0,0 +1,181 @@ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + USA/FLT United Software Association USA/FLT + Fairlight PC Division + + Proudly Presents + + Castle of Dr. Brain Codes + + From + + Sierra On-Line + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Code Notes: Well Sierra does it again... Once agian they managed to + integrate some type of sneaky copy protection into the game. + The copy protection is integrated as part of one of the + puzzles. The first time it comes up is when you are + inside the Castle and try to get through one of the doors. + You get keywords from solving the puzzles, then when you + try to get through the main door, you have to decode the + keywords into a code with funky symbols and input the + code to pass the door. The enclosed GIF is a scan of + the decoder part of the manual. Print it out and use + it to decode the keywords you are given. This shit + might pop up in other parts of the game too, we don't + know yet, but this GIF will get you past it wherever + it shows up. + + Before any of you go off half-cocked and bitch about us + not cracking this, keep in mind that to crack this game + would mean to solve the puzzle. That would make the + game just a bit pointless, since it is a puzzle game. + + We still need Christmas Couriers! Only a few courier positions + left! We are in need of couriers available in the DAYTIME. If + you are available during weekdays and interested in couriering + for USA/FLT, please fill out the enclosed USACOUR.APP and send + it on up to BBS-A-Holic. + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + Greets: INC, Razor, TDT/SR, TRSI + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + - USA Members - + + The NotSoHumble Babe, Silencer, Genesis, Lord Blix, Harry Lime, Static, + The Necromancer, R. 
Bubba Magillicutty, Mad Gib, The Guch, + Lord Sterling and Repo Man + + + - FairLight PC Members - + + Strider + + + - The USA-DoX Team - + + Genesis, Repo Man, FAThead, Kublai Khan + + + - USA/FLT Couriers - + + Morpheus, Crime Slave, Dr. Crippen, Heavy Metal, Prizm, Live Wire, + Scorch, Ice Cube, TomKat + + + - USA/FLT Boards - + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + BOARD NAME POSITION NUMBER SYSOP +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + BBS-A-Holic Western Home 213-PRI-VATE Genesis + Enterprize Elite Eastern Home 313-PRI-VATE Static / The NSH Babe + The Mudd Club Member Board 713-347-1416 Lord Blix + The Inferno Member Board 416-493-9927 Harry Lime + The Rush Board Member Board 313-348-6057 The Necromancer + House Of Lords Member Board 714-681-9219 Lord Sterling + Radioactive Decay Member Board 213-923-4447 Repo Man + tHe CrAcK iN tImE Dist Site 2o1-573-o449 The Punisher + Support HQ Dist Site 415-692-6037 X-Terminator + The Red Sector Dist Site 713-952-7682 The Guardian + World of Mirage Dist Site 718-898-8421 The Widowmaker + The Richter Scale Dist Site 516-754-6402 Earthquake + Elysium BBS Dist Site 508-468-7636 Squire + Khaotic Attractor Dist Site 508-970-5306 Mr Wyzard + The Powerdome Dist Site 901-872-3715 Electron + Digital Reich Dist Site 716-621-7240 Live Wire +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + -*****************************************- + = SPECIAL ANNOUNCEMENT FROM LORD STERLING = + -*****************************************- + + As you may have noticed, my name has been showing up in both THG's + and USA's .NFO files. Effectively, this obviously concocted much + confusion. Personally, I don't know what's going on. My guess, + it's a canny way of THG's endeavor to ask me back, I wish I knew! 
+ + Since THG's Member eradication, which included me, I have NOT + been in contact with ANY of the THG Members neither directly nor + indirectly. When USA formed, I was right there with them. Almost + immediately after THG learned I was in this new Ex-THG Member's + Group, I was conveniently put right back into the THG .NFO file as + a Member; like nothing happened, right? My name has been popping + in and out of the THG .NFO since the beginning of USA's + establishment. It's thoroughly confused me as well as all of you + that have been paying attention. I'll continue to support ONLY + one group ... USA/FLT! + + Regards, + + Lord Sterling + + To the Head Honcho at THG: + + Please save us all the confusion. From now on, omit me from your + .NFO files. Much Appreciated! + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + + So you wanna be a USA Dist Site or Member huh? + + If you are interested in becoming a USA/FLT Dist Site or Member, please + contact Genesis at BBS-A-Holic or TNSH Babe at Enterprise Elite. Tell + us what you have to offer to USA/FLT and you will be considered. All + of our members and dist sites are completely functional. If you can't + or don't want to do anything to help out, and just want to sit there + and run a dist site, then forget it. But if think you have something to + offer and you want to help the newest up and coming group reach the top, + give us a call. + + + So you wanna be a USA Courier huh? + + Fill out a USA/FLT courier application and send it up to + BBS-A-Holic, private for Genesis. + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + You may contact us by mail at: + + USA/Fairlight + 35526 Grand River, Suite 121 + Farmington Hills, MI 48335 + + -OR- + + Fairlight + P.O. 
Box 6 + 23600 Hollviken + Sweden + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + You may contact us by phone at: + + The USA/Fairlight VMB + + 716-987-1151 + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + *** S P E C I A L O F F E R *** + + VHS Movies Available - Write To Address Below For Info: + + Skid Row + Postrestante + 8450 Hammel + Denmark + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + "All's Fair In Love And Warez" + (Except Stealing Other Groups Releases) + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- diff --git a/textfiles.com/piracy/FAIRLIGHT/global.nfo b/textfiles.com/piracy/FAIRLIGHT/global.nfo new file mode 100644 index 00000000..4c5881b6 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/global.nfo 
@@ -0,0 +1,111 @@ + + + + + + + + + + + P R O U D L Y P R E S E N T S + + Global Effect + + Ŀ + Program By: Millennium Graphic Support: VGA + Ĵ + Cracked By: The Terminator Sound Supported: Adlib/SB/Roland + Ĵ + Date of Release: June 1st, 1992 Controls: Mouse + Ĵ + + Protection: Waste of time. Less than 2 Minutes, Blades went over the + ~~~~~~~~~~ protection without debugging the game. L8r! + + Installation: UnZIP using the '-d' option. If you want to change your + ~~~~~~~~~~~~~ configuration, run INSTALL.EXE... + + Greets: Congrats to RAZOR for not double-releasing Aces of the Pacific. + ~~~~~~~ Oh, yeah, and we had a bet on who would release 'The Four + Crystals of Trazere' first. Too bad TDT beat you on that + game a few months ago (Legends). You guys should really check + what you release before you put it out...Same exact game but + different name...Awesome, man :-() + + + + + Fairlight PC Division Staff + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Senior Staff: STRIDER, HERETIC, TRICK LORD, BLADE RUNNER + + Courier Coordinator: PSYLOCKE + + Members: THE TERMINATOR, GRIMSTALK, DOCTOR CRIPPEN + PROFESSOR SINISTER, WOLVERINE, ALEXIS MACHINE + HAGBARD CELINE, UNION JACK + + Senior Couriers: HEAVY METAL, COYOTES MEMBER + MR. 
MIXTY, SILENT ASSASSIN + + Couriers: THE SLEEPWALKER, KARRION + CATALYST, LORD NELSON + + Loaders and Cheats: THE NECROMANCER, BLACKJACK, TANK + + + FAIRLIGHT PC DISTRIBUTION ۲ + Ŀ + Board Name Phone Number SysOp INFO/NUP + Ĵ + The Bastille 217/YOU.WISH Trick Lord World HQ + Whirlwind 416/YOU.WISH Heretic Canada HQ + My BoOMin' System 514/YOU.WISH Blade Runner Courier HQ + Ĵ + Neo Tokyo 604/PRI.VATE Skeleton Secretary Distribution + Pirate Mind Station 314/PRI.VATE Felonius Monk Distribution + d'M0b 604/PRI.VATE Chaos Master Distribution + Richter Scale 516/PRI.VATE Earthquake Distribution + Marvel Universe 215/PRI.VATE Wolverine Distribution + The World of Krynn 313/PRI.VATE Caramon Distribution + Purple Haze 313/PRI.VATE Speedball Distribution + The Outer Limits 313/PRI.VATE Flashback Distribution + The Prison 615/PRI.VATE The Warden Distribution + + + Ŀ + We are currently looking for sites to carry the new Ethereal-Net. Fill + out the included application called ETHEREAL.APP and send it up to your + favorite FairLighT board. Thank you! + + + ************************************************************* + Fairlight is looking for distribution sites around the + world. If you think you have what it takes contact us at the + places designated below. Serious enquiries only please! + ************************************************************* + + -->>> NEED A LIFE? WELL.... <<<-- + Call our WORLD HEADQUARTERS listed above. + Now accepting new users...maybe. + + Ŀ + + You may contact us by mail at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + -->>FAIRLIGHT PC<<-- -->FLT AMIGA/PC<-- -->>FLT AMIGA<<-- + =================================================================== + FAIRLIGHT PC AMERICA FAIRLIGHT WORLD HQ FAIRLIGHT AMERICA + PO BOX 6864 PO BOX 6 PO BOX 268 + CHAMPAIGN, IL 61826-6864 23600 HOLLVIKEN AMISSVILLE, VA 22002 + U.S.A. SWEDEN U.S.A. + + You may contact us by phone at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + 716-987-1151 + + 
diff --git a/textfiles.com/piracy/FAIRLIGHT/gnb.nfo b/textfiles.com/piracy/FAIRLIGHT/gnb.nfo new file mode 100644 index 00000000..f0253999 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/gnb.nfo 
@@ -0,0 +1,132 @@ + + + + + + + + + + + + + + + + + ANSiJED + + + + + +ķ + PRESENTS: Great Naval Battles +Ķ + Supplied By: Ford Perfect Written By: SSI + Cracked By: The Terminator Graphics: 256 VGA + Packaged By: Night Ranger Sound: ALL + Release Date: 09/26/92 Rating: 9/10 +Ķ + + Game Notes: Here's another great release from SSI and Fairlight. + Spactacular graphics and great sound give this one a + rating of 9. Hope ya like this one.. + + + + + Group Notes: FAIRLIGHT, taking over the world with quality releases! + + + +Ķ + Greets: Ford Perfect, Night Ranger UK, The Hawk, Doctor Bombay, Mournblade +Ľ + + + + Ŀ + Ĵ -=FLT=- Senior Staff + + + MOURNBLD, Strider + + Ŀ + Ĵ -=FLT=- Members + + + Blade Runner, Con Artist, Crusher, FlashBack, Ford Perfect + The Gh0dess, Hannibal Lektor, The Hawk, Lord Blix, Night Ranger, + Night Ranger UK, The Madman, Skeleton Secretary, + The Terminator, VenoM, Wolverine + + Ŀ + Ĵ -=FLT=- Senior Couriers + + + Berserker, Orion, Shadow Angel, SkaTeMasTer + + Ŀ + Ĵ -=FLT=- Couriers + + + Arch Angel, Battle Axe, Coyotes Member, Cross, Destroyer + Dirty Frank, Doctor Bombay, Elliot Nes, Feedback, + Felonius Monk, Hellion, Kinetic Energy, Lethal Injection, + Mind Bomb, RoboCop, Sherlock Ohms, Warlock Bones + + Ŀ + Ĵ -=FLT=- Docs, Cheats & VGA + + + Dr. Crippen, Eloi, Hare Krishna, Network, + Pepsi Man, Revelation, Tank, The Weasel + +ķ + -=FLT=- Boards +Ķ + BOARD NAME POSITION NUMBER SYSOP +Ķ + The BANE Of The BLACK SWORD World HQ XXX/PRI.VATE MOURNBLD + Golden Spires Canadian HQ 416/PRI.VATE Master-Tech + My Boomin' System (4 Nodes) Can. Courier HQ 514/PRI.VATE Blade Runner + HMS Bounty (4 Nodes) U.S. Courier HQ 714/PRI.VATE Fletcher +Ķ + Body Count Member Board 516/DIE.FEDS VenoM + Eyes Of The Dragon Member Board 207/YOU.WISH Crusher + Marvel Universe Member Board 215/YOU.WISH Wolverine + Neo-Tokyo Member Board 604/YOU.WISH Skeleton Sec. 
+ Nuclear Wastelandz Member Board 011/YOU.WISH Night Rang UK + The Nectar Base Member Board 602/YOU.WISH The Gh0dess + The Outer Limits (2 Nodes) Member Board 313/YOU.WISH FlashBack +Ķ + Battle Field Dist Site 706/XXX.XXXX Buck Blazer + Beyond The Realm Of Reality Dist Site 310/869.9484 Legend Master + Bubba Land Dist Site 407/XXX.XXXX Bubba + The Burroughs Dist Site 310/XXX.XXXX Weasel + Carbon Nation Dist Site 708/965.8965 Pepsi Man + CyberWars Dist Site 908/654.1290 Fearless Leade + Eldar's Craftworld Dist Site 418/XXX.XXXX Slum Dweller + Enigma Dist Site 201/XXX.XXXX Holy Avenger + Hydrogen Palace Dist Site 613/XXX.XXXX LoRD NuKE + Medieval Crypt Dist Site 214/XXX.XXXX Medieval Magi + Infinite Ragnarok Dist Site 916/863.1040 Jormungand + Inn Of The Last Home Dist Site 705/XXX.XXXX Caramon Majere + Pirate Mind Station Dist Site 314/567.3833 Felonius Monk + Rest In Peace Dist Site 513/XXX.XXXX Nuclear War + Rising Sun Dist Site 813/XXX.XXXX Orion + Second Sight Dist Site 416/XXX.XXXX Phalon + The Prison Dist Site 615/XXX.XXXX The Warden + Wintermute Dist Site 514/XXX.XXXX Case +Ľ + +ķ + + Fairlight is looking for DISTRIBUTION SITES... Apply NOW at the VMB!!! + If you're not satisfied with your current group, then let us know!!! + Fairlight P.O. BOX 43 Flat Rock, MI 48134 -=FLT=- Rockin '92 + The Fairlight VMB 1(800) 356-1547 Box 4221# + +Ľ + *** IF YOU LIKE THIS GAME, BUY IT! SOFTWARE AUTHORS DESERVE SUPPORT *** diff --git a/textfiles.com/piracy/FAIRLIGHT/goblins.nfo b/textfiles.com/piracy/FAIRLIGHT/goblins.nfo new file mode 100644 index 00000000..34869c8e --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/goblins.nfo 
@@ -0,0 +1,167 @@ + Ŀ + USA/FLT United Software Association USA/FLT + Fairlight PC Division + + Proudly Presents + + Goblins + + From + + USA/FLT C.V.S. USA/FLT + +Ŀ + + Supplied: INC + Cracked: Hal 9000 + + Cracking Notes: This game was worse than Sierra protection! It had + password protection right at the beginning but it was + sure tough to crack. The usual: VGA, SB, Adlib. Enjoy! + + +Ŀ + + What's Up With USA/FLT? + ~~~~~~~~~~~~~~~~~~~~~~~ + Still need more couriers... Fill out an app and get it to us. + + +Ŀ + + Greets INC - Well, what can we say to you, Merry Christmas guys, and + that also goes for TDT, TRSI, and everyone else. + Genesis - There, is this better! Have a good time today! + + + + - USA/FLT Senior Staff - + + Genesis, Silencer, The NotSoHumble Babe + + + - USA/FLT Members - + + Black Jack, Buckaroo Banzai, Fire, HAL9000, Harry Lime, Lord Blix, Lord + Sterling, Marko Ramius, Minor Threat, R. Bubba Magillicutty, Repo Man, + Static, The Guch and The Necromancer + + + - FairLight PC Members - + + Strider + + + - The USA-DoX Team - + + Caramon, FAThead, Genesis, Kublai Khan, Repo Man + + + - USA/FLT Couriers - + + -Senior- + + Heavy Metal and Tomkat + + -Normal- + + Alexis Machine, Dr. 
Crippen, Morpheus and Scorch + + -Trial- + + Egocentrix and Electric Element + +Ŀ + - USA/FLT Boards - +Ĵ + BOARD NAME POSITION NUMBER SYSOP +Ĵ + BBS-A-Holic Western Home 213/PRI.VATE Genesis + Enterprize Elite Eastern Home 313/PRI.VATE Static / The NSH Babe +Ĵ + The Mudd Club Member Board 713/347.1416 Lord Blix + The Inferno Member Board 416/493.9927 Harry Lime + The Rush Board Member Board 313/348.6057 The Necromancer + House Of Lords Member Board 714/681.9219 Lord Sterling + Radioactive Decay Member Board 213/923.4447 Repo Man + Infinity Member Board 914/229.8483 Fire + High Intensity Member Board 512/385.4912 Marko Ramius +Ĵ + World of Mirage Dist Site 718/898.8421 The Widowmaker + The Richter Scale Dist Site 516/754.6402 Earthquake + Elysium BBS Dist Site 508/468.7636 Squire + Khaotic Attractor Dist Site 508/970.5306 Mr Wyzard + The Powerdome Dist Site 901/872.3715 Electron + Arachnophobia Dist Site +31/40817579 GML/TU + Modular Madness Dist Site 512/219.8045 Fatal Error + The Paki's Smell Dist Site 604/261.8182 Skeleton Secretary + Cloak & Dagger Dist Site 516/791.2156 Surak + The 4th Dimension Dist Site 813/948.1635 Time Traveler + The Krack House Dist Site 614/882.5546 Rain Man + + +Ŀ + - USA/FLT Support Nodes - +Ĵ + + The World Of Krynn - Down River Elite - Amiga World - The End + + + + So you wanna be a USA Dist Site or Member huh? + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + If you are interested in becoming a USA/FLT Dist Site or Member, please + contact Genesis at BBS-A-Holic or TNSH Babe at Enterprise Elite. Tell + us what you have to offer to USA/FLT and you will be considered. All + of our members and dist sites are completely functional. This means + they all help the group in some way. If you can't or don't want to do + anything to help out, and just want to sit there and run a dist site, + then forget it. But if think you have something to offer and you want + to help the newest up and coming group reach the top, give us a call. 
+ USA/FLT Support Nodes are also available, inquire any Senior Staff + Member for details, or call the VMB and leave your info. + + + So you wanna be a USA Courier huh? + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Fill out a USA/FLT courier application and send it up to + BBS-A-Holic, private for Genesis. + +Ŀ + + You may contact us by mail at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + USA/Fairlight + 35526 Grand River, Suite 121 + Farmington Hills, MI 48335 + + OR + + Fairlight + P.O. Box 6 + 23600 Hollviken + Sweden + +Ĵ + + You may contact us by phone at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The USA/Fairlight VMB + + 716-987-1151 + +Ĵ + + *** S P E C I A L O F F E R *** + + VHS Movies Available - Write To Address Below For Info: + + Skid Row + Postrestante + 8450 Hammel + Denmark + + + diff --git a/textfiles.com/piracy/FAIRLIGHT/hoy3vga.nfo b/textfiles.com/piracy/FAIRLIGHT/hoy3vga.nfo new file mode 100644 index 00000000..427c3878 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/hoy3vga.nfo 
@@ -0,0 +1,159 @@ + Ŀ + USA/FLT United Software Association USA/FLT + Fairlight PC Division + + Proudly Presents + + Hoyles Book Of Games ]I[ - VGA + + From + + USA/FLT Sierra On-Line USA/FLT + +Ŀ + + Game Notes: Well we haven't had much luck with spotting the protection in + Sierra games prior to release lately, but we did play this one + for about an hour and a half before releasing it, and we found + no protection whatsoever. So if you do by any chance find any + protection please let us know and we'll fix it, or have our + favorite freelance cracker, Mad Scientist do it for us. + + +Ŀ + + What's Up With USA/FLT? + ~~~~~~~~~~~~~~~~~~~~~~~ + We still need Christmas Couriers! Only a few courier positions + left! We are in need of couriers available in the DAYTIME. If + you are available during weekdays and interested in couriering + for USA/FLT, please fill out the enclosed USACOUR.APP and send + it on up to BBS-A-Holic. + + Call The VMB - 716/987.1151 + + +Ŀ + + Greets: INC, Razor, TDT/SR, TRSI + + Cool Hand - It was good talking to you. Thanks for calling. + + Mad Scientist - Dude, you are a great cracker, no one doubts that. + To my knowledge none of our members said you could + not crack Dr. Brain, as you allege. I'm sorry + there are all these bad feelings between you and + USA. I wish I knew what we ever did to you to + cause you to be so hateful towards us. There's + really no reason for it, dude... With your talent + you should have nothing to prove. + + + + - USA/FLT Senior Staff - + + Genesis, The NotSoHumble Babe, Silencer + + + - USA/FLT Members - + + The Guch, Harry Lime, Lord Sterling, The Necromancer, R. Bubba Magillicutty, + Repo Man and Static + + + - FairLight PC Members - + + Strider + + + - The USA-DoX Team - + + Genesis, Repo Man, FAThead, Kublai Khan + + + - USA/FLT Couriers - + + Dr. 
Crippen, Heavy Metal, Ice Cube, Live Wire, Scorch, and Tomkat + +Ŀ + - USA/FLT Boards - +Ĵ + BOARD NAME POSITION NUMBER SYSOP +Ĵ + BBS-A-Holic Western Home 213-PRI-VATE Genesis + Enterprize Elite Eastern Home 313-PRI-VATE Static / The NSH Babe +Ĵ + The Inferno Member Board 416-493-9927 Harry Lime + The Rush Board Member Board 313-348-6057 The Necromancer + House Of Lords Member Board 714-681-9219 Lord Sterling + Radioactive Decay Member Board 213-923-4447 Repo Man +Ĵ + The Red Sector Dist Site 713-952-7682 The Guardian + World of Mirage Dist Site 718-898-8421 The Widowmaker + The Richter Scale Dist Site 516-754-6402 Earthquake + Elysium BBS Dist Site 508-468-7636 Squire + Khaotic Attractor Dist Site 508-970-5306 Mr Wyzard + The Powerdome Dist Site 901-872-3715 Electron + Digital Reich Dist Site 716-621-7240 Live Wire + + +Ŀ + - USA/FLT Support Nodes - +Ĵ + + The World Of Krynn - Down River Elite + + + + So you wanna be a USA Dist Site or Member huh? + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + If you are interested in becoming a USA/FLT Dist Site or Member, please + contact Genesis at BBS-A-Holic or TNSH Babe at Enterprise Elite. Tell + us what you have to offer to USA/FLT and you will be considered. All + of our members and dist sites are completely functional. This means + they all help the group in some way. If you can't or don't want to do + anything to help out, and just want to sit there and run a dist site, + then forget it. But if think you have something to offer and you want + to help the newest up and coming group reach the top, give us a call. + USA/FLT Support Nodes are also available, inquire any Senior Staff + Member for details. + + + So you wanna be a USA Courier huh? + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Fill out a USA/FLT courier application and send it up to + BBS-A-Holic, private for Genesis. 
+ + + You may contact us by mail at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + USA/Fairlight + 35526 Grand River, Suite 121 + Farmington Hills, MI 48335 + + OR + + Fairlight + P.O. Box 6 + 23600 Hollviken + Sweden + + + You may contact us by phone at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The USA/Fairlight VMB + + 716-987-1151 + + + *** S P E C I A L O F F E R *** + + VHS Movies Available - Write To Address Below For Info: + + Skid Row + Postrestante + 8450 Hammel + Denmark + diff --git a/textfiles.com/piracy/FAIRLIGHT/hunt.nfo b/textfiles.com/piracy/FAIRLIGHT/hunt.nfo new file mode 100644 index 00000000..e2a7951f --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/hunt.nfo 
@@ -0,0 +1,103 @@ +FAIRLIGHT PRESENTS THEIR FIRST IBM +RELEASE. HOPEFULLY MANY MORE WILL +FOLLOW... + +Ŀ + 'HUNT FOR THE RED OCTOBER!' + + +SUPPLIED BY : STRIDER OF FAIRLIGHT +CRACKED BY : NOONE, NO PROTECTION +RELEASE DATE: FRIDAY, 8TH OF FEBRUARY 1991, 7.00 PM +GRAPHICS : CGA, EGA, TGA, VGA +SOUND : INTERNAL, ADLIB + +CALL OUR FAIRLIGHT BOARDS : + +FAIRLIGHT WORLD HQ (AMIGA/IBM) - IRON FORTRESS - 508-798-3363 +FAIRLIGHT EURO HQ (AMIGA/IBM) - THE DUNGEON - +46-40435924 + +WE ARE NOW STARTING OUT ON IBM... WE ARE LOOKING FOR SOME GOOD CODERS, +CRACKERS AND ORIGINAL SUPPLIERS... DO YOU WANT TO HELP THE LEGEND OF +THE C64, AND AMIGA TO BE REALLY GREAT ON IBM AS WELL? THEN CALL : + +STRIDER OF FAIRLIGHT AT : +46-40496094, OR LEAVE MAIL ON ANY OF OUR BOARDS! + +OR LEAVE US MAIL ON OUR VOICE MAIL SYSTEM ON : 1-800-866-7668 (408-371-8401) + VMB NO. '*487' + +FOR A FULL SIZE POSTER OF STRIDER SEND A HST MODEM TO THE NEAREST FAIRLIGHT +SLAVE... HAHAHA.... + +HERE'S SOME QUICK DOX FOR Y'ALL.... +----------------------------------- + +SILENTLY, BENEATH THE CHILLY ATLANTIC WATERS, RUSSIA'S TOP SECRET NUCLEAR +MISSILE SUBMARINE THE 'RED OCTOBER' IS HEADING WEST..... + +'RED OCTOBER' IS ARMED WITH 26 SS-N-20 SCUD.. UHM.. I MEAN, SEAHAWK MISSILES +CAPABLE OF DESTROYING 200 CITIES AND IS THE PRIDE OF THE SOVIET NAVY. AS THE +MOST SENIOR OF RUSSIAN SUBMARINE COMMANDERS YOU ARE ORDERED TO TEST THE +LATEST IN SOVIET NAVAL TECHNOLOGY - A SUBMARINE SO POWERFUL AND SO QUIET, +WITH ITS UNIQUE AND REVOLUTIONARY CATERPILLAR DRIVE SYSTEM, THAT IT IS +ALMOST IMPOSSIBLE TO DETECT. + +YOUR HAND PICKED OFFICERS ARE TOTALLY LOYAL AND WILL RISK THEIR LIVES FOR +YOU, BUT THE ENLISTED CREW KNOW NOTHING ABOUT YOUR MISSION... TO DEFECT!! + +THE US NAVY IS UNSURE OF YOUR REAL INTENTIONS BUT IS CONVINCED BY JACK RYAN, +SENIOR INTELLIGENCE OFFICIAL AT THE CIA, THAT YOUR DEFECTION IS TRUE. 
+ +UNFORTUNATELY THE SOVIET RED BANNER FLEET, ONE OF THE MOST POWERFUL FLEETS +IN THE WORLD, HAS ORDERS TO PURSUE AND DESTROY YOU - AT ANY COST! + +IN THIS DEADLY BATTLE OF SURVIVAL YOU MUST SUCCESSFULLY COMPLETE FIVE LEVELS +OF ACTION... + +LEVEL 1 +------- +YOU MUST DELIVER JACK RYAN, ON TO THE USS DALLAS SUBMARINE IN MID-ATLANTIC. +THE WEATHER IS BAD; JACK HATES FLYING; GALE FORCE WINDS AND LOW FUEL BRINGS +INCREASED DANGER TO JACK. ONE FALSE MOVE AND JACK IS DEAD AND THE MISSION +ABORTED! + +LEVEL 2 +------- + +NAVIGATE THE TREACHEROUS REYKJANES RIDGE, ONE OF THE KEY RIDGES IN RED +ROUTE ONE. YOU WILL NEED TO NAVIGATE THROUGH DEEP AND NARROW CHANNELS; +AVOID HEAT SEEKING AUTOMATIC GUIDED MISSILES AND MINES AND REMAIN +UNDETECTED. + +LEVEL 3 +------- + +SUCCESSFULLY GUIDE JACK RYAN TO RENDEZVOUS WITH THE RED OCTOBER FROM A MINI- +SUB WHERE GREAT PRECISION AND SKILL IS ESSENTIAL. + +LEVEL 4 +------- + +FACE THE FINAL (OR SO YOU THINK) CONFRONTATION WITH THE SOVIET RED BANNER +FLEET. THE FULL FORCE OF THEY NAVY CONFRONTS YOU - HOMING MISSILES, DEPTH +CHARGES AND TOTALLY DEDICATED SUBMARINE COMMANDERS IN PURSUIT. YOU WILL +BE STOPPED..... + +LEVEL 5 +------- + +FINALLY YOU HAVE SUCCEEDED - OR HAVE YOU!? AWAIT THE ULTIMATE CHALLENGE! +CAN YOU AND THE PRECIOUS 'RED OCTOBER' SURVIVE!? + +REMEMBER, YOU HAVE SOME VERY SPECIAL AND POWERFUL WEAPONS; YOU ALSO HAVE THE +UNIQUE, NEARLY UNDETECTABLE CATERPILLAR DRIVE SYSTEM AND THE ADVANTAGE OF +STEALTH. USE THEM ALL CAREFULLY AND YOU MIGHT SURVIVE. + +- "THE AMERICANS WANT THE 'RED OCTOBER'." +- "THE RUSSIANS WANT HER BACK!" + +THE MOST INCREDIBLE CHASE IN HISTORY BEGINS... THE HUNT IS ON!!!! + + + + \ No newline at end of file diff --git a/textfiles.com/piracy/FAIRLIGHT/infernal.nfo b/textfiles.com/piracy/FAIRLIGHT/infernal.nfo new file mode 100644 index 00000000..ffd52aea --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/infernal.nfo 
@@ -0,0 +1,141 @@ + ___ ________ ___ ________ + / /\ / __ /\ /\ \ /\ __ \ + / / / / __/ / / \ \ \ \ \ \__ \ + / / / / / / / / \ \ \ \ \ \ \ \ + /__/ / /__/ /__/ / \ \__\ \ \__\ \__\ + \__\/ . \__\/\__\/ . . \/__/ . \/__/\/__/ + + + + + + + + + + + + + + + F⥒ - FFS + ۱۱ + ۱۱ + ۱۱۱ + ۱۱۲۱߱ + ۱ + + + + ۲ ۲ + ޲ ۲ + ۲ + ޱ ۲ ۱ + ݲ ۲ޱ + + + ݱޱ۱ ۱۱ޱݲ +Ŀ Ŀ +Ĵ ޱ ݱ۱۱ ۱ Ĵ +Ĵ ߱߱߱߱߱߱߱ Ĵ +Ŀ ߲ ۰ ۲ Ĵ +Ŀ ߲ Ĵ +Ŀ ޲ TerminatorX1993 +Ŀ Ĵ +Ĵ +Ĵ +Ĵ P R I N C E O F P E R I A 2 Ĵ +Ĵ * Trainer & DoX * Ĵ +Ĵ +Ĵ +Ĵ * INFERNAL AFFAIRS * Ĵ +Ĵ ;-] tHE nONE sLEEPING gODS [-; Ĵ +Ĵ +Ĵ +Ĵ Program Prince of Peria 2 Ĵ Supplier Errand / FiST Ĵ +Ĵ Company Broderbund Ĵ Packager TerminatorX Ĵ +Ĵ Display VGA Ĵ Proctection N/A Ĵ +Ĵ Sound All Ĵ Cracker N/A Ĵ +Ĵ Labels None Ĵ ReleasDate 04-27-93 Ĵ +Ĵ +Ĵ +Ĵ * wE rELEASE eVERYTHING tHAT'S qUALITY iN qUANTITY * Ĵ +Ĵ + + Ĵ + Ĵ * RELEASE NOTES *- Ĵ + Ĵ +Ŀ +Ĵ +Ĵ Have Fun And Check Out ! Ĵ +Ĵ + + Ĵ + Ĵ * Inf.Aff.STAFF * Ĵ + Ĵ +Ŀ +Ĵ +Ĵ RatMan, Patch, Traveler, Enforcer, FiST Ĵ +Ĵ Errand, Disrupted Soul, TerminatorX [MEMBERs][8]Ĵ +Ĵ +Ĵ David Marshall, Ranik, JMagic, The Alchemist, Ĵ +Ĵ Penman, The XXXXX, MELTdown [SPREADERs][7]Ĵ +Ĵ + + Ĵ + Ĵ * N O T E S * Ĵ + Ĵ +Ŀ +Ĵ +Ĵ We still searching for cool Dist.Sites so get in contact with us! Ĵ +Ĵ Specially Sites in the US accepted. Also Sysops of I-Net Sites can Ĵ +Ĵ apply. So contact us today ! Ĵ +Ĵ Ĵ +Ĵ Contact us at: LeGION Of DoOM Ĵ +Ĵ login with user: Anonymous Ĵ +Ĵ passwd: Applicat. Ĵ +Ĵ Ĵ +Ĵ Tell what u can do for us. Ĵ +Ĵ Why idling arround when u can proove that you are Elite ? Ĵ +Ĵ + + Ĵ + Ĵ !CALL OUR BOARDS WORLDWIDE! Ĵ + Ĵ +Ŀ +Ĵ + M E M B E R B O A R D SĴ +Ĵ.Untamed Metal ............ MEM.BErO.NLY ...... I-WHQ .. TerminatorX ....Ĵ +Ĵ.Legion Of Doom ......... THeFOCK.EN.KEW.L1 .. I-EuHQ .. Dis.Soul, TermX.Ĵ +Ĵ.DeadZone ................ +358-VE-RYkEWL ... 2 Nodes .. Traveler .......Ĵ +Ĵ.The Fight Hell .......... +341-TFH-HELL .... 2 Nodes .. Disrupted Soul .Ĵ +Ĵ.The Dark Half ........... (412)-PRi-VATE ... 1 Nodes .. 
Ratman .........Ĵ +Ĵ +Ĵ + D I S T. S I T E S Ĵ +Ĵ.KnoWarez ................. HER.E.wE.Go! .. I-3 Nodes .. David Marshall..Ĵ +Ĵ.Alkaline ............... ITS.TO.oPRiVA.TE! .... InET .. Ranik ..........Ĵ +Ĵ.LedZeppelin .......... ANoTHER.PRiVATE.0N.E! .. InET .. The XXXXX ......Ĵ +Ĵ.The Power ................ ITS-PRI-VATE .... 3 Nodes .. MELTdown .......Ĵ +Ĵ.The Black Unicorn ....... +(204)-NOO-OOOO .. 3 Nodes .. The Alchemist ..Ĵ +Ĵ.Meat Express ............. +358-ASK-4IT .... 1 Nodes .. JMagic .........Ĵ +Ĵ.Alkalinity ............... 716-NOT-4YOU .... X Nodes .. Penman .........Ĵ +Ĵ + + Ĵ + Ĵ * G R E E T I N G S * Ĵ + Ĵ +Ŀ +Ĵ +Ĵ GrEEtiNgS gO To: Stingray6, Dr.Donatelo, InsaneTTM, Rad, ChemGOD, AlC, Ĵ +Ĵ Warchild, Corp, GothMog, FordPr, Zax, Bond007 Ĵ +Ĵ Ĵ +Ĵ Group Greets: RZR, TdT, HaSP, SkilLIoN, UnTOuchABLeS, UnITed CoUrIErs, Ĵ +Ĵ tRIO, ExCiDE, aSA, SeCT, ToAo ...... and da resta Ĵ +Ĵ Ĵ +Ĵ +Ĵ +Ĵ SUPPORT THE COMPANIES THAT RELEASE QUALITY SOFTWARE! Ĵ +Ĵ * If you like this stuff, please buy the original. * Ĵ +Ĵ + \ No newline at end of file diff --git a/textfiles.com/piracy/FAIRLIGHT/luigi.nfo b/textfiles.com/piracy/FAIRLIGHT/luigi.nfo new file mode 100644 index 00000000..0a013e24 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/luigi.nfo 
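Review bot: the box-drawing and shade characters in the infernal.nfo header above render as mojibake (the "F⥒ - FFS" line, the "۱۱۱" and "ݲ ۲ޱ" rows, and the Ŀ / Ĵ / Ķ / Ľ box edges, which recur in luigi.nfo, mael.nfo and shadow2.nfo in this same commit), so the CP437 bytes these NFOs were written in have been decoded through some other encoding at some point between the source and this diff. Suggest confirming that the committed files are byte-identical to the textfiles.com originals rather than a re-encoded copy, and adding a .gitattributes rule for the archive, for example "*.nfo -text" or "*.nfo text working-tree-encoding=CP437", so that git and any downstream tooling stop re-encoding the ANSI art and the files keep their original bytes.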
@@ -0,0 +1,144 @@ + + + . + + + + ߲۲ ۲ ۲ ۲ ۲ ۲ ۲ ۲۲۲ + ܲ ߲ + ߱ ߱ ߱ + + + When Dreams Come True + + + + + + + + + + + + -PROUDLY PRESENTS- +ķ + Luigi and Spaghetti +Ķ + Supplied by: MacBlue & Dark Bader Written by: ?????? + Cracked by: The TERMINATOR Protection: Screwed UP (NTSC) + Packaged by: THE HAWK Graphics/Sound: VGA/SB & ADLIB + Release Date: 1/04/93 Game Type: Arcade Game + Rating: EXCELLENT ACRADE # of Disks: 2 (1.2) +Ķ + Game Notes: Well this is an AWESOME Arcade game from SPAIN. Cool music + awesome graphics, joystick or keyboard controlled. Really + cool. And it is allready trained with unlimited lives. Watch + Luigi trun in to Superman? Check this one out.!! + NOTE- JUST UNZIP into a Directory and type START to play + ALSO be sure to get the new PKZip/Unzip 2.04 to + unzip this and future FLT releases. + + Group Notes: Well the reconstruction is done look for FAIRLIGHT in 93' + From THE HAWK to SINISITER- YOU GUYS SUCK !!!!!! + + Personal Greets: Blade Runner, Ford Perfect, Silencer, Terminator, & Onyx +Ķ + Greets go out to: FAIRLIGHT AMIGA and THE HUMBLE GUYS +Ľ + + + ķ + Ķ -FLT- President + Ľ + + - Ford Perfect - + + ķ + Ķ -FLT- Senior Staff + Ľ + + Blade Runner, Orion, THE HAWK, VenoM + + ķ + Ķ -FLT- Members + Ľ + + Berserker, Beach Bum, FILA, Gank Master + Nemsis Enforcer, Night Ranger, Jack, Onyx + Silencer, Sicko, The Patton, Tom Brokaw + The Terminator + + ķ + Ķ -FLT- Cheats/Trainers + Ľ + + Hare Krishna, Patch, Phoniex + Rescue Raider + + ķ + Ķ -FLT- Senior Couriers + Ľ + + Flyboy, Jester, Avalanche, Master Disaster + + ķ + Ķ -FLT- Couriers + Ľ + + Doom, Night Blade, Overseerer, Shadow Lord, Dark Bader + Butter Ball, Olan, Lion, MacBlue, Budsky, Mad Dog + Steel Thunder, Natas, Ranks + + + +ķ + -=FLT=- Boards +Ķ + BOARD NAME POSITION NUMBER SYSOP +Ķ + The Bog World HQ 312/???.???? Sicko + Digital Wasteland U.K. HQ +44-81BACKUP! 
Night Ranger + My Boomin' System (4 Nodes) Canadian HQ 514/PRI.VATE Blade Runner +Ķ + Body Count Member Board DIEGRIMREAPER VenoM + Rising Sun Member Board 813/YOU.WISH Orion + The Hood (2 Nodes) Member Board 416/YOU.WISH Berserker +Ľ + Def Con 4 Dist. Site 201/XXX.XXXX Devastor + Fourth Reich Dist. Site 916/XXX.XXXX Prince of Sin + Twilight Zone Dist. Site 504/XXX.XXXX Jack Flash + Tower Knowledge Dist. Site 404/XXX.XXXX The Sage + + + + + + + + + + + + +ķ + FAIRLIGHT is currently accepting Dist. Sites call The BoG logon on as + FAIRLIGHT APPLY password FAIRLIGHT. Leave your board #, voice #, and + best time to get in touch with you. + get in touch with you. + + FAIRLIGHT is looking for good couriers, if you are interested then logon + Lithium with the account mentioned above. And leave your alias, name, + voice # and time to call. + + FAIRLIGHT is also looking for people that can Scan Docs, Code Loaders, + Make MODS, Crack, and Supply. If you are one of these people then call + Lithium with the FAIRLIGHT APPLY account and leave what you can do and + how to get ahold of you. + + + FAIRLIGHT 'When Dreams Come True' +Ľ + *** IF YOU LIKE THIS GAME, BUY IT! SOFTWARE AUTHORS DESERVE SUPPORT *** + + diff --git a/textfiles.com/piracy/FAIRLIGHT/mael.nfo b/textfiles.com/piracy/FAIRLIGHT/mael.nfo new file mode 100644 index 00000000..f8c64799 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/mael.nfo 
@@ -0,0 +1,141 @@ + + + + + + + + + + + + + + + + + + ANSiJED + + + + + + +ķ + PRESENTS: Maelstrom +Ķ + Supplied By: Razor 7-11 Written By: + Cracked By: THE Terminator Protection: Doc checks + Packaged By: Blade Runner Graphics: VGA\EGA + Release Date: 10-18-92 Sound: Adlib/Sound Blaster + Rating: 6/10 # of Disks: +Ķ + Crack: read crack.nfo or just run the tsr + It took longer to install this one,than to crack it. + + Group Notes: We at Flt have decided to FUCK The Wares Report ! We will not + Upload our stuff first to the wares report Due to 5 major + Reason. 1) HE is a INC SITE 2) He is not multi-node 3: He is + a Inc site 4)His bbs is always crashing on couriers besides + only Inc courier have no problems. 5) Who makes all these + Rules anyways? hmmm.. Anyways we don't want Razor 7-11 Megs +Ķ + Greets: James BOMB and The Couriers with out you we would Not be # 1 +Ľ + + + + Ŀ + Ĵ -=FLT=- Presidents + + + FAIRLIGHT - STRIDER + FAIRLIGHT PC - Ford Perfect + + + Ŀ + Ĵ -=FLT=- Senior Staff + + + Blade Runner, FlashBack, Night Ranger + THE HAWK, VenoM + + Ŀ + Ĵ -=FLT=- Members + + + ACE, Con Artist, Crusher, Dennise the Meance, F.I.L.A. + Hannibal Lektor, Night Ranger UK, Orion, Skelton Secretary + Shadow Angel, The Goddess, The Terminator, Wolverine + + Ŀ + Ĵ -=FLT=- Senior Couriers + + + Berserker, Doctor Bombay, SkaTeMasTer + + Ŀ + Ĵ -=FLT=- Couriers + + + Arch Angel, Bandieto, Chaos, Coyotes Member, Cross, Dark Star + Destroyer, Dirty Frank, Feedback, Hellion, James Bomb + Kinetic Energy, Lethal Injection, Mind Bomb, Mystic Whiz + Pagan, Popeye, Prince of Sin, Raging Bull, Sai Kotic + Sherlock Ohms, Sleepwalker + + Ŀ + Ĵ -=FLT=- Docs, Cheats & VGA + + + Crystal Warrior, Dr. Crippen, Eloi, Hare Krishna, Kublai Khan + Network, Revelation, Tank, The Weasel + + +ķ + -=FLT=- Boards +Ķ + BOARD NAME POSITION NUMBER SYSOP +Ķ + Body Count World HQ 516/DIE.MIKE VenoM + Golden Spires Canadian HQ 416/PRI.VATE Master-Tech + My Boomin' System (4 Nodes) Can. 
Courier HQ 514/Die.FEDS Blade Runner + HMS Bounty (4 Nodes) US West Cour HQ 714/PRI.VATE Fletcher + Sin City (6 Nodes) US East Cour HQ 813/PRI.VATE Hellion +Ķ + Eyes Of The Dragon Member Board 207/YOU.WISH Crusher + Lithum Member Board 813/YOU.WISH Shadow Angel + Marvel Universe Member Board 215/YOU.WISH Wolverine + Neo-Tokyo Member Board 604/YOU.WISH Skeleton Sec. + Nuclear Wastelandz Member Board 011/YOU.WISH Night Rang UK + The Nectar Base Member Board 602/YOU.WISH The Gh0dess + The Outer Limits (2 Nodes) Member Board 313/YOU.WISH FlashBack +Ķ + Beyond The Realm Of Reality Dist Site 310/869.9484 Legend Master + Bubba Land Dist Site 407/XXX.XXXX Bubba + The Burrows Dist Site 310/XXX.XXXX Weasel + CyberWars Dist Site 908/654.1290 Fearless Leade + Eldar's Craftworld Dist Site 418/XXX.XXXX Slum Dweller + Enigma Dist Site 201/XXX.XXXX Holy Avenger + Hydrogen Palace Dist Site 613/XXX.XXXX LoRD NuKE + Medieval Crypt Dist Site 214/XXX.XXXX Medieval Magi + Infinite Ragnarok Dist Site 916/863.1040 Jormungand + Inn Of The Last Home Dist Site 705/XXX.XXXX Caramon Majere + Medieval Crypt Dist Site 214/XXX.XXXX Medieval Magi + Pirate Mind Station Dist Site 314/567.3833 Felonius Monk + Rising Sun Dist Site 813/XXX.XXXX Orion + Second Sight Dist Site 416/XXX.XXXX Phalon + The Game Grid Dist Site 513/XXX.XXXX Tron + The Prison Dist Site 615/XXX.XXXX The Warden + Wintermute Dist Site 514/XXX.XXXX Case +Ľ + +ķ + + Fairlight is looking for DISTRIBUTION SITES... We will only courier + To our sites only!! We won't waste time with the INC Report any more!!! + Fairlight P.O. BOX 43 Flat Rock, MI 48134 -=FLT=- Rockin '92 + +Ľ + *** IF YOU LIKE THIS GAME, BUY IT! SOFTWARE AUTHORS DESERVE SUPPORT *** diff --git a/textfiles.com/piracy/FAIRLIGHT/obitus.nfo b/textfiles.com/piracy/FAIRLIGHT/obitus.nfo new file mode 100644 index 00000000..7f16ff70 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/obitus.nfo 
@@ -0,0 +1,136 @@ + Ŀ + USA/FLT United Software Association USA/FLT + Fairlight PC Division + + Proudly Presents + + Obitus + + From + + USA/FLT Psygnosis USA/FLT + +Ŀ + Supplied: The Patriot Sound: Adlib/SB/PCSpk Packaged: Genesis + Cracked: HAL9000 Graphics: CGA/EGA/VGA Date: 1/27/91 + Protection: Doc Check Controls: Kbd/Jystk/Mouse Rating: 7/10 +Ĵ + + Game Notes: You might remember the demo of this that was released by TDT + last September. Well here's the game finally. It looks like + a fairly decent RPG. Have fun. + + Game Hype: You are in the depths of your worse nightmare, but this time, + there is no waking up... Lost and alone, in a dangerous and + alien world, you must discover where you are, who you are, + how you got here, and you are going to get out. This is + your challenge. + + +Ŀ + + Greets: Patriot, thanks for the ware dude! + + +Ŀ + + What's up with USA/FLT? + ~~~~~~~~~~~~~~~~~~~~~~~ + Have you called the USA/FLT VMB lately to say hi? 716/987.1151 + + + + - USA/FLT Senior Staff - + + Genesis, Silencer, The NotSoHumble Babe + + + - USA/FLT Members - + + Black Jack, Eclipse, Fire, HAL9000, Harry Lime, Lord Sterling, Marko Ramius, + Minor Threat, R. Bubba Magillicutty, Repo Man, Static, The Guch and + The Necromancer + + + - FairLight PC Members - + + Strider + + + - The USA-DoX Team - + + Caramon, FAThead, Genesis, Kublai Khan, Repo Man + + + - USA/FLT Couriers - + + -Senior- + + Heavy Metal and Tomkat + + -Elite- + + Alexis Machine, Dr. Crippen, Electric Element and Scorch + + -Trial- + + Egocentrix, Mr. 
Mixty and Psylocke + +Ŀ + - USA/FLT Boards - +Ĵ + BOARD NAME POSITION NUMBER SYSOP +Ĵ + BBS-A-Holic Western Home 310/PRI.VATE Genesis + Enterprize Elite Eastern Home 313/PRI.VATE Static / The NSH Babe + Apocalypse(5 Nodes) Courier Home 703/825.6517 POW +Ĵ + The Inferno Member Board 416/493.9927 Harry Lime + The Rush Board Member Board 313/348.6057 The Necromancer + Infinity Member Board 914/229.8483 Fire + High Intensity Member Board 512/385.4912 Marko Ramius + The World Of Krynn Member Board 313/PRI.VATE Caramon +Ĵ + World of Mirage Dist Site 718/PRI.VATE The Widowmaker + The Richter Scale Dist Site 516/PRI.VATE Earthquake + Elysium BBS Dist Site 508/PRI.VATE Squire + Khaotic Attractor Dist Site 508/PRI.VATE Mr Wyzard + Modular Madness Dist Site 512/PRI.VATE Fatal Error + Rivendell Dist Site 217/356.2221 Trick Lord + The Paki's Smell Dist Site 604/261.8182 Skeleton Secretary + Cloak & Dagger Dist Site 516/791.2156 Surak + The 4th Dimension Dist Site 813/948.1635 Time Traveler + The Krack House Dist Site 614/882.5546 Rainman + Suburbia Dist Site 214/258.6634 The Chairman + +Ŀ + - USA/FLT Support Nodes - +Ĵ + + Down River Elite - Amiga World - The End - The Fifth Dimension + + +Ŀ + + You may contact us by mail at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + USA/Fairlight + 35526 Grand River, Suite 121 + Farmington Hills, MI 48335 + + OR + + Fairlight + P.O. Box 6 + 23600 Hollviken + Sweden + +Ĵ + + You may contact us by phone at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The USA/Fairlight VMB + + 716-987-1151 + + diff --git a/textfiles.com/piracy/FAIRLIGHT/obitusdx.nfo b/textfiles.com/piracy/FAIRLIGHT/obitusdx.nfo new file mode 100644 index 00000000..9dc15866 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/obitusdx.nfo 
@@ -0,0 +1,128 @@ + Ŀ + USA/FLT United Software Association USA/FLT + Fairlight PC Division + + Proudly Presents + + Obitus Complete Documentation + + From + + USA/FLT Psygnosis USA/FLT + +Ŀ + Supplied: Patriot Method: Hand-Typed Packaged: Genesis + Created: Patriot Extras: None Date: 1/28/91 +Ĵ + + Doc Notes: This is the complete game manual for Obitus... Not much else + to say! + + +Ŀ + + Greets: Patriot, Great job on the dox, buddy! + + +Ŀ + + What's up with USA/FLT? + ~~~~~~~~~~~~~~~~~~~~~~~ + Have you called the USA/FLT VMB lately to say hi? 716/987.1151 + + + + - USA/FLT Senior Staff - + + Genesis, Silencer, The NotSoHumble Babe + + + - USA/FLT Members - + + Black Jack, Eclipse, Fire, HAL9000, Harry Lime, Lord Sterling, Marko Ramius, + Minor Threat, R. Bubba Magillicutty, Repo Man, Static, The Guch and + The Necromancer + + + - FairLight PC Members - + + Strider + + + - The USA-DoX Team - + + Caramon, FAThead, Genesis, Kublai Khan, Repo Man + + + - USA/FLT Couriers - + + -Senior- + + Heavy Metal and Tomkat + + -Elite- + + Alexis Machine, Dr. Crippen, Electric Element and Scorch + + -Trial- + + Egocentrix, Mr. 
Mixty and Psylocke + +Ŀ + - USA/FLT Boards - +Ĵ + BOARD NAME POSITION NUMBER SYSOP +Ĵ + BBS-A-Holic Western Home 310/PRI.VATE Genesis + Enterprize Elite Eastern Home 313/PRI.VATE Static / The NSH Babe + Apocalypse(5 Nodes) Courier Home 703/825.6517 POW +Ĵ + The Inferno Member Board 416/493.9927 Harry Lime + The Rush Board Member Board 313/348.6057 The Necromancer + Infinity Member Board 914/229.8483 Fire + High Intensity Member Board 512/385.4912 Marko Ramius + The World Of Krynn Member Board 313/PRI.VATE Caramon +Ĵ + World of Mirage Dist Site 718/PRI.VATE The Widowmaker + The Richter Scale Dist Site 516/PRI.VATE Earthquake + Elysium BBS Dist Site 508/PRI.VATE Squire + Khaotic Attractor Dist Site 508/PRI.VATE Mr Wyzard + Modular Madness Dist Site 512/PRI.VATE Fatal Error + Rivendell Dist Site 217/356.2221 Trick Lord + The Paki's Smell Dist Site 604/261.8182 Skeleton Secretary + Cloak & Dagger Dist Site 516/791.2156 Surak + The 4th Dimension Dist Site 813/948.1635 Time Traveler + The Krack House Dist Site 614/882.5546 Rainman + Suburbia Dist Site 214/258.6634 The Chairman + +Ŀ + - USA/FLT Support Nodes - +Ĵ + + Down River Elite - Amiga World - The End - The Fifth Dimension + + +Ŀ + + You may contact us by mail at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + USA/Fairlight + 35526 Grand River, Suite 121 + Farmington Hills, MI 48335 + + OR + + Fairlight + P.O. Box 6 + 23600 Hollviken + Sweden + +Ĵ + + You may contact us by phone at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The USA/Fairlight VMB + + 716-987-1151 + + diff --git a/textfiles.com/piracy/FAIRLIGHT/pq3-dox.nfo b/textfiles.com/piracy/FAIRLIGHT/pq3-dox.nfo new file mode 100644 index 00000000..7acb6422 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/pq3-dox.nfo 
@@ -0,0 +1,101 @@ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + USA/FLT United Software Association USA/FLT + Fairlight PC Division + USA-DoX Department + + Proudly Presents + + Complete Police Quest ]I[ Dox + + from + + Sierra + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + - USA Members - + + The NotSoHumble Babe, Silencer, Genesis, Lord Blix, Suicidal, Harry Lime + Lord Sterling, R. Bubba Magillicutty, Mad Gib, The Guch + The Necromancer, Snuggles, Static + + + - FairLight PC Members - + + Strider & Drone No.5 + + + - USA/FLT Couriers - + + Morpheus, The Bartender, Crime Slave, Snuggles + + + - USA/FLT Boards - + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + BOARD NAME POSITION NUMBER SYSOP +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + BBS-A-Holic Western Home 213-PRI-VATE Genesis + Enterprize Elite Eastern Home 313-442-7543 Static / The NSH Babe + The Mudd Club Member Board 713-347-1416 Lord Blix + The Inferno Member Board 416-841-1933 Harry Lime + House Of Lords Member Board 714-681-9219 Lord Sterling + The Rush Board Member Board 313-348-6057 The Necromancer + Hidden Empire Dist Site 301-926-6131 The Emperor + tHe CrAcK iN tImE Dist Site 2o1-573-o449 The Punisher + Support HQ Dist Site 415-692-6037 X-Terminator + The Red Sector Dist Site 713-952-7682 The Guardian + Radioactive Decay Dist Site 213-923-4447 Repo Man + World of Mirage Dist Site 718-UNK-NOWN The Widowmaker +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +Doc Notes: Here are the complete dox and map for Police Quest ]I[: The Kindred. + In case we forgot to put it in the dox, Sonny's locker code is 776. + The map is included here in GIF format, viewable seperately. These + dox should be really helpful, we hope you like em. Have fun! 
+ +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + Greets: INC, THG, Razor, PE, NEUA - Hi to everyone! + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + So you wanna be a Dist Site or Member huh? + + If you are interested in becoming a USA/FLT Dist Site or Member, please + contact Genesis at BBS-A-Holic or TNSH Babe at Enterprise Elite. Tell + us what you have to offer to USA/FLT and you will be considered. All + of our members and dist sites are completely functional. If you can't + or don't want to do anything to help out, and just want to sit there + and run a dist site, then forget it. But if think you have something to + offer and you want to help the newest up and coming group reach the top, + give us a call. + + + So you wanna be a Courier huh? + + Fill out a USA/FLT courier application and send it up to one of the Home + boards reserved for our courier leader, Suicidal. + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + You may contact us by mail at: + + USA/Fairlight + 35526 Grand River, Suite 104 + Farmington Hills, MI 48335 + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + You may contact us by phone at: + + The USA/Fairlight VMB + + 716-987-1151 + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + "All's Fair In Love And Warez" + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + diff --git a/textfiles.com/piracy/FAIRLIGHT/pq3hints.nfo b/textfiles.com/piracy/FAIRLIGHT/pq3hints.nfo new file mode 100644 index 00000000..2b6bb1f9 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/pq3hints.nfo 
@@ -0,0 +1,106 @@ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + USA/FLT United Software Association USA/FLT + Fairlight PC Division + USA-DoX Department + + Proudly Presents + + Police Quest ]I[ Hints/Solve + + from + + Sierra + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + - USA Members - + + The NotSoHumble Babe, Silencer, Genesis, Lord Blix, Suicidal, Harry Lime + Lord Sterling, R. Bubba Magillicutty, Mad Gib, The Guch + The Necromancer, Snuggles, Static + + + - FairLight PC Members - + + Strider & Drone No.5 + + + - USA/FLT Couriers - + + Morpheus, The Bartender, Crime Slave, Snuggles + + + - USA/FLT Boards - + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + BOARD NAME POSITION NUMBER SYSOP +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + BBS-A-Holic Western Home 213-PRI-VATE Genesis + Enterprize Elite Eastern Home 313-442-7543 Static / The NSH Babe + The Mudd Club Member Board 713-347-1416 Lord Blix + The Inferno Member Board 416-841-1933 Harry Lime + The Rush Board Member Board 313-348-6057 The Necromancer + House Of Lords Member Board 714-681-9219 Lord Sterling + Hidden Empire Dist Site 301-926-6131 The Emperor + tHe CrAcK iN tImE Dist Site 2o1-573-o449 The Punisher + Support HQ Dist Site 415-692-6037 X-Terminator + The Red Sector Dist Site 713-952-7682 The Guardian + Radioactive Decay Dist Site 213-923-4447 Repo Man + World of Mirage Dist Site 718-UNK-NOWN The Widowmaker +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +Game Notes: OK here are the Police Quest ]I[ Hints/Solve from the Sierra BBS. + They're all done up in a nice, clean little menu driven format + for ya. Be sure to pick up the latest from USA/FLT - Willy + Beamish from Dynamix. Call your favorite USA boards now! 
+ + Call our VMB - 716-987-1151 + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +Greets: We're too damn busy releasing wares and dox to think up any new greets + right now... Just a quick hi to all the groups, INC, THG, Razor, PE + FiRM, and TDT/TRSI... you're all doing a great job. Lots of good + competition out there lately... + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + So you wanna be a Dist Site or Member huh? + + If you are interested in becoming a USA/FLT Dist Site or Member, please + contact Genesis at BBS-A-Holic or TNSH Babe at Enterprise Elite. Tell + us what you have to offer to USA/FLT and you will be considered. All + of our members and dist sites are completely functional. If you can't + or don't want to do anything to help out, and just want to sit there + and run a dist site, then forget it. But if think you have something to + offer and you want to help the newest up and coming group reach the top, + give us a call. + + + So you wanna be a Courier huh? + + Fill out a USA/FLT courier application and send it up to one of the Home + boards reserved for our courier leader, Suicidal. + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + You may contact us by mail at: + + USA/Fairlight + 35526 Grand River, Suite 104 + Farmington Hills, MI 48335 + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + You may contact us by phone at: + + The USA/Fairlight VMB + + 716-987-1151 + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + "All's Fair In Love And Warez" + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + diff --git a/textfiles.com/piracy/FAIRLIGHT/shadow.nfo b/textfiles.com/piracy/FAIRLIGHT/shadow.nfo new file mode 100644 index 00000000..1b7ec041 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/shadow.nfo 
@@ -0,0 +1,104 @@ + ____________/\ /\_ ___ /\____ /\_. ___/|___ /\________ + \_______ \/ | o\ /o \ / o| . \_/o|__//o ______/ + /o | \ | \\ // | > / ||___|\ // \// |_____ + // _______/ | \\// \/ || : \// \ | \ + // | / | \\ | \ | \ \ : \ + \ _____| \_____________/___________/____________/_______/_________ / + \| __/\________ /\_____ __/\________ /\_____ /\___ \| + : \ o ______/ /o \ \ o ______//o \ / | o\ : + . // __)__ // | \ // __)__// | | \ / | \\ . + // | \// | \// | \ | | \/\___ \\ + / | \ | \ | \ | | \ | \\ + \ ____________/_____|______/____________/__|_|_____/_________ / + \| -=PRESENTS=- |/ + Ŀ + The Shadow of Yserbius & The Fates of Twinion + + Ŀ Ŀ + Company SIERRA Supplier Axiom Codex + Display SVGA Cracker N/A + Sound ALL Packager Califboy + Rating 8 Protection None Found + #ofDisks 9 Date 09-30-93 + + Ŀ + RELEASE NOTES + + Well We tried this one out and found it to be 2 games in 1 for use either + by themselves or with the Sierra Network, we didn't see any protection.. but + in Sierra's usual style we expect there may be some protection there.. so if + you find it let us know and we'll have a crack out ASAP. + See yahh...... + Califboy + + NOTE: As usual Unzip with -d -$... it never hurts.. + TSN Disks 1-5 are needed for the installation of these games + so they have been included.. if you already had these disks.. we + apologize but like most people... we Didn't already have them + + THANKS goes out to AXIOM CODEX.. good job on the original + + Group Notes : Greets to all who deserve it you know who you are, + Greets to all the new members! If you were left out it will be straight soon + + Greets to Our Newest BBS KraftWerke! + + +Personal Greets : Brawley Brawler, Undertaker, Terra-X, Iceman, Godfather, + Dray, Cypher, Phonestud, Corsair, SOULTAKER, Speed Master, + Axiom Codex, and Trustee + + + *NOTE*: If we have accidentally left you out of the info file + we apologize, please let us know if we did! 
+ + Ŀ + PUBLIC ENEMY Leaders and Members + Ŀ + Speed Master, Rakim, Blade Runner + Ĵ + Axiom Codex, Brawly Brawler, Califboy, Cypher, Exdous + Iceman, Killerette, Rhino, Red Wolf, Beowulf + Godfather, The Terminator, Union Jack + + Ŀ + PUBLIC ENEMY Spreaders + Ŀ + Black Dragon, Dark Passion, FAB, Dream Wraith + Malpha, Nephilim, Trustee, Timebuster, Aykin&Bartman + + + + + Ŀ + Name Status Number Nodes Sysop + Ĵ + Sancutary WHQ 708-969-8325 5 Speed Master + My Boomin' System CHQ 514-GET-REAL 4 Blade Runner + Twilight BBS EHQ 49-214ELITE! 4 Twilight + UnderWorld MEMBER 916-XXX-XXXX 2 Califboy + KraftWerke MEMBER 916-XXX-XXXX 1 Undertaker + + + + + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + IF YOU ARE INTERESTED IN BEING A DISTRIBUTION SITE, COURIER, CRACKER + CODER OR THINK YOU HAVE SOMETHING TO OFFER THE GROUP, WHICH WOULD + BE HELPFULLY AND PRODUCTIVITY. THEN LOG ONTO SANCUTARY UNDER THE + ACCOUNT : PUBLIC ENEMY + PASSWORD: #1 + BE SURE TO LEAVE YOUR ALIAS, FIRST NAME, VOICE #, AND BEST TIME + TO BE CALLED. + >>> NOTE <<<: If you leave a BBS # ONLY the chances are you won't hear + from us. + OR write to: Public Enemy + P.O. Box 106 + Downers Grove, Ill 60515 + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + ** IF YOU HAVE REVIEWED THIS GAME AND ENJOY IT, BUY IT! ** + ** SOFTWARE AUTHORS DESERVE SUPPORT ** + + \ No newline at end of file diff --git a/textfiles.com/piracy/FAIRLIGHT/shadow2.nfo b/textfiles.com/piracy/FAIRLIGHT/shadow2.nfo new file mode 100644 index 00000000..53cc54d4 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/shadow2.nfo 
@@ -0,0 +1,195 @@ + + + . + + + + ߲۲ ۲ ۲ ۲ ۲ ۲ ۲ ۲۲۲ + ܲ ߲ + ߱ ߱ ߱ + + + When Dreams Come True + + + + + + + + + + + + -PROUDLY PRESENTS- +ķ + Shadowgate For Windows +Ķ + Supplied by: Ford Perfect Written by: Electronic Arts + Cracked by: Silent Stalker Protection: Condom + Packaged by: The Hawk Graphics/Sound: Usual + Release Date: 12/05/92 Game Type: RPG + Rating: 7/10 # of Disks: 5 +Ķ + Game Notes: A most interesting game for windows. You must stop the evil + Warlock Lord from raising the Behemoth and taken over the + world. This is a good one to add for people who swear by + windows! Save your game often, because you are going to need + it! + Unzip to floppy and then start windows. From Windows program + manager, bring down file and click on run. Then switch to the + drive you have the files on, and run setup.exe. + + Group Notes: Razor nice job. TDT nice try. Double releasing + your own release from last year?? That's a new one. + + + Personal Greets: TRON, Con Artist, White Rose, Orion, & Shadow Angel +Ķ + Group Greets: Razor, no one else deserves one. 
+Ľ + + ķ + Ķ -FLT- Main Organizers + Ľ + + FLT Euro Division - STRIDER + FLT USA Division - Ford Perfect + + ķ + Ķ -FLT- Senior Staff + Ľ + + Blade Runner, Con Artist, Silent Stalker + THE HAWK, VenoM + + ķ + Ķ -FLT- Members + Ľ + + ACE, Berserker, Beach Bum, Black Shadow, Califboy + Dennis the Menace, Flashback, FILA, Iceberg, Jack, Kingpin + Larual & Hardy, MICHELANGELO, New Kids, Night Ranger UK + Nuclear War, Orion, RADAR, Rifleman, Selim & Rudi + Shadow Angel, Silencer, SkaTeMasTer, Sparky, Subzero + The Terminator, Tom Brokaw, Ufonaut, Union Jack + + ķ + Ķ -FLT- Senior Couriers + Ľ + + Doctor Bombay, Dorian Hawkmoon + Fourth Reich, Gank Master, Mind Bomb + Overlord, Pagan + + ķ + Ķ -FLT- Couriers + Ľ + + Always Dangerous, Arch Angel, Avalanche, Dirty Frank + Doom, Enforcer, Fear, Flyboy, Fresh Kid Ice, Fugazi + Genicide, Genocide, Ghost Pilot, Godfather, Havok, Insector X + JC Poon, Jester, King Meat, Lips, Malachai, Master of Diaster + Nightblade, Oolan, Pagan, Plague, Raging Bull, Raven, Rick Hunter, Rougue + Sai Kotic, Shadowlord, Stalker, Steel Thunder, The Destroyer, The Judge + The Outcast, Touchtone, Traumatic Breakdown, Unsettled Soul + X-Man, Zakafein + + + ķ + Ķ -FLT- Cheats/Trainers + Ľ + + The Phoney Coders + Hare Krishna, Patch + Rescue Raider, The Phrophet, The Weasel + + + ķ + Ķ -FLT- DOX + Ľ + + Crystal Warrior, Kublai Khan + Fourth Reich, Hellspawn, Hell Bound + HELLION + +ķ + -=FLT=- Boards +Ķ + BOARD NAME POSITION NUMBER SYSOP +Ķ + Body Count World HQ 516/DIE.MIKE VenoM + Nuclear Wastelandz U.K. HQ +44-81BACKUP! Night Ranger + Unlimited Access (3 Nodes) German HQ +49-30BACKUP! 
Sparky + My Boomin' System (4 Nodes) Canadian HQ 514/PRI.VATE Blade Runner + HMS Bounty (4 Nodes) US West Cour HQ 714/PRI.VATE Fletcher + Sin City (6 Nodes) US East Cour HQ 813/PRI.VATE Hellion +Ķ + Crime Ring Member Board 714/YOU.WISH Kingpin + Golden Spires Member Board 416/YOU.WISH Master-Tech + Harmony Skates (2 Nodes) Member Board 718/ViS.iONX SkateMaster + Lithium Member Board 813/YOU.WISH Shadow Angel + Manhattan Project (2 Nodes) Member Board 503/YOU.WISH Rifleman + Narcotik Illusion Member Board 703/YOU.WISH Con Artist + Pirate Mind Station Member Board 314/YOU.WISH Felonius Monk + Rising Sun Member Board 813/YOU.WISH Orion + The Outer Limits (2 Nodes) Member Board 313/YOU.WISH FlashBack + The Hood (2 Nodes) Member Board 416/YOU.WISH Berserker + UnderWorld Member Board 916/YOU.WISH Califboy +Ķ + After Midnight Dist Site 310/XXX.XXXX The Painter + Bubba Land Dist Site 407/XXX.XXXX Bubba + Covert Action ][ Dist Site 818/XXX.XXXX Contra + CyberWars Dist Site 908/XXX.XXXX Fearless Leadr + Eldar's Craftworld Dist Site 418/XXX.XXXX Slum Dweller + Enigma Dist Site 201/XXX.XXXX Holy Avenger + Fatal Psychosis Dist Site 812/XXX.XXXX Gothmog + Fourth Reich Dist Site 916/XXX.XXXX Prince of Sin + Gator Crator Dist Site 318/XXX.XXXX Gatorman + Infinite Ragnarok Dist Site 916/XXX.XXXX Jormungand + Park Central Dist Site 708/XXX.XXXX Silver V + Private Collection Dist Site 305/XXX.XXXX Wild Child + Psycho Net Dist Site 616/XXX.XXXX Service + Second Sight Dist Site 416/XXX.XXXX Phalon + The City Dist Site 813/XXX.XXXX The Bainster + The Game Grid Dist Site 513/XXX.XXXX Tron + The Prison Dist Site 615/XXX.XXXX The Warden + The Sewer Dist Site +47/67.33292 Phoenix + The Wooden Boxcar Dist Site 606/XXX.XXXX Packrat + Tower of Knowledge Dist Site 404/XXX.XXXX The Sage + Twilight Zone Dist Site 504/XXX.XXXX Jack Flash + Wintermute Dist Site 514/XXX.XXXX Case +Ľ + + + + + + + + + + + + +ķ + FAIRLIGHT is currently accepting Dist. 
Sites call Lithium logon on as + FAIRLIGHT APPLY password FAIRLIGHT. Leave your board #, voice #, and + best time to get in touch with you. + + FAIRLIGHT is looking for good couriers, if you are interested then logon + Lithium with the account mentioned above. Leave your alias, name, + voice # and time to call. + + FAIRLIGHT is also looking for people that can Scan Docs, Code Loaders, + Make MODS, Crack, and Supply. If you are one of these people then call + Lithium with the FAIRLIGHT APPLY account and leave what you can do and + how to get ahold of you. + + Lithium - 813-799-4417 + + FAIRLIGHT 'When Dreams Come True' +Ľ + *** IF YOU LIKE THIS GAME, BUY IT! SOFTWARE AUTHORS DESERVE SUPPORT *** + + diff --git a/textfiles.com/piracy/FAIRLIGHT/siege.nfo b/textfiles.com/piracy/FAIRLIGHT/siege.nfo new file mode 100644 index 00000000..1b2a291e --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/siege.nfo 
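Review bot: The frame and shading glyphs throughout this hunk (runs such as "ķ", "Ķ", "Ľ", "۲" around the "Shadowgate For Windows" header and the "-=FLT=- Boards" table) look like CP437 box-drawing and shade characters that were decoded with the wrong single-byte codepage before being committed, so the ASCII-art layout that structures these .nfo files no longer renders; the same mis-decoding is visible in the other .nfo files added in this series. Suggest committing the files' original bytes (and marking them as binary or as CP437 in .gitattributes so no further re-encoding occurs) or transcoding them once from CP437 to UTF-8 so the frames and tables render as intended.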
@@ -0,0 +1,105 @@ + + + + + + + + + + + + + + + + + ANSiJED + + + + + +ķ + PRESENTS: Siege +Ķ + Supplied By: Mournblade/Flashback Written By: Mindcraft + Cracked By: N/A Graphics: VGA256/ALL + Packaged By: Heretic Sound: ALL + Release Date: 07/18/92 Rating: 9/10 +Ķ + + Game Notes: This is probably the release of the month. 256 color VGA + + sound, and it looks awsome. You must have a mouse to play. + You can play the role of the attacker or defender and with + 2+ megs of ram you'll experience wicked digitized sound. + 4 elaborate castle designs with 24 intense senarios and + troop types ranging from dwarven warriors to giant spiders. + Comes complete with built-in senario editor. This game ROCKS! + +Ķ + Greets: Catalyst, Grimstalk, Strider, Venom and Mournblade! +Ľ + + + + Ŀ + Ĵ -=FLT=- Senior Staff + + + Heretic, Mournblade, Strider + + Ŀ + Ĵ -=FLT=- Members + + + Grimstalk (Courier Co-Ordinator), Lord Blix, VenoM, + R. Bubba Magillicutty, FlashBack, Ryec, Kintaro, Doc Holiday, + Hagbard Celine, Skeleton Secretary & Wolverine + + Ŀ + Ĵ -=FLT=- Couriers + + + Catalyst, Coyotes Member, Felonius Monk, Gank Master, + Lord Nelson, Mind Bomb, Pharoah & The Sleepwalker + + Ŀ + Ĵ -=FLT=- Docs & Cheats + + + EarthQuake, Tank + + +ķ + -=FLT=- Boards +Ķ + BOARD NAME POSITION NUMBER SYSOP +Ķ + Whirlwind World HQ 416/PRI.VATE Heretic + The BANE Of The BLACK SWORD Courier H.Q. XXX/PRI.VATE Mournblade + Apocalypse (3 Nodes) U.S. HQ 703/PRI.VATE P.O.W. +Ķ + Body Count Member Board 516/PRI.VATE VenoM + Marvel Universe Member Board 215/PRI.VATE Wolverine + Neo-Tokyo Member Board 604/PRI.VATE Skeleton Sec. 
+ The Outer Limits Member Board 313/PRI.VATE FlashBack +Ķ + D'M0B Dist Site 604/XXX.XXXX Chaos Master + Pirate Mind Station Dist Site 314/567.3833 Felonius Monk + Purple Haze Dist Site 313/XXX.XXXX Speedball + Psychonuerosis Dist Site 301/946.3835 Gank Master + The Prison Dist Site 615/758.8731 The Warden + The Richter Scale Dist Site 516/XXX.XXXX EarthQuake + The World of Krynn Dist Site 313/XXX.XXXX Caramon + Wintermute Dist Site 514/XXX.XXXX Case +Ľ + +ķ + + Fairlight needs good people. Couriers, Distribution Sites etc. If you're + not satisfied with your current job let us know! FLT Rockin' 92'! + +Ľ + + \ No newline at end of file diff --git a/textfiles.com/piracy/FAIRLIGHT/simparc.nfo b/textfiles.com/piracy/FAIRLIGHT/simparc.nfo new file mode 100644 index 00000000..96ac21be --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/simparc.nfo 
@@ -0,0 +1,180 @@ + Ŀ + USA/FLT United Software Association USA/FLT + Fairlight PC Division + + Proudly Presents + + The Simpsons Arcade Game + + From + + USA/FLT Konami USA/FLT + +Ŀ + + Supplied: Genesis + Cracked: HAL9000 + + Game Notes: Simpsons Arcade from Konami. Pretty easy crack, password + protection at the beginning of the game... Took Hal 5 minutes. + One thing, the graphics are choppy and the game locks up from + time to time on my 286. On my 386 the game runs a hell of a + lot better, with no lockups; and on TNSH Babe's 286 it seems + to run ok too, so I guess it's just my system. So if you + have problems, try booting clean or try a different computer. + + Game hype off the box: + ~~~~~~~~~~~~~~~~~~~~~~ + Theme music from the hit television series, as well as crisp + 3-D graphics delights us with the Simpsons unique vibrant + animation. The arcade hit featuring the family that plays + together, but will they stay together? Make room in your + house for America's most animated family. The Simpsons + sensational action arcade game is here for the home computer. + With Homer, Marge, Bart and Lisa racing to reunite the family + after Maggie is nabbed during a jewel heist. So choose a + Simpson character and trek through all 8 arcade levels. + + +Ŀ + + What's Up With USA/FLT? + ~~~~~~~~~~~~~~~~~~~~~~~ + Still need more couriers... Fill out an app and get it to us. + + +Ŀ + + Greets: Y'all + + + + - USA/FLT Senior Staff - + + Genesis, Silencer, The NotSoHumble Babe + + + - USA/FLT Members - + + Black Jack, Buckaroo Banzai, Fire, General Zennor, HAL9000, Harry Lime, + Lord Blix, Lord Sterling, Marko Ramius, Minor Threat, R. Bubba + Magillicutty, Repo Man, Static, The Guch and The Necromancer + + + - FairLight PC Members - + + Strider + + + - The USA-DoX Team - + + Caramon, FAThead, Genesis, Kublai Khan, Repo Man + + + - USA/FLT Couriers - + + -Senior- + + Heavy Metal and Tomkat + + -Normal- + + Alexis Machine, Dr. 
Crippen, Morpheus and Scorch + + -Trial- + + Egocentrix and Electric Element + +Ŀ + - USA/FLT Boards - +Ĵ + BOARD NAME POSITION NUMBER SYSOP +Ĵ + BBS-A-Holic Western Home 213/PRI.VATE Genesis + Enterprize Elite Eastern Home 313/PRI.VATE Static / The NSH Babe +Ĵ + The Mudd Club Member Board 713/347.1416 Lord Blix + The Inferno Member Board 416/493.9927 Harry Lime + The Rush Board Member Board 313/348.6057 The Necromancer + House Of Lords Member Board 714/681.9219 Lord Sterling + Radioactive Decay Member Board 213/923.4447 Repo Man + Infinity Member Board 914/229.8483 Fire + High Intensity Member Board 512/385.4912 Marko Ramius +Ĵ + World of Mirage Dist Site 718/898.8421 The Widowmaker + The Richter Scale Dist Site 516/754.6402 Earthquake + Elysium BBS Dist Site 508/468.7636 Squire + Khaotic Attractor Dist Site 508/970.5306 Mr Wyzard + The Powerdome Dist Site 901/872.3715 Electron + Modular Madness Dist Site 512/219.8045 Fatal Error + The Paki's Smell Dist Site 604/261.8182 Skeleton Secretary + Cloak & Dagger Dist Site 516/791.2156 Surak + The 4th Dimension Dist Site 813/948.1635 Time Traveler + The Krack House Dist Site 614/882.5546 Rainman + + +Ŀ + - USA/FLT Support Nodes - +Ĵ + + The World Of Krynn - Down River Elite - Amiga World - The End + + + + So you wanna be a USA Dist Site or Member huh? + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + If you are interested in becoming a USA/FLT Dist Site or Member, please + contact Genesis at BBS-A-Holic or TNSH Babe at Enterprise Elite. Tell + us what you have to offer to USA/FLT and you will be considered. All + of our members and dist sites are completely functional. This means + they all help the group in some way. If you can't or don't want to do + anything to help out, and just want to sit there and run a dist site, + then forget it. But if think you have something to offer and you want + to help the newest up and coming group reach the top, give us a call. 
+ USA/FLT Support Nodes are also available, inquire any Senior Staff + Member for details, or call the VMB and leave your info. + + + So you wanna be a USA Courier huh? + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Fill out a USA/FLT courier application and send it up to + BBS-A-Holic, private for Genesis. + +Ŀ + + You may contact us by mail at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + USA/Fairlight + 35526 Grand River, Suite 121 + Farmington Hills, MI 48335 + + OR + + Fairlight + P.O. Box 6 + 23600 Hollviken + Sweden + +Ĵ + + You may contact us by phone at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The USA/Fairlight VMB + + 716-987-1151 + +Ĵ + + *** S P E C I A L O F F E R *** + + VHS Movies Available - Write To Address Below For Info: + + Skid Row + Postrestante + 8450 Hammel + Denmark + + + diff --git a/textfiles.com/piracy/FAIRLIGHT/steel.nfo b/textfiles.com/piracy/FAIRLIGHT/steel.nfo new file mode 100644 index 00000000..f1455f73 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/steel.nfo 
@@ -0,0 +1,144 @@ + + + ۲ ۲ ۲ + ۱ ۱ ۱ + ۰ ۰ ۰ + + ۰ ۰ ۰ + ۱ ۱ ۱ Roy + P R E S E N T S ۲ ۲ ۲ SAC + + + + ķ + ķ + -/\- STEEL PANTHERS *CD-RiP* (c) SSI -/\- + Ľ + Ľ + + + [ RLAS INFORMATION ]ķ + ķ + DATE : [ 10/03/95 ] [ PM ] CRACKER : FANFAN & CO + Ķ + SUPPLIER: THE MAD JAMMER! PACKAGER : FANFAN LATULIPE + Ķ + ORIGINAL: CD-RiP > 10 DISKS GAME TYPE: WARGAME + Ķ + MINIMUM REQUIREMENTS: + 486-33 / DOS / 8 MB RAM / 126 MB HD + Ľ + Ľ + + + [ RLAS NOTS ]ķ + ķ + Ľ + + TDU-JAM! proudly presents: STEEL PANTHERS from SSI! This is an + awesome wargame! The interface is user friendly, and the graphics + sweet and comprehensible. Brought to you by the #1 CD-Ripping team + TDU-JAM!!! Enjoy... + + CD-RiP: The animations and CD-Soundtrack were ripped, but the game + is complete. + + Run TDUJAM.EXE to install the game, and SETSOUND.EXE to configure + your sound card. Run STEEL.EXE to play. Do not forget to run our + cool intro, TDUINTRO.EXE... + + Enjoy and expect much more coming soon from TDU-JAM! + + + FANFAN LATULIPE / TDU-JAM! + + ķ + ...IF YOU LIKE THIS SOFTWARE PLEASE TAKE IT UPON YOURSELF TO BUY IT... + Ľ + + GROUP NEWS : * We greet ASSAULT, DYTEC, SAC, RAZOR, and all + the PC Scene! + + * We are dedicated in bringing you the best in PC + games entertainment! If you have something to offer + and want to be a part of the BEST group, contact us + immediately! + + ķ + Ľ + Ľ + + + [ WE 'B' JAMMING ]ķ + ķ + Ľ + + Fanfan la Tulipe, Werner & Tardy + + Brainbox, Code Breaker, Dark Knight, Dr Insanity, Faceless, Fatman, + Ginger the Cat, General Lee, HaMMeR!!, Johnny Cyberpunk, Hans, Knox, + Liquid Khaos, The Mad Jammer, Raider, Roger Wilco, Roland, Roy, Shadow Master, + The Bandit, The Pressman, The Toyman, The Viper, Whistler, WiLD THiNG, + Wolverine. + + Anti-Derivative, Color Crimson, Criminal Overlord, DarkStar, Death Angel, + Dendybar, Deuce's Wild, Grady, Grinder, Hybrid, Jopiter, Legion, Lord Rook, + Ones Wally, Skinypuppy, Stingray, Viral Overlord. 
+ + ķ + Ľ + Ľ + + + [ GNSiS bOARDS ]͸ + ͸ + - [ hEADqUARTERS ] - + ; + THE DiGiTAL UNDERGROUND . iTS-PRi-VATE .. 8 NoDES . FANFAN LATULIPE\BRAINBOX + ELUSIVE DREAMS .......... iTS-PRi-VATE .. 8 NoDES .............. TOYMAN\KNOX + 2112 .................... iTS-PRi-VATE .. 9 NoDES ............... ANALOG KID + + Ŀ + - [ mEMBER bOARDS ] - + + 2ND FACE ................ iTS-PRi-VATE . 8 NoDES ...... RAMBO\W&T + CLOSED SOCIETY .......... iTS-PRi-VATE . 3 NoDES ............ ROY + SOUTHERN WASTELANDS ..... iTS-PRi-VATE . 4 NoDES ......... LEGION + UNLIMITED POWER ......... iTS-PRi-VATE . 5 NoDES ......... RAIDER + VAX MUSEUM .............. iTS-PRi-VATE . 2 NoDES ..... ONES WALLY + THE WALL ................ iTS-PRi-VATE . 8 NoDES ......... ROLAND + + Ŀ + - [ bOARDS ] - + + CESSPOOL ................ iTS-PRi-VATE . 2 NoDES ........... GANGREEN + SCOOTER DOME ............ iTS-PRi-VATE . 2 NoDES ............ SCOOTER + + Ŀ + - [ aFFILIATES ] - + + ATOMIC TOWER ............ iTS-PRi-VATE . 3 NoDES ........ DEATH ANGEL + COFFEESHOP .............. iTS-PRi-VATE . 1 NoDE ............ JOPITER + INCOGNITO ............... iTS-PRi-VATE . 3 NoDES ...... COLOR CRIMSON + NO ESCAPE ............... iTS-PRi-VATE . 2 NoDES .. CRIMINAL OVERLORD + + Ŀ + + ; + ; + + + [ PLEASE NOTE ]ķ + ķ + Anybody interested in being a part of the our new group: + Leave a Member a Message on Any BBS we frequent. + (You must leave a detailed message with name and voice # to be contacted!) + Ľ + ķ + Interested in Console Copiers? For the best prices call: + 1-718-854-5877 + Ľ + ķ + - /\ - "WE REDEFINE QUALITY!!!" /\ - + Ľ + Ľ diff --git a/textfiles.com/piracy/FAIRLIGHT/steel2.nfo b/textfiles.com/piracy/FAIRLIGHT/steel2.nfo new file mode 100644 index 00000000..524d8a9e --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/steel2.nfo 
@@ -0,0 +1,116 @@ + + + + + + + + + + + + P R O U D L Y P R E S E N T S + + STEEL EMPIRE + .............. + + Ŀ + Program By: Silicon Knights Graphic Support: VGA/EGA + Ĵ + Cracked By: THE TERMINATOR Sound Supported: SB/ADLIB + Ĵ + Date of Release: 15th April 1992 Controls: JOYSTICK/MOUSE/KEYB + Ĵ + + Protecion: Simple Doc Check + ~~~~~~~~~~ + + + + Game Type: Strategy Game + ~~~~~~~~~~ + + + + + Installation: Unzip into any directory + ~~~~~~~~~~~~~ + + + + + Comments: An allright game + ~~~~~~~~~ + + + + + + + + + Fairlight PC Division Staff + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Senior Staff: STRIDER, NEMESIS ENFORCER, TRICK LORD + + Members: PSYLOCKE, BLADE RUNNER, THE TERMINATOR + HERETIC, THE NECROMANCER, FIRE, NIGHT STICK + MARKO RAMIUS, BLACK JACK, MINOR THREAT + HEAVY METAL, DOCTOR CRIPPEN, GRIMSTALK + HARDWIRE, COYOTES MEMBER, SILENT ASSASSIN + ALEXIS MACHINE, MR. MIXTY, LORD STERLING + + + + FAIRLIGHT PC DISTRIBUTION ۲ + Ŀ + Board Name Phone Number SysOp NUP + Ĵ + Rivendell (WHQ) 217/356.2221 Trick Lord 'friend' + Ĵ + Whirlwind (CHQ) 416/PRI.VATE Heretic + Paki's Smell 604/PRI.VATE Skeleton Secretary + Modular Madness 512/PRI.VATE Fatal Error + F/X 914/PRI.VATE Fire + My Boomin'System 514/PRI.VATE Blade Runner + Elysium 508/PRI.VATE Squire + Richter Scale 516/754.6402 Earthquake + Street Spyders 713/266.8330 Maverick 'Beam Me Up' + The Lab 514/858.1326 Pr. Sinister + d'M0b 604/922.7318 Chaos Master 'HUH?' + Marvel Universe 215/758.8644 Wolverine + + -->>> WANNA BE ON THIS LIST? <<<-- + Call our World H.Q. listed above. + + + Ŀ + + You may contact us by mail at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + -->>FAIRLIGHT PC<<-- -->FLT AMIGA/PC<-- -->>FLT AMIGA<<-- + =================================================================== + FAIRLIGHT PC AMERICA FAIRLIGHT WORLD HQ FAIRLIGHT AMERICA + PO BOX 6864 PO BOX 6 PO BOX 268 + CHAMPAIGN, IL 61826-6864 23600 HOLLVIKEN AMISSVILLE, VA 22002 + U.S.A. SWEDEN U.S.A. 
+ + You may contact us by phone at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + 716-987-1151 + + + + + /> Greet to Inc(Neil I back),Razor and To DR. Shareware and Hal 0.9 + Still making patches for doors... Hey dudes look for our other release + today. + + Thanks to Black Spirit for the logo. + + + Hasta Dudes, + Blade Runner diff --git a/textfiles.com/piracy/FAIRLIGHT/trn.nfo b/textfiles.com/piracy/FAIRLIGHT/trn.nfo new file mode 100644 index 00000000..b362a6c1 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/trn.nfo 
@@ -0,0 +1,129 @@ + + + + + + + + + + + + + + + + + + + ANSiJED + + + + + +ķ + PRESENTS: CANNON FODDER FROM SENSIBLE SOFTWARE [+2] TRAINER +Ķ + Supplied By: TRSI Written By: Fornicator + Cracked By: - Graphics: -/10 + Packaged By: Ken Buddha Sound: -/10 + Release Date: 05/01/94 Rating: -/10 +Ķ + Lovely game, and even lovelier with a Fairlight trainer for it. + Infinite rockets, infinite grenades, everything a man needs. + + Note: If you load a game, you have to select a weapon before the trainer + becomes active, but I guess you knew that. + + FairLight is re-structuring for maximum efficiency! FairLight is dedicated + to quality and not quantity. We extend a courteous hand to fellow groups + in the pirate community. Always looking for talented and loyal people. + + If you are interested in contributing call the FairLight 24HR VMB at + + 619-497-1580 + +Ķ + Greets go out to all cool FairLight members and to all other cool people +Ľ + + Ŀ + Ĵ FAiRLiGHT PC PRESIDENT + + + BLACK SHADOW + + Ŀ + Ĵ FAiRLiGHT PC VICE PRESIDENT + + + STRIDER + + Ŀ + Ĵ FAiRLiGHT PC MEMBERS + + + Judge, Ken Buddha, Moocher, Genius, Exolon, + Fornicator, Coroner, Lust Lord, Ranx, + Splatt, Skol and JBM + + Ŀ + Ĵ FAiRLiGHT PC COURIER TEAM + + + Rebound,Screwball + +ķ + PROUD FAiRLiGHT BULLETIN BOARDS: +Ķ + BOARD NAME POSITION NODES NUMBER SYSOP +Ķ + 7th Heaven European HQ 2 +46-Private Black Shadow + +46-Private (With TERBO!) + 2nd Phobia Member Board 1 +46-Private Judge + Realms of Death Member Board 1 +xx-Private Unlisted + +Ķ + ** SPACE FOR RENT ** Distrib. Site ** YOUR NUMBER HERE ** +Ľ +ķ + + FAIRLIGHT TRADING, INC IS YOUR BEST SOURCE FOR CONSOLE BACK-UP UNITS + AND IS THE LARGEST DISTRIBUTOR FOR FRONT FAR EAST CORP. WE STOCK + THE FOLLOWING UNITS ; SUPER WILD CARD & SUPER MAGIC DRIVE! + + WE ARE LOOKING FOR RE-SELLERS WORLDWIDE! CALL US *NOW* : + + U.S.A. ; 1-800-FAIRLIGHT + INTERNATIONAL ; 1-619-282-5311 + 24HRS FAX ; 1-619-282-1780 + +Ľ +ķ + + Call the FairLight Party-Girls 24 hrs! 
Live 1-on-1 action!! + + 1-900-288-9155 + 9735 + + $3.99 per min. Must be 18 yrs. Procall Co. (602) 631-0615 + +Ľ +ķ + + Write to FairLight : + + FairLight, P.O. Box 5, 1410 Waterloo, Belgium + +Ľ +ķ + FAiRLiGHT is looking for LOYAL MEMBERS who are dedicated to QUALITY! + Call : 7th Heaven - EHQ + Write to : FAiRLiGHT PC, P.O. Box 6 , 236 00 Hollviken, Sweden + Don't write if you want to have games and stuff, only membership + applications and such will be looked at, all other mail will be + trashed... And we don't SELL games so don't even think about it! +Ľ + + *** IF YOU LIKE THIS SOFTWARE, BUY IT! SOFTWARE AUTHORS DESERVE SUPPORT *** + \ No newline at end of file diff --git a/textfiles.com/piracy/FAIRLIGHT/vegas.nfo b/textfiles.com/piracy/FAIRLIGHT/vegas.nfo new file mode 100644 index 00000000..17ab1180 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/vegas.nfo 
@@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + 1 9 1 1 + + + Ŀ + + Razor 1911 Proudly Presents: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Las Vegas Super Casino for Windows + (c) Cosmi Corporation + + + + Ŀ + + Supplied By : EOS Release Date : 26 August 1995 + Game Type : gambling Game Rating : 6.5/10 + + Ĵ + + Cracked By : -- Protection Type : none found + Crack Patch : -- Install Method : subst or floppy + + Ĵ + + Game Notes & Crack Information + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Here's a title for the recreational as well as the the hard core + gamblers out there. This collection of five casino games includes + amusing features such as celebrity sightings, piano music and + a variety of drinks to make you feel like you're actually in + one of the trashy downtown Vegas casinos. There are also enough + blackjack and poker variations for you to tip the odds in your + favor. Can't count your way through a six-deck shoot? Don't worry. + Only Rain Man can. Play with one deck. Change the odds. The casino + is in your hands. + + + + EOS/R ) + + + There are still plenty of time left for you to order your very own + Razor shirt, so fill out the RZRSHIRT.TXT carefully, and send your + order forms in ASAP. It's not to be missed! + + + + Ŀ + + Razor 1911 Greetings + ~~~~~~~~~~~~~~~~~~~~~~ + Personal Greetz to: + + The GEcko. Troll. The Speed Racer. Hot Tuna. Beowulf. Sector9. Pharaoh + Sternone. Third Son. Ustasa. The Undertaker. Cobra. Fatal Error. Toast + Captain Blood. Roland. and Blitzkrieg-X. + + + + Ŀ + + The Gods at Razor 1911 Are: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Abrasax. Beowulf. Blitzkrieg-X. Cameron Hodge. Cobra. Dr.Magic + Druidkin. EOS. Evil Current. Faldo. The GEcko. High Density. Hojoe + Hot Tuna. Hula. Illegal Error. Kilroy. Masters. Misha. Pharaoh + Pitbull. Roland. Sector 9. Sharp. Snake. The Speed Racer. Sternone + Third Son. Troll. Troops. The Undertaker. Vivid. 
Wayward + + + + Ŀ + + Razor 1911: Director(s) of Internet Operations + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Illegal Error + + + Razor 1911: Director of Courier Operations + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Ustasa + + Razor 1911 : The Elites of the Trading Scene + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Captain Blood. Elvin Nox. Fatal Error. Hero. Janno. Jester King. + Lunatic Genius. The Master. Pioneer. The Punisher. Ralph + Raw Liquid. Toast. Tomas. Ustasa. Vivid. Ware Maker. + + + + Ŀ + + World-Famous Razor 1911 Boards + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The Gods Realm World HQ 1O Node(s) Razor Staff + + Akira Canadian HQ 1O Node(s) Pharaoh + Southern Comfort USA HQ O5 Node(s) Cobra + + The Tribe European HQ O8 Node(s) Sternone + The Graveyard UK HQ O4 Node(s) The Undertaker + + Menzoberrazan Member Board O3 Node(s) Pitbull + Reggae Muffin Member Board O3 Node(s) IE/Sector9 + RockCreek Member Board O4 Node(s) Third Son + Snake's Place Member Board O6 Node(s) Snake + Street Spydrs Member Board O4 Node(s) Maverick/GEcko + The Wall Member Board O7 Node(s) Roland/TGW + + Citadel of Chaos Affiliate O4 Node(s) The Punisher + The Crypt Affiliate O3 Node(s) Spectre/Blade + The Haunted House Affiliate 15 Node(s) The Master + Little Vegas Affiliate O3 Node(s) Casino Man + Sin Affiliate O2 Node(s) Mindshrinker + Toxic Dump Affiliate O2 Node(s) Toast/Darkwing + Lunatic Asylum Affiliate O3 Node(s) Lunatic Genius + + + + Ŀ + + So, You're Interested in Becoming a Razor 1911 Courier. + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Razor 1911 is always on the lookout for talented new couriers. If you + think you are good enough to join the ranks of the elite, fill out one + of our courier applications (file courier.app in this release) and get + it up to us on one of our boards. + + So, You're Interested in Becoming a Razor 1911 Affiliate. 
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + If you run a 3+ node board and are ready to contribute to the success + of the oldest cracking group on the IBM, get in touch with us. All of + our sysops are actively participating in the success of the group, so + if you plan to just sit there and run a board, forget it. Logon to our + application account and leave us your name and a voice number where you + can be reached. If you do not leave us your voice information, you will + not be contacted at all! + + + + Ŀ + + You May Reach us Via Modem At: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + (405)843-8501 + Logon : RAZOR + Pword : RAZOR + + Or Via E-mail At: + ~~~~~~~~~~~~~~~~~~~ + an285616@anon.penet.fi + + (Or simply ask to join #RAZOR on IRC) + + + + Ŀ + + For the very best price in .DAT tapes call: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + (416) 461-8111 Logon: CUSTOMER Pword: DAT + + + + Remember, SUPPORT THE COMPANIES THAT PRODUCE QUALITY SOFTWARE, if you + enjoyed this product, BUY IT! SOFTWARE AUTHORS DESERVE SUPPORT!! + diff --git a/textfiles.com/piracy/FAIRLIGHT/vegas2.nfo b/textfiles.com/piracy/FAIRLIGHT/vegas2.nfo new file mode 100644 index 00000000..bd260ee6 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/vegas2.nfo 
@@ -0,0 +1,108 @@ + + + + + + + + + + + + + + + + + ANSiJED + + + + + +ķ + PRESENTS: Vegas Games for Windows +Ķ + Supplied By: Mournblade/Flashback Written By: New World Computing + Cracked By: N/A Graphics: VGA/EGA/MCGA + Packaged By: VenoM Sound: PC Speaker + Release Date: 07/15/92 Rating: 6/10 +Ķ + + Game Notes: Installation for this game is simple. Just unzip VEGASFLT.ZIP + on to a floppy and go in to Windows Program Manager File menu. + Choose run and type a:setup, and your all set. This games is + easy to play and has decent graphics. + + + + + + + + +Ķ + Greets: Heretic, GrimStalk, Gank Master, RAZOR and TDT! +Ľ + + + + Ŀ + Ĵ -=FLT=- Senior Staff + + + Heretic, Mournblade, Strider + + Ŀ + Ĵ -=FLT=- Members + + + Grimstalk (Courier Co-Ordinator), Lord Blix, VenoM, + R. Bubba Magillicutty, FlashBack, Ryec, Kintaro, Doc Holiday, + Hagbard Celine, Skeleton Secretary & Wolverine + + Ŀ + Ĵ -=FLT=- Couriers + + + Catalyst, Coyotes Member, Felonius Monk, Gank Master, + Lord Nelson, Mind Bomb, Pharoah & The Sleepwalker + + Ŀ + Ĵ -=FLT=- Docs & Cheats + + + EarthQuake, Tank + + +ķ + -=FLT=- Boards +Ķ + BOARD NAME POSITION NUMBER SYSOP +Ķ + Whirlwind World HQ 416/PRI.VATE Heretic + The BANE Of The BLACK SWORD Courier H.Q. XXX/PRI.VATE Mournblade + Apocalypse (3 Nodes) U.S. HQ 703/PRI.VATE P.O.W. +Ķ + Body Count Member Board 516/PRI.VATE VenoM + Marvel Universe Member Board 215/PRI.VATE Wolverine + Neo-Tokyo Member Board 604/PRI.VATE Skeleton Sec. + The Outer Limits Member Board 313/PRI.VATE FlashBack +Ķ + D'M0B Dist Site 604/XXX.XXXX Chaos Master + Pirate Mind Station Dist Site 314/567.3833 Felonius Monk + Purple Haze Dist Site 313/XXX.XXXX Speedball + Psychonuerosis Dist Site 301/946.3835 Gank Master + The Prison Dist Site 615/758.8731 The Warden + The Richter Scale Dist Site 516/XXX.XXXX EarthQuake + The World of Krynn Dist Site 313/XXX.XXXX Caramon + Wintermute Dist Site 514/XXX.XXXX Case +Ľ + +ķ + + We are currently looking for a few good Couriers. 
Send all applications + to Grimstalk at Whirlwind, or look for our 1-800 VMB coming soon. + +Ľ + diff --git a/textfiles.com/piracy/FAIRLIGHT/vrs-dox.nfo b/textfiles.com/piracy/FAIRLIGHT/vrs-dox.nfo new file mode 100644 index 00000000..9065fd2e --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/vrs-dox.nfo 
@@ -0,0 +1,156 @@ + Ŀ + USA/FLT United Software Association USA/FLT + Fairlight PC Division + USA-DoX Department + + Proudly Presents + + Complete Virtual Reality Studio Dox + + From + + USA/FLT Domark USA/FLT + +Ŀ + + Doc Notes: The Virtual Reality Studio is a pretty complex programming tool + and is practically useless without this manual. I'm sure these + dox will save many of you from having to go out and buy the + software. Hope you find them useful. + + +Ŀ + + What's Up With USA/FLT? + ~~~~~~~~~~~~~~~~~~~~~~~ + Christmas is nearly upon us. If you find yourself on Christmas + vacation with nothing to do and would like to help out USA/FLT, + please fill out a USACOUR.APP and send it up to BBS-A-Holic. + You can be a USA/FLT Christmas Courier during December, or stay + on with us as a regular courier after Christmas, if you like. + + Call The VMB - 716/987.1151 + + +Ŀ + + Greets: A very emphatic "Thanks!" goes to Caramon for doing these dox. + Great job, dude! + + + + - USA/FLT Senior Staff - + + Genesis, Silencer, The NotSoHumble Babe + + + - USA/FLT Members - + + Black Jack, Buckaroo Banzai, Fire, Harry Lime, Lord Blix, Lord Sterling, + Marko Ramius, Minor Threat, R. Bubba Magillicutty, Repo Man, Static, + The Guch and The Necromancer + + + - FairLight PC Members - + + Strider + + + - The USA-DoX Team - + + FAThead, Genesis, Kublai Khan, Repo Man + + + - USA/FLT Couriers - + + Alexis Machine, Dr. 
Crippen, Heavy Metal, Morpheus, Scorch, and Tomkat + +Ŀ + - USA/FLT Boards - +Ĵ + BOARD NAME POSITION NUMBER SYSOP +Ĵ + BBS-A-Holic Western Home 213-PRI-VATE Genesis + Enterprize Elite Eastern Home 313-PRI-VATE Static / The NSH Babe +Ĵ + The Inferno Member Board 416-493-9927 Harry Lime + The Rush Board Member Board 313-348-6057 The Necromancer + House Of Lords Member Board 714-681-9219 Lord Sterling + Radioactive Decay Member Board 213-923-4447 Repo Man + Infinity Member Board 914-229-8483 Fire + High Intensity Member Board 512-385-4912 Marko Ramius +Ĵ + World of Mirage Dist Site 718-898-8421 The Widowmaker + The Richter Scale Dist Site 516-754-6402 Earthquake + Elysium BBS Dist Site 508-468-7636 Squire + Khaotic Attractor Dist Site 508-970-5306 Mr Wyzard + The Powerdome Dist Site 901-872-3715 Electron + Arachnophobia Dist Site +31-40817579 GML/TU + Modular Madness Dist Site 512-219-8045 Fatal Error + + +Ŀ + - USA/FLT Support Nodes - +Ĵ + + The World Of Krynn - Down River Elite - Amiga World + + + + So you wanna be a USA Dist Site or Member huh? + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + If you are interested in becoming a USA/FLT Dist Site or Member, please + contact Genesis at BBS-A-Holic or TNSH Babe at Enterprise Elite. Tell + us what you have to offer to USA/FLT and you will be considered. All + of our members and dist sites are completely functional. This means + they all help the group in some way. If you can't or don't want to do + anything to help out, and just want to sit there and run a dist site, + then forget it. But if think you have something to offer and you want + to help the newest up and coming group reach the top, give us a call. + USA/FLT Support Nodes are also available, inquire any Senior Staff + Member for details, or call the VMB and leave your info. + + + So you wanna be a USA Courier huh? + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Fill out a USA/FLT courier application and send it up to + BBS-A-Holic, private for Genesis. 
+ +Ŀ + + You may contact us by mail at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + USA/Fairlight + 35526 Grand River, Suite 121 + Farmington Hills, MI 48335 + + OR + + Fairlight + P.O. Box 6 + 23600 Hollviken + Sweden + +Ĵ + + You may contact us by phone at: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The USA/Fairlight VMB + + 716-987-1151 + +Ĵ + + *** S P E C I A L O F F E R *** + + VHS Movies Available - Write To Address Below For Info: + + Skid Row + Postrestante + 8450 Hammel + Denmark + + + diff --git a/textfiles.com/piracy/FAIRLIGHT/willhnts.nfo b/textfiles.com/piracy/FAIRLIGHT/willhnts.nfo new file mode 100644 index 00000000..50d2ffde --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/willhnts.nfo 
@@ -0,0 +1,184 @@ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + USA/FLT United Software Association USA/FLT + Fairlight PC Division + USA-DoX Department + + Proudly Presents + + Willy Beamish Hints/Solve + + from + + Dynamix + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + - USA Members - + + The NotSoHumble Babe, Silencer, Genesis, Lord Blix, Suicidal, Harry Lime + Static, The Necromancer, R. Bubba Magillicutty, Mad Gib, The Guch + Lord Sterling, Snuggles + + + - FairLight PC Members - + + Strider & Drone No.5 + + + - USA/FLT Couriers - + + Morpheus, The Bartender, Crime Slave, Snuggles, Dr. Crippen, Heavy Metal + Live Wire + + + Thanks to The Guardian for his undying support. We appreciate you... really + we do... + + + + - USA/FLT Boards - + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + BOARD NAME POSITION NUMBER SYSOP +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + BBS-A-Holic Western Home 213-PRI-VATE Genesis + Enterprize Elite Eastern Home 313-442-7543 Static / The NSH Babe + The Mudd Club Member Board 713-347-1416 Lord Blix + The Inferno Member Board 416-841-1933 Harry Lime + The Rush Board Member Board 313-348-6057 The Necromancer + House Of Lords Member Board 714-681-9219 Lord Sterling + Hidden Empire Dist Site 301-926-6131 The Emperor + tHe CrAcK iN tImE Dist Site 2o1-573-o449 The Punisher + Support HQ Dist Site 415-692-6037 X-Terminator + The Red Sector Dist Site 713-952-7682 The Guardian + Radioactive Decay Dist Site 213-923-4447 Repo Man + World of Mirage Dist Site 718-898-8421 The Widowmaker +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +Game Notes: Here are the Hints/Solve from the Sierra BBS done up in a nice, + stylin little menu-driven format for ya. This game is one of the + best and funnest Dynamix games I've ever played. 
Hope you enjoy + the game and the hints/solve. USA/FLT has been working hard this + week putting out wares faster than you can download them. We + haven't let up yet, and there's still more to come from us this + week, so keep calling your favorite USA/FLT Dist Sites daily to + make sure you get all the latest and greatest! Looks like the + Christmas Warez Season is finally upon us! + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +Greets: Greets to all LEGITIMATE and ALIVE groups - INC, Razor, PE and + TDT/TRSI... you're all doing a great job. Lots of good competition + out there lately... + + Greets to our newest couriers - Dr. Crippen and Heavy Metal - Welcome + aboard guys! + +Fuck You's: A big FUCK YOU goes out to the deadest group on the scene these + days, even deader than NEUA, The Humble Geeks, and specifically + Pieman and Slavelord. THG died after losing the people who + currently form USA, and ever since USA started kicking their ass + with the latest releases, THG has held this petty little bullshit + grudge against us. The Pitts and Slave's Den have become two + total anti-USA boards - from the one-liners to the voting questions + they do nothing but slander USA, and spew their mindless and petty + bullshit about how we suck and they rule. Why do they do this? + What have we done to piss them off so much? One thing - we're + whipping their lame little asses in the warez game and killing + their group. The only thing THG is capable of releasing these + days is wares they can steal from other groups! Yes USA put + Willy Beamish up on the Pitts, and what do you know, our version + is left unvalidated for 6 hours, then deleted, then mysteriously, + THG's version of Willy Beamish appears - and it has been + validated immediately! You don't believe THG would do such a + thing? Well ask INC about that, they've done it to INC several + times... 
ask THG couriers about it too, they saw what happened + with the Beamish release, shit ask anyone who calls the Pitts + about it, it was so obvious to everyone! THG is so fucking dead + right now, they have to steal their wares from other groups or + they can't release anything at all! + + If you're a courier or member of another group, we strongly urge + you - DO NOT send your wares up to Pitts or Slave Den! These + no talent, deperate little dirtbags will STEAL YOUR WARE and put + some lame little half-assed THG NFO file in it and release it as + their OWN! You've been warned! + + It's time for the pirate world to revolt against THG. They have + pulled this shit one too many times. The pirate world is sick + and tired of their inflated ego's and petty bullshit. It's + time to boycott THG and all of their boards. Shit they can't + release anything but 6 hour old stolen wares anyway, so what does + it matter. + + We're a little pissed about this as you can see, but we really + shouldn't be, considering that what THG did with Beamish was + so blatant and obvious to everyone, and considering that their + group is deader than shit right now... THG is on their way out, + folks, and the funny thing is the dumb fuckers brought this all + down upon themselves. THG is THE MOST HATED group in the world + right now, not just by us, but by anyone with half a brain and + an ounce of integrity. Let's put these unscrupulous, petty little + rodents away for good - JOIN THE BOYCOTT OF THG AND THG BOARDS! + DON'T CALL THEM, DON'T UPLOAD TO THEM, DON'T ACKNOWLEDGE THEIR + PITIFUL EXISTANCE! We can put an end to these scumbags once and + for all if we all pull together on this one... Let's make it + happen. The next ware THG steals might be from your group! Let's + bury these assholes before they do it again to you or to us, or + to anyone. They have no right to do this to people... 
let's not + let them get away with this, for to do so will be condoning it + and making it easier for them to do it again! + + USA has tried our best to be cool about the THG split up from + the very start. We never wanted a war over this, we never wanted + to strike out against THG, but this is the absolute last straw. + We're going to try not to drag this out any farther, but we're + not gonna sit here and let THG talk shit about us and steal our + wares without defending ourselves any longer. If THG shuts up + about USA and leaves our wares alone we won't have any more to + say on this subject. + + - USA Senior Staff + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + So you wanna be a Dist Site or Member huh? + + If you are interested in becoming a USA/FLT Dist Site or Member, please + contact Genesis at BBS-A-Holic or TNSH Babe at Enterprise Elite. Tell + us what you have to offer to USA/FLT and you will be considered. All + of our members and dist sites are completely functional. If you can't + or don't want to do anything to help out, and just want to sit there + and run a dist site, then forget it. But if think you have something to + offer and you want to help the newest up and coming group reach the top, + give us a call. + + + So you wanna be a Courier huh? + + Fill out a USA/FLT courier application and send it up to one of the Home + boards reserved for our courier leader, Suicidal. + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + You may contact us by mail at: + + USA Fairlight + 35526 Grand River, Suite 104 P.O. Box 6 + Farmington Hills, MI 48335 23600 Hollviken Sweden + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + You may contact us by phone at: + + The USA/Fairlight VMB + + 716-987-1151 + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + "All's Fair In Love And Warez" + (Except Stealing Other Groups Releases) + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + 
diff --git a/textfiles.com/piracy/FAIRLIGHT/word-dox.nfo b/textfiles.com/piracy/FAIRLIGHT/word-dox.nfo new file mode 100644 index 00000000..ec58f77b --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/word-dox.nfo 
@@ -0,0 +1,76 @@ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + USA/FLT United Software Association USA/FLT + Fairlight PC Division + + Proudly Presents + + Complete Wordtris Dox + + from + + Spectrum Holobyte + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + - USA Members - + + The NotSoHumble Babe, Silencer, Genesis, Suicidal, Strider, R. Bubba + Magillicutty, The Necromancer, Static, Harry Lime, Drone #5, Captain Kirk + + + - USA Couriers - + + Morpheus, The Bartender, Crime Slave, Snuggles + + + - USA Boards - + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + BOARD NAME POSITION NUMBER SYSOP +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + BBS-A-Holic Western Home 213-PRI-VATE Genesis + Enterprize Elite Eastern Home 313-442-7543 Static / The NSH Babe + The Inferno Member Board 416-841-1933 Harry Lime + The Rush Board Member Board 313-348-6057 The Necromancer + Hidden Empire Dist Site 301-926-6131 The Emperor + tHe CrAcK iN tImE Dist Site 2o1-573-o449 The Punisher + Support HQ Dist Site 415-692-6037 X-Terminator + The Red Sector Dist Site 713-952-7682 The Guardian + Radioactive Decay Dist Site 213-923-4447 Repo Man +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + Doc Notes: Here are the COMPLETE dox for Wordtris. This game is highly + addictive, and the head to head modem option is a blast. Enjoy! + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + So you wanna be a Dist Site or Member huh? + + If you are interested in becoming a USA/FLT Dist Site or Member, please + contact Genesis at BBS-A-Holic or TNSH Babe at Enterprise Elite. Tell + us what you have to offer to USA/FLT and you will be considered. All + of our members and dist sites are completely functional. 
If you can't + or don't want to do anything to help out, and just want to sit there + and run a dist site, then forget it. But if think you have something to + offer and you want to help the newest up and coming group reach the top, + give us a call. + + + So you wanna be a Courier huh? + + Fill out a USA/FLT courier application and send it up to one of the Home + boards reserved for our courier leader, Suicidal. + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + You may contact us by mail at: + + USA/Fairlight + 35526 Grand River, Suite 104 + Farmington Hills, MI 48335 + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + + "All's Fair In Love And Warez" + + -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- diff --git a/textfiles.com/piracy/FAIRLIGHT/wordtris.nfo b/textfiles.com/piracy/FAIRLIGHT/wordtris.nfo new file mode 100644 index 00000000..7554e686 --- /dev/null +++ b/textfiles.com/piracy/FAIRLIGHT/wordtris.nfo 
@@ -0,0 +1,110 @@ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + USA/FLT United Software Association USA/FLT + Fairlight PC Division + + Proudly Presents + + Wordtris + + by + + Spectrum Holobyte + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + - USA Members - + + The NotSoHumble Babe, Silencer, Genesis, Suicidal, Strider, R. Bubba + Magillicutty, The Necromancer, Static, Harry Lime, Drone #5, Captain Kirk + + + - USA Couriers - + + Morpheus, The Bartender, Crime Slave, Snuggles + + + - USA Boards - + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + BOARD NAME POSITION NUMBER SYSOP +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + BBS-A-Holic Western Home 213-PRI-VATE Genesis + Enterprize Elite Eastern Home 313-442-7543 Static / The NSH Babe + The Inferno Member Board 416-841-1933 Harry Lime + The Rush Board Member Board 313-348-6057 The Necromancer + Hidden Empire Dist Site 301-926-6131 The Emperor + tHe CrAcK iN tImE Dist Site 2o1-573-o449 The Punisher + Support HQ Dist Site 415-692-6037 X-Terminator + The Red Sector Dist Site 713-952-7682 The Guardian + Radioactive Decay Dist Site 213-923-4447 Repo Man +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- + +Game Notes: OK here's the latest "tris" game from Spectrum Holobyte. You + may have caught the demo of this that was floating around last + month. It's a fairly decent game and has 256-VGA, Soundblaster + and Roland support. Have fun! + + A few words on Larry 5 - This game is a BITCH to crack. We are + working on a crack for it, and it's my understanding that about + every other crack group out there is also working on it, so there + should be a fix out soon, so hang in there. SCD-Dox put the + scanned doc check codes out so pick those up if you're desperate + to play the game before the crack is released. 
+ + Welcome to our newest Dist Site- Radioactive Decay, SysOp: Repo Man + + +Greets: INC - Heard you ordered Larry 5 and your supplier was able to download + the USA version before the UPS man even got to his house... haha + + RAZOR - Here's another one you "could" have released. Tsk tsk. + + THG - Thanks for the "Don't get too big for your pants" advice. Maybe + you should practice what you preach. + + TRSI/TDT - Reader Rabbit ][ - Wow! The new NEUA! + + Nimbus - Blow me - _/\!/\_ + + Bookie - > +T E X T F I L E S + +

.NFO and Information Files from The Humble Guys

+

+

+ + + + + +
+
Filename
Size
Description of the Textfile
aces.nfo 3757
THE HUMBLE GUYS: Aces of the Pacific by Dynamix +
alley.nfo 4311
THE HUMBLE GUYS: Armor Alley by Three-Sixty Software +
arachna.nfo 4779
THE HUMBLE GUYS: Arachnaphobia by Disney Software +
arborea.nfo 3749
THE HUMBLE GUYS: Crystals of Arborea by Silmarils +
atf.nfo 7209
THE HUMBLE GUYS: ATF-II Simulator +
atf2.nfo 2600
THE HUMBLE GUYS: ATF-II Simulator +
bards3.nfo 3846
THE HUMBLE GUYS: Bard's Tale 3: Thief of Fate from Electronic Arts +
batman.nfo 7749
THE HUMBLE GUYS: Batman Returns by Park Place Development +
batman2.nfo 3977
THE HUMBLE GUYS: Batman Returns by Park Place Development +
bchess2.nfo 2549
THE HUMBLE GUYS: Battle Chess 2: Chinese Chess +
beasty.nfo 3549
THE HUMBLE GUYS: Altered Beasty Boy by Sega +
benc.nfo 4612
THE HUMBLE GUYS: Bill Elliott's NASCAR Challenge from Konami +
billy.nfo 4638
THE HUMBLE GUYS: The Legend of Billy the Kid from Ocean +
blades.nfo 3958
THE HUMBLE GUYS: Legend of Arkania: Blades of Destiny from US Gold +
bladewar.nfo 3609
THE HUMBLE GUYS: Blade Warrior from Imageworks +
blitz.nfo 2776
THE HUMBLE GUYS: Blitzkreig in the Ardeness +
blow.nfo 5514
THE HUMBLE GUYS: Low BLow II by Electronic Arts +
bodyblow.nfo 7890
THE HUMBLE GUYS: Body Blows from Team 17 Software +
btechii.nfo 2725
THE HUMBLE GUYS: Battletech II: Crescent's Revenge +
bubble.nfo 598
THE HUMBLE GUYS: Bubble Bobble by Fabulous Furlough +
califor2.nfo 3649
THE HUMBLE GUYS: California Games 2 from Epyx Software +
ceasar.nfo 2310
THE HUMBLE GUYS: Ceasar's Palace +
checkit.nfo 7133
THE HUMBLE GUYS: Checkit Pro +
combat.nfo 5032
THE HUMBLE GUYS: Operation Com-Bat from merit +
commanch.nfo 8309
THE HUMBLE GUYS: Maximum Overkill Data Disk 1 +
continum.nfo 3811
THE HUMBLE GUYS: Continuum from Data East/Infogrammes +
covert.nfo 3711
THE HUMBLE GUYS: COvert Action by Microprose +
crime.nfo 4591
THE HUMBLE GUYS: Crime Does Not Pay from Titus +
darkspyr.nfo 3805
THE HUMBLE GUYS: Dark Spyre from Electronic Zoo +
dasboot.nfo 3996
THE HUMBLE GUYS: Das Boot from Three Sixty Software +
double.nfo 3665
THE HUMBLE GUYS: Double Tetris from Taiwan +
draglr2.nfo 3959
THE HUMBLE GUYS: Dragon's Lair II: Time Warp from ReadySoft +
earthrse.nfo 1523
THE HUMBLE GUYS: Earthrise by Interstel +
elite.nfo 4886
THE HUMBLE GUYS: Elite from Realtime +
fight.nfo 4102
THE HUMBLE GUYS: 4D Sports Boxing from Microprose +
firefor2.nfo 2765
THE HUMBLE GUYS: Fire and Forget II +
fruit.nfo 5093
THE HUMBLE GUYS: Arcade Fruit Machine from Zeppelin Games +
future.nfo 2463
THE HUMBLE GUYS: Back to the Future Part 2 +
geisha.nfo 4015
THE HUMBLE GUYS: Geisha +
generic.nfo 4425
THE HUMBLE GUYS: Generic Information File +
glory.nfo 3738
THE HUMBLE GUYS: Galleons of Glory from broderbund +
goldaxe.nfo 3768
THE HUMBLE GUYS: Golden Axe by Sega +
gp500ii.nfo 4722
THE HUMBLE GUYS: Gran Priz 500 II from Microids +
grem2new.nfo 5122
THE HUMBLE GUYS: Gremlins II: The New Batch from Hi Tech Expressions +
gs2000.nfo 4853
THE HUMBLE GUYS: Gunship 2000 from Microprose +
hack.nfo 7373
THE HUMBLE GUYS: Dungeon Hack from Strategic Simulations, Inc. +
hexsider.nfo 4505
THE HUMBLE GUYS: Hexsider from UBIsoft +
historik.nfo 4846
THE HUMBLE GUYS: prehistorik from Titus +
hound.nfo 5299
THE HUMBLE GUYS: The Hound of Shadow from Electronic Arts +
hpatrol.nfo 2647
THE HUMBLE GUYS: Highway patrol 2 +
ikari.nfo 2594
THE HUMBLE GUYS: Ikari Warriors 3 +
intro10.nfo 5102
THE HUMBLE GUYS: THG Intro Maker 1.0 from THG +
intruder.nfo 2521
THE HUMBLE GUYS: Flight of the Intruder +
ironman.nfo 3675
THE HUMBLE GUYS: Ivan Ironman Stewart's Super Off-Road Racer from Virgin Games +
jf2rel.nfo 4903
THE HUMBLE GUYS: Jet Fighter II (The Release) Velocity +
jimpower.nfo 8003
THE HUMBLE GUYS: Jimpower: The Lost Dimension in 3D from Loricels +
joemont.nfo 3771
THE HUMBLE GUYS: Joe Montana Football from Sega +
kgb.nfo 5599
THE HUMBLE GUYS: KGB from Virgin +
kickoff2.nfo 3577
THE HUMBLE GUYS: Kick Off 2 +
kingq1.nfo 2733
THE HUMBLE GUYS: King's Quest I (SCI Version) from Sierra +
kpcom.nfo 5165
THE HUMBLE GUYS: Kidpix Companion Disk from Broderbund +
lemmings.nfo 4867
THE HUMBLE GUYS: Lemmings, by Psygnosis +
lightcor.nfo 3797
THE HUMBLE GUYS: Light Corridor from infogames +
manager.nfo 3944
THE HUMBLE GUYS: The manager from US Gold 2000 +
mbj.nfo 4481
THE HUMBLE GUYS: Might Bombjack from Elite +
megadox.nfo 3514
THE HUMBLE GUYS: Mega Lo Mania Full Documentation from UBISoft +
metal.nfo 4714
THE HUMBLE GUYS: Metal Mutants from Similris +
mlomania.nfo 3508
THE HUMBLE GUYS: Mega-Lo-Mania from UBISoft +
monty.nfo 2596
THE HUMBLE GUYS: Monty Python's Flying Circus from Virgin Games +
moonbase.nfo 3770
THE HUMBLE GUYS: Moon Base Simulator +
murder.nfo 3600
THE HUMBLE GUYS: Murder from US Gold +
night.nfo 3602
THE HUMBLE GUYS: Night Hunter by UBISoft +
nightbrd.nfo 4235
THE HUMBLE GUYS: Night Breed The Arcade Game from Ocean Software +
ninja.nfo 4589
THE HUMBLE GUYS: Ninja Rabbit +
ninja2.nfo 2325
THE HUMBLE GUYS: The Last Ninja 2 +
nukewar.nfo 1961
THE HUMBLE GUYS: Nuclear War by New World Computing +
objction.nfo 4215
THE HUMBLE GUYS: Objection by Transmedia +
overlord.nfo 4086
THE HUMBLE GUYS: Overlord from Virgin/Mastertronic +
patrol.nfo 4141
THE HUMBLE GUYS: Stormlord from Hewson +
penthse.nfo 3579
THE HUMBLE GUYS: Penthouse Jigsaw by Polarware +
pickpile.nfo 4540
THE HUMBLE GUYS: Pick and Pile from Ubisoft +
piction.nfo 1828
THE HUMBLE GUYS: Pictionary +
popup.nfo 3846
THE HUMBLE GUYS: Pop-Up from InfoGrammes +
predator.nfo 4856
THE HUMBLE GUYS: Predator 2 from Imageworks +
prince.nfo 2961
THE HUMBLE GUYS: Prince of Persia from Broderbund +
princetr.nfo 1148
THE HUMBLE GUYS: Prince of Persia Trainer +
racrally.nfo 7282
THE HUMBLE GUYS: Network Q RAC Rally from Europress +
read.thg 953
THE HUMBLE GUYS: The Humble Guys Ask for Help +
robocod.nfo 9313
THE HUMBLE GUYS: Robocod from Millenium +
robot.nfo 4243
THE HUMBLE GUYS: Escape from the Planet of the Robot Monsters from Tengen +
sfii.nfo 8751
THE HUMBLE GUYS: Stick Fighter 2.0 from Millenium +
simant.nfo 3054
THE HUMBLE GUYS: Sim Ant from Maxis +
sito.nfo 4833
THE HUMBLE GUYS: Sito Somebody's 500 CC Gran prix +
snoopy.nfo 2433
THE HUMBLE GUYS: Snoopy +
sowdox.nfo 3739
THE HUMBLE GUYS: Spoils of War: The Complete Documentation by Empire +
space18.nfo 4295
THE HUMBLE GUYS: Space 1889 from Paragon Software +
spidey.nfo 4314
THE HUMBLE GUYS: The Amazing Spider Man from Paragon +
spoils.nfo 4392
THE HUMBLE GUYS: Spoils of War by Internecine +
storm.nfo 4445
THE HUMBLE GUYS: Stormlord from Hewson +
stunrun.nfo 3636
THE HUMBLE GUYS: Stun Runner from Domark +
subbuteo.nfo 4212
THE HUMBLE GUYS: Subbuteo from Goliath Games +
superc.nfo 3818
THE HUMBLE GUYS: Super C +
t2trn.nfo 7602
THE HUMBLE GUYS: Terminator II Arcade Trainer from Virgin +
td3data.nfo 3849
THE HUMBLE GUYS: Test Drive 3 Cars and Roads I from Accolade +
test.txt 981
THE HUMBLE GUYS: Duck Tales from Disney +
thg.nfo 8511
THE HUMBLE GUYS: El Fish from Maxis/Midscape +
tomcat.nfo 4526
THE HUMBLE GUYS: F-14 Tomcat from Activision +
tracy.nfo 3854
THE HUMBLE GUYS: Dick Tracy from Titus +
troika.nfo 4100
THE HUMBLE GUY: Troika Fix +
turntrnr.nfo 4043
THE HUMBLE GUYS: Turn n Burn Trainer +
ty.nfo 3546
THE HUMBLE GUYS: Team Yankee +
umsii.nfo 3857
THE HUMBLE GUYS: universal Military Simulator II from Microprose +
vallahal.nfo 5446
THE HUMBLE GUYS: Valhalla, from Optyk +
wcii.nfo 4168
THE HUMBLE GUYS: Wing Commander Secret Missions Disk II from Origin +
weird.nfo 3381
THE HUMBLE GUYS: Weird Dreams from Microprose +
world.nfo 3688
THE HUMBLE GUYS: World Circuit Formula One Grand Prix by Microprose +
x-wing.nfo 6796
THE HUMBLE GUYS: X-Wing from Lucasfilms +
zeliard.nfo 3440
THE HUMBLE GUYS: Zeliard from Sierra +

There are 118 files for a total of 498,358 bytes.

+Important Credit: A portion of these files came from a site called the +Defacto2 Scene Archive, +and were acquired and saved by the folks of that group. They've done a +wonderful job on the site, and it is highly reccommended that you check +it out. + + diff --git a/textfiles.com/piracy/HUMBLE/.windex.html b/textfiles.com/piracy/HUMBLE/.windex.html new file mode 100644 index 00000000..eebc1ab6 --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/.windex.html @@ -0,0 +1,138 @@ + +T E X T F I L E S + +

.NFO and Information Files from The Humble Guys

+

+

+ + + + + +
+
Filename
Size
Description of the Textfile
aces.nfo 3757
THE HUMBLE GUYS: Aces of the Pacific by Dynamix +
alley.nfo 4311
THE HUMBLE GUYS: Armor Alley by Three-Sixty Software +
arachna.nfo 4779
THE HUMBLE GUYS: Arachnaphobia by Disney Software +
arborea.nfo 3749
THE HUMBLE GUYS: Crystals of Arborea by Silmarils +
atf.nfo 7209
THE HUMBLE GUYS: ATF-II Simulator +
atf2.nfo 2600
THE HUMBLE GUYS: ATF-II Simulator +
bards3.nfo 3846
THE HUMBLE GUYS: Bard's Tale 3: Thief of Fate from Electronic Arts +
batman.nfo 7749
THE HUMBLE GUYS: Batman Returns by Park Place Development +
batman2.nfo 3977
THE HUMBLE GUYS: Batman Returns by Park Place Development +
bchess2.nfo 2549
THE HUMBLE GUYS: Battle Chess 2: Chinese Chess +
beasty.nfo 3549
THE HUMBLE GUYS: Altered Beasty Boy by Sega +
benc.nfo 4612
THE HUMBLE GUYS: Bill Elliott's NASCAR Challenge from Konami +
billy.nfo 4638
THE HUMBLE GUYS: The Legend of Billy the Kid from Ocean +
blades.nfo 3958
THE HUMBLE GUYS: Legend of Arkania: Blades of Destiny from US Gold +
bladewar.nfo 3609
THE HUMBLE GUYS: Blade Warrior from Imageworks +
blitz.nfo 2776
THE HUMBLE GUYS: Blitzkreig in the Ardeness +
blow.nfo 5514
THE HUMBLE GUYS: Low BLow II by Electronic Arts +
bodyblow.nfo 7890
THE HUMBLE GUYS: Body Blows from Team 17 Software +
btechii.nfo 2725
THE HUMBLE GUYS: Battletech II: Crescent's Revenge +
bubble.nfo 598
THE HUMBLE GUYS: Bubble Bobble by Fabulous Furlough +
califor2.nfo 3649
THE HUMBLE GUYS: California Games 2 from Epyx Software +
ceasar.nfo 2310
THE HUMBLE GUYS: Ceasar's Palace +
checkit.nfo 7133
THE HUMBLE GUYS: Checkit Pro +
combat.nfo 5032
THE HUMBLE GUYS: Operation Com-Bat from merit +
commanch.nfo 8309
THE HUMBLE GUYS: Maximum Overkill Data Disk 1 +
continum.nfo 3811
THE HUMBLE GUYS: Continuum from Data East/Infogrammes +
covert.nfo 3711
THE HUMBLE GUYS: COvert Action by Microprose +
crime.nfo 4591
THE HUMBLE GUYS: Crime Does Not Pay from Titus +
darkspyr.nfo 3805
THE HUMBLE GUYS: Dark Spyre from Electronic Zoo +
dasboot.nfo 3996
THE HUMBLE GUYS: Das Boot from Three Sixty Software +
double.nfo 3665
THE HUMBLE GUYS: Double Tetris from Taiwan +
draglr2.nfo 3959
THE HUMBLE GUYS: Dragon's Lair II: Time Warp from ReadySoft +
earthrse.nfo 1523
THE HUMBLE GUYS: Earthrise by Interstel +
elite.nfo 4886
THE HUMBLE GUYS: Elite from Realtime +
fight.nfo 4102
THE HUMBLE GUYS: 4D Sports Boxing from Microprose +
firefor2.nfo 2765
THE HUMBLE GUYS: Fire and Forget II +
fruit.nfo 5093
THE HUMBLE GUYS: Arcade Fruit Machine from Zeppelin Games +
future.nfo 2463
THE HUMBLE GUYS: Back to the Future Part 2 +
geisha.nfo 4015
THE HUMBLE GUYS: Geisha +
generic.nfo 4425
THE HUMBLE GUYS: Generic Information File +
glory.nfo 3738
THE HUMBLE GUYS: Galleons of Glory from broderbund +
goldaxe.nfo 3768
THE HUMBLE GUYS: Golden Axe by Sega +
gp500ii.nfo 4722
THE HUMBLE GUYS: Gran Priz 500 II from Microids +
grem2new.nfo 5122
THE HUMBLE GUYS: Gremlins II: The New Batch from Hi Tech Expressions +
gs2000.nfo 4853
THE HUMBLE GUYS: Gunship 2000 from Microprose +
hack.nfo 7373
THE HUMBLE GUYS: Dungeon Hack from Strategic Simulations, Inc. +
hexsider.nfo 4505
THE HUMBLE GUYS: Hexsider from UBIsoft +
historik.nfo 4846
THE HUMBLE GUYS: prehistorik from Titus +
hound.nfo 5299
THE HUMBLE GUYS: The Hound of Shadow from Electronic Arts +
hpatrol.nfo 2647
THE HUMBLE GUYS: Highway patrol 2 +
ikari.nfo 2594
THE HUMBLE GUYS: Ikari Warriors 3 +
intro10.nfo 5102
THE HUMBLE GUYS: THG Intro Maker 1.0 from THG +
intruder.nfo 2521
THE HUMBLE GUYS: Flight of the Intruder +
ironman.nfo 3675
THE HUMBLE GUYS: Ivan Ironman Stewart's Super Off-Road Racer from Virgin Games +
jf2rel.nfo 4903
THE HUMBLE GUYS: Jet Fighter II (The Release) Velocity +
jimpower.nfo 8003
THE HUMBLE GUYS: Jimpower: The Lost Dimension in 3D from Loricels +
joemont.nfo 3771
THE HUMBLE GUYS: Joe Montana Football from Sega +
kgb.nfo 5599
THE HUMBLE GUYS: KGB from Virgin +
kickoff2.nfo 3577
THE HUMBLE GUYS: Kick Off 2 +
kingq1.nfo 2733
THE HUMBLE GUYS: King's Quest I (SCI Version) from Sierra +
kpcom.nfo 5165
THE HUMBLE GUYS: Kidpix Companion Disk from Broderbund +
lemmings.nfo 4867
THE HUMBLE GUYS: Lemmings, by Psygnosis +
lightcor.nfo 3797
THE HUMBLE GUYS: Light Corridor from infogames +
manager.nfo 3944
THE HUMBLE GUYS: The manager from US Gold 2000 +
mbj.nfo 4481
THE HUMBLE GUYS: Might Bombjack from Elite +
megadox.nfo 3514
THE HUMBLE GUYS: Mega Lo Mania Full Documentation from UBISoft +
metal.nfo 4714
THE HUMBLE GUYS: Metal Mutants from Similris +
mlomania.nfo 3508
THE HUMBLE GUYS: Mega-Lo-Mania from UBISoft +
monty.nfo 2596
THE HUMBLE GUYS: Monty Python's Flying Circus from Virgin Games +
moonbase.nfo 3770
THE HUMBLE GUYS: Moon Base Simulator +
murder.nfo 3600
THE HUMBLE GUYS: Murder from US Gold +
night.nfo 3602
THE HUMBLE GUYS: Night Hunter by UBISoft +
nightbrd.nfo 4235
THE HUMBLE GUYS: Night Breed The Arcade Game from Ocean Software +
ninja.nfo 4589
THE HUMBLE GUYS: Ninja Rabbit +
ninja2.nfo 2325
THE HUMBLE GUYS: The Last Ninja 2 +
nukewar.nfo 1961
THE HUMBLE GUYS: Nuclear War by New World Computing +
objction.nfo 4215
THE HUMBLE GUYS: Objection by Transmedia +
overlord.nfo 4086
THE HUMBLE GUYS: Overlord from Virgin/Mastertronic +
patrol.nfo 4141
THE HUMBLE GUYS: Stormlord from Hewson +
penthse.nfo 3579
THE HUMBLE GUYS: Penthouse Jigsaw by Polarware +
pickpile.nfo 4540
THE HUMBLE GUYS: Pick and Pile from Ubisoft +
piction.nfo 1828
THE HUMBLE GUYS: Pictionary +
popup.nfo 3846
THE HUMBLE GUYS: Pop-Up from InfoGrammes +
predator.nfo 4856
THE HUMBLE GUYS: Predator 2 from Imageworks +
prince.nfo 2961
THE HUMBLE GUYS: Prince of Persia from Broderbund +
princetr.nfo 1148
THE HUMBLE GUYS: Prince of Persia Trainer +
racrally.nfo 7282
THE HUMBLE GUYS: Network Q RAC Rally from Europress +
read.thg 953
THE HUMBLE GUYS: The Humble Guys Ask for Help +
robocod.nfo 9313
THE HUMBLE GUYS: Robocod from Millenium +
robot.nfo 4243
THE HUMBLE GUYS: Escape from the Planet of the Robot Monsters from Tengen +
sfii.nfo 8751
THE HUMBLE GUYS: Stick Fighter 2.0 from Millenium +
simant.nfo 3054
THE HUMBLE GUYS: Sim Ant from Maxis +
sito.nfo 4833
THE HUMBLE GUYS: Sito Somebody's 500 CC Gran prix +
snoopy.nfo 2433
THE HUMBLE GUYS: Snoopy +
sowdox.nfo 3739
THE HUMBLE GUYS: Spoils of War: The Complete Documentation by Empire +
space18.nfo 4295
THE HUMBLE GUYS: Space 1889 from Paragon Software +
spidey.nfo 4314
THE HUMBLE GUYS: The Amazing Spider Man from Paragon +
spoils.nfo 4392
THE HUMBLE GUYS: Spoils of War by Internecine +
storm.nfo 4445
THE HUMBLE GUYS: Stormlord from Hewson +
stunrun.nfo 3636
THE HUMBLE GUYS: Stun Runner from Domark +
subbuteo.nfo 4212
THE HUMBLE GUYS: Subbuteo from Goliath Games +
superc.nfo 3818
THE HUMBLE GUYS: Super C +
t2trn.nfo 7602
THE HUMBLE GUYS: Terminator II Arcade Trainer from Virgin +
td3data.nfo 3849
THE HUMBLE GUYS: Test Drive 3 Cars and Roads I from Accolade +
test.txt 981
THE HUMBLE GUYS: Duck Tales from Disney +
thg.nfo 8511
THE HUMBLE GUYS: El Fish from Maxis/Midscape +
tomcat.nfo 4526
THE HUMBLE GUYS: F-14 Tomcat from Activision +
tracy.nfo 3854
THE HUMBLE GUYS: Dick Tracy from Titus +
troika.nfo 4100
THE HUMBLE GUY: Troika Fix +
turntrnr.nfo 4043
THE HUMBLE GUYS: Turn n Burn Trainer +
ty.nfo 3546
THE HUMBLE GUYS: Team Yankee +
umsii.nfo 3857
THE HUMBLE GUYS: universal Military Simulator II from Microprose +
vallahal.nfo 5446
THE HUMBLE GUYS: Valhalla, from Optyk +
wcii.nfo 4168
THE HUMBLE GUYS: Wing Commander Secret Missions Disk II from Origin +
weird.nfo 3381
THE HUMBLE GUYS: Weird Dreams from Microprose +
world.nfo 3688
THE HUMBLE GUYS: World Circuit Formula One Grand Prix by Microprose +
x-wing.nfo 6796
THE HUMBLE GUYS: X-Wing from Lucasfilms +
zeliard.nfo 3440
THE HUMBLE GUYS: Zeliard from Sierra +

There are 118 files for a total of 498,358 bytes.

+Important Credit: A portion of these files came from a site called the +Defacto2 Scene Archive, +and were acquired and saved by the folks of that group. They've done a +wonderful job on the site, and it is highly reccommended that you check +it out. + + diff --git a/textfiles.com/piracy/HUMBLE/aces.nfo b/textfiles.com/piracy/HUMBLE/aces.nfo new file mode 100644 index 00000000..95f3cec2 --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/aces.nfo 
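Review bot: this `.windex.html` hunk is a verbatim copy of the index listing immediately above it (same 118 entries, same 498,358 byte total, same credit footer); if both index variants are meant to be checked in, say so in the commit message, otherwise one of them could be generated from the other instead of being committed twice.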
@@ -0,0 +1,59 @@ + + Aces of the Pacific + by Dynamix + +ͻ + Protection None + Graphics VGA/EGA/CGA + Controls Keyboard/Mouse/Joystick + Sound Most + Supplier Not you +ͼ + + + This Requires a 386sx & at least 2 meg of ram... + It looks like a good game, and we couldn't find any protection + + + [ Members ]Ŀ + Fabulous Furlough Thinks he's retired + The PieMaN Sysop of The P.I.T.S. + The Slavelord Sysop of The Slaveden + The Mad Scientist Protection Eradication Engineer + JROK THG Protection Eradication Engineer + Night Writer THG Member! + Eddie Haskel Sysop of SpamLand + BamBam Sysop of DownTown + Barimor Sysop of The Final Frontier + Predator Sysop of Iron Fortress + Mr. Plato Sysop of Plato's Place + The Toyman Sysop of Elusive Dream + The Iceman Sysop of The Ice Castle + Bryn Rogers Sysop of The Demon's Forge + Hi.T.Moonweed Sysop of The Flying Teapot + Sauron THG/fx crew + Lord Zombie THG/fx crew + + [ Member Boards ]Ŀ + The Slaveden (2 nodes) (904) 331-1038 The Slavelord + SpamLand (3 nodes) (508) 831-0131 Eddie Haskel + Plato's Place (6 Nodes) (618) 254-5263 Mr. Plato + The P.I.T.S. (5 Nodes) (718) THE-PITS The PieMaN + DownTown +31-5750-29313 BamBam + The Inferno (416) 841-1933 Black Plague + The Final Frontier (602) 730-5193 Barimor + Elusive Dream (4 Nodes) (317) - The Toyman + The Ice Castle +47 - The Iceman + The Demon's Forge +44 282-22514 Bryn Rogers + The Flying Teapot +44 603-767543 Hi.T.Moonweed + + [ Distribution Sites ]Ŀ + Skull Isle (514) 647-3096 Skoal Bandit + Concrete Sea (901) 274-0019 Razor Face + Cloud Nine Elite () - Nimbus + The Real World (206) - Mack The Hack + The Eclipse BBS () - The Mustang + Big City Lights () - The Hook + Piper's Pit (203) - Rowdy Roddy Piper + Covert Society (206) 946-6666 The Lizard + diff --git a/textfiles.com/piracy/HUMBLE/alley.nfo b/textfiles.com/piracy/HUMBLE/alley.nfo new file mode 100644 index 00000000..10da58a5 --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/alley.nfo 
@@ -0,0 +1,88 @@ + Armor Alley + From Three-Sixty Software + + +Cracking: Somewhat Complex Serial Number Check +Graphics: EGA/CGA/Tandy/Monocrome Herc +Controls: Keyboard/Mouse/????? +Sound: You Tell me + +Cracking/Game Notes: They took every keypress & check it in the Serial Number +routine, if it was ok, they loaded the registers & returned to allow you to +choose the "Personalize" Option.. Just enter whatever you like and choose +"Personalize", now you'll have your name up in lights!! + +Greets: Neil - Got that stuff changed to Blue Label Yet?? +Some quick greetz go to Basket Case - Hang Tight Dude! + + The Humble Guys are: + Candyman, Fabulous Furlough, NightWriter, The Slavelord, + Predator, Mr. Plato, Fletcher Christian, BamBam, Lord Zombie, + Eddie Haskel, Funakoshi, Wico, JROK, Mace Mandella, Belgarion, + The Humble Babe, Harry Lime, Black Plague, MALZAM, + Lord Sterling, Sauron, and George, The PieMaN + + Our Humble Couriers are : + High Roller, The Mogur, Con Artist, Blood Reviver, Lord Exterminator, + Heavy Metal, Skoal Bandit, ForkBeard The Pirate, Master Frodo, Silencer, + Prince of Thieves, Quick Silver, Kane KK + + +-----------------+ + |The Humble Boards| + +---------------------+-----------------+------------------------+ +Members |The Slave Den (904) 331-1038 The Slavelord | + |SpamLand (3 nodes) (508) 831-0131 Eddie Haskel | + |Plato's Place (6 nodes) (618) 254-5263 Mr. Plato | + |The P.I.T.S. (5 Nodes) (718) THE-PITS The PieMaN | + |HMS Bounty (3 nodes) () - Fletch | + |Iron Fortress () - Predator | +Boards |DownTown +31-5750-29313 BamBam | + |Festering Pit (206) 481-2728 Belgarion | + |Inner Circle +46-31-304142 Wico | + |The Inferno (416) 841-1933 Black Plague | + |House of Lords (714) 681-9219 Lord Sterling | + |Enterprise Elite (313) 442-7543 The Humble Babe | + +----------------------------------------------------------------+ +Dist. 
|Elusive Dream (317) 452-1257 The Toyman | + |The Ice Castle +47 PRI-VATE The Iceman | +Sites |Black Ice (904) 377-1325 Chaos | + |The Cove (317) 743-1168 Viper | + |BBS a Holic (213) PRI-VATE Genesis | + |Dark Data Security +39 2 29519751 Tom Cat | + |Maximum Security (408) 867-5139 The Warden | + |Skull Island (514) 647-3096 Skoal Bandit | + |Concrete Sea (901) 274-0019 Razor Face | + |Red October (415) 935-8720 Captain Ramius | + +----------------------------------------------------------------+ + + +For an 8x10 glossy of your favorite Humble Guys member, send a self-addressed +stamped envelope to: + + The Humble Guys! The Humble Guys! + P.O.Box 24541 or P.O.Box 12207 + Nashville, TN 37202 Mill Creek, WA 98012 + + + +Send us any letters thanking us for being so incredibly great!! We know +you guys worship the ground we walk above, but it's good for you guys +to tell us. All letters will be posted on the LSDnet (tm) arts and letters +section! Please send any computer hardware you don't need! We can use it! +Especially modems and hard drives!! + +* Note * All Letter Bombs will be returned to sender. + +Call The Humble Guys Voice Mail Box! 615-664-1952! Leave us a message! + +Look for The Humble Review magazine coming soon to a BBS near you! + +Remember, you too can be either Humble Courier, a Humble Franchise, +a THG Distribution site, or even possibly a member. + +Contact The PieMaN on The PITS if You Interested! + +Also, Call the Humble 900 number - 1-900-535-4200 ext. 780 +NOTE! $2.00 per minute. Updated EVERY Monday Morning!! +Kiddies under 18 MUST have their parents Permission! + diff --git a/textfiles.com/piracy/HUMBLE/arachna.nfo b/textfiles.com/piracy/HUMBLE/arachna.nfo new file mode 100644 index 00000000..a372317e --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/arachna.nfo 
@@ -0,0 +1,91 @@ + Arachnaphobia + From Disney Software + + +Cracking: Name this Spider! +Graphics: CGA/EGA/VGA/Tandy +Controls: Keyboard/You Tell ME! +Sound: Honker, Disney Sound box for the Parallel port + +Cracking/Game Notes: Interesting protection, if you tried to trace over a +RETF to go back to the root program, it would crap out Soft-ice to the same +address EVERY time.. Nice idea.. Too bad.. 3 byte crack.. + +Greets: +Some quick greetz go to Harry Lime & Black Plague - Welcome Aboard!! + + +The Humble Guys are: The Candyman, Fabulous Furlough, NightWriter, Magnetic +The Slavelord, Predator, Mr. Plato, Fletcher Christian, Lord Blix, Barimor, +The Viper, BamBam, Lord Zombie, The Guch, Eddie Haskel, Funakoshi, Wico, +The Humble Sysop, Drool Master Rick, JROK, Mr.M, Mace Mandella, Belgarion, +The Humble Babe, Harry Lime, Black Plague and our HUMBLE leader, Gods +Gift to the IBM ! + + +-----------------+ + |The Humble Boards| + +---------------------+-----------------+------------------------+ +Members |Candyland (***) ***-**** The Candyman | + |The Slave Den (904) 376-1117 The Slavelord | + |HMS Bounty (2 nodes) (215) 873-7287 Fletch | + |The Humble Review (319) 372-5987 The Humble Sysop | + |Plato's Place (3 nodes) (618) 254-5263 Mr. Plato | + |Iron Fortress (508) 798-5492 Predator | + |SpamLand (508) 831-0131 Eddie Haskel | + Boards |Final Frontier (602) 491-0703 Barimor | + |DownTown 31-5750-29313 BamBam | + |TinselTown Rebellion (713) 453-2153 The Viper | + |Enterprize Elite (313) 442-7543 The Humble Babe | + |Festering Pit (206) 481-2728 Belgarion | + |Inner Circle +46-31-304142 Wico | + |The Inferno (416) 841-1933 Black Plague | + +----------------------------------------------------------------+ +Dist. |The P.I.T.S. (3 Nodes) (718) THE-PITS The PieMaN | + | (718) PRI-VATE Don't U DARE Call! | + |Elusive Dream (317) 452-1257 The Toyman | + Sites |The Wall (716) PRI-VATE Pink Floyd | + |Twilight Zone (617) ???-???? 
Raistlin | + |The Ice Castle (+47) PRI-VATE The Iceman | + |Black Ice BBS (904) 377-1325 Chaos | + |Paradise City (416) 479-9879 Mongolian Cannibal | + |Swindler's Stronghold (703) 722-6051 Loan $hark | + |Software Conspiracy (305) 235-4335 Sparrowhawk | + |The Phortress System I (914) 221-0035 The FREEZE | + |The Phortress System II (914) 227-6847 Mephistopheles | + |Access Denied! (313) 977-5880 Access | + |The Cove (317) 743-1168 Viper | + |BBS a Holic (213) PRI-VATE Genesis | + |Dark Data Security (+39) 2 29519751 Tom Cat | + |Maximum Security (408) 867-5139 The Warden | + +----------------------------------------------------------------+ + + +For an 8x10 glossy of your favorite Humble Guys member, send a self-addressed +stamped envelope to: + + The Humble Guys! The Humble Guys! + P.O.Box 24541 or Post Restante + Nashville, TN 37202 p.o. box 99960 + 7200 NA Zutphen Holland + + + +Send us any letters thanking us for being so incredibly great!! We know +you guys worship the ground we walk above, but it's good for you guys +to tell us. All letters will be posted on the LSDnet (tm) arts and letters +section! Please send any computer hardware you don't need! We can use it! +Especially modems and hard drives!! + +* Note * All Letter Bombs will be returned to sender. + +Call The Humble Guys Voice Mail Box! 615-664-1952! Leave us a message! + +Look for The Humble Review magazine coming soon to a BBS near you! + +Remember, you too can be either Humble Spittle, a Humble Slave, a +Humble Franchise, a THG Distribution site, or even possibly a member. +Contact us on Enterprize Elite if you are interested! + +Also, Call the Humble 900 number - 1-900-535-4200 ext. 780 +NOTE! $2.00 per minute. Updated EVERY Monday Morning!! + diff --git a/textfiles.com/piracy/HUMBLE/arborea.nfo b/textfiles.com/piracy/HUMBLE/arborea.nfo new file mode 100644 index 00000000..3aacd25e --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/arborea.nfo 
@@ -0,0 +1,83 @@ + Crystals of Arborea + Silmarils + Supplied by Funakoshi Sensei + + +GRAPHICS:CGA/VGA +CONTROLS:Mouse/Joystick preferred, if you use Keyboard your on your own! +SOUND:Might have Adlib (?) +CRACK:Simple disk check thingy (3 bytes) + + +A SPECIAL HUMBLE YAHOO TO: All our NEW! contacts in Japan & Taiwan + +GREETS TO: RBM - You EVER gonna fix Joe Montana? + + + + + + The Humble Guys are: + + The Candyman, Fabulous Furlough, NightWriter, + The Slavelord, Predator, Mr. Plato, Fletcher Christian, + Lord Blix, Barimor, The Viper, BamBam, Lord Zombie, The Guch, + Eddie Haskel, BigBobRob, Funakashi, The Humble Sysop, Drool Master Rick, + Jrok, Mr. M and God's Gift to the IBM, Mace Mandella + + Ŀ + The Members Boards and Humble Distribution Sites + Ĵ +HOME BOARD-Candyland (XXX) XXX-XXXX The Candyman + The Slave Den (904) 376-1117 The Slavelord + HMS Bounty (215) 873-7287 Fletch + Plato's Place (618) 254-5263 Mr. Plato + Iron Fortress (508) 798-3363 Predator + SpamLand (508) 831-0131 Eddie Haskel + Final Frontier (602) 491-0703 Barimor + DownTown 31-5750-29313 BamBam + TinselTown Rebellion (713) 453-2153 The Viper + The Humble Review (319) 372-5987 The Humble Sysop + The Drool Bucket (615) 331-9782 Drool Master Rick + Ĵ + The Badlands (904) PRI-VATE Lowrider + The P.I.T.S. (718) THE-PITS The Pieman + Elusive Dream (317) 452-1257 The Toyman + The Wall (716) PRI-VATE Pink Panther + Twilight Zone (617) 288-2597 Raistlin + The Ice Castle 47-PRI-VATE The Iceman + Black Ice BBS (904) 377-1325 Chaos + Elm Street BBS (214) 407-1801 Freddy Krueger + + +For an 8x10 glossy of your favorite Humble Guys member, send a self-addressed +stamped envelope to: + + The Humble Guys! The Humble Guys! + P.O.Box 24541 or post restante + Nashville, TN 37202 p.o. box 99960 + 7200 NA Zutphen Holland + +Send us your hate mail! We LOVE to get your hate mail! All hate mail sent +to the P.O. Box will be sent out on the LSDNet (tm) THG Arts and Letters +Section! 
+ +* Note * All Letter Bombs will be returned to sender. + +Call The Humble Guys Voice Mail Box! 615-664-1952! Leave us a message! + +If you have a fax, and want the docs for your latest game, contact +Drool Master Rick and get in on the Humble Fax Network. + +Look for The Humble Review magazine comming soon to a BBS near you! + +Remember, you too can be either Humble Spittle, a Humble Slave, a +Humble Franchise, a THG Distribution site, or even possibly a member. +Contact us on Candyland, The Slave Den, or Downtown BBS if you are +interested! + +P.S. - The Humble Guys are ALWAYS looking for artists for their Intros! +If you have any artistic ability give one of our boards a call. + + + diff --git a/textfiles.com/piracy/HUMBLE/atf.nfo b/textfiles.com/piracy/HUMBLE/atf.nfo new file mode 100644 index 00000000..6b66efb9 --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/atf.nfo 
@@ -0,0 +1,130 @@ + + + + ܱ ۲ + ߲ ۲ ۲ ۲ ۲ ۲ ܱ + ۱ ۲ ۲ ۲ ߲ ۲ _ + ۲ ۲ ۱ ۲ ۲ ۲Rs + ۲ ۲ ۰ ۲ ߲ ۱Oa + ۱ ۱ ۰Yc + ۰ ۲ ۲ ۱ - + ۱۲ ۲ ߲ ۲ ۲ + ۲۱ ۲ ۲ ۲ + ۲ ߱ ߲ ۲ ۲ + ۲ ߱ + + + + + + [ NAPALM PC PRESENTS ]Ŀ + + Advanced Tactical Fighters (c) Electronic Arts + + Ĵ + Supplier: Hannibal Release Dat : 3/27/96 + Packager: Prophet Game Type : 3D Flight Simulation + Stripper: Hannibal Protection : CD-CHECK + Cracker : Lost Soul Disks : 19 + Ĵ + System Requirements: 486/33, 8 MB RAM, 30 MB HD + + + Release Notes: + ~~~~~~~~~~~~~~ + This simulation is based on exclusive, authentic and up-to-date information + from Jane's information group (the world's largest publisher of military + information), it includes a fully interactive aircraft guide with blue + prints, weapons information, engine diagrams, and cockpit layouts. Advanced + 3D graphics and digitized special effects add to the realism. Also multiple + states of damage (watch your target explode into bits) and digital + explosions. Modem and network play lets up to 8 players dogfight in + authentically detailed F-22's. + + + + CD-Rip Info: + ~~~~~~~~~~~~ + All animations/speech were taken out, but the rest is here. + + + Installation Notes: + ~~~~~~~~~~~~~~~~~~~ + Unpack the files, make sure you copy the AF.EXE in the zip over the old + AF.EXE in \ATF\, after that run ATF.BAT and start flying! + + Note: Take a look at the ATF.DOX! + + + Also the Abuse release from us is the FINAL/STORE version unlike previous + releases of Abuse were all betas. + + + Ŀ + -/- NAPALM MEMBERSHIP -\- + + + + Chainsaw Massacre, Cirion, The Comanche, Cyberphreak, Dark Star + David & Goliath, Daviolator, Dr. 
Detergent, The Ghost Wind + Gilby, Hannibal, Physco Stik, Lost Soul, Mach One + Mithrandir, Ol' Dirty Bastard, Prophet + Raptor, Starman, Tinox, Wolverine + + + Napalm Couriers + ~~~~~~~~~~~~~~~ + Coordinators: Beelzebub - Darkforce - The Dutchmen + + Anthrax, Archvile, Bash, Darkside, Demon Lord, DK, Duro, The GodFather + The Operator, Osmosis, OutHouse, Pericles, The Pep, Phat + Phoenix, Rom Racer, Shatter Star, Tornado + + + * NOTE: All Sysops of Napalm boards are FULL members. * + + Ŀ + -/- NAPALM'S WORLD WIDE BULLETIN BOARDS -\- + + + X-Factor 1O Node(s) World HQ Longshot + + TEMPORARY DOWN Node(s) United States HQ + 2112 10 Node(s) Eastern US HQ Analog Kid + The Warp Zone 9 Node(s) Western US HQ TWZ Staff + + SpellBound 9 Node(s) European HQ Cruger + + Info SuperHighway 4 Node(s) Member Board Zino/Lost Soul + Stranger Than Fiction 6 Node(s) Member Board Sinister Dexter/TGW + + Underground Insanity 5 Node(s) Affiliated Board Kreep/Bishop + Carnel Infatuation 5 Node(s) Affiliated Board Stratocaster + Manifest Destiny 3 Node(s) Affiliated Board Tornado + DeathScape 2 Node(s) Affiliated Board Rom Racer + + YOU COULD BE HERE +2 Node(s) Dist Site YOU + + CxxxxxRxxx Cxxxxx FTP Site World HQ Cxxxxx + Dxxxxxxx FTP Site USA HQ Cxxxxxxxxxx + + Ŀ + -/- INFORMATION -\- + + + We are dedicated in bringing you the best in PC games entertainment! + If you have something to offer us and want to be part of Napalm, contact + us immediately! + + IF YOU WANT TO GET IN TOUCH WITH US HERE IS HOW TO DO IT: + + On the internet, e-mail prophet@dazeclub.stu.rpi.edu, or on IRC look + for either: DarkForce, Beelzebub, The Dutchmen, Dviolator, Hannibal_ + + + + + Uncopyright (u) by Napalm 1996 + + ** IF YOU LIKE THIS GAME, BUY IT! SOFTWARE AUTHORS DESERVES SUPPORT! ** + diff --git a/textfiles.com/piracy/HUMBLE/atf2.nfo b/textfiles.com/piracy/HUMBLE/atf2.nfo new file mode 100644 index 00000000..e749c5ad --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/atf2.nfo 
@@ -0,0 +1,55 @@ + ATF-II Simulator + Cracked by Lord Blix + + +Graphics: EGA/VGA +Sound: High-Tech Quasi-Random Internal Speaker +Controls: Several + + +Cracking Notes: This bastard kicks on the A: for a second and keeps + it going. + + + +-----------------+ + |The Humble Boards| + +---------------------+-----------------+------------------------+ + |Candyland (615) 834-3333 Candyman | + |HMS Bounty (3 nodes) (215) 873-7287 Fletch | + |The Badlands (904) PRI-VATE Lowrider | + |The Slave Den (904) 376-1117 The Spamlord | + |Plato's Place (4 nodes) (618) 254-5263 Mr. Plato | + |The P.I.T.S. (718) THE-PITS The PieMaN | + |The Crack in Time (201) 573-0449 Master Blaster | + |Edge of Insanity (206) 868-1435 The Shocker | + |Iron Fortress (508) 798-3363 Predator | + |SpamLand (508) 831-0131 Eddie Haskel | + |Fucked up (305) 227-4110 Bart Simpson | + |Ghost Shadow (213) 221-6861 Ghost Master | + |Elusive Dream (317) 452-1257 The Toyman | + |Final Frontier (602) 491-0703 Barimor | + |Tensiltown Rebellion (713) 453-2153 The Viper | + |The Wall (716) 691-5945 Pink Floyd | + |Black Ice (904) 377-1325 Chaos | + |Downtown +31-5750-29313 Bam Bam | + |The Ice Castle +47 Private The Ice Man | + |Elm Street BBS (214) 407-1801 Freddy Krueger | + +----------------------------------------------------------------+ + + +For an 8x10 glossy of your favorite Humble Guys member, send a self-addressed +stamped envelope to: + + The Humble Guys! The Humble Guys! + P.O.Box 24541 Post RESTANTE + Nashville, TN 37202 P. O. Box 99960 + 7200 NA + Zutphen Holland + +Send us anything that you deem appropriate. If you can supply us with games, +give us a call at any of the above listed boards. + +Also, Call The Humble Guys! Voice Mailbox - 615-664-1952, +Leave us a message, tell us what you think. + + diff --git a/textfiles.com/piracy/HUMBLE/bards3.nfo b/textfiles.com/piracy/HUMBLE/bards3.nfo new file mode 100644 index 00000000..eea11c19 --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/bards3.nfo 
@@ -0,0 +1,85 @@ + Bard's Tale 3: Thief of Fate + From Electronic Arts + + +GRAPHICS:Tndy/Cga/Ega/Composite or Tv (Har Har) +CONTROLS:Keyboard +SOUND:Most +CRACK: Yes + +A SPECIAL HUMBLE YAHOO TO: NEUA - We missed you while you were gone. + $yndicate - Both of them! + PE - Is it dead yet? + Neil - See you Tuesday! + +GREETS TO: Our New Contact at EAD Thanks for This ONE! And the NEW (and + improved) Humble Slave #1 - {Welcome to the winning team Amy} + + + + + + The Humble Guys are: + + The Candyman, Fabulous Furlough, NightWriter, + The Slavelord, Predator, Mr. Plato, Fletcher Christian, + Lord Blix, Barimor, The Viper, BamBam, Lord Zombie, The Guch, + Eddie Haskel, BigBobRob, Funakashi, The Humble Sysop, Drool Master Rick, + Jrok, Mr. M and God's Gift to the IBM, Mace Mandella + + Ŀ + The Members Boards and Humble Distribution Sites + Ĵ +HOME BOARD-Candyland (XXX) XXX-XXXX The Candyman + The Slave Den (904) 376-1117 The Slavelord + HMS Bounty (215) 873-7287 Fletch + Plato's Place (618) 254-5263 Mr. Plato + Iron Fortress (508) 798-3363 Predator + SpamLand (508) 831-0131 Eddie Haskel + Final Frontier (602) 491-0703 Barimor + DownTown 31-5750-29313 BamBam + TinselTown Rebellion (713) 453-2153 The Viper + The Humble Review (319) 372-5987 The Humble Sysop + The Drool Bucket (615) 331-9782 Drool Master Rick + Ĵ + The Badlands (904) PRI-VATE Lowrider + The P.I.T.S. (718) THE-PITS The Pieman + Elusive Dream (317) 452-1257 The Toyman + The Wall (716) PRI-VATE Pink Panther + Twilight Zone (617) 288-2597 Raistlin + The Ice Castle 47-PRI-VATE The Iceman + Black Ice BBS (904) 377-1325 Chaos + Elm Street BBS (214) 407-1801 Freddy Krueger + + +For an 8x10 glossy of your favorite Humble Guys member, send a self-addressed +stamped envelope to: + + The Humble Guys! The Humble Guys! + P.O.Box 24541 or post restante + Nashville, TN 37202 p.o. box 99960 + 7200 NA Zutphen Holland + +Send us your hate mail! We LOVE to get your hate mail! All hate mail sent +to the P.O. 
Box will be sent out on the LSDNet (tm) THG Arts and Letters +Section! + +* Note * All Letter Bombs will be returned to sender. + +Call The Humble Guys Voice Mail Box! 615-664-1952! Leave us a message! + +If you have a fax, and want the docs for your latest game, contact +Drool Master Rick and get in on the Humble Fax Network. + +Look for The Humble Review magazine comming soon to a BBS near you! + +Remember, you too can be either Humble Spittle, a Humble Slave, a +Humble Franchise, a THG Distribution site, or even possibly a member. +Contact us on Candyland, The Slave Den, or Downtown BBS if you are +interested! + +P.S. - The Humble Guys are ALWAYS looking for artists for their Intros! +If you have any artistic ability give one of our boards a call. + + + diff --git a/textfiles.com/piracy/HUMBLE/batman.nfo b/textfiles.com/piracy/HUMBLE/batman.nfo new file mode 100644 index 00000000..0c04389e --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/batman.nfo 
@@ -0,0 +1,137 @@ + + + + + + + + + + + + + + + + + + ͵Proudly PresentsĿ + -+- The Adventures of Batman and Robin -+- + + + + ͸ +Ŀ + +  RELEASE INFORMATION  + + + Ŀ + SuPPLiER : A God CRaCKeR : n/a + ReLeaSeD : 12/24/95 PaCKaGeR : Third Son... + LaNGuaGe : ENGLISH # of DiSCs : 24 + GRaPHiCs : [X] VGA [X] SVGA ENViRoNMeNT : [ ] MS-DOS [X] Win [X] Win95 + SouNDs : [X] Adlib [X] SB [X] SBPro [X] SB16 [X] PAS [X] Roland [X] GUS + RaTInGs : ۰ + + + + + ͸ +ڳ  RELEASE & INSTALLATION NOTES  +͵ + BLaDE presents " The Adventures of Batman and Robin " from Sound Source + Interactive! For two heroic crime Fighters, their job is never done. For + three colorful villians, there is nowhere to run! It's educational! It's + totally action packed! It's a totally interactive reading experience for + children five and up! + + Create a directory called BATMAN, place all the arj files in there and + the install.exe. Type INSTALL and you are ready to play in Windows. Only + the video was ripped. The game is installed so create a program group + in Windows. The program is setup for C: drive but adjust the .ini files + for a different drive. And most of all, HAVE FUN! + + + + Greets Go To: The Gecko - How are those " Strip Bars " anyway! :) + The Speed Racer - I think you should go for a Vette! + Pharaoh - Akira. THE fastest in the world! + DruidKin - The best on the iNET! + ZPat - I miss you man...!! + Sir Alf - Keep DruidKin in line will ya! + + And everybody who gets to sleep on a regular basis! + + + Groups + RAZOR 1911 - Others come and go... But Razor 1911 lives on! + PWA - THE best in Utilities! + RiSC - The ART of Trading! + + * Special Greets to all the Traders that Spread our warez * + + + + W E A R E + +  B L A D E R U N N E R S  + Ŀ + Ŀ + FOUNDING MEMBERS + +  ALiEN SoN  THiRD SoN  + ---- + + + Ŀ + Ŀ +  SENIOR MEMBERS  + + Gunga Fat. Captain Blood. Urick + and Toast + + + Ŀ + Ŀ + COURiER TEM +  Toast..... 
CC  + GuNGa FaT + Roast + IronEagle + Fortune + + ---- + + +  BLaDE RuNNeRS HEADQUARTERS SiTES Ŀ + + The ROCK THiRD SoN 6 NoDES ITSPRIVATE The WORLD HQ + BiG BoBBeRS ALiEN SoN 2 NoDES ITSPRIVATE The USA HQ + PRiVaTe CoLLeCTioN WiLDCHiLD 6 NoDES ITSPRIVATE DiSTRo SiTe + BLaCK OPiuM EViLiVe 2 NoDES ITSPRIVATE DiSTRo SiTe + + + + -- A little INFO -- + BLADE RUNNERS are looking for people dedicated to making the scene + the best it can be. This group is very well organized and is + looking for new members that will help the group in all areas. + Couriers are needed most. If you would like to apply for + a group that has it's SHIT together then give our Courier HQ + a Call and leave Feedback to The Wiz... + + Want to be a Site for BLADE?? sure not a problem.. We are accepting + sites but you must be willing to offer something to the group.. + Don't expect to sit back on your ass and just receive the warez. + If you can then contact the Courier HQ and let us know what you can + offer.. If not don't bother calling!! + + + Ŀ + If you liked this software then please BUY it.. If you didn't then + trash it. Support Software authors and warez that work!! + Blade Runners is NOT in any way compensated for their work. We do + it for fun. + + \ No newline at end of file diff --git a/textfiles.com/piracy/HUMBLE/batman2.nfo b/textfiles.com/piracy/HUMBLE/batman2.nfo new file mode 100644 index 00000000..68f7326c --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/batman2.nfo 
@@ -0,0 +1,61 @@ + Batman Returns + by Park Place Development + +ͻ + Protection Nothing Apparent + Graphics MCGA 320x200x256 + Controls Moose (?) + Sound Adlib/Sound Blaster + Supplier Expert +ͼ + +All I know is that it's really big. 17 megs installed. The sound sucks, +the graphics are decent, and I'll be damned if I can figure this fucker out. +Good luck. + + Greets to BAD: Nice Mag! Pie loved the GIF. + + [ Members ]Ŀ + Fabulous Furlough Starring in Deliverance II + The PiePersoN Sexual Deviate (right Bitch?) + The Mad Scientist Duplication Deterrent Removal Expert + JROK Protection Eradication Engineer + Eddie Haskel Sysop of SpamLand + BamBam Sysop of DownTown + Bryn Rogers Sysop of The Demon's Forge + Hi.T.Moonweed Sysop of The Flying Teapot + Sauron THG/fx crew + The Mustang Sysop of The Eclipse + Hydro PR Man! + Rawhide Protection Eradication Engineer + Expert |<-Rad d00d + Mad Marvin THG Doc-meister + Law and Order Party Copyright Infringement Specialist + + [ THG Peasants ]Ŀ + DeLiRiouS NoMaD President of the THG Fan Club + The Slavelord Official THG Virus Tester + + [ Member Boards ]Ŀ + The P.I.T.S. (5 Nodes) () - The PiePersoN + SpamLand (3 nodes) () - Eddie Haskel + DownTown (1 lousy node) +-- BamBam + The Demon's Forge + - Bryn Rogers + The Flying Teapot (2 Nodes) + - Hi.T.Moonweed + The Eclipse BBS (2 Nodes) () - The Mustang + Private Society () - Mad Marvin + + [ Distribution Sites ]Ŀ + Skull Isle () - Skoal Bandit + Concrete Sea () - Razor Face + The Real World () - Mack The Hack + Piper's Pit () - Rowdy Roddy Piper + Covert Society () - The Lizard + Big City Lights () - The Hook + Midnight Blues () - Bitch + The Arena () - Roman + Cloak -/\/- Dagger () - Surak + The Garden of Eden () - Excessive Freddie + Thunder BBS () - Thunder + + \ No newline at end of file diff --git a/textfiles.com/piracy/HUMBLE/bchess2.nfo b/textfiles.com/piracy/HUMBLE/bchess2.nfo new file mode 100644 index 00000000..c53e14f0 --- /dev/null 
+++ b/textfiles.com/piracy/HUMBLE/bchess2.nfo @@ -0,0 +1,56 @@ + Battle Chess 2: Chinese Chess + Broken by Fabulous Furlough + Supplied by Plato + Thanks for your Patience! + + +GRAPHICS:CGA/EGA/VGA/TDY +SOUND:Soundblaster/Adlib/PC +CONTROLS:Mouse/Keyboard/Joystick + +CRACKING NOTES: GOD! this was easy! go buy the original if you want to learn + to crack, this is the game! + + + + + +-----------------+ + |The Humble Boards| + +---------------------+-----------------+------------------------+ + |Candyland (615) 834-3333 Candyman | + |HMS Bounty (3 nodes) (215) 873-7287 Fletch | + |The Badlands (904) PRI-VATE Lowrider | + |The Slave Den (904) 376-1117 The Spamlord | + |Plato's Place (4 nodes) (618) 254-5263 Mr. Plato | + |The P.I.T.S. (718) THE-PITS The Pieman | + |The Crack in Time (201) 573-0449 Master Blaster | + |Edge of Insanity (206) 868-1435 The Shocker | + |Iron Fortress (508) 798-3363 Predator | + |SpamLand (508) 831-0131 Eddie Haskel | + |Fucked up (305) 227-4110 Bart Simpson | + |Ghost Shadow (213) 221-6861 Ghost Master | + |Elusive Dream (317) 452-1257 The Toyman | + |Final Frontier (602) 491-0703 Barimor | + |Tensiltown Rebellion (713) 453-2153 The Viper | + |The Wall (716) 691-5945 Pink Floyd | + |Black Ice (904) 377-1325 Chaos | + |Downtown +31-5750-29313 Bam Bam | + |Ice Castle +44 Private Ice Man | + +----------------------------------------------------------------+ + + +For an 8x10 glossy of your favorite Humble Guys member, send a self-addressed +stamped envelope to: + + The Humble Guys! The Humble Guys! + P.O.Box 24541 Post RESTANTE + Nashville, TN 37202 P. O. Box 99960 + 7200 NA + Zutphen Holland + +Send us anything that you deem appropriate. If you can supply us with games, +give us a call at any of the above listed boards. + +Also, Call The Humble Guys! Voice Mailbox - 615-664-1952, +Leave us a message, tell us what you think. + 
diff --git a/textfiles.com/piracy/HUMBLE/beasty.nfo b/textfiles.com/piracy/HUMBLE/beasty.nfo new file mode 100644 index 00000000..4e9650c2 --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/beasty.nfo 
@@ -0,0 +1,67 @@ + Altered Beasty Boy by Sega + Cracked by R. Bubba Magillicutty and Fabulous Furlough + +GRAPHICS: HGC/CGA/TDY/EGA/"VGA" +SOUND: IBM/TDY/Adlib +CONTROLS: Keyboard/Joystick +SPAM: Not tonight, you give me a head-ache. + +NOTES: + Press F1 from the title screen for a key quick-reference. The adlib +sounds just like the arcade game, except the lame "roar" when you change. + +CRACKING NOTES: + This one was interesting. A little different from the traditional +Sega protection, but not much. It has two methods - running from floppy uses +a traditional INT 13-based read, then runs part of the code it read in (or +just uses the info to tell it where to jump to.) If you install to a hard +drive, it modifies the root directory around the directory name where you +installed it. We forced it to think it was always on a hard drive. It also +checked to see if it was running from a directory right below the root dir. +It wouldn't let you run it in something below that, i.e. you couldn't install +it to \games\beasty. Now you can. You're welcome. + This was sort of a co-crack. Actually, we pretty much both did it +separately. Fabulous Furlough had it almost working but didn't know it when +he called me and gave it to me. He got it far enough to get a "FILE NOT +FOUND" error from LOAD. But it turned out that it always does that if you +don't let it get called by BEAST. I had more fun with it. I ran the ACCESS +thing which modifies your hard drive root dir. It refused to run under +Compaq DOS. Of course both computers here run Compaq DOS. So I booted up +with a floppy, cracked the ACCESS install program, and got it to run. That's +when I told FF that you can't just run LOAD. From there we both fixed it up +on our own, giving each other bad advice along the way to make cracking it +take longer. + + - RBM + +Greets from R. Bubba Magillicutty to Portashop! Thanks for the help! +Greets from Fabulous Furlough to Grey Ghost! Good job with Power Drift. 
+Greets from The Spamlord to Line Noise. Parlez-vous Francais? + + Ŀ + The Humble Boards + ľĿ + Candyland (615) 333-6561 + The Computer is Your Friend (415) 234-4588 + HMS Bounty (215) 873-7287 + HMS Bounty Line 2 (215) 873-8620 + The Badlands (904) PRI-VATE + The Slave Den (904) 376-1117 + Plato's Place node 1 - 14.4 (618) 254-5263 + The P.I.T.S. (718) 921-3107 + Edge of Insanity (206) 868-1435 + Iron Fortress (508) 798-3363 + The Theory (305) 628-0315 + Lala Land (508) 831-0131 + + +For an 8x10 glossy of your favorite Humble Guys member, send a self-addressed +stamped envelope to: + + The Humble Guys! + P.O.Box 24541 + Nashville, TN 37202 + +We're not getting enough hate mail in the P.O. Box! Please send us some +really nasty letters or we won't feel properly despised. The meanest one +will make it into the next NFO file. Have a nice day! diff --git a/textfiles.com/piracy/HUMBLE/benc.nfo b/textfiles.com/piracy/HUMBLE/benc.nfo new file mode 100644 index 00000000..e2850768 --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/benc.nfo 
@@ -0,0 +1,90 @@ + Bill Elliott's NASCAR Challenge + From Konami + + +Crack: Name this Track +Graphics: CGA/EGA/TDY/VGA +Controls: Joystick/Mouse/Keyboard +Sound: Regular/Unleaded/Premium + +Cracking/Game Notes: + + This looks like the INDY 500 of NASCAR Racing GREAT graphics. + The protection was exactly the same as Stunts, (Mainly because it + is the SAME type). It is kinda ironic, I spent a while today + looking through Stunts (I had no idea the protection was the same). + Anyway, they have tables of the Op codes that the program uses, and + they write out odd-ball code to get a byte from their file, and do a + calculation on it, and us that value to pull the byte out of the table + and put it in the program. Sounds easy enough right? Well, the + statement that they use to pull the byte out of the table is the part + that keeps me from byte-cracking this. It is something to the tune + of: MOV AX,[DX+BP+FE02]. And last but not least, the + calculations that they do to get the offset won't allow you to access + every byte. FUN FUN FUN! + + +The Humble Guys are: The Candyman, Fabulous Furlough, NightWriter, Magnetic +The Slavelord, Predator, Mr. Plato, Fletcher Christian, Lord Blix, Barimor, +The Viper, BamBam, Lord Zombie, The Guch, Eddie Haskel, Funakoshi, Wico +The Humble Sysop, Drool Master Rick, Jrok, Mr.M, Mace Mandella, Belgarion, +The Humble Babe and our HUMBLE leader, Gods Gift to the IBM! + + +-----------------+ + |The Humble Boards| + +---------------------+-----------------+------------------------+ +Members |Candyland (***) ***-**** The Candyman | + |The Slave Den (904) 376-1117 The Slavelord | + |HMS Bounty (2 nodes) (215) 873-7287 Fletch | + |The Humble Review (319) 372-5987 The Humble Sysop | + |Plato's Place (3 nodes) (618) 254-5263 Mr. 
Plato | + |Iron Fortress (508) 798-3363 Predator | + |SpamLand (508) 831-0131 Eddie Haskel | + Boards |Final Frontier (602) 491-0703 Barimor | + |DownTown 31-5750-29313 BamBam | + |TinselTown Rebellion (713) 453-2153 The Viper | + |Enterprize Elite (313) 427-8755 The Humble Babe | + |Festering Pit (206) 481-2728 Belgarion | + |----------------------------------------------------------------| +Dist. |The P.I.T.S. (2 Nodes) (718) 921-3107 The PieMaN | + | (718) PRI-VATE Don't U DARE Call! | + |Elusive Dream (317) 452-1257 The Toyman | + Sites |The Wall (716) PRI-VATE Pink Floyd | + |Twilight Zone (617) ???-???? Raistlin | + |The Ice Castle 47-PRI-VATE The Iceman | + |Black Ice BBS (904) 377-1325 Chaos | + |Paradise City (416) 479-9879 Mongolian Cannibal | + |Swindler's Stronghold (703) 722-6051 Loan $hark | + |Software Conspiracy (305) 235-4335 Sparrowhawk | + |The Fortress System I (914) 221-0035 The FREEZE | + |The Fortress System II (914) 227-6847 Mephistopheles | + +----------------------------------------------------------------+ + + +For an 8x10 glossy of your favorite Humble Guys member, send a self-addressed +stamped envelope to: + + The Humble Guys! The Humble Guys! + P.O.Box 24541 or post restante + Nashville, TN 37202 p.o. box 99960 + 7200 NA Zutphen Holland + + + +Send us any letters thanking us for being so incredibly great!! We know +you guys worship the ground we walk above, but it's good for you guys +to tell us. All letters will be posted on the LSDnet (tm) arts and letters +section! Please send any computer hardware you dont need! We can use it! +Especially modems and hard drives!! + +* Note * All Letter Bombs will be returned to sender. + +Call The Humble Guys Voice Mail Box! 615-664-1952! Leave us a message! + +Look for The Humble Review magazine comming soon to a BBS near you! + +Remember, you too can be either Humble Spittle, a Humble Slave, a +Humble Franchise, a THG Distribution site, or even possibly a member. 
+Contact us on Enterprize Elite if you are interested! + + diff --git a/textfiles.com/piracy/HUMBLE/billy.nfo b/textfiles.com/piracy/HUMBLE/billy.nfo new file mode 100644 index 00000000..2e350c57 --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/billy.nfo 
@@ -0,0 +1,91 @@ + The Legend of Billy the Kid + From Ocean Inc. + + +Cracked by: Belgarion, with prompting from Jrok +Supplier: George (Call his board: Darkstar +49-821-994227) +Crack: Simple Doc Check +Graphics: 16 Color VGA / ???? +Controls: Mouse / Keyboard +Sound: ALL + +Cracking/Game Notes: + + Jrok walked me through this on the phone, and I cracked it with PC + Tools. It was just a simple doc check, that popped up, when you go + to rob a bank. All files need to be copied into a directory called + x:\BILLY>. When you run the program, type "HUGE /i", and then + configure it accordingly. Each time you run the program, you'll + need to use "HUGE.EXE". It's in German, but it shouldn't be to hard + to figure out. We figured out that you need to go to Santa Fe, and + rob the bank. Have fun with it.... + + Belgarion + +The Humble Guys are: The Candyman, Fabulous Furlough, NightWriter, Magnetic +The Slavelord, Predator, Mr. Plato, Fletcher Christian, Lord Blix, Barimor, +The Viper, BamBam, Lord Zombie, The Guch, Eddie Haskel, Funakoshi, Wico +The Humble Sysop, Drool Master Rick, Jrok, Mr.M, Mace Mandella, Belgarion, +The Humble Babe and our HUMBLE leader, Gods Gift to the IBM! + + +-----------------+ + |The Humble Boards| + +---------------------+-----------------+------------------------+ +Members |Candyland (***) ***-**** The Candyman | + |The Slave Den (904) 376-1117 The Slavelord | + |HMS Bounty (2 nodes) (215) 873-7287 Fletch | + |The Humble Review (319) 372-5987 The Humble Sysop | + |Plato's Place (3 nodes) (618) 254-5263 Mr. Plato | + |Iron Fortress (508) 798-3363 Predator | + |SpamLand (508) 831-0131 Eddie Haskel | + Boards |Final Frontier (602) 491-0703 Barimor | + |DownTown 31-5750-29313 BamBam | + |TinselTown Rebellion (713) 453-2153 The Viper | + |Enterprize Elite (313) 442-7543 The Humble Babe | + *|Festering Pit (206) 481-2728 Belgarion | + +----------------------------------------------------------------+ +Dist. |The P.I.T.S. 
(2 Nodes) (718) 921-3107 The PieMaN | + | (718) PRI-VATE Don't U DARE Call! | + |Elusive Dream (317) 452-1257 The Toyman | + Sites |The Wall (716) PRI-VATE Pink Floyd | + |Twilight Zone (617) ???-???? Raistlin | + |The Ice Castle 47-PRI-VATE The Iceman | + |Black Ice BBS (904) 377-1325 Chaos | + |Paradise City (416) 479-9879 Mongolian Cannibal | + |Swindler's Stronghold (703) 722-6051 Loan $hark | + |Software Conspiracy (305) 235-4335 Sparrowhawk | + |The Phortress System I (914) 221-0035 The FREEZE | + |The Phortress System II (914) 227-6847 Mephistopheles | + |Access Denied! (313) 977-5880 Access | + |The Cove (317) 743-1168 Viper | + + ---------------------------------------------------------------+ + + +For an 8x10 glossy of your favorite Humble Guys member, send a self-addressed +stamped envelope to: + + The Humble Guys! The Humble Guys! + P.O.Box 24541 or Post Restante + Nashville, TN 37202 p.o. box 99960 + 7200 NA Zutphen Holland + + + +Send us any letters thanking us for being so incredibly great!! We know +you guys worship the ground we walk above, but it's good for you guys +to tell us. All letters will be posted on the LSDnet (tm) arts and letters +section! Please send any computer hardware you don't need! We can use it! +Especially modems and hard drives!! + +* Note * All Letter Bombs will be returned to sender. + +Call The Humble Guys Voice Mail Box! 615-664-1952! Leave us a message! + +Look for The Humble Review magazine coming soon to a BBS near you! + +Remember, you too can be either Humble Spittle, a Humble Slave, a +Humble Franchise, a THG Distribution site, or even possibly a member. +Contact us on Enterprize Elite if you are interested! + +Also, Call the Humble 900 number - 1-900-535-4200 ext. 780 +NOTE! $2.00 per minute. diff --git a/textfiles.com/piracy/HUMBLE/blades.nfo b/textfiles.com/piracy/HUMBLE/blades.nfo new file mode 100644 index 00000000..ca4d9f8c --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/blades.nfo 
@@ -0,0 +1,64 @@ + Legend of Arkania: Blades of Destiny + From US Gold + +ͻ + Protection Doc-Check + Cracked by Shoes + Graphics VGA 256k. + Controls Rodent + Sound Honker/Soundblaster + Supplier Uk's Finest! +ͼ + +Ok to install this you have to unzip with volume labels (-$) and then +install from floppy. Then copy the cracked SCHICKM.EXE from Blades-1.zip +over the installed one. + +This is the English version of Das Schartz Auge. The English version is +being distributed by US Gold and they havent changed the name in the +game or the Intro yet. However the actual game itself is 100% English +and not a eta. + +Many Thanx to Shoes and The Druid for helping me get this sucker +cracked. + + - Hi.T. + + [ Members ]Ŀ + Fabulous Furlough Thinks he's retired + The PieMaN Sysop of The P.I.T.S. + The Mad Scientist Protection Eradication Engineer + JROK Protection Eradication Engineer + Night Writer THG Member! + Eddie Haskel Sysop of SpamLand + BamBam Sysop of DownTown + Barimor Sysop of The Final Frontier + The Iceman Sysop of The Ice Castle + Bryn Rogers Sysop of The Demon's Forge + Hi.T.Moonweed Sysop of The Flying Teapot + Sauron THG/fx crew + Lord Zombie THG/fx crew + The Mustang Sysop of The Eclipse + Hydro THG Member! + + [ Member Boards ]Ŀ + SpamLand (3 nodes) (XXX) XXX-XXXX Eddie Haskel + The P.I.T.S. 
(5 Nodes) (XXX) XXX-XXXX The PieMaN + DownTown +XX-XXXX-XXXXX BamBam + The Final Frontier (XXX) XXX-XXXX Barimor + The Ice Castle +XX XXX-XXXX The Iceman + The Demon's Forge +XX XXX-XXXXX Bryn Rogers + The Flying Teapot (2 Nodes) +XX XXX-XXXXXX Hi.T.Moonweed + The Eclipse BBS (2 Nodes) () - The Mustang + + [ Distribution Sites ]Ŀ + Skull Isle (XXX) XXX-XXXX Skoal Bandit + Concrete Sea (XXX) XXX-XXXX Razor Face + The Real World (XXX) - Mack The Hack + Piper's Pit (XXX) - Rowdy Roddy Piper + Covert Society (XXX) XXX-XXXX The Lizard + Private Society (XXX) XXX-XXXX Mad Marvin + + +If you need to reach any of these fine THG boards, and are presently part of +the community, you will already know how to do this. diff --git a/textfiles.com/piracy/HUMBLE/bladewar.nfo b/textfiles.com/piracy/HUMBLE/bladewar.nfo new file mode 100644 index 00000000..4f5f1f2b --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/bladewar.nfo 
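Review bot: The frame characters around the Protection/Cracked-by box and the Members and Member Boards headings in this hunk ('ͻ', 'ͼ', 'Ŀ') are CP437 box-drawing bytes that were decoded as a different charset before the file was staged, so the art will not render and the stored text no longer matches the original NFO. Commit the raw bytes instead, either by marking `*.nfo binary` in .gitattributes or by setting `working-tree-encoding=cp437` for this path, and re-add the file from the unconverted source. The same damage shows in the later bodyblow.nfo, checkit.nfo and commanch.nfo hunks, whose logo lines come through as runs like 'ܰ߱۲'.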
@@ -0,0 +1,77 @@ + Blade Warrior + From ImageWorks + Broken by JROK + + + +GRAPHICS:CGA/EGA/VGA - 256 color/Tandy +CONTROLS:Keyboard/Mouse/Joystick +SOUND:Maybe +CRACK:A standard Rob Nothern Copylock PC - simple really + + + The Humble Guys are: + + The Candyman, Fabulous Furlough, NightWriter, + The Slavelord, Predator, Mr. Plato, Fletcher Christian, + Lord Blix, Barimor, The Viper, BamBam, Lord Zombie, The Guch, + Eddie Haskel, BigBobRob, Funakashi, The Humble Sysop, Drool Master Rick, + Jrok, Mr. M and God's Gift to the IBM, Mace Mandella + + Ŀ + The Members Boards and Humble Distribution Sites + Ĵ +HOME BOARD-Candyland (615) 834-3333 The Candyman + The Slave Den (904) 376-1117 The Slavelord + HMS Bounty (215) 873-7287 Fletch + Plato's Place (618) 254-5263 Mr. Plato + Iron Fortress (508) 798-3363 Predator + SpamLand (508) 831-0131 Eddie Haskel + Final Frontier (602) 491-0703 Barimor + DownTown 31-5750-29313 BamBam + TinselTown Rebellion (713) 453-2153 The Viper + The Humble Review (319) 372-5987 The Humble Sysop + The Drool Bucket (615) 331-9782 Drool Master Rick + Ĵ + The Badlands (904) PRI-VATE Lowrider + The P.I.T.S. (718) THE-PITS The Pieman + Elusive Dream (317) 452-1257 The Toyman + The Wall (716) PRI-VATE Pink Panther + Twilight Zone (617) 288-2597 Raistlin + The Ice Castle 47-PRI-VATE The Iceman + Black Ice BBS (904) 377-1325 Chaos + Elm Street BBS (214) 407-1801 Freddy Krueger + + +For an 8x10 glossy of your favorite Humble Guys member, send a self-addressed +stamped envelope to: + + The Humble Guys! The Humble Guys! + P.O.Box 24541 or post restante + Nashville, TN 37202 p.o. box 99960 + 7200 NA Zutphen Holland + +Send us your hate mail! We LOVE to get your hate mail! All hate mail sent +to the P.O. Box will be sent out on the LSDNet (tm) THG Arts and Letters +Section! + +* Note * All Letter Bombs will be returned to sender. + +Call The Humble Guys Voice Mail Box! 615-664-1952! Leave us a message! 
+ +If you have a fax, and want the docs for your latest game, contact +Drool Master Rick and get in on the Humble Fax Network. + +Look for The Humble Review magazine comming soon to a BBS near you! + +Remember, you too can be either Humble Spittle, a Humble Slave, a +Humble Franchise, a THG Distribution site, or even possibly a member. +Contact us on Candyland, The Slave Den, or Downtown BBS if you are +interested! + +P.S. - The Humble Guys are ALWAYS looking for artists for their Intros! +If you have any artistic ability give one of our boards a call. + + + + \ No newline at end of file diff --git a/textfiles.com/piracy/HUMBLE/blitz.nfo b/textfiles.com/piracy/HUMBLE/blitz.nfo new file mode 100644 index 00000000..eff90630 --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/blitz.nfo 
@@ -0,0 +1,55 @@ + BlitzKreig in the Ardeness + (Or Something Like That..) + + +GRAPHICS:CGA/EGA/VGA +SOUND:The Ultra Hi-Fi IBM PC Honker +CONTROLS:Keyboard/Mouse(Highly Recommended) + +CRACKING NOTES:Don't know what to say about this one really. The only reason + it was cracked and released is because no one has seen it + on the boards. This game looks like a project that was never + finished. Its got file dates from 1986 in there, and file + dates as late as May or June 1990. 4 years to finish a game.. + (And not an excellent one at that..) + Anyhow, it HAD a doc check in the beginning, and it has been + completely removed. Enjoy it if you wish.. + Oh, and read the README.DOC if you have any other questions. + We have no DOCS for the game, so don't expect any.. + + + + +-----------------+ + |The Humble Boards| + +---------------------+-----------------+------------------------+ + |Candyland (615) 834-3333 Candyman | + |HMS Bounty (215) 873-7287 Fletch | + |HMS Bounty Line 2 (215) 873-8620 Still Fletch | + |The Badlands (904) PRI-VATE Lowrider | + |The Slave Den (904) 376-1117 The Spamlord | + |Plato's Place (3 nodes) (618) 254-5263 Mr. Plato | + |The P.I.T.S. (718) THE-PITS The Pieman | + |The Crack in Time (201) 573-0449 Master Blaster | + |Edge of Insanity (206) 868-1435 The Shocker | + |Iron Fortress (508) 798-3363 Predator | + |SpamLand (508) 831-0131 Eddie Haskel | + |Fucked up (305) 227-4110 Bart Simpson | + |Ghost Shadow (213) 221-6861 Ghost Master | + |Elusive Dream (317) 452-1257 The Toyman | + |Final Frontier (602) 491-0703 Barimor | + |TinselTown Rebellion (713) 453-2153 The Viper | + |The Wall (716) 691-5945 Pink Floyd | + +----------------------------------------------------------------+ + + +For an 8x10 glossy of your favorite Humble Guys member, send a self-addressed +stamped envelope to: + + The Humble Guys! + P.O.Box 24541 + Nashville, TN 37202 + +Send us anything that you deem appropriate. 
If you can supply us with games, +give us a call at any of the above listed boards. + + \ No newline at end of file diff --git a/textfiles.com/piracy/HUMBLE/blow.nfo b/textfiles.com/piracy/HUMBLE/blow.nfo new file mode 100644 index 00000000..2a2c4c62 --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/blow.nfo 
@@ -0,0 +1,103 @@ + + + + + + + + + + + ViG/U + + + + \/\ Yet another fine Release from The Humble Team! /\/ + + 'LOW BLOW ][ by ELECTRONIC ARTS' + +ͻ + Protection Bogus DOC Check + Graphics VGA + Controls Moose Required! + Sound Adlib/Sound Blaster/Roland + Supplier THE GRIM REAPER +ͼ + + OK Dude, A Nice Boxing Arcade Game with VGA graphics and ADLIB Sound.. + Give it a try.. The Doc check is fake...This is the Second part of + Low Blow I.. + + + [ Members ]Ŀ + Fabulous Furlough Starring in Deliverance II + The PiePersoN Sexual Deviate (right Bitch?) + The Mad Scientist Duplication Deterrent Removal Expert + JROK Protection Eradication Engineer + Eddie Haskel Sysop of SpamLand + BamBam Sysop of DownTown + Bryn Rogers Wheres My Walking Frame? + Hi.T.Moonweed Sysop of The Flying Teapot + Sauron THG/fx crew + The Mustang Sysop of The Eclipse + XXXXX Hidden + Rawhide Protection Eradication Engineer + Expert |<-Rad d00d + Mad Marvin THG Doc-meister + Law and Order Party Copyright Infringement Specialist + + [ THG Peasants ]Ŀ + DeLiriouS NomaD Catering The Pie Fest '93 + The Slavelord Official THG Virus Tester + Led THG Courier Peasant #2 + StormTrooper THG Courier Peasant #3 + Dreamscape THG (Over Weight) Courier Peasant #4 + Skol! THG Courier Peasant #5 + + [ Member Boards ]Ŀ + The P.I.T.S. 
(5 Nodes) () - The PiePersoN + SpamLand (3 nodes) () - Eddie Haskel + DownTown (1 lousy node) +-- BamBam + The Flying Teapot (2 Nodes) + - Hi.T.Moonweed + The Eclipse BBS (2 Nodes) () - The Mustang + Private Society () - Mad Marvin + + [ Distribution Sites ]Ŀ + Skull Isle () - Skoal Bandit + Concrete Sea () - Razor Face + The Real World () - Mack The Hack + Piper's Pit (2Nodes) () - Rowdy Roddy Piper + Covert Society () - The Lizard + Big City Lights () - The Hook + Midnight Blues (2Nodes) () - Bitch + The Arena () - Roman + Cloak -/\/- Dagger () - Surak + The Garden of Eden () - Excessive Freddie + C.C.S BBS () - Thunder + The Boxer Rebellion () - The Boxer + Cyberspace (2Nodes) () - Fearless Leader + + + + + + + + + + + + + + + + + + + +Ŀ + This file was distributed via The Lexicon of the Cabal / The Lexicon CAE + + + + \ No newline at end of file diff --git a/textfiles.com/piracy/HUMBLE/bodyblow.nfo b/textfiles.com/piracy/HUMBLE/bodyblow.nfo new file mode 100644 index 00000000..b38b1749 --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/bodyblow.nfo 
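Review bot: The opening run of empty `+` lines (with only a stray 'ViG/U' left) and the long run of empty lines before the "distributed via The Lexicon of the Cabal" footer are what remains of an ANSI logo after its non-ASCII bytes were dropped, and the diff gives no sign that anything was lost. Either re-add blow.nfo from the original bytes or state in the commit message that the art was stripped deliberately, so a later reader does not take the blank runs for the source.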
@@ -0,0 +1,125 @@ + + + ܰ߱۲ + ܰ߰߰ + ߲ܰ߰ ߲ܰ + ߲ ܰ ܲܰ + ߲۲ ߱ ܰ + ߱ ܰ߰ ߰ + ߲ ߲۰ ߲ ߲ + ۲ ߲ ۱ ۲ ۱ + ۰ ߲۲ ۲ ߲۲ ۲ Slum + + + + + + + Yet another fine Release from The Humble Team! + + ͵ Body Blows From Team 17 Software + + + ͻ + Protection Doc Check.. + Graphics VGA + Controls Joystick/Keys + Sound SB/Adlib + Supplier Uk's Finest + ͼ + + Well youve probably seen the demo for this floating around.. but heres + the final version.. Team 17's first game for the PC and its pretty sweet + about the best SF2 type beat em up seen so far on the PC.. Pretty much + similar to the Amiga version except you can have a max of 8 players on this + version compared to the Amiga.. + + Once the game has installed copy the enclosed BB.EXE over the top of the + original one... + + After Installing the game its probably an idea to reboot before trying to + play the dam thing as it insisted on corrupting the graphics when i tried + it on my machine off the original... + + Many thanks for Fab for doing such a quick job on this, looks the average + is safe still heh.. + + - Hi.T. + + + + + Ŀ + Fabulous Furlough Busy Playing Nintendo + The PiePersoN Beats Little Kittens With Sticks + JROK Protection Eradication Engineer + Eddie Haskel Sysop of SpamLand + BamBam Fucked Pebbles Up The Ass + Bryn Rogers Lost his false Teeth + Hi.T.Moonweed Doing all the hard work + The Mustang Inside Sweet Thing?? + Hydro Creaming his Courgette + Rawhide Having fun with his Au pair girl + The Witch King Hates Ugly PCboards + Gangsta Rok THG (Lack Of) Public Relations + Law and Order Party Deep (Throat) KGB Agent + Joebee Turned Down For Moped Rental + Delerious Nomad THG Janitorial Towel Washer + Beast Doing all the hard work + MickySoft SysOp of The Final Frontier + + + + + + + Ŀ + X TASE & RALPH (Supreme Spreaders!) 
+ Shocker - Untouchable - Bullwinkle - Mellow Man + Forced Entry - Stormtrooper - Mother Turtle - Specs + Hurricane - Red Alert - Lion Heart + + + + + + Ŀ + -+- In The United States Of America -+- + Ĵ + The P.I.T.S. (6 Nodes) () - The PieMan + SpamLand (3 nodes) () - Eddie Haskel + The Eclipse (3 Nodes) () - The Mustang + Final Frontier (4 Nodes) () - MickySoft + R.I.O.T. Control () - Gangsta Rok + The Dwelling (2 Nodes) () - Delerious Nomad + Ĵ + -+- In Europe And Beyond! -+- + Ĵ + The Flying Teapot (2 Nodes) +-- Hi.T.Moonweed + Arcadia (4 Nodes) +-- Beast + DownTown (3 nodes) +-- BamBam + No Name BBS (2 Nodes) + - OFF-LINE Pablo + + + + + + Ŀ + Skull Isle () - Skoal Bandit + Concrete Sea () - Razor Face + The Real World () - Mack The Hack + Piper's Pit (2 Nodes) () - Rowdy Roddy Piper + Covert Society () - The Lizard + Big City Lights () - The Hook + Midnight Blues (2 Nodes) () - Bitch + The Arena () - Roman + The Garden of Delight +-- Excessive Freddie + Thunder BBS () - Thunder + The Boxer Rebellion () - The Boxer + Cyberwars (2 Nodes) () - Fearless Leader + Mode 1o1 () - The Prof. + Carnage + - - Illicit Trader + Horror House + - - Thunder Droid + + + "We're So Glad we're better than you!" - THG'93! diff --git a/textfiles.com/piracy/HUMBLE/btechii.nfo b/textfiles.com/piracy/HUMBLE/btechii.nfo new file mode 100644 index 00000000..0525ca6b --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/btechii.nfo 
@@ -0,0 +1,56 @@ + Battle Tech II: Crescents Revenge + +Cracking Notes:No Crack Needed +Graphics:You name it, we got it. +Sound:IBM, Adlib, Roland, Covox, Sound Bastard, etc.. + + This is the long awaited Battle Tech II. Yes, not only do we own europe, + but we DO own U.S.A. too. + + Political Bullshit, PE I dont know what you're talking about with this + SlaveBeg.TXT shit, but if you REALLY think I would quit THG, + then dream on.. + + Greets to The Humble Bitch and Backdoor Bandit, you guys do a hell of a + job in making INC look so bad that they won't be around much longer. + Thanks guys! + + More Greets to: Lord Zmobie, Barimor, The Viperdude, Candyman, + The Mad Scientist. + + A Big Humble Guys Yahoo goes out to Lord Blix for his invaluable work + and help in this past week. + + +-----------------+ + |The Humble Boards| + +---------------------+-----------------+------------------------+ + * |Candyland (615) 834-3333 Candyman | + * |HMS Bounty (215) 873-7287 Fletch | + |The Badlands (904) PRI-VATE Lowrider | + * |The Slave Den (904) 376-1117 The Spamlord | + |Plato's Place (3 nodes) (618) 254-5263 Mr. Plato | + |The P.I.T.S. (718) THE-PITS The Pieman | + * |Iron Fortress (508) 798-3363 Predator | + * |SpamLand (508) 831-0131 Eddie Haskel | + |Elusive Dream (317) 452-1257 The Toyman | + * |Final Frontier (602) 491-0703 Barimor | + |LakeSide Park (203) 929-7437 Mr. Xerox | + |The Wall (716) PRI-VATE Pink Panther (heh) | + * |Tinseltown Rebellion (713) 453-2153 The Viper | + |Twilight Zone (617) ???-???? Raistlin (Another 1)| + * |DownTown 31-5750-29313 BamBam | + |The Ice Castle 47-PRI-VATE The Iceman | + |Black Ice BBS (904) 377-1325 Chaos | + +----------------------------------------------------------------+ + '*' denotes this THG board is run by a REAL Humble Guy. + +For an 8x10 glossy of your favorite Humble Guys member, send a self-addressed +stamped envelope to: + + The Humble Guys! 
+ P.O.Box 24541 + Nashville, TN 37202 + +Send us anything that you deem appropriate. If you can supply us with games, +give us a call at any of the above listed boards. + \ No newline at end of file diff --git a/textfiles.com/piracy/HUMBLE/bubble.nfo b/textfiles.com/piracy/HUMBLE/bubble.nfo new file mode 100644 index 00000000..193177a1 --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/bubble.nfo @@ -0,0 +1,20 @@ +Bubble Bobble by Nova Logic Through Taito + +Broken by Fabulous Furlough + +Normal Taito Loader - 5 minutes + +Greets to: INC, NYC, Petra, PTL (where are you Guys??), PSI, FiRM + +A Big Yahoo goes out to Nikademus! + +Call These: + + Candyland - 615-333-6561 + Tye Dye Control Central - 615-XXX-XXXX <- Moving + Ozone BBS - 313-689-2876 + +Call The Humble Guys! Voice Mailbox - 615-664-1952 + +For an 8X10 Glossy of your Favorite Humble Guys Memeber, Send a Self Addressed +Stamped Envelope to The Humble Guys! P.O.Box 24541 Nashville, TN 37202 \ No newline at end of file diff --git a/textfiles.com/piracy/HUMBLE/califor2.nfo b/textfiles.com/piracy/HUMBLE/califor2.nfo new file mode 100644 index 00000000..5878bb8c --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/califor2.nfo 
@@ -0,0 +1,75 @@ + California Games 2 + EPYX Software (Therrrrre Baaaaaack!) + + +Crack: Simple Tie-Dye Protection +Graphics: CGA/EGA/VGA/MCGA/TDY +Controls: Everything +Sound: Adlib Available? - this is what the package Says + +Cracking/Game Notes: + + Pretty Simple crack Really, 2.5 K of Confusion code + 3 lines to change to crack it. + + +The Humble Guys are: The Candyman, Fabulous Furlough, NightWriter, Wico +The Slavelord, Predator, Mr. Plato, Fletcher Christian, Lord Blix, Barimor, +The Viper, BamBam, Lord Zombie, The Guch, BigBobRob, Eddie Haskel, Funakashi, +The Humble Sysop, Drool Master Rick, Jrok, Mr.M, Mace Mandela, Belgarion,and +our HUMBLE leader, Gods Gift to the IBM! + + +-----------------+ + |The Humble Boards| + +---------------------+-----------------+------------------------+ +Members |Candyland (***) ***-**** The Candyman | + |The Slave Den (904) 376-1117 The Slavelord | + |HMS Bounty (215) 873-7287 Fletch | + |The Humble Review (319) 372-5987 The Humble Sysop | + |Plato's Place (3 nodes) (618) 254-5263 Mr. Plato | + |Iron Fortress (508) 798-3363 Predator | + |SpamLand (508) 831-0131 Eddie Haskel | + Boards |Final Frontier (602) 491-0703 Barimor | + |DownTown 31-5750-29313 BamBam | + |TinsleTown Rebellion (713) 453-2153 The Viper | + |----------------------------------------------------------------| +Dist. |The Badlands (904) PRI-VATE Lowrider | + |The P.I.T.S. (2 Nodes) (718) THE-PITS The PieMaN | + |Elusive Dream (317) 452-1257 The Toyman | + Sites |The Wall (716) PRI-VATE Pink Panther (heh) | + |Twilight Zone (617) ???-???? 
Raistlin (Another 1)| + |The Ice Castle 47-PRI-VATE The Iceman | + |Black Ice BBS (904) 377-1325 Chaos | + |Enterprize Elite (313) 427-8755 Static | + |Paradise City (416) 479-9879 Mongolian Cannibal | + |Gangzterz Paradize 46-313-041-42 Wico | + +----------------------------------------------------------------+ + + +For an 8x10 glossy of your favorite Humble Guys member, send a self-addressed +stamped envelope to: + + The Humble Guys! The Humble Guys! + P.O.Box 24541 or post restante + Nashville, TN 37202 p.o. box 99960 + 7200 NA Zutphen Holland + + + +Send us any letters thanking us for being so incredibly great!! We know +you guys worship the ground we walk above, but it's good for you guys +to tell us. All letters will be posted on the LSDnet (tm) arts and letters +section! Please send any computer hardware you dont need! We can use it! +Especially modems and hard drives!! + +* Note * All Letter Bombs will be returned to sender. + +Call The Humble Guys Voice Mail Box! 615-664-1952! Leave us a message! + +Look for The Humble Review magazine comming soon to a BBS near you! + +Remember, you too can be either Humble Spittle, a Humble Slave, a +Humble Franchise, a THG Distribution site, or even possibly a member. +Contact us on Candyland, The Slave Den, or Downtown BBS if you are +interested! + diff --git a/textfiles.com/piracy/HUMBLE/ceasar.nfo b/textfiles.com/piracy/HUMBLE/ceasar.nfo new file mode 100644 index 00000000..08216d72 --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/ceasar.nfo 
@@ -0,0 +1,52 @@ + Ceasar's Palace + Supplied by THE HUMBLE GUYS! + With Special Help from The Blademan + + +GRAPHICS: CGA/EGA +SOUND: hooter +CONTROLS: fingers + +CRACKING NOTES: what crack? if it ain't broke, don't fix it. + +GREETS TO: nobody. this is a half-assed casino game thing that's not + worth saying hello in. + + + +-----------------+ + |The Humble Boards| + +---------------------+-----------------+------------------------+ + |Candyland (615) 834-3333 Candyman | + |HMS Bounty (3 nodes) (215) 873-7287 Fletch | + |The Badlands (904) PRI-VATE Lowrider | + |The Slave Den (904) 376-1117 The Spamlord | + |Plato's Place (4 nodes) (618) 254-5263 Mr. Plato | + |The P.I.T.S. (718) THE-PITS The PieMaN | + |Iron Fortress (508) 798-3363 Predator | + |SpamLand (508) 831-0131 Eddie Haskel | + |Elusive Dream (317) 452-1257 The Toyman | + |Final Frontier (602) 491-0703 Barimor | + |Tonsiltown Rebellion (713) 453-2153 The Viper | + |The Wall (716) 691-5945 Pink Floyd | + |Black Ice (904) 377-1325 Chaos | + |Downtown +31-5750-29313 Bam Bam | + |The Ice Castle +47 Private The Ice Man | + +----------------------------------------------------------------+ + + +For an 8x10 glossy of your favorite Humble Guys member, send a self-addressed +stamped envelope to: + + The Humble Guys! The Humble Guys! + P.O.Box 24541 Post RESTANTE + Nashville, TN 37202 P. O. Box 99960 + 7200 NA + Zutphen Holland + +Send us anything that you deem appropriate. If you can supply us with games, +give us a call at any of the above listed boards. + +Also, Call The Humble Guys! Voice Mailbox - 615-664-1952, +Leave us a message, tell us what you think. + + diff --git a/textfiles.com/piracy/HUMBLE/checkit.nfo b/textfiles.com/piracy/HUMBLE/checkit.nfo new file mode 100644 index 00000000..60b459ef --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/checkit.nfo 
@@ -0,0 +1,113 @@ + + + ܰ߱۲ + ܰ߰߰ + ߲ܰ߰ ߲ܰ + ߲ ܰ ܲܰ + ߲۲ ߱ ܰ + ߱ ܰ߰ ߰ + ߲ ߲۰ ߲ ߲ + ۲ ߲ ۱ ۲ ۱ + ۰ ߲۲ ۲ ߲۲ ۲ Slum + + + + + + + Yet another fine Release from The Humble Team! + + Checkit Pro + + ͻ + Protection Serial Numba + Graphics VGA + Controls Moose, Keyboard + Sound Honker + Deprotected General Lee + Supplier ????????????? + Rating 1-10 [10] Nice Compi Tester + All Ratings are done on a 486-33 + ͼ + +Cracking Notes: + + I just removed the SNR, the stuff should run in every directory ! + General Lee + + +Greets to : The PiePersoN, and Bryn Rogers .. also I would like to greet +our new members Witch King, Joebee,Gangsta RoK..welcome to THG! + +The Piefest was Great! for all you that missed it maybe next year.. DN + + + + + + Ŀ + Fabulous Furlough Starring in Deliverance II + The PiePersoN Sexual Deviate (right Bitch?) + The Mad Scientist Duplication Deterrent Removal Expert + JROK Protection Eradication Engineer + Eddie Haskel Sysop of SpamLand + BamBam Sysop of DownTown + Bryn Rogers Wearing Rubber Underwear. + Hi.T.Moonweed Sysop of The Flying Teapot. + The Mustang Sysop of The Eclipse + Hydro Doing the Five-knuckle Shuffle. + The Witch King The THG FrockMaster + Rawhide Protection Eradication Engineer + Expert /<-Rad d00d + Mad Marvin THG Doc-meister + Law and Order Party Copyright Infringement Specialist + General Lee Duplication Deterrent Removal Expert + Gangsta RoK THG Frockette + Joebee Can't find his car!! Missing the key? + + + + + + Ŀ + DeLirious NomaD Master of Peasants! this week + The Slavelord Official THG Virus Tester + Led THG Courier Peasant #2 + Stormtrooper THG Courier Peasant #3 + Dreamscape THG Courier Peasant #4 + Skol! THG Courier Peasant #5 + Shocker THG Courier Peasant #6 + X TASE/TRiAD THG Courier Peasant #7 + + + + + + Ŀ + The P.I.T.S. 
(5 Nodes) () - The PiePersoN + SpamLand (3 nodes) () - Eddie Haskel + DownTown (3 nodes) +-- BamBam + The Flying Teapot (2 Nodes) + - Hi.T.Moonweed + Private Society () - Mad Marvin + + + + + + Ŀ + Skull Isle () - Skoal Bandit + Concrete Sea () - Razor Face + The Real World () - Mack The Hack + Piper's Pit (2Nodes) () - Rowdy Roddy Piper + Covert Society () - The Lizard + Big City Lights () - The Hook + Midnight Blues (2Nodes) () - Bitch + The Arena () - Roman + Cloak -/\/- Dagger () - Surak + The Garden of Eden +-- Excessive Freddie + Thunder BBS () - Thunder + The Boxer Rebellion () - The Boxer + Cyberwars (2Nodes) () - Fearless Leader + + + Have a Nice day:) diff --git a/textfiles.com/piracy/HUMBLE/combat.nfo b/textfiles.com/piracy/HUMBLE/combat.nfo new file mode 100644 index 00000000..5d1cac6f --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/combat.nfo 
@@ -0,0 +1,95 @@ + Operation ComBat + From Merit Software + + +Cracking: Simple Doc check, Made EXTREMELY clean in 10 minutes. +Graphics: CGA/EGA/Tandy +Controls: Mouse/Keyboard +Sound: You Tell ME! + +Cracking/Game Notes: VERY Simple doc check, the reason it took 10 minutes was +that I ate some Great Chinese Food from Across the street. +"Five Flavor Chicken With a GREAT Egg roll, and Won Ton Soup".. YUM!! +This game was out on the AMIGA an eternity ago, (The crack was lousy though). +Well, here it is, you can play it over the modem, I know there are folks out +there looking for anything that works over the modem.. + +Greets: +Some quick greetz go to the Crew at That GREAT Chinese Place, the GREATEST +suppliers on the face of the Earth! + + +The Humble Guys are: The Candyman, Fabulous Furlough, NightWriter, Magnetic +The Slavelord, Predator, Mr. Plato, Fletcher Christian, Lord Blix, Barimor, +The Viper, BamBam, Lord Zombie, The Guch, Eddie Haskel, Funakoshi, Wico, +The Humble Sysop, Drool Master Rick, JROK, Mr.M, Mace Mandella, Belgarion, +The Humble Babe, Harry Lime, Black Plague and our HUMBLE leader, Gods +Gift to the IBM ! + + +-----------------+ + |The Humble Boards| + +---------------------+-----------------+------------------------+ +Members |Candyland (***) ***-**** The Candyman | + |The Slave Den (904) 376-1117 The Slavelord | + |HMS Bounty (2 nodes) (215) 873-7287 Fletch | + |The Humble Review (319) 372-5987 The Humble Sysop | + |Plato's Place (3 nodes) (618) 254-5263 Mr. Plato | + |Iron Fortress (508) 798-5492 Predator | + |SpamLand (508) 831-0131 Eddie Haskel | + Boards |Final Frontier (602) 491-0703 Barimor | + |DownTown 31-5750-29313 BamBam | + |TinselTown Rebellion (713) 453-2153 The Viper | + |Enterprize Elite (313) 442-7543 The Humble Babe | + |Festering Pit (206) 481-2728 Belgarion | + |Inner Circle +46-31-304142 Wico | + |The Inferno (416) 841-1933 Black Plague | + +----------------------------------------------------------------+ +Dist. 
|The P.I.T.S. (3 Nodes) (718) THE-PITS The PieMaN | + | (718) PRI-VATE Don't U DARE Call! | + |Elusive Dream (317) 452-1257 The Toyman | + Sites |The Wall (716) PRI-VATE Pink Floyd | + |Twilight Zone (617) ???-???? Raistlin | + |The Ice Castle (+47) PRI-VATE The Iceman | + |Black Ice BBS (904) 377-1325 Chaos | + |Paradise City (416) 479-9879 Mongolian Cannibal | + |Swindler's Stronghold (703) 722-6051 Loan $hark | + |Software Conspiracy (305) 235-4335 Sparrowhawk | + |The Phortress System I (914) 221-0035 The FREEZE | + |The Phortress System II (914) 227-6847 Mephistopheles | + |Access Denied! (313) 977-5880 Access | + |The Cove (317) 743-1168 Viper | + |BBS a Holic (213) PRI-VATE Genesis | + |Dark Data Security (+39) 2 29519751 Tom Cat | + |Maximum Security (408) 867-5139 The Warden | + +----------------------------------------------------------------+ + + +For an 8x10 glossy of your favorite Humble Guys member, send a self-addressed +stamped envelope to: + + The Humble Guys! The Humble Guys! + P.O.Box 24541 or Post Restante + Nashville, TN 37202 p.o. box 99960 + 7200 NA Zutphen Holland + + + +Send us any letters thanking us for being so incredibly great!! We know +you guys worship the ground we walk above, but it's good for you guys +to tell us. All letters will be posted on the LSDnet (tm) arts and letters +section! Please send any computer hardware you don't need! We can use it! +Especially modems and hard drives!! + +* Note * All Letter Bombs will be returned to sender. + +Call The Humble Guys Voice Mail Box! 615-664-1952! Leave us a message! + +Look for The Humble Review magazine coming soon to a BBS near you! + +Remember, you too can be either Humble Spittle, a Humble Slave, a +Humble Franchise, a THG Distribution site, or even possibly a member. +Contact us on Enterprize Elite if you are interested! + +Also, Call the Humble 900 number - 1-900-535-4200 ext. 780 +NOTE! $2.00 per minute. Updated EVERY Monday Morning!! + 
diff --git a/textfiles.com/piracy/HUMBLE/commanch.nfo b/textfiles.com/piracy/HUMBLE/commanch.nfo new file mode 100644 index 00000000..302cc271 --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/commanch.nfo 
@@ -0,0 +1,126 @@ + + + ܰ߱۲ + ܰ߰߰ + ߲ܰ߰ ߲ܰ + ߲ ܰ ܲܰ + ߲۲ ߱ ܰ + ߱ ܰ߰ ߰ + ߲ ߲۰ ߲ ߲ + ۲ ߲ ۱ ۲ ۱ + ۰ ߲۲ ۲ ߲۲ ۲ Slum + + + + + + + Yet another fine Release from The Humble Team! + + Maximum Overkill : Data Disk 1 + Full Release + + ͻ + Protection None + Graphics Very Pretty + Controls Joystick, Keyboard, Meeses + Sound All + Deprotected Trojan Ribbed + Supplier The WiTCH KiNG + Rating 1-10 [9] + ͼ + +Game Notes: This data disk takes you further into the envelope with 30 new + missions and new terrain. Arctic assaults to high noon fire-fights + in desert terrain, will thrill you. New missions, new etrrain, new + enemies, new tactics....this has it all! + +Greets: PieMan, Law & Order Party, Delerious Nomad, Joebee, Fabulous Furlough, + Gatekeeper, Master of Puppets, Gansta Rok! + + +Note : Escape key.......Money, equipment.....these things do not make one cool! + + + + + + + Ŀ + Fabulous Furlough Busy Playing Nintendo + The PiePersoN Beats Little Kittens With Sticks + The Mad Scientist Duplication Deterrent Removal Expert + JROK Protection Eradication Engineer + Iceman Who The Hell Is He? + Eddie Haskel Sysop of SpamLand + BamBam Fucked Pebbles Up The Ass + Bryn Rogers Wants To Move To New York + Hi.T.Moonweed Smoked Too Much Moonweed + The Mustang Sysop of The Eclipse + Hydro Doing the Five-knuckle Shuffle + The Witch King Waiting To Return Joebee's Car + Gangsta Rok THG (Lack Of) Public Relations + Law and Order Party Deep (Throat) KGB Agent + General Lee Duplication Deterrent Removal Expert + Joebee Turned Down For Moped Rental + Delerious Nomad THG Janitorial Towel Washer + Fourth Reich Killed Hitler, Fucked Ava + Tormented Soul Wishes He Knew About This + + + + + + Ŀ + The Slavelord Official THG Virus Tester + StormTrooper THG Courier Peasant #2 + Led THG Courier Peasant #3 + Dreamscape THG Courier Peasant #4 + Skol! 
THG Courier Peasant #5 + Shocker THG Courier Peasant #6 + X TASE/TRiAD THG Courier Peasant #7 + Sniper THG Courier Peasant #8 + Bullwinkle THG Courier Peasant #9 + Mellow Man THG Courier Peasant #10 + Untouchable THG Courier Peasant #11 + Lost Rider THG Courier Peasant #12 + Forced Entry THG Courier Peasant #13 + + + + + + Ŀ + The P.I.T.S. (5 Nodes) () - The PiePersoN + SpamLand (3 nodes) () - Eddie Haskel + DownTown (3 nodes) +-- BamBam + The Flying Teapot (2 Nodes) + - Hi.T.Moonweed + The Dwelling (2 Nodes) () - Delerious Nomad + R.I.O.T. Control () - Gangsta Rok + + + + + + Ŀ + Skull Isle () - Skoal Bandit + Concrete Sea () - Razor Face + The Real World () - Mack The Hack + Piper's Pit (2Nodes) () - Rowdy Roddy Piper + Covert Society () - The Lizard + Big City Lights () - The Hook + The Eclipse (2Nodes) () - The Mustang + Midnight Blues (2Nodes) () - Bitch + The Arena () - Roman + Cloak -/\/- Dagger () - Surak + The Garden of Eden +-- Excessive Freddie + Thunder BBS () - Thunder + The Boxer Rebellion () - The Boxer + Cyberwars (2Nodes) () - Fearless Leader + Mode 1o1 () - The Prof. + Cloud Nine Elite () - Nimbus + The Persian Gulf () - The Goblin + Infiniti Node ]I[ (2Nodes) () - Cazzaza + Soul Of The Hunter () - Tormented Soul + The Private Collection () - Wildchild + diff --git a/textfiles.com/piracy/HUMBLE/continum.nfo b/textfiles.com/piracy/HUMBLE/continum.nfo new file mode 100644 index 00000000..e775b833 --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/continum.nfo 
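Review bot: The file is named commanch.nfo, but the only title in the added text is "Maximum Overkill : Data Disk 1"; nothing inside it mentions Comanche, the NovaLogic helicopter sim this data disk extends. If the archive keeps an index or the commit message lists the releases, record the full game name there so the file can be found by title as well as by its 8.3 filename.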
@@ -0,0 +1,84 @@ + Continuum + From Data East/Infogrammes + Broken by Fabulous Furlough + + +GRAPHICS:HERC/CGA/EGA/VGA +CONTROLS:Joystick/Keyboard +SOUND:Yes +CRACK: One of the Neatest Doc checks I've seen recently, so I didn't take it out + just press the enter key 3 times, or feel free to play with it. + + +A SPECIAL HUMBLE YAHOO TO: All the Humble Fans Everywhere + +GREETS TO: INC - Geez, if it wasn't for Taiwan, you guys would be DEAD! + + + + + + The Humble Guys are: + + The Candyman, Fabulous Furlough, NightWriter, + The Slavelord, Predator, Mr. Plato, Fletcher Christian, + Lord Blix, Barimor, The Viper, BamBam, Lord Zombie, The Guch, + Eddie Haskel, BigBobRob, Funakashi, The Humble Sysop, Drool Master Rick, + Daniel, Jrok, Mr. M and Mace Mandella + + Ŀ + The Members Boards and Humble Distribution Sites + Ĵ +HOME BOARD-Candyland (XXX) XXX-XXXX The Candyman + The Slave Den (904) 376-1117 The Slavelord + HMS Bounty (215) 873-7287 Fletch + Plato's Place (618) 254-5263 Mr. Plato + Iron Fortress (508) 798-3363 Predator + SpamLand (508) 831-0131 Eddie Haskel + Final Frontier (602) 491-0703 Barimor + DownTown 31-5750-29313 BamBam + TinselTown Rebellion (713) 453-2153 The Viper + The Humble Review (319) 372-5987 The Humble Sysop + The Drool Bucket (615) 331-9782 Drool Master Rick + Ĵ + The Badlands (904) PRI-VATE Lowrider + The P.I.T.S. (718) THE-PITS The Pieman + Elusive Dream (317) 452-1257 The Toyman + The Wall (716) PRI-VATE Pink Panther + Twilight Zone (617) 288-2597 Raistlin + The Ice Castle 47-PRI-VATE The Iceman + Black Ice BBS (904) 377-1325 Chaos + Elm Street BBS (214) 407-1801 Freddy Krueger + + +For an 8x10 glossy of your favorite Humble Guys member, send a self-addressed +stamped envelope to: + + The Humble Guys! The Humble Guys! + P.O.Box 24541 or post restante + Nashville, TN 37202 p.o. box 99960 + 7200 NA Zutphen Holland + +Send us your hate mail! We LOVE to get your hate mail! All hate mail sent +to the P.O. 
Box will be sent out on the LSDNet (tm) THG Arts and Letters +Section! + +* Note * All Letter Bombs will be returned to sender. + +Call The Humble Guys Voice Mail Box! 615-664-1952! Leave us a message! + +If you have a fax, and want the docs for your latest game, contact +Drool Master Rick and get in on the Humble Fax Network. + +Look for The Humble Review magazine comming soon to a BBS near you! + +Remember, you too can be either Humble Spittle, a Humble Slave, a +Humble Franchise, a THG Distribution site, or even possibly a member. +Contact us on Candyland, The Slave Den, or Downtown BBS if you are +interested! + +P.S. - The Humble Guys are ALWAYS looking for artists for their Intros! +If you have any artistic ability give one of our boards a call. + + + diff --git a/textfiles.com/piracy/HUMBLE/covert.nfo b/textfiles.com/piracy/HUMBLE/covert.nfo new file mode 100644 index 00000000..bb55aa1c --- /dev/null +++ b/textfiles.com/piracy/HUMBLE/covert.nfo 
@@ -0,0 +1,80 @@ + Covert Action + By Microprose + Broken by Fabulous Furlough + +GRAPHICS:CGA/EGA/MCGA/VGA (256 Color)/Tandy +CONTROLS:Keyboard &| Joystick +SOUND:Adlib/SB/Speaker/NONE/Roland +CRACK: Simple Name the Director of the CIA question + + +A SPECIAL HUMBLE YAHOO TO: All the Humble Spittle! + +GREETS TO: All our European Contacts, you guys are Cookin'! + + + + The Humble Guys are: + + The Candyman, Fabulous Furlough, NightWriter, + The Slavelord, Predator, Mr. Plato, Fletcher Christian, + Lord Blix, Barimor, The Viper, BamBam, Lord Zombie, The Guch, + Eddie Haskel, BigBobRob, Funakashi, The Humble Sysop, Drool Master Rick, + Mr. M and God's Gift to the IBM + + Ŀ + The Members Boards and Humble Distribution Sites + Ĵ +HOME BOARD-Candyland (615) 834-3333 The Candyman + The Slave Den (904) 376-1117 The Slavelord + HMS Bounty (215) 873-7287 Fletch + Plato's Place (618) 254-5263 Mr. Plato + Iron Fortress (508) 798-3363 Predator + SpamLand (508) 831-0131 Eddie Haskel + Final Frontier (602) 491-0703 Barimor + DownTown 31-5750-29313 BamBam + TinselTown Rebellion (713) 453-2153 The Viper + The Humble Review (319) 372-5987 The Humble Sysop + The Drool Bucket (615) 331-9782 Drool Master Rick + Ĵ + The Badlands (904) PRI-VATE Lowrider + The P.I.T.S. (718) THE-PITS The Pieman + Elusive Dream (317) 452-1257 The Toyman + The Wall (716) PRI-VATE Pink Panther + Twilight Zone (617) 288-2597 Raistlin + The Ice Castle 47-PRI-VATE The Iceman + Black Ice BBS (904) 377-1325 Chaos + Elm Street BBS (214) 407-1801 Freddy Krueger + + +For an 8x10 glossy of your favorite Humble Guys member, send a self-addressed +stamped envelope to: + + The Humble Guys! The Humble Guys! + P.O.Box 24541 or post restante + Nashville, TN 37202 p.o. box 99960 + 7200 NA Zutphen Holland + +Send us your hate mail! We LOVE to get your hate mail! All hate mail sent +to the P.O. Box will be sent out on the LSDNet (tm) THG Arts and Letters +Section! + +* Note * All Letter Bombs will be returned to sender. 
+ +Call The Humble Guys Voice Mail Box! 615-664-1952! Leave us a message! + +If you have a fax, and want the docs for your latest game, contact +Drool Master Rick and get in on the Humble Fax Network. + +Look for The Humble Review magazine comming soon to a BBS near you! + +Remember, you too can be either Humble Spittle, a Humble Slave, a +Humble Franchise, a THG Distribution site, or even possibly a member. +Contact us on Candyland, The Slave Den, or Downtown BBS if you are +interested! + +P.S. - The Humble Guys are ALWAYS looking for artists for their Intros! +If you have any artistic ability give one of our boards a call. + + +
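Review bot: the box-drawing borders in both added .nfo files (continum.nfo and covert.nfo) have been transcoded rather than stored as the original DOS bytes: the line directly above "The Members Boards and Humble Distribution Sites" arrives as a lone "Ŀ" and the separators inside that table as "Ĵ", which are what CP437 corner and tee characters become after a wrong-encoding round trip, and the earlier board list just before the continum.nfo header shows the same loss, with "The P.I.T.S. (5 Nodes) ()" left with an empty bracketed field. Commit the raw file bytes and mark `*.nfo` as binary (or record their encoding) in `.gitattributes` so the ANSI art survives intact and the same mojibake does not spread to the rest of the mirror.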