" HD Morph "


This tutorial is coming from... 


ReFleXZ '99
Url: Http://ReFleXZ99.cjb.net
Email: ReFleXZ@fcmail.com


About the essay...

Written by:

Date:17th April 1999
Program name: HD Morph
Program type: W32
Program location: N/A
Program filename: N/A
Program size: n/c

Tools required:
Soft - ice 3.2x

Difficulty level:
Easy (  )  Medium (   )  Hard (    )  Pro (    )


Hello !! Time to learn again !! So, a long time ago, there ..... lol


About the protection...
Name / Serial protection ....


The Essay...

This time it is a VB proggy, but not a crackme: it is
a shareware program, HDmorph.
It can change the hard disk icon. Not sure it is useful, but it is
not ReGGed !!
So we will play with it !!
First, there is a thing that works well in VB cracking; it is this search:

S 0 L ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7

NOTE: it is a good idea to put this in winice.dat.
Alt-F4 is rarely used in your winice.dat file, so you can
use Alt-F4 as a shortcut! Put this in winice.dat:
AF4="^s 0 l ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7;"
This will save you the time of typing all that !! Restart your computer now !

When it is done, we can start to crack this babe !

Run it and click on about and on register.
Enter nAME: ACiD BuRN
sERIAL: 123456

Ctrl+D to get into Soft-ice and type bpx hmemcpy.
Click on Ok and we are back in Soft-ice! Great ...
Now press F11 and F12 until you see Msvbvm50 at the bottom of the Soft-ice window.
We are now at the right place; Alt+F4 to search for the location of the compare !!
Now you should see "search pattern found at XXX:XXXXXXXX". For me XXX:XXXXXXXX is
25F:7B1DD9EA. Put a bpx on 25F:7B1DD9EA and disable the hmemcpy bpx: type bd 0.
Now press F11 and we break at 25F:7B1DD9EA.
This is where the comparison is. We will see:

: 56 push esi
: 57 push edi
: 8B7C2410 mov edi, [esp + 10] ; Move real serial into edi
: 8B74240C mov esi, [esp + 0C] ; Move fake serial into esi
: 8B4C2414 mov ecx, [esp + 14] ; Character count for the compare

Press F10 to step over "mov edi, [esp + 10]" and type d edi to see the real serial!
For ACiD BuRN we see:
Because it is a VB proggy, it is in wide format (space between digits).
So, the real code is 130268630544320792163813121404
To check that it is the right one, we will enter:
cODE: 130268630544320792163813121404

Press the Ok button; nothing says good work or bad serial, so just end the proggy and restart it.
Go into About, and you see Registered to: ACiD BuRN

Great !!!! Cool work we made it !
Another cracked !
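
The breakpoint works because the program builds the correct serial itself and hands it to a string compare. As an added example (not from the original essay or from HD Morph; the key, the function names and the serial derivation are constructed for illustration), this Python code puts that design beside a verify-only check in which the client holds only public values:

```python
import hashlib

# Constructed toy RSA key (two Mersenne primes): far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537                  # public values: all the client ships with
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: vendor side only


def digest(name: str) -> int:
    """Map a registration name to an integer below N."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N


def weak_check(name: str, entered: str):
    """Pattern the essay observes: build the valid serial, then compare.

    Returns (accepted, values the client computed). The derivation is a
    hypothetical stand-in; the page does not show HD Morph's algorithm.
    """
    seed = hashlib.sha256(b"embedded-secret" + name.encode()).hexdigest()
    expected = str(int(seed, 16))[:30]
    return entered == expected, [expected]


def vendor_issue_serial(name: str) -> str:
    """Vendor side only: sign the name digest with the private exponent."""
    return str(pow(digest(name), D, N))


def hardened_check(name: str, entered: str):
    """Verify-only: transform the entered value with the public exponent and
    compare digests, so the client never builds a valid serial itself."""
    if not (entered.isascii() and entered.isdigit()):
        return False, []
    if len(entered) > len(str(N)) or int(entered) >= N:
        return False, []
    recovered = pow(int(entered), E, N)
    return recovered == digest(name), [str(recovered), str(digest(name))]


if __name__ == "__main__":
    name = "ACiD BuRN"                        # name used in the essay
    _, seen = weak_check(name, "123456")
    print("weak check exposes a valid serial:", weak_check(name, seen[0])[0])
    _, seen = hardened_check(name, "123456")
    print("hardened check exposes one:", any(hardened_check(name, v)[0] for v in seen))
```

A real product would use a vetted signature scheme and key size rather than this toy key; the point is only where the valid value is computed.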

I hope you understand everything in this essay.
If you have a problem you can mail me at :
Have fun and happy cracking !

ACiD BuRN [ReFleXZ'99] 


Final Notes...
Greetz To:

R!SC, ^Inferno^, AB4DS, Cyber Blade, Klefz, , Volatility, Torn@do, T4D, Jeff, [Virus], Jane , Appbusta , Duelist , tKC , BuLLeT , Lucifer48 , MiZ , DnNuke , Bjanes ...
---> 4 Being So Good Friends To Me.
(Sorry if you are not here, too many people to greetz !!!)

                                       ....And All Crackers !!! ....

U can find me on IRC: at #ReFleXZ99, #Cracking4Newbies, #ECL on Efnet


This tutorial is written for EDUCATIONAL purposes only.
So if you want to use the program after its trial period ends please BUY IT!
Support shareware (and its authors), this is our learning tool!

ReFleXZ is not responsible for any damage caused with this essay or any of its parts.
So everything you're doing and 'experimenting' with is your own responsibility!

Also, in this tutorial you'll not find any serial numbers, so try to search
elsewhere under Cracks and Warez.

Copyright 1999-2000 By ReFleXZ '99
All Rights Reserved