-=-=-=-=-={cOLLaPsUs}=-=-=-=-=-

{{{{{THIS TUTORIAL IS FOR EDUCATIONAL PURPOSES ONLY}}}}}

Hey u all .......

This time we want to crack eXeScope 6.10. I think other versions work with the same crack.
eXeScope is a very powerful resource editor, it's a reverser's tool. If we want to change more than one resource, a nag screen pops up saying we must register to have the full version with all options enabled.

Tools : WinDASM, SoftICE 4.0, NesCAFE Cup
URL   : N/A (we can find it on cracking and programming sites)

Open the program and go to the Help / Register menu. You must enter a name and an ID:

Name : {cOLLaPsUs}
ID   : 135113511351 (it appears in star format ****)

Press "ok" and a msgbox appears: "invalid ID or name"

Now open the file with WinDASM. Search in the SDR (String Data References) for "invalid ID or name". Double click on the string when it's found and you will be here:

* Possible StringData Ref from Code Obj ->"Name"
                                  |
:004A7C63 B91C7D4A00            mov ecx, 004A7D1C

* Possible StringData Ref from Code Obj ->"Reg"
                                  |
:004A7C68 BA2C7D4A00            mov edx, 004A7D2C
:004A7C6D 8B45F8                mov eax, dword ptr [ebp-08]
:004A7C70 8B18                  mov ebx, dword ptr [eax]
:004A7C72 FF5304                call [ebx+04]
:004A7C75 A134594B00            mov eax, dword ptr [004B5934]
:004A7C7A 8B00                  mov eax, dword ptr [eax]
:004A7C7C 50                    push eax

* Possible StringData Ref from Code Obj ->"Reg"
                                  |
:004A7C7D BA2C7D4A00            mov edx, 004A7D2C
:004A7C82 B9387D4A00            mov ecx, 004A7D38
:004A7C87 8B45F8                mov eax, dword ptr [ebp-08]
:004A7C8A 8B18                  mov ebx, dword ptr [eax]
:004A7C8C FF5304                call [ebx+04]
:004A7C8F 8B45F8                mov eax, dword ptr [ebp-08]
:004A7C92 E83DB2F5FF            call 00402ED4
:004A7C97 A17C574B00            mov eax, dword ptr [004B577C]
:004A7C9C C60001                mov byte ptr [eax], 01
:004A7C9F 8B45FC                mov eax, dword ptr [ebp-04]
:004A7CA2 C7803402000001000000  mov dword ptr [ebx+00000234], 00000001
:004A7CAC EB20                  jmp 004A7CCE

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004A7C10(C), :004A7C24(C)            ===> go to these addresses
|
:004A7CAE 6A00                  push 00000000
:004A7CB0 8D55E0                lea edx, dword ptr [ebp-20]

* Possible StringData Ref from Code Obj ->"Invalid ID or Name;"   ********** here is the string
                                  |
:004A7CB3 B8447D4A00            mov eax, 004A7D44
:004A7CB8 E8D79D0000            call 004B1A94
:004A7CBD 8B45E0                mov eax, dword ptr [ebp-20]
:004A7CC0 668B0D747D4A00        mov cx, word ptr [004A7D74]
:004A7CC7 B201                  mov dl, 01
:004A7CC9 E88E01FBFF            call 00457E5C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004A7BB9(U), :004A7CAC(U)
|
:004A7CCE 33C0                  xor eax, eax
:004A7CD0 5A                    pop edx
:004A7CD1 59                    pop ecx
:004A7CD2 59                    pop ecx
:004A7CD3 648910                mov dword ptr fs:[eax], edx
:004A7CD6 68FD7C4A00            push 004A7CFD

Above the string there are two referenced conditional jumps, so go to the first address: 004A7C10

:004A7BBE 8D55F0                lea edx, dword ptr [ebp-10]
:004A7BC1 8B45FC                mov eax, dword ptr [ebp-04]
:004A7BC4 8B80D0020000          mov eax, dword ptr [eax+000002D0]
:004A7BCA E885B7F8FF            call 00433354
:004A7BCF 8B55F0                mov edx, dword ptr [ebp-10]
:004A7BD2 A1B8594B00            mov eax, dword ptr [004B59B8]
:004A7BD7 E830C0F5FF            call 00403C0C
:004A7BDC 8D55EC                lea edx, dword ptr [ebp-14]
:004A7BDF 8B45FC                mov eax, dword ptr [ebp-04]
:004A7BE2 8B80D4020000          mov eax, dword ptr [eax+000002D4]
:004A7BE8 E867B7F8FF            call 00433354
:004A7BED 8B55EC                mov edx, dword ptr [ebp-14]
:004A7BF0 A134594B00            mov eax, dword ptr [004B5934]
:004A7BF5 E812C0F5FF            call 00403C0C                 ================> Set a breakpoint here
:004A7BFA 8B1534594B00          mov edx, dword ptr [004B5934]
:004A7C00 8B12                  mov edx, dword ptr [edx]
:004A7C02 A174574B00            mov eax, dword ptr [004B5774]
:004A7C07 8B00                  mov eax, dword ptr [eax]
:004A7C09 E8DA8D0000            call 004B09E8
:004A7C0E 84C0                  test al, al
:004A7C10 0F8498000000          je 004A7CAE                   ===================> Ref jump
:004A7C16 A1B8594B00            mov eax, dword ptr [004B59B8]
:004A7C1B 8B00                  mov eax, dword ptr [eax]
:004A7C1D E816C2F5FF            call 00403E38
:004A7C22 85C0                  test eax, eax
:004A7C24 0F8E84000000          jle 004A7CAE
:004A7C2A 8D55E4                lea edx, dword ptr [ebp-1C]
:004A7C2D A1C4594B00            mov eax, dword ptr [004B59C4]
:004A7C32 8B00                  mov eax, dword ptr [eax]
:004A7C34 E82F9BFAFF            call 00451768
:004A7C39 8B45E4                mov eax, dword ptr [ebp-1C]
:004A7C3C 8D4DE8                lea ecx, dword ptr [ebp-18]

* Possible StringData Ref from Code Obj ->".ini"
                                  |
:004A7C3F BA0C7D4A00            mov edx, 004A7D0C             }
:004A7C44 E8F319F6FF            call 0040963C                 }======} Write the correct
:004A7C49 8B4DE8                mov ecx, dword ptr [ebp-18]   }======} registration info in the eXEScope.INI
:004A7C4C B201                  mov dl, 01                    }

* Possible StringData Ref from Code Obj ->"XuG"
                                  |
:004A7C4E A1906E4700            mov eax, dword ptr [00476E90]
:004A7C53 E8E0F2FCFF            call 00476F38
:004A7C58 8945F8                mov dword ptr [ebp-08], eax
:004A7C5B A1B8594B00            mov eax, dword ptr [004B59B8]
:004A7C60 8B00                  mov eax, dword ptr [eax]
:004A7C62 50                    push eax

Now that we have an idea of how the algo works, go back to the registration box, but this time we will set a breakpoint before pressing the "ok" button:

1) Ctrl-D, type bpx hmemcpy, then press F5
2) Press "ok" ---> SlammmBoouum S!ce_pOpUp
3) Clear all breakpoints by typing (bc*)
4) Press F12 a few times to reach the eXeScope code, then type Bpx 004A7BF5
5) F5 to exit, then press the "ok" button
6) F10 3 or 4 times till the address 017F:004A7C09 (we want to trace this call using the F8 command)

017F:004A7BF5 E812C0F5FF        call 00403C0C                 ===> Sice breaks here
:004A7C00 8B12                  mov edx, dword ptr [edx]
:004A7C02 A174574B00            mov eax, dword ptr [004B5774]
:004A7C07 8B00                  mov eax, dword ptr [eax]
:004A7C09 E8DA8D0000            call 004B09E8                 =====> the call to trace
:004A7C0E 84C0                  test al, al
:004A7C10 0F8498000000          je 004A7CAE
:004A7C16 A1B8594B00            mov eax, dword ptr [004B59B8]
:004A7C1B 8B00                  mov eax, dword ptr [eax]
:004A7C1D E816C2F5FF            call 00403E38
:004A7C22 85C0                  test eax, eax
:004A7C24 0F8E84000000          jle 004A7CAE
:004A7C2A 8D55E4                lea edx, dword ptr [ebp-1C]
:004A7C2D A1C4594B00            mov eax, dword ptr [004B59C4]

Inside the Call :
=================

:004B09E8 55                    push ebp
:004B09E9 8BEC                  mov ebp, esp
:004B09EB 83C4F0                add esp, FFFFFFF0
:004B09EE 8955F8                mov dword ptr [ebp-08], edx
:004B09F1 8945FC                mov dword ptr [ebp-04], eax
:004B09F4 8B45F8                mov eax, dword ptr [ebp-08]
:004B09F7 E8F035F5FF            call 00403FEC
:004B09FC 33C0                  xor eax, eax
:004B09FE 55                    push ebp
:004B09FF 689F0A4B00            push 004B0A9F                 ========> put prefix on the stack
:004B0A04 64FF30                push dword ptr fs:[eax]
:004B0A07 648920                mov dword ptr fs:[eax], esp
:004B0A0A C645F700              mov [ebp-09], 00
:004B0A0E 8B45F8                mov eax, dword ptr [ebp-08]
:004B0A11 E82234F5FF            call 00403E38
:004B0A16 83F80A                cmp eax, 0000000A
:004B0A19 756E                  jne 004B0A89
:004B0A1B 8B55F8                mov edx, dword ptr [ebp-08]

Go to the line 017F:004B09FF push 004B0A9F and type "d 004B0A9F". You will see 2 numbers in the WD: A1910 , A1423 (Alt + Up and Down if they do not appear).

Hummmmmmmmmm, these two numbers are the prefix of the correct ID. This means the correct ID will be like A1910XXXX or A1423XXXXX.

Now we have the first key, what do we do ????

Type in Sice " s 0 l fffffff 'A1910' " and the debugger searches for all ASCII strings that begin with A1910. Found? OK, but not what we want, so let's search again for other ASCII strings by typing "S" and pressing Enter (for each search). When you keep searching a few times you will see there are many IDs generated:

A191018544
A191036980
A191071880
A191090144

I didn't try the prefix "A1423", try it yourself. If u find other IDs mail me.

B!NGO, the crack is done:

Name : {cOLLaPsUs}
ID   : one of the above

I'm so sorry for my bad English, I am French educated. If u are disappointed mail me or try my keygen or my INI file loll

Greets to: DBC, EVC, UCF, CORE, PhroZen CreW, serial2k crew, ORC+, Nukem + all DBC members & _ACID_ & BuL_Let, JosephCO, tKc, Parker, ExAGONE, Fravia+, W!Ld!nseCt, Tha_godfatha, TKC, cbd, Razzia, ORC, Flu[x], iczelion, vision, egis!, oblek, nitallica, oche, volatility, SanDman

***bRa!n is Da_power rEaD!Ng is Da_key***

cOLLaPsUs@hotmail.com
cOL_LaPsUs@hotmail.com
EFnet : #DBC ; #Win32ASM ; #Crakcing4newbies -------->Nick : "ZeR0fLaG"
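For developers reading the trace above from the protection side, an added example (not part of the original tutorial and not eXeScope's code): a registration check that can decide validity from data it holds itself leaves the expected value in process memory, whereas a signature check ships only a public key. The 10-character `DEMO` ID scheme, all function names and the toy RSA parameters are assumptions constructed for illustration.

```python
import hashlib
import zlib

# --- Weak pattern (hypothetical scheme, NOT eXeScope's real algorithm) ---
# The client derives the expected ID itself, so the valid value exists as a
# plain string in process memory just before the comparison.
def weak_expected_id(name: str) -> str:
    return "DEMO%06d" % (zlib.crc32(name.encode()) % 1_000_000)

def weak_check(name: str, entered_id: str) -> bool:
    expected = weak_expected_id(name)        # findable with a memory search
    return len(entered_id) == 10 and entered_id == expected

# --- Hardened pattern: the client only verifies a vendor signature ---
# Toy textbook RSA with constructed, demo-sized parameters and no padding;
# a real product would use a vetted library (e.g. Ed25519 or RSA-PSS).
_P, _Q = 2**127 - 1, 2**89 - 1               # vendor secret: two Mersenne primes
N, E = _P * _Q, 65537                        # public key, the only part shipped
_D = pow(E, -1, (_P - 1) * (_Q - 1))         # private exponent, vendor side only

def _digest(name: str) -> int:
    """Hash the licensee name down to an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N

def vendor_issue_license(name: str) -> str:
    """Runs on the vendor's machine: sign the name with the private key."""
    return format(pow(_digest(name), _D, N), "x")

def client_verify(name: str, license_hex: str) -> bool:
    """Runs in the shipped binary: needs only N and E, never the valid ID."""
    try:
        sig = int(license_hex, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == _digest(name)
```

With the second pattern a memory search or a trace of the check yields only the public key and the digest of the entered name, neither of which is enough to produce a license; the final conditional jump can still be patched, so the signature is usually combined with integrity checks on the binary.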