SV trace assembly code

its cool way to use sv but if u have to do it each time u wanna play its a bit to much time waste :(

well i have been reading through this post i dotn have cheatengine 5.3 i have i think 5.1 does that make a diff.i am going to try and do this and man i hope i can.if any oen would liek to help me maybe we can put 2 heads togeather on this.first thing is i am not sure what the hell a trap is.but that will not stop me
but any ways any oen that wants to join me in this please pm me im sure i wil get it just how long is teh question.one more thing some one said that you have ot do this each time you want to play that cant be right.just save what ever you have done would be my guess.any ways good luck to all and hopefully after this i wont be as much of a noob as i was.

@rannik

This crack guide is for your learning and study purpose only. If you want to do furthermore you should to know about expand compress exe , codecave and inject dll. You can make the standalone exe for future use.

@GIZMO0425

I will come along with u. If any thing you may curious after read guide try ask me here.

Goodluck,

ok i thank you for that.and i am really wanting to do this on my own.meaning i dont want a cracket version i want to be able to say that i did it and learn of of this as well.so i am exited i havent started it yet but i will today as of now i am hitting the gw pole so i am occupied but in a couple of hors i will be back at it again.and thanx alot. one more thing does it matter what version of cheatengine you have.NM i have got the cheatengine 5.3 now.so i will start on this soon. i hope you are patiant with noobs because i am very much a noob :D .but i will do my best to get this thing and again thanx for all the help and the help you are going to be.

@anantasia:
yeap i know, u did good job :) +karma for u ofcorse!
now i have to learn more to get cracked sv, coz nobody wanna send me cracked one :P

Quote:

Originally posted by Domates@Jan 6 2007, 00:58 ** set trap on first jump here and by pass 00403596 je 40378c <- by pass this point to 40359C 0040359C move ecx,[ebp-2c] Ok here just Toggle Breakpoint and change je=jmp . . /** set trap and here and by pass 004035CB jne 40378c <- by pass this point to 4035DD 004035D1 cmp [004356e0],edi 004035D7 jne 40378c 004035DD push 00 same here jne=jmp . . /** call dll 00403685 CALL 00403CF6 <- this command to call routine at address 00403CF6 and when hit command RET. It's will return to next address 40368A 0040368A mov eax,[esi+1c] . . 00403CF6 JMP DWORD PTR[00429508] <- this command jump to long address. Almost use pointer to point long address to go. So PTR[00429508] = 10002860 . . 10002860 SUB ESP, 000000C8 <- here is starting of countrymakeinus.dll . . 1000288B CALL 1001E804 <- this call check that it's right user/pass or not? . 10002895 JNE 101zo1z21v01o12012z1vo101zo1z21v0+5d <- If wrong it's will jump to exit.. So this point we should by pass and go next command 10002897 CMP [esp+000000d4],fffd7fd0 100028A2 JNE 101zo1z21v01o12012z1vo101zo1z21v0+5d <- the another one , so just by pass to next command 100028A4 MOV eax,[esp+000000d8] . . /* there amount 10-20 jump condition at here try by pass only JNE . . 10002AC0 CALL dword ptr[100303a0] . . /* there amount 10-20 jump condition at here try by pass only JNE . . 10003110 RET <- finished sub routine and return to address 40368A After this poin u can start bot by press Funtion key 11 on CO2 How we save this after, Iam gonna sleep :P If u think iam wasting my time send me SV:P

This question is for you anantasia, here when u say by pass, its for set a breakpoint on first line? or on the second line?
** set trap on first jump here and by pass
00403596 je 40378c <- by pass this point to 40359C ( push F5 )
((((((by pass this point to 40359C ))))))) <<< what i have to do here?<<<
0040359C move ecx,[ebp-2c]

Like DOmates said i push f5 on the second line, and double clicked first line and changed JE to JMP. Its RIGHT?

Quote:

Originally posted by anantasia@Jan 2 2007, 17:50 Here is DIY (do it your self) crack SV as your self. First thing to do is download all program that need, 1. Download SV (2 files of them) Download link for SV (agent king and dll) is locate on lower post, 2. Use "Cheat Engine" to set trace/debug & trap Here is link to download "Cheat Engine" [Only registered and activated users can see links. Click Here To Register...] Below is instruction code that you see in Cheat Engine, Please follow step . /*1* Starting Agent King insert user/password . /*2* Set trap(breakpoint) on first jump here and click start button at AgentKing window 00403596 je 40378c <- by pass this point to 40359C 0040359C move ecx,[ebp-2c] /*3* When your CE(Cheat Engine) stop at 403596 change your EIP to next command 40359C . . /*4* Set trap at here 4035CB. When CE stop at 4035CB change EIP to 4035DD 004035CB jne 40378c <- by pass this point to 4035DD 004035D1 cmp [004356e0],edi 004035D7 jne 40378c 004035DD push 00 . . /*5* Set trap at 403685. When CE stop press F7 to trace in to sub routine 403CF6 00403685 CALL 00403CF6 <- this command to call routine at address 00403CF6 and when hit command RET. It's will return to next address 40368A 0040368A mov eax,[esi+1c] . . /*6* Routine 403CF6 will send you to address 10002860. Press F7 to step to countrymakeinUS.dll 00403CF6 JMP DWORD PTR[00429508] <- Just FYI, this command jump to DLL. DWORD PTR[00429508] = 10002860 . . /*7* Starting tracestep at here, look carefully for miss jump/exit program 10002860 SUB ESP, 000000C8 <- here is starting of countrymakeinus.dll . . 1000288B CALL 1001E804 <- Nothing to do at here just press F8 to step over . . /*8* When found JNE command just change your EIP to next command. For below instead jump EIP to 10002897 you can jump to 100028A4 coz of CMP is just compare command not change memory value. . 10002895 JNE 101zo1z21v01o12012z1vo101zo1z21v0+5d <- by pass this point to 100028A4 10002897 CMP [esp+000000d4],fffd7fd0 100028A2 JNE 101zo1z21v01o12012z1vo101zo1z21v0+5d 100028A4 MOV eax,[esp+000000d8] . . /*9* there amount 10-20 jump condition (JNE) at here. Only thing is change EIP to next command if you found JNE . . 10002AC0 CALL dword ptr[100303a0] < Nothing to do here just press F8 to step over. . . /*10* there amount 10-20 jump condition (JNE) at here. Only thing is change EIP to next command if you found JNE . . /*11* When you first hit RET command at 10003110 that mean u finished it. Return to program and try press F11 to test bot is activate or not 10003110 RET <- finished sub routine and return to address 40368A After this poin you can start bot by press Funtion key 11

its a nice tut but also im new to CE and i dont understand some terms wich you use ... i get kinda confused with the EIP thing i dont know if you mean to change the EIP by clicking on the screen and changing it or by bypassing using jmp "XXXXXX" like other guys said forther in the thread. mostly i get stuck at point 5 and the AK seems always to hang whenever i hit the start button so i dont know a way to save the changes and reopen another AK to continue in the mem cracking. if you can help anastasia i really appreciate it.
thank you very much.

Quote:

Originally posted by Xibungo+Jan 6 2007, 20:49--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (Xibungo @ Jan 6 2007, 20:49)</td></tr><tr><td id='QUOTE'> Quote: Originally posted by -Domates@Jan 6 2007, 00:58 ** set trap on first jump here and by pass 00403596 je 40378c <- by pass this point to 40359C 0040359C move ecx,[ebp-2c] Ok here just Toggle Breakpoint and change je=jmp . . /** set trap and here and by pass 004035CB jne 40378c <- by pass this point to 4035DD 004035D1 cmp [004356e0],edi 004035D7 jne 40378c 004035DD push 00 same here* jne=jmp . . /** call dll 00403685 CALL 00403CF6 <- this command to call routine at address 00403CF6 and when hit command RET. It's will return to next address 40368A 0040368A mov eax,[esi+1c] . . 00403CF6 JMP DWORD PTR[00429508] <- this command jump to long address. Almost use pointer to point long address to go. So PTR[00429508] = 10002860 . . 10002860 SUB ESP, 000000C8 <- here is starting of countrymakeinus.dll . . 1000288B CALL 1001E804 <- this call check that it's right user/pass or not? . 10002895 JNE 101zo1z21v01o12012z1vo101zo1z21v0+5d <- If wrong it's will jump to exit.. So this point we should by pass and go next command 10002897 CMP [esp+000000d4],fffd7fd0 100028A2 JNE 101zo1z21v01o12012z1vo101zo1z21v0+5d <- the another one , so just by pass to next command 100028A4 MOV eax,[esp+000000d8] . . /* there amount 10-20 jump condition at here try by pass only JNE . . 10002AC0 CALL dword ptr[100303a0] . . /* there amount 10-20 jump condition at here try by pass only JNE . . 10003110 RET <- finished sub routine and return to address 40368A After this poin u can start bot by press Funtion key 11 on CO2 How we save this after, Iam gonna sleep :P If u think iam wasting my time send me SV:P This question is for you anantasia, here when u say by pass, its for set a breakpoint on first line? or on the second line? ** set trap on first jump here and by pass 00403596 je 40378c <- by pass this point to 40359C ( push F5 ) ((((((by pass this point to 40359C ))))))) <<< what i have to do here?<<< 0040359C move ecx,[ebp-2c] Like DOmates said i push f5 on the second line, and double clicked first line and changed JE to JMP. Its RIGHT? [/b]

1)Set trap at jump condition!!!

Q: Why i must set trap at jump?
A: Coz of you should stop before you decide which way to go when you arrive split way,right?

2)I said in some post the meaning of my bypass.

Not change your code from JNE to JMP. Just only change your EIP to next command. Double click on EIP after its stop at your break point(F5) and change it to next command.



<!--QuoteBegin--Gera@Jan 6 2007, 20:49
its a nice tut but also im new to CE and i dont understand some terms wich you use ... i get kinda confused with the EIP thing i dont know if you mean to change the EIP by clicking on the screen and changing it or by bypassing using jmp "XXXXXX" like other guys said forther in the thread. mostly i get stuck at point 5 and the AK seems always to hang whenever i hit the start button so i dont know a way to save the changes and reopen another AK to continue in the mem cracking. if you can help anastasia i really appreciate it.
thank you very much. [/quote]

For about bypass you must change EIP on the screen by double click it. Great that if u arrival Step 5 you almost halfway, try more. If your AK hang and close. You can reopen itto start another cracking.

Quote:

Originally posted by anantasia+Jan 6 2007, 21:25--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (anantasia @ Jan 6 2007, 21:25)</td></tr><tr><td id='QUOTE'> Quote: Originally posted by -Xibungo@Jan 6 2007, 20:49 <!--QuoteBegin--Domates Quote: @Jan 6 2007, 00:58 ** set trap on first jump here and by pass 00403596 je 40378c <- by pass this point to 40359C 0040359C move ecx,[ebp-2c] Ok here just Toggle Breakpoint and change je=jmp . . /** set trap and here and by pass 004035CB jne 40378c <- by pass this point to 4035DD 004035D1 cmp [004356e0],edi 004035D7 jne 40378c 004035DD push 00 same here jne=jmp . . /** call dll 00403685 CALL 00403CF6 <- this command to call routine at address 00403CF6 and when hit command RET. It's will return to next address 40368A 0040368A mov eax,[esi+1c] . . 00403CF6 JMP DWORD PTR[00429508] <- this command jump to long address. Almost use pointer to point long address to go. So PTR[00429508] = 10002860 . . 10002860 SUB ESP, 000000C8 <- here is starting of countrymakeinus.dll . . 1000288B CALL 1001E804 <- this call check that it's right user/pass or not? . 10002895 JNE 101zo1z21v01o12012z1vo101zo1z21v0+5d <- If wrong it's will jump to exit.. So this point we should by pass and go next command 10002897 CMP [esp+000000d4],fffd7fd0 100028A2 JNE 101zo1z21v01o12012z1vo101zo1z21v0+5d <- the another one , so just by pass to next command 100028A4 MOV eax,[esp+000000d8] . . /* there amount 10-20 jump condition at here try by pass only JNE . . 10002AC0 CALL dword ptr[100303a0] . . /* there amount 10-20 jump condition at here try by pass only JNE . . 10003110 RET <- finished sub routine and return to address 40368A After this poin u can start bot by press Funtion key 11 on CO2 How we save this after, Iam gonna sleep :P If u think iam wasting my time send me SV:P This question is for you anantasia, here when u say by pass, its for set a breakpoint on first line? or on the second line? ** set trap on first jump here and by pass 00403596 je 40378c <- by pass this point to 40359C ( push F5 ) ((((((by pass this point to 40359C ))))))) <<< what i have to do here?<<< 0040359C move ecx,[ebp-2c] Like DOmates said i push f5 on the second line, and double clicked first line and changed JE to JMP. Its RIGHT?

1)Set trap at jump condition!!!

Q: Why i must set trap at jump?
A: Coz of you should stop before you decide which way to go when you arrive split way,right?

2)I said in some post the meaning of my bypass.

Not change your code from JNE to JMP. Just only change your EIP to next command. Double click on EIP after its stop at your break point(F5) and change it to next command. [/b][/quote]
uhm i understand more now about the EIP, the other guys were just messing it more lol. but what about other points ... some strange thing happens that when i press the f7 key the CE goes to a mem adress that nothing has to do with the one that you mean in the thread to appear and in the part that you have to change the JNE to JMP its like about changing the EIP ? or just changin JNE "XXXXXX" to JMP "XXXXXXX"

Quote:

Originally posted by Gera+Jan 6 2007, 21:34--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (Gera @ Jan 6 2007, 21:34)</td></tr><tr><td id='QUOTE'> Quote: Originally posted by -anantasia@Jan 6 2007, 21:25 Quote: Originally posted by -Xibungo@Jan 6 2007, 20:49 <!--QuoteBegin--Domates Quote: Quote: @Jan 6 2007, 00:58 ** set trap on first jump here and by pass 00403596 je 40378c <- by pass this point to 40359C 0040359C move ecx,[ebp-2c] Ok here just Toggle Breakpoint and change je=jmp . . /** set trap and here and by pass 004035CB jne 40378c <- by pass this point to 4035DD 004035D1 cmp [004356e0],edi 004035D7 jne 40378c 004035DD push 00 same here* jne=jmp . . /** call dll 00403685 CALL 00403CF6 <- this command to call routine at address 00403CF6 and when hit command RET. It's will return to next address 40368A 0040368A mov eax,[esi+1c] . . 00403CF6 JMP DWORD PTR[00429508] <- this command jump to long address. Almost use pointer to point long address to go. So PTR[00429508] = 10002860 . . 10002860 SUB ESP, 000000C8 <- here is starting of countrymakeinus.dll . . 1000288B CALL 1001E804 <- this call check that it's right user/pass or not? . 10002895 JNE 101zo1z21v01o12012z1vo101zo1z21v0+5d <- If wrong it's will jump to exit.. So this point we should by pass and go next command 10002897 CMP [esp+000000d4],fffd7fd0 100028A2 JNE 101zo1z21v01o12012z1vo101zo1z21v0+5d <- the another one , so just by pass to next command 100028A4 MOV eax,[esp+000000d8] . . /* there amount 10-20 jump condition at here try by pass only JNE . . 10002AC0 CALL dword ptr[100303a0] . . /* there amount 10-20 jump condition at here try by pass only JNE . . 10003110 RET <- finished sub routine and return to address 40368A After this poin u can start bot by press Funtion key 11 on CO2 How we save this after, Iam gonna sleep :P If u think iam wasting my time send me SV:P This question is for you anantasia, here when u say by pass, its for set a breakpoint on first line? or on the second line? ** set trap on first jump here and by pass 00403596 je 40378c <- by pass this point to 40359C ( push F5 ) ((((((by pass this point to 40359C ))))))) <<< what i have to do here?<<< 0040359C move ecx,[ebp-2c] Like DOmates said i push f5 on the second line, and double clicked first line and changed JE to JMP. Its RIGHT? 1)Set trap at jump condition!!! Q: Why i must set trap at jump? A: Coz of you should stop before you decide which way to go when you arrive split way,right? 2)I said in some post the meaning of my bypass. Not change your code from JNE to JMP. Just only change your EIP to next command. Double click on EIP after its stop at your break point(F5) and change it to next command.

uhm i understand more now about the EIP, the other guys were just messing it more lol. but what about other points ... some strange thing happens that when i press the f7 key the CE goes to a mem adress that nothing has to do with the one that you mean in the thread to appear and in the part that you have to change the JNE to JMP its like about changing the EIP ? or just changin JNE "XXXXXX" to JMP "XXXXXXX" [/b][/quote]
I confirmed only change EIP. If you change code to JMP xxxxx. Your program will call un want routine infinity loop and cause your program freeze or hang.

another question anantasia, on the second trap:
/** set trap and here and by pass
004035CB jne 40378c <- by pass this point to 4035DD
004035D1 cmp [004356e0],edi
004035D7 jne 40378c
004035DD push 00
(we have to trap all "Jumps"? or only adress u show to by pass?

Quote:

Originally posted by Xibungo@Jan 6 2007, 22:19 another question anantasia, on the second trap: /** set trap and here and by pass 004035CB jne 40378c <- by pass this point to 4035DD 004035D1 cmp [004356e0],edi 004035D7 jne 40378c 004035DD push 00 (we have to trap all "Jumps"? or only adress u show to by pass?

Only from instruction

Ok when i click here
** set trap on here and trace in this CALL sub routine
00403685 call 403CF6 <- call SV routine (PF11 to activate and disable button as picture above (F7 here, nothing happens =/)

ok this is what i understand and what i did on this tut.

/*1* Starting Agent King insert user/password

ok douible click on the AK that anastasia gave to dl and its up and running :o

/*2* Set trap(breakpoint) on first jump here and click start button at AgentKing window
00403596 je 40378c <- by pass this point to 40359C
0040359C move ecx,[ebp-2c]
/*3* When your CE(Cheat Engine) stop at 403596 change your EIP to next command 40359C

ok so i open CE load AgentKing from the process list and then i click on memory view, so i get a memory adress list from current project.
in the main window i do right click then i choose the option "Go to adress". i type the adress 403596 and CE takes me there.
when CE takes me there i press f5 so i click start on my AgentKing client it says something like loading.... and then it hangs for ever BUT!, CE still kinda work and i wait til CE shows me in red numbers what i get from breaking there as soon as CE shows me that i double click on EIP and write down 403590 it gives me in the window with red numbers the EIP 0040359C.

so i check if AgentKing is still running and its still there ... hangin i cant do nothing but i keep on my path to mem cracking it and proceed to point 4

/*4* Set trap at here 4035CB. When CE stop at 4035CB change EIP to 4035DD
004035CB jne 40378c <- by pass this point to 4035DD
004035D1 cmp [004356e0],edi
004035D7 jne 40378c
004035DD push 00

so i right click again over the window of the mem list of CE, i choose the option to search for the code and i get to the desired location [4035cb] i press f5 in this point but ... nothing happens from that i gave it minutes even half an hour to wait for CE to respond but nothing happens and AgentKing is pretty dead.

so i dont know what its wrong or what i do wrong, i would like to learn more cause im having fun but for now i give up cause i spent half my day to learn from this tut how to crack in mem adress with CE.

anastasia i would like to chat with you in any other way if possible so i can agilize my work.

thank you very much ×××

Quote:

Originally posted by Gera@Jan 6 2007, 22:58 ok this is what i understand and what i did on this tut. /*1* Starting Agent King insert user/password ok douible click on the AK that anastasia gave to dl and its up and running :o /*2* Set trap(breakpoint) on first jump here and click start button at AgentKing window 00403596 je 40378c <- by pass this point to 40359C 0040359C move ecx,[ebp-2c] /*3* When your CE(Cheat Engine) stop at 403596 change your EIP to next command 40359C ok so i open CE load AgentKing from the process list and then i click on memory view, so i get a memory adress list from current project. in the main window i do right click then i choose the option "Go to adress". i type the adress 403596 and CE takes me there. when CE takes me there i press f5 so i click start on my AgentKing client it says something like loading.... and then it hangs for ever BUT!, CE still kinda work and i wait til CE shows me in red numbers what i get from breaking there as soon as CE shows me that i double click on EIP and write down 403590 it gives me in the window with red numbers the EIP 0040359C. so i check if AgentKing is still running and its still there ... hangin i cant do nothing but i keep on my path to mem cracking it and proceed to point 4 /*4* Set trap at here 4035CB. When CE stop at 4035CB change EIP to 4035DD 004035CB jne 40378c <- by pass this point to 4035DD 004035D1 cmp [004356e0],edi 004035D7 jne 40378c 004035DD push 00 so i right click again over the window of the mem list of CE, i choose the option to search for the code and i get to the desired location [4035cb] i press f5 in this point but ... nothing happens from that i gave it minutes even half an hour to wait for CE to respond but nothing happens and AgentKing is pretty dead. so i dont know what its wrong or what i do wrong, i would like to learn more cause im having fun but for now i give up cause i spent half my day to learn from this tut how to crack in mem adress with CE. anastasia i would like to chat with you in any other way if possible so i can agilize my work. thank you very much ×××

Im having the same problem doing my head in.