SV Cracking DIY

Page 1 of 4

01/09/2007 09:24 Enki#1

Credits to anantasia for the trace and Cucurucho for clarify the things.

Here we going to see how patch the file directly, so you will dont need patch every time.

Warning: use this tools at your own risk, some av software detect suspicious things on it, read the entire post before. You can find another tool that do the same [Only registered and activated users can see links. Click Here To Register...]

First the things we need.

1 The post of anantsia
[Only registered and activated users can see links. Click Here To Register...]
To give karma to him and download the SV(AgentKing.exe and countrymakeinUS.dll)

2 Post of Cucurucho
[Only registered and activated users can see links. Click Here To Register...]
Karma to him for clarify the things a little more, and the adress.

3 This tools (same files in the 2 links)
[Only registered and activated users can see links. Click Here To Register...]
[Only registered and activated users can see links. Click Here To Register...]
For unpack and edit the files.

First we need unpack the files, extract the files in tools.rar and open asprstripperxp.exe, open the AgentKing.exe and click unpacking(AgentKing.exe and countrymakeinUS.dll must be in the same folder), do the same for countrymakeinUS.dll. Now you have your files unpacked, one called _AgentKing.exe and another called _countrymakeinUS.dll, copy this to another place and change the name for the original (without the "_").

Now open hiew32.exe(tools.rar), and browse to the dir where you have your unpacked files(ALT+F1 to change drives/partitions if needed). Open AgentKing.exe.

F4 and select decode. Now wee need the adress in Cucurucho�s post. F5 and write the first adress (00403596) beggining whit a "." so write this ".00403596" and press enter and you will see something like this:

.00403596: 0F84F0010000 je .00040378C --- (6)

This is what we need to edit and the tricky part. Look carefully at this, we need separate the 0F84F0010000 in bytes, so every pair of numbers its a byte, we need count the bytes, 0F 84 F0 01 00 00. We have 6 pairs so we have 6 bytes.

Now we need to do the 'Replace for code that does nothing' manually, The "code that does nothing" its the NOP or the Hex code 90, but this is only one byte long, and we need change the entire line, We have 6 bytes(0F 84 F0 01 00 00), we need 6 NOP�s(90). Locate your cursor in the first pair (0F) and press F3, now you are in edit mode, just write 6 times 90 to replace the 6 bytes. Press F9 to update the file and you will have something like:

.00403596: 90 nop
.00403597: 90 nop
.00403598: 90 nop
.00403599: 90 nop
.0040359A: 90 nop
.0040359B: 90 nop

Replace the next 3 adress in the same way.

What happen? Where is the 10002895?. In the dll. Open the countrymakeinUS.dll pressing F9 (the changes you made to the other file are saved when you press F9). Change mode to decode (F4), and replace the adress in Cucuruchos post.

Just be carefull here, not all the adress are 6 bytes long, the 10002895 are only 2 bytes long, so here you just need replace for 2 nop�s(90). When you repalce the 11 adress the work is done :D.

Happy cracking.

01/09/2007 14:06 Lake292#2

thanks man! this is even better then that trainer works well for me :) tho its the same as trainer but easier to launch :)

01/09/2007 15:28 Lake292#3

after this mine explorer stopped crashing :) great tip thnx man!

01/09/2007 16:23 Enki#4

Quote:

Originally posted by Lake292@Jan 9 2007, 15:28
after this mine explorer stopped crashing :) great tip thnx man!

Good to see this works for you.

Anyone can test this, cuz my explorer never crashed before.

01/09/2007 16:49 k-row#5

very well, man!

01/09/2007 17:08 daveq#6

K, I like the method, and i'll admit im quite the noob when it comes to cracking, but i can follow instructions well...and I have a few concerns....after following your instructions I come up with possibly disturbing information...I'll attach [Only registered and activated users can see links. Click Here To Register...] scans in my next 2 posts.

The original AgentKing.exe and countrymakeinUS.dll show up on [Only registered and activated users can see links. Click Here To Register...] as having some suspicioius items included...thats to be expected as i understand because of ASProtect and such. However, AFTER using ur method, using the tools downloaded from your first post, I rescanned AgentKing.exe and countrymakeinUS.dll only to find that they now showed signs of having the Win32.Polipos.sus virus...Any ideas

Read my next 2 posts for the scans...Anyone (hi lvl epvper, hi karma, etc) care to take a stab at why this happens???

EDIT: changed number of posts, combined multiple scans into 2 posts instead of 4 seperate. sorry.

01/09/2007 17:10 daveq#7

This is scan of AgentKing.exe the original directly from anastasia's post b4 any modifications.

Complete scanning result of "AgentKing.exe", received in VirusTotal at 01.09.2007, 16:53:01 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 01.09.2007 no virus found
Authentium 4.93.8 12.30.2006 no virus found
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 01.09.2007 no virus found
BitDefender 7.2 01.09.2007 no virus found
CAT-QuickHeal 9.00 01.09.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 01.09.2007 no virus found
DrWeb 4.33 01.09.2007 no virus found
eSafe 7.0.14.0 01.09.2007 Suspicious Trojan/Worm
eTrust-InoculateIT 23.73.109 01.09.2007 no virus found
eTrust-Vet 30.3.3313 01.09.2007 no virus found
Ewido 4.0 01.09.2007 no virus found
Fortinet 2.82.0.0 01.09.2007 no virus found
F-Prot 3.16f 01.08.2007 no virus found
F-Prot4 4.2.1.29 01.09.2007 no virus found
Ikarus T3.1.0.27 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.09.2007 no virus found
McAfee 4934 01.08.2007 no virus found
Microsoft 1.1904 01.09.2007 no virus found
NOD32v2 1966 01.09.2007 no virus found
Norman 5.80.02 12.31.2007 no virus found
Panda 9.0.0.4 01.08.2007 no virus found
Prevx1 V2 01.09.2007 no virus found
Sophos 4.13.0 01.05.2007 no virus found
Sunbelt 2.2.907.0 01.05.2007 VIPRE.Suspicious
TheHacker 6.0.3.146 01.08.2007 no virus found
UNA 1.83 01.06.2007 no virus found
VBA32 3.11.2 01.09.2007 no virus found
VirusBuster 4.3.19:9 01.09.2007 no virus found

Aditional Information
File size: 171008 bytes
MD5: 2c271bfd0deaca5745e87bf069999862
SHA1: 92e4783fc4fef2d46000728d9f1dba051078468f
packers: Aspack
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

And this is countrymakeinUS.dll in the same fashion, directly from the original post, b4 modifications:

Complete scanning result of "countrymakeinUS.dll", received in VirusTotal at 01.09.2007, 16:53:11 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 01.09.2007 no virus found
Authentium 4.93.8 12.30.2006 no virus found
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 01.09.2007 no virus found
BitDefender 7.2 01.09.2007 no virus found
CAT-QuickHeal 9.00 01.09.2007 no virus found
ClamAV devel-20060426 01.09.2007 no virus found
DrWeb 4.33 01.09.2007 no virus found
eSafe 7.0.14.0 01.09.2007 no virus found
eTrust-InoculateIT 23.73.109 01.09.2007 no virus found
eTrust-Vet 30.3.3313 01.09.2007 no virus found
Ewido 4.0 01.09.2007 no virus found
Fortinet 2.82.0.0 01.09.2007 no virus found
F-Prot 3.16f 01.08.2007 no virus found
F-Prot4 4.2.1.29 01.09.2007 no virus found
Ikarus T3.1.0.27 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.09.2007 no virus found
McAfee 4934 01.08.2007 no virus found
Microsoft 1.1904 01.09.2007 no virus found
NOD32v2 1966 01.09.2007 no virus found
Norman 5.80.02 12.31.2007 no virus found
Panda 9.0.0.4 01.08.2007 no virus found
Prevx1 V2 01.09.2007 no virus found
Sophos 4.13.0 01.05.2007 no virus found
Sunbelt 2.2.907.0 01.05.2007 VIPRE.Suspicious
TheHacker 6.0.3.146 01.08.2007 no virus found
UNA 1.83 01.06.2007 no virus found
VBA32 3.11.2 01.09.2007 no virus found
VirusBuster 4.3.19:9 01.09.2007 no virus found

Aditional Information
File size: 175616 bytes
MD5: bfcd6e9cd879bb6c01b7fbf2d6266f04
SHA1: 9bf95ba9266a98d38f74756177a7305101eb1a9b
packers: Aspack
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

01/09/2007 17:14 daveq#8

NOW...here is AgentKing.exe AFTER the instructions in this post were completed (on a safe computer, because b4 using the tools i scanned each one of those in [Only registered and activated users can see links. Click Here To Register...] and it appeared that almost every one of the tool files in your downloads contained some quetionable results, but I chalked that up to how the tools operate and what they accomplish)

Complete scanning result of "countrymakeinUS.dll", received in VirusTotal at 01.09.2007, 16:53:11 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 01.09.2007 no virus found
Authentium 4.93.8 12.30.2006 no virus found
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 01.09.2007 no virus found
BitDefender 7.2 01.09.2007 no virus found
CAT-QuickHeal 9.00 01.09.2007 no virus found
ClamAV devel-20060426 01.09.2007 no virus found
DrWeb 4.33 01.09.2007 no virus found
eSafe 7.0.14.0 01.09.2007 no virus found
eTrust-InoculateIT 23.73.109 01.09.2007 no virus found
eTrust-Vet 30.3.3313 01.09.2007 no virus found
Ewido 4.0 01.09.2007 no virus found
Fortinet 2.82.0.0 01.09.2007 no virus found
F-Prot 3.16f 01.08.2007 no virus found
F-Prot4 4.2.1.29 01.09.2007 no virus found
Ikarus T3.1.0.27 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.09.2007 no virus found
McAfee 4934 01.08.2007 no virus found
Microsoft 1.1904 01.09.2007 no virus found
NOD32v2 1966 01.09.2007 no virus found
Norman 5.80.02 12.31.2007 no virus found
Panda 9.0.0.4 01.08.2007 no virus found
Prevx1 V2 01.09.2007 no virus found
Sophos 4.13.0 01.05.2007 no virus found
Sunbelt 2.2.907.0 01.05.2007 VIPRE.Suspicious
TheHacker 6.0.3.146 01.08.2007 no virus found
UNA 1.83 01.06.2007 no virus found
VBA32 3.11.2 01.09.2007 no virus found
VirusBuster 4.3.19:9 01.09.2007 no virus found

Aditional Information
File size: 175616 bytes
MD5: bfcd6e9cd879bb6c01b7fbf2d6266f04
SHA1: 9bf95ba9266a98d38f74756177a7305101eb1a9b
packers: Aspack
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

and here is countrymakeinUS.dll AFTER modifications in this post:

Complete scanning result of "countrymakeinUS.dll", received in VirusTotal at 01.09.2007, 16:47:03 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 01.09.2007 no virus found
Authentium 4.93.8 12.30.2006 no virus found
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 01.09.2007 no virus found
BitDefender 7.2 01.09.2007 no virus found
CAT-QuickHeal 9.00 01.09.2007 no virus found
ClamAV devel-20060426 01.09.2007 no virus found
DrWeb 4.33 01.09.2007 no virus found
eSafe 7.0.14.0 01.09.2007 Win32.Polipos.sus
eTrust-InoculateIT 23.73.109 01.09.2007 no virus found
eTrust-Vet 30.3.3313 01.09.2007 no virus found
Ewido 4.0 01.09.2007 no virus found
Fortinet 2.82.0.0 01.09.2007 suspicious
F-Prot 3.16f 01.08.2007 no virus found
F-Prot4 4.2.1.29 01.09.2007 no virus found
Ikarus T3.1.0.27 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.09.2007 no virus found
McAfee 4934 01.08.2007 no virus found
Microsoft 1.1904 01.09.2007 no virus found
NOD32v2 1966 01.09.2007 no virus found
Norman 5.80.02 12.31.2007 no virus found
Panda 9.0.0.4 01.08.2007 no virus found
Prevx1 V2 01.09.2007 no virus found
Sophos 4.13.0 01.05.2007 no virus found
Sunbelt 2.2.907.0 01.05.2007 VIPRE.Suspicious
TheHacker 6.0.3.146 01.08.2007 no virus found
UNA 1.83 01.06.2007 no virus found
VBA32 3.11.2 01.09.2007 no virus found
VirusBuster 4.3.19:9 01.09.2007 no virus found

Aditional Information
File size: 268800 bytes
MD5: d13cb235f8618a5c9e625bc4bb08e277
SHA1: 3643a56963b2e1e34df2d8be4e2d6501ffb15ec8
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Any explanations to all of this would b appreciated, I understand the work involved in this hack, I just would like to know what exactly is going on.

Ty in advance for any information.

01/09/2007 17:38 Lake292#9

i dont understand u ppl! orginal SV which bought my friend has trojan in it too... he paid for it he has original login and it has trojan too... so i think everybody has that trojan because it was made with it

01/09/2007 19:28 Enki#10

Let me check this, i scaned the files in jotti but dont found nothing, i will check it later.

01/09/2007 19:47 daveq#11

I prefer [Only registered and activated users can see links. Click Here To Register...] over jotti, not that jotti is bad at all, i just find virustotal more detailed in what it finds, and it uses more AV softwares to do it. I only use jotti when virustotal is backed up more than 10 minutes. :D

01/09/2007 19:57 Tieukenny17#12

Quote:

Originally posted by Enki@Jan 9 2007, 09:24
Credits to anantasia for the trace and Cucurucho for clarify the things.

Here we going to see how patch the file directly, so you will dont need patch every time.

First the things we need.

1 The post of anantsia
[Only registered and activated users can see links. Click Here To Register...]
To give karma to him and download the SV(AgentKing.exe and countrymakeinUS.dll)

2 Post of Cucurucho
[Only registered and activated users can see links. Click Here To Register...]
Karma to him for clarify the things a little more, and the adress.

3 This tools (same files in the 2 links)
[Only registered and activated users can see links. Click Here To Register...]
[Only registered and activated users can see links. Click Here To Register...]
For unpack and edit the files.

First we need unpack the files, extract the files in tools.rar and open asprstripperxp.exe, open the AgentKing.exe and click unpacking(AgentKing.exe and countrymakeinUS.dll must be in the same folder), do the same for countrymakeinUS.dll. Now you have your files unpacked, one called _AgentKing.exe and another called _countrymakeinUS.dll, copy this to another place and change the name for the original (without the "_").

Now open hiew32.exe(tools.rar), and browse to the dir where you have your unpacked files(ALT+F1 to change drives/partitions if needed). Open AgentKing.exe.

F4 and select decode. Now wee need the adress in Cucurucho�s post. F5 and write the first adress (00403596) beggining whit a "." so write this ".00403596" and press enter and you will see something like this:

.00403596: 0F84F0010000 je .00040378C --- (6)

This is what we need to edit and the tricky part. Look carefully at this, we need separate the 0F84F0010000 in bytes, so every pair of numbers its a byte, we need count the bytes, 0F 84 F0 01 00 00. We have 6 pairs so we have 6 bytes.

Now we need to do the 'Replace for code that does nothing' manually, The "code that does nothing" its the NOP or the Hex code 90, but this is only one byte long, and we need change the entire line, We have 6 bytes(0F 84 F0 01 00 00), we need 6 NOP�s(90). Locate your cursor in the first pair (0F) and press F3, now you are in edit mode, just write 6 times 90 to replace the 6 bytes. Press F9 to update the file and you will have something like:

.00403596: 90 nop
.00403597: 90 nop
.00403598: 90 nop
.00403599: 90 nop
.0040359A: 90 nop
.0040359B: 90 nop

Replace the next 3 adress in the same way.

What happen? Where is the 10002895?. In the dll. Open the countrymakeinUS.dll pressing F9 (the changes you made to the other file are saved when you press F9). Change mode to decode (F4), and replace the adress in Cucuruchos post.

Just be carefull here, not all the adress are 6 bytes long, the 10002895 are only 2 bytes long, so here you just need replace for 2 nop�s(90). When you repalce the 11 adress the work is done :D.

Happy cracking.

Hi i have followed ur instruction but, when i open up hiew32.exe.. a window pops up and i press f4..nothing happpens...should i browse to the agentking.exe after it's open or what? i do something wrong, can u give the instruction one more time using numbe rlike cucu...much help appreciated tyvm... :)

01/09/2007 20:15 daveq#13

Is it possible that the tools u linked for download are corrupted, bcuz like i said, each one scanned at virustotal also included some questionable material. Also, I tried downloading the asprstripper elsewhere and the links were broken, so u had to get them from somewhere. Just more to think about.

01/09/2007 21:05 Lake292#14

every SV on this forum have trojan in it!! original SV has trojan also!! saw it and scanned!! believe me or not...

01/09/2007 21:16 fatguy#15

Hey. Thanks for the guide I think its better just to have a cracked exe and dll instead of opening the trainer all the time..

But ehm I ran into a little problem. How many times am I supposed to write 90 at the 10002895 code?

I don't really understand that.. Couldn't you maybe give an example ? :D

Page 1 of 4

Last »