
                               
                                              


   Welcome to Cracking Tutorial #11!

   Whoa! 2 weeks ago we released #10, I must say we're fast today! :P
   *cough* .. *cough* :)

   In this tutor we'll teach you more about W32Dasm,
   SoftIce, and SmartCheck. Without knowledge, no power! ;)

   Warning, this tutorial is a real mother!!  *grin*

   Oh btw I didn't write a tutor today, I've included other crackers'
   tutors here, 7 tutors in ONE! We hope you'll appreciate our bonus
   today! :))

   Ok, let's rock!!



   You'll need the following tools:

   (I use these tools, I assume you'll use 'em, but it doesn't
   mean that you'll need to use all those tools, so be sure to
   get them handy for the examples in this tutorial!)

   SoftIce 3.24
   W32Dasm 8.93
   Hacker's View 6.00
   SmartCheck 6.0
   Windows Commander 3.52 (I use it coz it's easier to multitask)

   Don't ask me where to download all these tools since you had
   a chance to get them when you used my older tutorials. Here
   is a good cracking site where you can grab tools from:

   http://cracking.home.ml.org or http://surf.to/HarvestR

   or ask any crackers to get you these tools!

   Are you ready?!

   OK! ;)



    PART 1: How to get a serial in Sex Machine v1.2.0 using Softice


    Now what's this?? Another tut so fast?? You're damn right buddy. Now i know
    that i'm crazy :)
    "So..what are we gonna attack this time?", you ask. Well..how about some
    Visual Basic 5.0 stuff? Sounds cool? Well i'm the one to decide and i say YES!

    This time we'll attack a small program called:

                                    Sex Machine v1.2.0
                           (http://www.techsono.com/sexmachine)

    It's a VB5 program and therefore you need some basic knowledge of VB-cracking.
    This i will, of course, give to you =) So...let's start.

    The first thing you need to do is EDIT WINICE.DAT and add a line:

                            EXP=<drive:>\<dir>\MSVBVM50.DLL

    This is what SoftICE uses to recognize VB appz. So REBOOT.....back? Cool !
    Now you're ready to start. Cya in cyberspace d00d.

    1) Fire up the program and watch. SUX..a nasty NAG saying: UNREGISTERED
       Hmm..we don't want it to say that so click "Go Away" and select
       "Enter Registration Key". Click "Yes, i agree..."
       Ok..you're now at the Name/Serial screen.

    2) Enter your Name and a random Serial (Name:BuLLeT / Serial: 22446688)
       So..happy as you are you press CTRL+D and set a breakpoint on:
       GetWindowTextA/GetDlgItemTextA. Press F5 and click OK. Hmm..what's this?
       You just get the NAG saying "Wrong...." Well i think it's time to tell you
       that VB5 does not use the normal breakpoints.

       When cracking VB appz you must use some other BPX. Like:
       __vbastrcomp  /  multibytetowidechar  /  __vbastri4
       Actually we could use all of them but then we'd have to trace a bit longer,
       and we don't want that. So..

    3) Clear the BPX (=BC*) and type: BPX __VBASTRCOMP
       Press F5 and click OK. *BANG* SoftIce is right in your ugly face :-/
       Now what? Well let's start tracing a bit. What's that? It says TONYTOP
       several times. How come? Well..i did a bit of checking and found that
       TONYTOP cracked version 1.0 of this program. HEHE..they blacklisted him :)
       (I hope they won't blacklist me...hehe)

    4) As you keep on tracing you see a lot of weird stuff which only VB appz use,
       stuff you don't need to understand. Well..trace using F10..keep it going.
       i think you have to trace about 140 times :) (I didn't count them..just
       pressed F10 for a LOONG time). Keep on tracing till you see:

            MOV EAX, 00000001
            ADD ESP, 0C
            ADD AX, SI
            JO 0042E588
            MOV ESI, EAX
            JMP 0042E45D
            IMUL EDI, EDI, 40
            JO 0042E588
            PUSH EDI
            CALL [MSVBVM50!__VbaStrI4]
            MOV EDX, EAX                   <---------- This is where you STOP!

    5) Ok..you're now standing at 'MOV EDX, EAX' and you don't have a clue what to
       do. Well...when you traced the CALL a lot of registers changed.
       So let's look in some of those nasty registers. Let's start with EAX.
       Type 'D EAX' Hmm..a number.. (In my case: 33280) But it looks weird doesn't
       it? It should normally look like: '33280' but it's '3 3 2 8 0'. how come?
       This is because VB uses multibytetowidechar. A function to convert data to
       wide char. Doesn't really matter..you got the number don't ya?

    6) So..clear all breakpoints (=BC*). Press F5 and enter the right serial.
       *BOOM*...registered...hopefully :)

    I hope this taught you just a bit about VB cracking.

    All for now..Cya

    ------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------

    Written by -=[BuLLeT]=-
    E-Mail: BuL_LeT@hotmail.com

    ------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------



    PART 2: How to get a serial in PowerAIM v1.3.7 using SmartCheck


    Ok..once again i bring you a tutorial to help you improve your skills.
    This time we'll crack a program called:

                                    PowerAIM v1.3.7
                                   (Add-on for AOL)

    We'll crack it using SmartCheck so you don't need to know Assembly or anything
    to follow this tutorial.

    So...let's get started: (oh..remember your SCREEN NAME - it's needed later)

    1) Start SmartCheck (=SC from now on) and open PWRAIM.EXE
       Run it and press 'acknowledge' a lot of times. (until it stops loading).

    2) A popup-screen will be shown to your good old newbie face *cough* :)
       Press 'Register' and enter a random code.

    3) Click 'OK'.

    4) Go back to SC and go to the following section:

               DoEvents/Timer1_Timer/btn_EnterReg.Do.Click/RaiseEvent/
               btn_Enter.Reg.Do.Click/DoEvents/btn_OK_Click/

       There you'll see this line:

               Double(x.xxxxx+xxx) --> Long (xxxxxxx)
                      |---------|            |-----|
                           |                    |
               Your code + some stuff  | Your code - stuff

    5) Click it and watch the Debug Window (the one on the right).
       There you see:

               Double       x.xxxxxx+xxx
               Long         xxxxxxx         <--------
                                                |
       And guess what?? What d'ya think this is? ----

        You're damn right you are..your code.

                (In my case: SCREEN NAME: BuLLeT  /  Reg-Key: 6011810)

    Hope you enjoyed cracking this VB5 app. I surely did =)

    All for now..Cya

    ------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------

    Written by -=[BuLLeT]=-
    E-Mail: BuL_LeT@hotmail.com

    ------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------


    PART 3: How to crack Stone's Connect Control v1.4.1 using W32Dasm


    So..once again i give you the opportunity to learn to crack. The program we
    will attack is called:

                            Stone's Connect Control v1.4.1
                             (http://www.image.dk/~stone)

    This program is free for private users. You will, however, see a NAG which
    we will try to modify into showing your own name.

    We will crack this fella using W32Dasm and HIEW. So...ready to go? OK!

    1) Launch the program...you see it? "IKKE REGISTRERET"...Note it...

    2) Launch the nasty disassembler W32Dasm and disassemble CONNCTRL.EXE

    3) Select SDR (=String Data Reference) and find the message.
       Double-click it and close the SDR window. Now you should see:

       * Referenced by a (U)nconditional or (C)onditional Jump at Address:
       0041408E(C)

       004140C0 B848614100          MOV EAX, 00416148

       *Possible StringData Ref from Code Obj -> "[IKKE-REGISTRERET!!!]"

       004140C5 BA24414100          MOV EDX, 00414124

       ......some other un-important stuff.

    4) You see the CALL?  -> 0041408E.....let's check that address. Scroll up till
       you see:

       * Referenced by a (U)nconditional or (C)onditional Jump at Address:
       00414088(U)

       0041408C 84DB                TEST BL, BL
       0041408E 7430                JE 004140C0

       Even more un-important stuff...

    5) So..trace up further till you see:

       * Referenced by a (U)nconditional or (C)onditional Jump at Address:
       00414064(C)

       00414086 33DB                XOR EBX, EBX
       00414088 EB02                JMP 0041408C

       ...how much un-important stuff is there ?????

    6) Trace up even further till you see this:

       00414079 8B1540614100        MOV EDX, DWORD PTR [00416140]

       * Reference To: VCL20.System.@LStrCmp@51F89FF7, Ord: 0000h

       0041407F E8BCD0FEFF          CALL 00401140
       00414084 7504                JNE 0041408A

       Hmm....a CALL followed by a JNE (=Jump if Not Equal)....interesting isn't
       it? Well..at least I think it is :)

    7) So..what can we conclude from this? In the CALL something is calculated.
       If the result of the CALL is NOT equal it'll jump. Cool!
       This means that we can just change something....but what? Guessed it ?
       I hope so..Let's change the JNE to JE (=Reverse the Jump)

    8) Note the offset at the bottom of W32Dasm --> @Offset 00013479h
       Launch HIEW CONNCTRL.EXE

    9) Press Enter twice to go to Decode mode.

   10) Press F5 and enter the offset

   11) Press F3 to edit the file and type 75 (=JE)

   12) Press F9 to update your changes, followed by a few ESC's

   13) ...so..you think you're done? WRONG!! Before you will see your name in the
       About Box, you will have to tell the program where to find the name etc.
       So where do we do that? Well..i'd say Registry is a pretty good guess ;)

   14) Fire up REGEDIT.EXE and go to this section:

       [HKEY_CURRENT_USER\Software\Stone's Software\ConnectControl\Start]

       There you'll have to add this:

       "RegNavn"="BuLLeT"           (=or any name you like)
       "RegNr"="S12345"             (=it *HAS* to start with 'S')

       That should be all..after creating the Strings quit REGEDIT and run
       CONNCTRL.EXE again...what happened to the IKKE REGISTRERET ??
       Well..you see your name?

       Cool...program cracked successfully    (once again :P )


        All for now..Cya

    ------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------

    Written by -=[BuLLeT]=-
    E-Mail: BuL_LeT@hotmail.com

    ------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------


    PART 4: How to crack Stone's WebWriter 2 v2.1.1 using W32Dasm


    Ok..time to attack another program ;)

                              Stone's WebWriter 2 v2.1.1
                             (http://www.image.dk/~stone)

    This program is free for private users. You will, however, see a NAG which
    we will try to modify into showing your own name.

    We will crack this fella using W32Dasm and HIEW. So...ready to go? OK!

    1) Launch the program...you see it? "IKKE REGISTRERET"

    2) Launch the nasty disassembler W32Dasm and disassemble WEBWRITE.EXE

    3) Select SDR (=String Data Reference) and search for the message....hmm..it's
       not there!! Now what?? Well..try scrolling down till you're at a line
       saying: "p". Double-click it until you see at the bottom that you're at
       offset: 0006D8B1     -   close the SDR window. Now you should see:

       * Referenced by a (U)nconditional or (C)onditional Jump at Address:
       0046E494(U)

       0046E498 84DB                TEST BL, BL
       0046E49A 7440                JE 0046E4DC

       .......some ASM code

       * Reference To: VCL30.System.LoadResString@02614E1B, Ord: 0000h

       .......some other ASM code

       *Possible StringData Ref from Code Obj -> "p"

       0046E4B1 8B159DE4700         MOV EDX, DWORD PTR [0047DE94]
       0046E4B7 FF7482FC            PUSH [EDX+4*EAX-04]

       ......some other un-important stuff.

    4) You see the CALL?  -> 0046E494.....let's check that address. Scroll up till
       you see:

       * Referenced by a (U)nconditional or (C)onditional Jump at Address:
       0046E470(C)

       0046E492 33DB                XOR EBX, EBX
       0046E494 EB02                JMP 0046E498

       Even more un-important stuff...

    5) Trace up even further till you see this: (should be on the same screen)

       00414079 8B1540614100        MOV EDX, DWORD PTR [0047F418]

       * Reference To: VCL30.System.@LStrCmp@51F89FF7, Ord: 0000h

       0046E48B E8302DF9FF          CALL 004011C0
       0046E490 7404                JE 0046E496

       Hmm....a CALL followed by a JE (=Jump if Equal)....interesting isn't
       it? Sure it is..i mean...it HAS to be :)

    6) So..what can we conclude from this? In the CALL something is calculated.
       If the result of the CALL is equal it'll jump. Cool!
       This means that we can just change something....but what? Guessed it ?
       I hope so..Let's change the JE to JNE (=Reverse the Jump)

    7) Note the offset at the bottom of W32Dasm --> @Offset 0006D890h
       Launch HIEW WEBWRITE.EXE

    8) Press Enter twice to go to Decode mode.

    9) Press F5 and enter the offset

   10) Press F3 to edit the file and type 75 (=JNE)

   11) Press F9 to update your changes, followed by a few ESC's

   12) ...so..you think you're done? WRONG!! Before you will see your name in the
       About Box, you will have to tell the program where to find the name etc.
       So where do we do that? Well..i'd say Registry is a pretty good guess ;)

   13) Fire up REGEDIT.EXE and go to this section:

       [HKEY_CURRENT_USER\Software\Stone's Software\WebWriter\Start]

       There you'll have to add this:

       "RegNavn"="BuLLeT"           (=or any name you like)
       "RegNr"="S12345"             (=it *HAS* to start with 'S')

       That should be all..after creating the Strings quit REGEDIT and run
       WEBWRITE.EXE again...what happened to the IKKE REGISTRERET ??
       Well..you see your name?

        Cool...program cracked successfully    (once again :P )


        All for now..Cya

    ------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------

    Written by -=[BuLLeT]=-
    E-Mail: BuL_LeT@hotmail.com

    ------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------


    PART 5: How to get a serial in GameLaunch 3D v1.00.0020 using SmartCheck


    This is my first tutorial and i hope it helps everybody to understand cracking of
    VB proggies.  The proggie we want to crack is Game Launch 3D, i hope you all heard
    of it? Well it's a must for Quake 1 + 2, Hexen 2 and Heretic 2 gamers .. :)

                            Game Launch 3D v1.00.0020
                    ftp://ftp.cdrom.com/pub/planetquake/gamelaunch/gamelaunch100.exe

    For this tutorial you only need Smartcheck from Numega. This is a pretty simple
    copy protection so let's get goin. :)

    1. Start the program .. hmm whats this evaluation? Ok enter any evaluation name you want.
       After you have given all your paths to the program goto Help, Register Gamelaunch
       Enter random e-mail User name and code.
       (e.g Name: AgorA [CIA] | E-mail: Crackers.in.@ction | Registration Number: 12345)

    2. Ok it will tell you that it is an incorrect code. :)

    3. Start up Numega Smartcheck.  In program settings, [Error Detection] everything should
       be ticked, In [Reporting] everything should be ticked except Report Mouse movements from
       ocx control and in [Error Detection -> Advanced] only the top 3 boxes should be ticked.

    4. Ok load the program executable.  Run the program.... ok go make yourself some coffee and
       some toast cause this is gonna take a while .. :)

    5. It will sometimes tell you it's got errors, just click on acknowledge, not suppress.  After
       it's finished loading goto Help and click on Register Gamelaunch again. Enter the E-mail
       you want, and enter any stupid code again.  Ok now in Smartcheck go down until you find
       Register_Bar_click, ok expand the tree ...  Expand Register_Frm_show and expand the tree
       Register_Cmd_click.

    6. Ok now for the difficult bit.  Under Email_txt.text, under the word trim$, you will find
       the e-mail address you have entered.  Go a little bit further down and under
       RegCode_txt.text you will see the Registration number you have entered.  Now look, it is
       going to convert the info you gave to long int ... Ok, we are more interested in where
       the code gets compared so we can find out what the real serial is.  We know that our code
       has the name trim$.  It also says that it's looking for a 4 x 4 digit number, we can see that
       where the program looks for Long(4) -> Integer. Ok lets go down ... far down until we find
       trim$ again and we see our code. Ok so it takes trim$ and it compares it with "left", so
       maybe the number above trim$ will be our serial? Hmm, lets have a look at what is in
       "left". Ahh, we see a lot of numbers but one format looks familiar, yes it does: xxxx-xxxx
       -xxxx-xxxx <- that's our format.  What's the code behind that? Ahh yes, it's our name, e-mail
       converted.

    7. Take the serial that you get, enter it in the Registration Number field and
       voila, it accepts that code. In my case 499F-q563-Te7Z-eD8Z.

        Well i hope you enjoyed this tutorial as much as i did. :)

    cya next time.

    -->The Baddest, Meanest Cracker on the face of this earth. :)<--
                           --->AgorA<---

    Written by AgorA
    E-Mail: AgorA_666@hotmail.com



    PART 6: How to make a keygen for UnInstall Manager v2.5


    Flu[X]'s cracking tutor #5 - A EXTREMELY easy keygen

    Tools
    -Softice 3.2+
    -Uninstall manager v2.5
    -Turbo Pascal 7
    -Brain


    I HIGHLY RECOMMEND YOU VIEW THIS IN NOTEPAD!!!

    -INTRO-
    Ok, in this tut i'll teach you how to do a keygen..  THIS
    is a VERY easy example. Simple principles.. simple protection.
    This is probably the most simple protection I'VE EVER seen!

    Ok, install and start our target. Find under the menus the
    register button. Enter a fake code.. i used:
    name: Fluxphrozen
    code: 121212

    ok get into softice (Control-D) set a bpx on 44FD57
    hopefully softice should break.. you will see the heart of
    the protection scheme..

    Ok it is important to know that at the start of this routine
    EDI contains how many letters there are in our name.
    Also note, before the program gets to this point, it converts
    your name to total lowercase.. you can see that from tracing.
    I will just concentrate on the maths part of it.
    Note EBX is used as an accumulator.. the below function
    just adds up all the ascii values into one number.


    :0044FD57        mov edx, dword ptr [ebp-04]     <-get name into edx
    :0044FD5A        mov dl, byte ptr [edx+eax-01]   <-get character
    :0044FD5E        cmp dl, 20                      <-compare character to a "spacebar"
    :0044FD61        je 0044FD6E                     <-if equal to "spacebar" skip the adding process
    :0044FD63        mov ecx, dword ptr [ebp-04]     <-get name into ecx (useless instruction.. never used)
    :0044FD66        and edx, 000000FF               <-keep only the character byte in edx (clears the leftover pointer bits)
    :0044FD6C        add ebx, edx                    <-add ascii value of character to accumulator
    :0044FD6E        inc eax                         <-increase position in name to get next character
    :0044FD6F        dec edi                         <-decrease # of letters left to process in your name
    :0044FD70        jne 0044FD57                    <-if no more letters left continue
                                                       or else back to top of this process

    Ok that piece of code should be simple. i hope i explained it well
    enough.. ok now what happens with the number it makes? below is the
    code that processes it.


    :0044FD72        xor ebx, 00000089                 <-XOR result by hex $89
    :0044FD78        xor ebx, 00000033                 <-Xor Result of above by $33
    :0044FD7B        lea edx, dword ptr [ebp-08]       <-|
    :0044FD7E        mov eax, dword ptr [esi+0000021C] <-| these functions get your fake
    :0044FD84        call 0041F8E0                     <-| serial you put in the box
    :0044FD89        mov eax, dword ptr [ebp-08]       <-| to check it
    :0044FD8C        call 00407408                     <-|
    :0044FD91        cmp ebx, eax                      <-Compare your fake one with real generated
                                                         ebx= real  eax= fake



    Now to make a keygenerator. I have included my source below. It
    is commented and should be easy to follow.


    ===Begin Source Code===


    program umkeymaker;

    var
     name:string;           {declare variables to use}
     secondc:integer;
     total:integer;
     pos,z:integer;

    begin
     writeln('Uninstall Manager v2.5 Keygen');   {write info to screen}
     writeln('Flu[X]/PC98');
     writeln('7/06/98');
     writeln(' ');
     write('Enter Name :');
     readln(name);                        {read keyboard input}
     Write('Registration Key : ');

     total:=0;                            {initialize variables}
     secondc:=0;
     pos:=1;

     while pos <= length(name) do         {change name to all lowercase}
      begin
      z:= ord(name[pos]);
      secondc:=ord(name[pos]);
       if ord(name[pos]) <= 90 then
        begin
         if ord(name[pos]) >= 65 then
          begin
           name[pos]:= char(ord(name[pos]) + 32);
          end;
        end;
       pos:=pos+1;
     end;

     secondc:=0;
     pos:=1;                              {reset counter variable}

     while pos <= length(name) do         {add ascii values of lowercase name together}
      begin
        if ord(name[pos]) <> $20 then      {test to see if name has a space}
        begin
         secondc := secondc + ord(name[pos]);
        end;
        pos := pos +1;
      end;

     total := secondc XOR $89;            {XOR total by 89 hex}
     secondc:= total;                     {copy result from above to secondc}
     total := secondc XOR $33;            {XOR the result by 33 hex}


     writeln(total);                      {print out total, which is your key}

    end.

    ===END Source Code===


    I hope to see you again in Flu[X] tutor #6
    As always if you like a program buy it!  This essay is for
    educational purposes ONLY! Software authors deserve your support!

    Flu[X]/PC98
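
    Why the check in Part 6 carries so little information, with a signed-licence
    check for contrast. This is an added example, not code from Flu[X] or from
    the program's vendor; the function names and the toy RSA parameters are
    assumptions made for the illustration.

```python
import hashlib

XOR_A, XOR_B = 0x89, 0x33        # constants from the listing at 0044FD72 / 0044FD78
COMBINED = XOR_A ^ XOR_B         # two XORs with constants collapse into one

def weak_check_value(name: str) -> int:
    """Value compared against the typed code at 0044FD91, as the page describes it:
    lowercase A-Z, skip spaces, add up the bytes, XOR with both constants."""
    total = 0
    for b in name.encode("latin-1"):
        if 0x41 <= b <= 0x5A:    # 'A'..'Z' to lowercase, same range as the Pascal source
            b += 0x20
        if b != 0x20:            # cmp dl, 20 / je: a space is not added
            total += b
    return (total ^ XOR_A) ^ XOR_B

def distinct_values(max_len: int) -> int:
    """Upper bound on the number of different check values for names of up to
    max_len printable ASCII characters (bytes 0x21..0x7E). The sum lies in
    0..max_len*0x7E and XOR with a constant maps sums to values one-to-one."""
    return max_len * 0x7E + 1

# Contrast: the licence is a signature over the name and the program holds only
# the public key, so nothing inside it is enough to produce a valid licence.
# Toy textbook RSA on two known Mersenne primes, chosen so the example runs on
# the standard library alone. NOT secure (small modulus, no padding); real code
# would use Ed25519 or RSA-PSS from a vetted library.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public half: ships with the program
D = pow(E, -1, (P - 1) * (Q - 1))      # private half: stays with the vendor

def _digest(name: str) -> int:
    raw = hashlib.sha256(name.lower().encode("utf-8")).digest()
    return int.from_bytes(raw, "big") % N

def issue_licence(name: str) -> int:
    """Vendor side: needs D."""
    return pow(_digest(name), D, N)

def verify_licence(name: str, licence: int) -> bool:
    """Program side: needs only (N, E)."""
    return pow(licence, E, N) == _digest(name)

if __name__ == "__main__":
    # Constructed inputs; "Fluxphrozen" is the name used on the page.
    print("single constant:", hex(COMBINED))
    print("order/space blind:",
          weak_check_value("Fluxphrozen") == weak_check_value("nezorhp xulF"))
    print("unrelated names collide:",
          weak_check_value("ad") == weak_check_value("bc"))
    print("values for names up to 32 chars:", distinct_values(32))
    lic = issue_licence("Fluxphrozen")
    print("signed licence, right name:", verify_licence("Fluxphrozen", lic))
    print("signed licence, other name:", verify_licence("nezorhpxulF", lic))
```

    A signature check removes the keygen problem only; the compare-and-branch
    that follows it is still ordinary code in the executable, so integrity of
    the binary itself has to come from code signing.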



    PART 7: How to crack LiveImage 1.29D Build 52 using W32Dasm


    Flu[X]'s cracking tutor #6 - Dealing with a packed EXE
                                 Getting past Disassembler Protection

    Tools
    -Softice 3.2+
    -Live Image v1.29D Build 52
    -Hackersview 5.65+
    -Brain


    Ok ... recently programmers are using techniques or programs to "pack"
    their EXEcutables or DLL's in an attempt to add additional copyright
    protection. A popular one is shrinker. If you're a cracker.. believe me you
    know about it :)  Ok enough lets get started..

    Ok lets examine our target, Live Image v1.29D Build 52, it asks for a name/serial.
    So we begin tracing (hmemcpy). Eventually we come to these lines of code:



    mov eax,[ebp-20]
    mov ecx,[ebp-0C]
    mov esp, ebp
    Ret

    ----- After return is executed -----

    cmp eax,0
    je BAD_Cracker



    OK, what it does is move a value into EAX, and if that value is 0
    it means you failed the serial check... Now.. if we could make it
    always pass the test... we would have a full regged copy (because
    the programmer always uses the above routine to check his serials).
    OK, i also notice that ebp-20 is 0 unless it is right serial..
    but wait.. EBP is always non zero.. so if we moved ebp into eax
    it will always pass the test.

    so the above code would become:

    mov eax,[ebp]      ; line changed...
    mov ecx,[ebp-0C]
    mov esp, ebp
    Ret


    Ok we think this is going to be some simple patch... So we open up
    W32Dasm to find the file offset (we did write down the address
    from SoftIce didnt we?). Ok we disassemble the file.. and what?!?!
    what is this crap? i cant find that code anywhere!

    This EXE is packed..ARGHHH...So after a bit of analyzing we notice
    that it is packed by shrinker.. so we must De-pack it. I used
    Unshrinker v1.2 (on my web page http://tuts98.cjb.net).

    Ok we now have an unshrinked EXE file :) Things should be good right?
    No, wrong. Lets disassemble the unpacked EXE with W32Dasm, what it wont
    work? It seems as if the author not only used Shrinker, but also added
    a bit of his own protection! ok.. now what do we do here? wait a sec,
    remember what the code we are looking for is?  Maybe if we used our
    heads a bit (a very little bit) we would recall that Hiew allows
    for Hex Searches :)

    mov eax,[ebp-20]
    mov ecx,[ebp-0C]
    mov esp, ebp

    This translates to:  8B45E08B4DF48BE5

    so if we open the file in Hiew we can do a search for 8B45E08B4DF48BE5.
    Hit the F7 key in Hiew and type it in the hex string area.. and find it.
    Hey.. it worked.. we found our code..

    so change it from:
     8B45E0
     8B4DF4
     8BE5

    to:
     8B4500        ;note the 00.
     8B4DF4
     8BE5

    save the file and run.. Hey look its registered.. crack done!

    Also about a patch.. a patch for this program would be virtually
    seeing as it is improbable to modify a packed file.



    I hope to see you again in Flu[X] tutor #7
    As always if you like a program buy it!  This essay is for
    educational purposes ONLY! Software authors deserve your support!

    Flu[X]/PC98
    http://tuts98.cjb.net
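
    Seen from the vendor's or an incident responder's side, the edits in Parts 4
    and 7 are one-byte differences against a known-good image. The added example
    below (not from the original authors) compares two images and classifies
    each changed byte. The byte strings are built from the listings on this
    page, the function names are assumptions, and it expects an unpacked image.

```python
# Mnemonics for the short conditional jumps, opcodes 0x70..0x7F.
JCC = ["JO", "JNO", "JB", "JNB", "JE", "JNE", "JBE", "JA",
       "JS", "JNS", "JP", "JNP", "JL", "JGE", "JLE", "JG"]

def s8(b: int) -> int:
    """Interpret a byte as a signed 8-bit value."""
    return b - 0x100 if b & 0x80 else b

def short_jump(buf: bytes, off: int, base: int):
    """Decode a 2-byte short jump at buf[off]; return (mnemonic, target) or None.
    Target = address of the next instruction + signed rel8."""
    if off + 1 >= len(buf):
        return None
    op = buf[off]
    if op == 0xEB:
        name = "JMP"
    elif 0x70 <= op <= 0x7F:
        name = JCC[op - 0x70]
    else:
        return None
    return name, base + off + 2 + s8(buf[off + 1])

def triage(good: bytes, suspect: bytes, base: int = 0):
    """List (address, kind, before, after) for every byte that differs.
    Heuristic: it assumes a changed byte in 0x70..0x7F is an opcode, not an
    operand; a full tool would disassemble from a known instruction boundary."""
    if len(good) != len(suspect):
        raise ValueError("images differ in length")
    findings = []
    for off, (g, s) in enumerate(zip(good, suspect)):
        if g == s:
            continue
        before = short_jump(good, off, base)
        after = short_jump(suspect, off, base)
        modrm = good[off - 1] if off >= 2 else 0
        if before and after and 0x70 <= g <= 0x7F and s == g ^ 1:
            # Low opcode bit flipped: same branch target, opposite condition.
            findings.append((base + off, "inverted-branch", before[0], after[0]))
        elif (off >= 2 and good[off - 2] == 0x8B
              and (modrm & 0xC0) == 0x40 and (modrm & 0x07) != 0x04):
            # MOV r32,[reg+disp8]: the changed byte is the displacement.
            findings.append((base + off, "disp8-changed", s8(g), s8(s)))
        else:
            findings.append((base + off, "other", g, s))
    return findings

# Constructed samples. Part 4 listing, 0046E48B..0046E495, and its edited form.
WW_BASE = 0x0046E48B
WW_GOOD = bytes.fromhex("E8302DF9FF740433DBEB02")
WW_SUSPECT = bytes.fromhex("E8302DF9FF750433DBEB02")
# Part 7 byte pattern and its edited form; the page gives no address, so base 0.
LI_GOOD = bytes.fromhex("8B45E08B4DF48BE5")
LI_SUSPECT = bytes.fromhex("8B45008B4DF48BE5")

if __name__ == "__main__":
    for addr, kind, before, after in (triage(WW_GOOD, WW_SUSPECT, WW_BASE)
                                      + triage(LI_GOOD, LI_SUSPECT)):
        print(f"{addr:08X}  {kind:16}  {before} -> {after}")
```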


   We really hope you've enjoyed this tutorial as much as we did!
   Don't miss Tutor #12! ;)

   And as I said last time: Without knowledge, there's no power! ;)

   Credits go to: 

   Lazareth/CiA for Splash Logo
   BuLLeT/CiA for providing tuts in this version.
   AgorA/CiA for providing tuts in this version.
   Flu[X]/PC for providing tuts in this version.

   (All the crackers (non-members of CiA) are welcome to send tutors
   for the next tutorials .. see below for my email address!)

   Greetz go to all the newbees!

   You can find me on IRC or email me at tkc@reaper.org


   Coded by The Keyboard Caper - tKC
   The Founder of PhRoZeN CReW/Crackers in Action '98

   Compiled on 30 November 1998

   Cracking Tutorial #11 is dedicated to all the newbees :-P