HOW TO CRACK API SPY	Version 2.4	by (r)ErAzEr(r)

ApiSpy 2.4 can be downloaded at www.crackstore.com

After installing and starting the program you see a window with the text UNREGISTERED.
Then a stupid registration-info MSGBOX pops up and you are in the program.
In the title of the program you can see UNREGISTERED, and if you click on ABOUT you can see it there too.

Now I will describe the way I cracked the prog.
But the first step isn't required.

1. You are in the prog and now you have to click on Register.

Then we give the program any name and code and press OK. OHHH, a window pops up with the text: The Registration
Information you provided is incorrect.....

After doing this we start W32DSM (look at crackstore) and begin searching for a string that looks like the MSG,
but we can't find it!!!

The program is packed/crypted; the string can only be found unpacked/decrypted in your RAM after the program has started.

What to do now...

Let's take a program called WIN32INTRO (crackstore.com or protools.cjb.net)

After starting WIN32INTRO you have to open Apis32.exe (APISPY) and click on DUMP.

When W32INTRO is finished, quit it and copy/rename the file Dumped.exe (it can be found in the directory of W32INTRO; it's the unpacked APISPY) into the dir of APISPY (renaming is not necessary).

Now open the unpacked file with W32DSM and search for the STRING: The Registration ...

You will land here..

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401774(U)
|
:00401777 0AC0                    or al, al
:00401779 7402                    je 0040177D		//Here the prog shouldn't jump, or it will continue at 40177D
:0040177B EB2C                    jmp 004017A9		//the prog should jump here, then everything is ok :)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401779(C)
|

* Possible StringData Ref from Data Obj ->"The registration information you "		
                                        ->"provided is incorrect. Please"
                                  |
:0040177D BFE8904000              mov edi, 004090E8		//Here edi gets filled with the String
:00401782 BAE0D14000              mov edx, 0040D1E0
:00401787 83C9FF                  or ecx, FFFFFFFF
:0040178A 33C0                    xor eax, eax
:0040178C F2                      repnz

So I think that we have to jump over this part. Above this text there are 2 jumps which seem to be interesting.
We want to jump to 4017A9 in every case, so we start Hview:
-open the file
-click on MODE or press F4 and change to decode
-click on GOTO (or press F5) and put in the address of the first jump (.401779, the DOT is important)
-click on EDIT (or press F3), move your cursor over 7402 (the HEXCODE for JE 0040177D) and replace it by
 9090 (two NOPs; NOP = NO OPERATION = DO NOTHING)

If you start APISPY now you can enter any registration code you want; you are always registered.
But if you restart APISPY you are unregistered again, because it checks your registration code in the registry.

So we search for the UNREGISTERED string again. You should find it 4 times.

Here:



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015D1(U)
|
:004015D4 0AC0                    or al, al
:004015D6 7402                    je 004015DA  //This should be replaced by 2 NOPs
:004015D8 EB35                    jmp 0040160F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015D6(C)
|

* Possible StringData Ref from Data Obj ->"UNREGISTERED"
                                  |
:004015DA BFC8904000              mov edi, 004090C8
:004015DF BAE0D14000              mov edx, 0040D1E0
:004015E4 83C9FF                  or ecx, FFFFFFFF

So you have to start Hview and overwrite 7402 with 9090 at 004015D6 (don't forget the DOT)



and 2. here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401D1F(U)
|
:00401D22 0AC0                    or al, al
:00401D24 7402                    je 00401D28  //This has to be NOPed out too
:00401D26 EB09                    jmp 00401D31

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401D24(C)
|

* Possible StringData Ref from Data Obj ->"UNREGISTERED"
                                  |
:00401D28 C745D0C8904000          mov [ebp-30], 004090C8
:00401D2F EB61                    jmp 00401D92

The JE 00401D28 at 00401D24 has to be replaced by 9090.



and 3. here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401F3E(U)
|
:00401F41 0AC0                    or al, al
:00401F43 7402                    je 00401F47 //the same procedure again
:00401F45 EB35                    jmp 00401F7C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401F43(C)
|

* Possible StringData Ref from Data Obj ->"UNREGISTERED"
                                  |
:00401F47 BFC8904000              mov edi, 004090C8
:00401F4C BAE0D14000              mov edx, 0040D1E0
:00401F51 83C9FF                  or ecx, FFFFFFFF
:00401F54 33C0                    xor eax, eax
:00401F56 F2                      repnz

You have to replace 7402 by 9090 again.

If you start APISPY now, there is only a Registration Info: This Copy of APIS32 is unregistered

Search in W32DSM: This copy..
Voila:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004025F0(U)
|
:004025F3 0AC0                    or al, al
:004025F5 7402                    je 004025F9	//That is the enemy *g*
:004025F7 EB70                    jmp 00402669

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004025F5(C)
|

* Possible StringData Ref from Data Obj ->"This  copy  of  APIS32  is"
                                  |
:004025F9 BF08924000              mov edi, 00409208
:004025FE BAE0D14000              mov edx, 0040D1E0
:00402603 83C9FF                  or ecx, FFFFFFFF
:00402606 33C0                    xor eax, eax

Start Hview, replace JE 004025F9 at address 4025F5 by 2 NOPs (9090)

And you cracked it!

And don't forget: Press F9 to Save/Update in Hview :)

Hview can be downloaded at www.crackstore.com too.
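
Seen from the vendor's side, every edit above leaves the same trace: an "or al, al" followed by two NOPs where the JE used to be, directly in front of a short JMP. The check below is an added example, not part of the original text or of APISPY; it reports that trace and also compares a code range against a known-good digest. The sample bytes are constructed from the listing at 00401777, and all function and constant names are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import re

# Constructed sample: the guard bytes shown in the listing at 00401777
# (or al, al / je +2 / jmp short) plus the first instruction of the
# failure path. BASE is the virtual address of the first byte.
BASE = 0x00401777
ORIGINAL = bytes.fromhex("0AC0" "7402" "EB2C" "BFE8904000")
# Constructed sample of the same range after 7402 was overwritten by 9090.
TAMPERED = bytes.fromhex("0AC0" "9090" "EB2C" "BFE8904000")

# or al, al ; nop ; nop ; jmp short <rel8>
NOPPED_GUARD = re.compile(rb"\x0A\xC0\x90\x90\xEB.", re.DOTALL)


def find_nopped_guards(code: bytes, base: int) -> list[int]:
    """Return the virtual address of each NOP pair that sits where a
    conditional jump is expected between 'or al, al' and 'jmp short'."""
    return [base + m.start() + 2 for m in NOPPED_GUARD.finditer(code)]


def digest(code: bytes) -> str:
    """SHA-256 of a code range, recorded at build time as the reference."""
    return hashlib.sha256(code).hexdigest()


def is_modified(code: bytes, known_good: str) -> bool:
    """True if the code range no longer matches the build-time digest.
    This catches any edit, not only the NOP pattern above."""
    return digest(code) != known_good


if __name__ == "__main__":
    reference = digest(ORIGINAL)
    for name, sample in (("original", ORIGINAL), ("tampered", TAMPERED)):
        hits = [f"{addr:08X}" for addr in find_nopped_guards(sample, BASE)]
        print(name, "modified:", is_modified(sample, reference), "nops at:", hits)
```

The pattern scan only recognises this one style of edit; the digest comparison is the general check, and it is only as trustworthy as the place the reference digest and the comparison itself are stored.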

(r)ErAzEr(r) greetz Darth Sidious

For Questions please mail to ErAzEr@gmx.at

Greetings go out to all other crackers and to all newbies like me trying to learn to crack.


Translated by tHe_rÈbEll...if you find mistakes please mail the_rebell_alz@gmx.de THX

---------------------------------------------------
This information is for educational purposes only!|
---------------------------------------------------