                      .    .              
                       :    .                                  
           :     :    /|    :           
       ____      |\  / |__  /\___  ___ __        
    . /    \  ___| \/     \/     \/   V  \         
    :/     _\/   |  \    _/   O   \       \           
    /      \/\   :  /_    ) ____   \       \ 
 ../          \  .    \   \/    \   \\_/|   \  
   \           \       \        /    \  |    \.... . .    
    \________  /_|_____/___/\  /__|  / /     /       
             |/    C.r.E.a.M |/   |_/  \____/   
             :               :    :    
             .               .    .      
THIS TUTORIAL IS FOR ABSOLUTE NEWBIES!!-------written by "sTILLgREEN"

ok, let's get to the point. This tutorial is for the first cream project,
which can be found at http://cream2000.cjb.net/
If you have read about the project you will know that we have to:

1.  Find the email address of JPEG Optimizer.

2.  Tell  how many characters in a valid serial number for JPEG Optimizer.
2a. Explain how you answered question 2.

3.  (BONUS) Get a valid Serial number for JPEG Optimizer.
ok, let's get going.
We can find the email address under Help --> About (jpinfo@xat.com).
They have also given another email address under Help --> Help Contents --> Information --> Ordering Information (info@xat.com).

ok, if we go after the correct serial we will also solve question 2 along the way.
If JPEG Optimizer is not registered we have a gif staring at our face and a few options disabled.
Once we register we can hide the adverts from the Options menu.
I used SoftICE to crack this one, so make sure you have installed it correctly and configured the
winice.dat file. The lines
EXP=c:\windows\system\kernel32.dll
EXP=c:\windows\system\user32.dll
EXP=c:\windows\system\gdi32.dll
EXP=c:\windows\system\shell32.dll
EXP=c:\windows\system\advapi32.dll
EXP=c:\WINDOWS\SYSTEM\MSVBVM50.DLL
EXP=c:\WINDOWS\SYSTEM\MSVBVM60.DLL
EXP=c:\windows\system\vb40032.dll
EXP=c:\windows\system\shell.dll
should be present in that file WITHOUT a ";" in front of them (a leading ";" comments the line out, SoftICE then does not load the exports of that DLL, and names like hmemcpy will not resolve in a bpx).
ok, choose Register from the Help menu. There is only a serial to enter, no name required.
Set a breakpoint on the memory copy with "bpx hmemcpy".
Enter a random serial (I entered 123789) and press ] ok [.

You will be back in SoftICE, but inside the process USER(xx), and that is not where we want to be.
Press F10 until you get into the JPEG Optimizer process; you reach it right after "kernel32!_freqasm".
As soon as you are in the JPEG Optimizer process take a look at the value in eax: it is the length of our serial.
Keep pressing F10 to get out of those calls until you get here:

:00429563 8D45EC                  lea eax, dword ptr [ebp-14]
:00429566 E863320200              call 0044C7CE
:0042956B 83F808                  cmp eax, 00000008<--the length of our serial (in eax) is compared with the required one: 8 characters (question 2)
:0042956E 751B                    jne 0042958B       <---- since eax (6 for 123789) and 8 don't match we would jump to "sorry, invalid serial"

Disable the breakpoint by typing "bd 0" (it is breakpoint number 0 in the "bl" list).
cmp subtracts the second operand from the first and sets the flags from the result, so the zero flag is SET ("1") when the two operands are equal
(in our case eax and 8) and CLEAR ("0") when they are not. jne jumps when the zero flag is clear.
To toggle the zero flag between set and clear we use the SoftICE command "r fl z".
With eax = 6 the flag is clear and the jump would be taken, so flip it with "r fl z" and step over the jne to continue without jumping to 0042958B.

:00429581 E88E0B0000              call 0042A114<----------------the call that compares the real serial with ours
:00429586 59                      pop ecx
:00429587 84C0                    test al, al<---------------------------al comes back as 1 (non-zero) if they match, 0 if not
:00429589 7504                    jne 0042958F<----------------------the crossroads between "invalid serial" and "thank you.."

ok, with the eip back on the call at 00429581 step into it by pressing F8 and you will get here:

:0042A114 55                      push ebp
:0042A115 8BEC                    mov ebp, esp
:0042A117 83C4F4                  add esp, FFFFFFF4
:0042A11A 53                      push ebx
:0042A11B 8B4508                  mov eax, dword ptr [ebp+08]
:0042A11E 8D5DF4                  lea ebx, dword ptr [ebp-0C]
:0042A121 8A10                    mov dl, byte ptr [eax]
:0042A123 8813                    mov byte ptr [ebx], dl
------------------------ (elided by the author: the same byte copy continues for [eax+01] .. [eax+07] into [ebx+01] .. [ebx+07])
:0042A14F 8A4008                  mov al, byte ptr [eax+08]
:0042A152 884308                  mov byte ptr [ebx+08], al
:0042A155 C6430900                mov [ebx+09], 00
:0042A159 0FBE03                  movsx eax, byte ptr [ebx]
:0042A15C 50                      push eax
:0042A15D E8228C0400              call 00472D84
:0042A162 59                      pop ecx
:0042A163 83F84A                  cmp eax, 0000004A<-------the comparing starts: our '1' <=> ? (4A in hex = 74 in decimal = ? in ASCII). Note that bytes 0 and 1 go through call 00472D84 first, so they are not compared raw; the page does not show that routine
:0042A166 7559                    jne 0042A1C1<--------------if the jump would be taken, "r fl z" here to continue
:0042A168 0FBE5301                movsx edx, byte ptr [ebx+01]
:0042A16C 52                      push edx
:0042A16D E8128C0400              call 00472D84
:0042A172 59                      pop ecx
:0042A173 83F853                  cmp eax, 00000053<----------our '2' <=> ?
:0042A176 7549                    jne 0042A1C1<--------------"r fl z" here to continue
:0042A178 0FBE4B02                movsx ecx, byte ptr [ebx+02]
:0042A17C 83F924                  cmp ecx, 00000024<---------our '3' <=> ? (from here on the bytes are compared directly, no call before the cmp)
:0042A17F 7540                    jne 0042A1C1<--------------"r fl z" here to continue
:0042A181 0FBE4303                movsx eax, byte ptr [ebx+03]
:0042A185 83F832                  cmp eax, 00000032<-----------our '7' <=> ?
:0042A188 7537                    jne 0042A1C1<--------------"r fl z" here to continue
:0042A18A 0FBE5304                movsx edx, byte ptr [ebx+04]
:0042A18E 83FA38                  cmp edx, 00000038<-----------our '8' <=> ? (we guessed this one right :)
:0042A191 752E                    jne 0042A1C1<--------------"r fl z" here to continue
:0042A193 0FBE4B05                movsx ecx, byte ptr [ebx+05]
:0042A197 83F939                  cmp ecx, 00000039<-----------our '9' <=> ? (once again :)
:0042A19A 7525                    jne 0042A1C1<--------------"r fl z" here to continue
:0042A19C 0FBE4306                movsx eax, byte ptr [ebx+06]
:0042A1A0 83F832                  cmp eax, 00000032<-----------we have no 7th character ("") <=> ?
:0042A1A3 751C                    jne 0042A1C1<--------------"r fl z" here to continue
:0042A1A5 0FBE5307                movsx edx, byte ptr [ebx+07]
:0042A1A9 83FA31                  cmp edx, 00000031<-----------no 8th character ("") <=> ?
:0042A1AC 7513                    jne 0042A1C1<--------------"r fl z" here to continue
:0042A1AE C70554A448001443FC69    mov dword ptr [0048A454], 69FC4314
:0042A1B8 E8CFA7FDFF              call 0040498C
:0042A1BD B001                    mov al, 01<-----------------all 8 bytes matched: set al (the return value) to 1
:0042A1BF EB1B                    jmp 0042A1DC<-------------and off to "thank you.."

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042A166(C), :0042A176(C), :0042A17F(C), :0042A188(C), :0042A191(C)
|:0042A19A(C), :0042A1A3(C), :0042A1AC(C)
|
:0042A1C1 53                      push ebx<-----------------first mismatch lands here: the copied serial gets a second chance
:0042A1C2 E8D1280000              call 0042CA98<-------------another check we did not step into
:0042A1C7 59                      pop ecx
:0042A1C8 84C0                    test al, al
:0042A1CA 7404                    je 0042A1D0<---------------if that one also returns 0 we go to "invalid serial"
:0042A1CC B001                    mov al, 01
:0042A1CE EB0C                    jmp 0042A1DC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042A1CA(C)
|
:0042A1D0 C70554A44800EBBC0396    mov dword ptr [0048A454], 9603BCEB
:0042A1DA 33C0                    xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042A1BF(U), :0042A1CE(U)
|
:0042A1DC 5B                      pop ebx
:0042A1DD 8BE5                    mov esp, ebp
:0042A1DF 5D                      pop ebp
:0042A1E0 C3                      ret
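As an added example (not from the original tutorial and not JPEG Optimizer's own code), here is the routine at 0042A114 together with its length gate at 0042956B rewritten in C, with every constant taken from the cmp operands in the listing above. Two things are assumptions, because the page does not show those routines: the call at 00472D84, which only bytes 0 and 1 pass through before they are compared with 0x4A and 0x53, is modelled as an upper-casing routine, and the second validator at 0042CA98 is modelled as always rejecting. The function names are mine.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SERIAL_LEN 8            /* cmp eax, 00000008 at 0042956B */

/* The eight bytes the routine compares against, in order ([ebx+0] .. [ebx+7]);
   each value is the immediate operand of the matching cmp in the listing. */
static const unsigned char EXPECTED[SERIAL_LEN] = {
    0x4A, 0x53, 0x24, 0x32, 0x38, 0x39, 0x32, 0x31
};

/* ASSUMPTION: stand-in for call 00472D84, which the page does not show.
   Only bytes 0 and 1 go through it before being compared with two
   upper-case letter codes, so an upper-casing routine is the natural guess. */
static int fold_case(int c)
{
    return toupper(c);
}

/* ASSUMPTION: stand-in for the second validator at 0042CA98 (reached on the
   first mismatch).  The page does not show it, so model it as always failing. */
static int alt_check(const unsigned char *buf)
{
    (void)buf;
    return 0;
}

/* Mirror of 0042A114-0042A1E0: copy nine bytes of the serial into a local
   buffer, NUL-terminate it, then compare byte by byte.  The original uses
   movsx (sign extension); that only differs for bytes >= 0x80, which can
   never equal any EXPECTED value, so a plain unsigned load behaves the same.
   Returns 1 for "thank you", 0 for "invalid serial" (the value left in al). */
static int check_serial_body(const char *serial)
{
    unsigned char buf[10];
    memcpy(buf, serial, 9);                 /* [eax+0..8] -> [ebx+0..8] */
    buf[9] = 0;                             /* mov [ebx+09], 00 */
    for (int i = 0; i < SERIAL_LEN; i++) {
        int c = buf[i];
        if (i < 2)
            c = fold_case(c);               /* call 00472D84 for bytes 0 and 1 */
        if (c != EXPECTED[i])
            return alt_check(buf);          /* jne 0042A1C1 */
    }
    return 1;                               /* mov al, 01 / jmp 0042A1DC */
}

/* Mirror of the caller at 00429563: the length gate runs first, so anything
   that is not exactly eight characters never reaches the byte compare. */
int check_serial(const char *serial)
{
    char padded[10] = {0};
    size_t n = strlen(serial);
    if (n != SERIAL_LEN)                    /* cmp eax, 8 / jne 0042958B */
        return 0;
    memcpy(padded, serial, n);              /* the nine-byte copy above is now in bounds */
    return check_serial_body(padded);
}

/* Question 3: a serial that passes is just EXPECTED read as text
   (question 2 is SERIAL_LEN).  Writes SERIAL_LEN characters plus a NUL. */
void derive_serial(char out[SERIAL_LEN + 1])
{
    for (int i = 0; i < SERIAL_LEN; i++)
        out[i] = (char)EXPECTED[i];
    out[SERIAL_LEN] = '\0';
}

/* Convenience: does the derived serial pass the reconstructed check? */
int derived_serial_is_valid(void)
{
    char serial[SERIAL_LEN + 1];
    derive_serial(serial);
    return check_serial(serial);
}

int main(void)
{
    char serial[SERIAL_LEN + 1];
    derive_serial(serial);
    printf("valid serial length: %d\n", SERIAL_LEN);
    printf("derived serial     : %s -> %s\n", serial,
           check_serial(serial) ? "thank you" : "invalid serial");
    printf("123789             : %s\n",
           check_serial("123789") ? "thank you" : "invalid serial");
    return 0;
}
```

Compile it with gcc and run it: "123789" fails at the length gate exactly as in the tutorial, and derive_serial turns the eight immediates into the serial, which answers questions 2 and 3 without touching the zero flag at all. Whether a lower-case first two characters would also be accepted depends entirely on the guess about 00472D84; step into that call in SoftICE to confirm before relying on it.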

So our serial is compared byte by byte with " ******** " (you find it :) ; the eight cmp operands above, turned from hex into ASCII, spell it out.
Restart JPEG Optimizer and enter the correct serial, and don't forget to hide the adverts from the Options menu.
This is my first tutorial, hope it has helped you!
You can find me at #cracking4newbies on EFNET, ICQ#62383482 and stillgreen@onebox.com
