-----cut here-------------------------------------------------------------------
Exescope 5.0 - How to crack it

Target:  Exescope 5.0
WWW:     http://www.protools.cjb.net
Cracker: Johnny AUM (TNT)
Protections to remove: writes a code in the header of a file & reads this code

What we observe at this program (great proggie, thanks Toshi) is this: the first time we modify a program we can make as many modifications as we wish without going out. When we attempt a second set of modifications, entering Exescope for the second time, we notice that we cannot save that second set of modifications on the way out. What's happening? Every time we get out after modifications, Exescope searches for its code in the header of the file; if it is not found, the program writes this code (hiew: CC -> 8F 05) in the header of the modified file. So the second time we get out, Exescope, after some new changes in the file, verifies whether the code is present, and if it is, tells you to register and also that it cannot save these new modifications.

So, let's find the protection that writes to the header of the file. It must be something that writes a file, like the API function WRITEFILE. Let's search for this function. Disassemble Exescope with w32dasm, press ALT-F-S and enter this text: "kernel32.WRITEFILE", so we don't get interference from other texts at the beginning of the code. We find 5 WRITEFILEs. Many, huh? But we think the real function WRITEFILE will write to the exescoped file many times (the other modifications), so above the WRITEFILE we need there must be a lot of calls. If we take a look we see that only the 3rd function is the one with many calls above it. Let's test it! The address (w32dasm) is 40512C; the corresponding hiew offset is 452C. Let's NOP it with 90 90 90 90 90 (5 times). We enter Exescope and modify a file. When getting out, Exescope tries to save and first to put the code in the header, but the function is gone, so we get an error message.
Bingo! That's it! Now what? Remember the calls above the 3rd WRITEFILE? One of them, probably at the beginning or near it, is writing the header. Let's find which one! I've checked quickly for you and found that the 5th call, I mean call 4566FA, is the one that writes the header of exescoped files. We go to address 4566FA in w32dasm. We observe that above call 405108 (from address 4566FA) is the next instruction: mov ecx,000000E0, meaning ecx=E (14 decimal). Let's change the value, first trying ecx=0. Further on in Exescope's code this will give some calculations with null values, meaning that the function WRITEFILE will not be activated. Let's see if this works. The hiew address for mov ecx,e is 55AF5, and the value E0 is at 55AF6. Make E0 -> 00. I hope you use an unmodified Exescope and a fresh file (not already exescoped; remember that the program writes the code in the header). Finally, it works! Yohoo! Working! Goodbye writing headers on exescoped files! One protection bye-bye.

We know that the writing on file headers is down. But if we have a file exescoped with the unmodified shareware version of Exescope, that's bad, because either we first need to delete the code in the header (we can do this with a *.bat and a patch - automated - which works without cracking Exescope - Toshi, find a better protection) or, second, we must crack the read function to stop Exescope reading this code, in order to let us make as many modifications as we need. Let's make this proggie never read its own header code or search for it. After looking at the code well, I observed that the registering procedure is like this: enter a name and a good serial and Exescope will create a few lines at the end of its ini:

[Reg]
Name=your name
ID=your good serial from Toshi

and also that there are two places where reg and name are found: 1st when you are registering the program (this is the order in the ASM code, at the end) and 2nd when the program is searching for REG, name and serial in its exescope.ini.
There are two situations: a) unregistered - after verifying, the program tells the code, through a CALL, to read the header of the file; b) registered - the program tells through that CALL that it is now registered and stops reading. If this CALL or these CALLs can be identified and killed, the code cannot go further to process either case. This CALL must be around the two places mentioned above; it is, and I found it:
- 1st case - when registering the program - CALL from line 47CDBC;
- 2nd case - when Exescope looks in its ini - CALL from line 48433C;
Both CALLs call the same w32dasm address: line 48450C. Let's kill this path (to stop the functions from here from executing) and reopen the cracked Exescope with an exe modified by the unregistered version. Change at hiew 8390C: 55 -> c3. Test... aha... Working!!! So reading the code from headers is blocked. Job done!

[ Enjoy this fine program, now full featured! Toshi, don't be angry at me, I would not be in your place! If you have something which is really good, people deserve to have it from all our hearts! Love must be the engine for all actions! With more men thinking this way, we will advance more quickly on the road of real peace, love and happiness! You all must know that this is happening already, no matter what side you are on! Don't let your ego oppose your soul's happiness! Ego is the hell! Listen to your heart first and then think, all of you, from there!!! Love you! Bye now! ]

----------------
Greets: tKC (my love too!), CIA, TNT, PC, CORE, all crackers, PRO or newbies, all cracker teams (keep going, we must liberate ourselves from Judeo-Masonic tyranny, all must become free), we are great guys, and nice too. Love you all (but you must be a good soul!).
Romanian Greets: Greetings to all the crackers in Romania! Keep going, better days await us too, think optimistically, God is here with us! Soon, info about the Romanian Cracking Team at www.geocities.com/john_aum, at the bottom of the page.
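Added example (Python), not part of the tutorial and not Exescope's code: the defender's view of the three byte edits described above. A fixed two-byte marker in the header and an unchecked code path are defeated by a handful of byte changes, and the remark "Toshi, find a better protection" is really a request for an integrity check. The script builds a constructed stand-in image (not real Exescope bytes; only the file offsets 452C, 55AF6 and 8390C, and the byte values the tutorial names at them, are taken from the text), reports every modified run when a copy is compared against a known-good reference, and shows a SHA-256 self-check that rejects any such copy.

```python
"""Integrity checking against small byte patches (added example).

Everything here is constructed sample data; it is not Exescope's code and
the filler bytes are not Exescope's bytes. Only the three file offsets and
the byte values the tutorial names at them come from the text.
"""
import hashlib
import hmac

# The three edits the tutorial describes, as (file offset, new bytes).
PATCHES = [
    (0x452C, b"\x90" * 5),   # a 5-byte call overwritten with NOPs
    (0x55AF6, b"\x00"),      # immediate E0 -> 00
    (0x8390C, b"\xC3"),      # 55 -> C3
]


def make_reference_image(size=0x90000):
    """Constructed stand-in for an unmodified executable (NOT Exescope).

    Deterministic filler, with the bytes the tutorial names placed at the
    offsets it names so the diff output reads like the text. The call
    target at 0x452D..0x4530 is filler, a placeholder, not a real value.
    """
    pattern = bytes(range(256))
    img = bytearray((pattern * (size // 256 + 1))[:size])
    img[0x55AF5:0x55AFA] = b"\xB9\xE0\x00\x00\x00"   # mov ecx, 0E0h
    img[0x8390C] = 0x55
    img[0x452C] = 0xE8                                # call rel32 opcode
    return bytes(img)


def apply_byte_edits(image, edits):
    """Copy of image with each (offset, bytes) edit written in.

    Used here only to build the tampered sample that the detection below
    is run against.
    """
    out = bytearray(image)
    for off, new in edits:
        out[off:off + len(new)] = new
    return bytes(out)


def build_sample_images():
    """Return (reference, tampered) constructed images."""
    ref = make_reference_image()
    return ref, apply_byte_edits(ref, PATCHES)


def find_modified_runs(reference, candidate):
    """Byte-compare two images; return runs of differences as
    (offset, original_bytes, patched_bytes). A length mismatch is
    reported as one extra run starting at the shorter length."""
    runs = []
    n = min(len(reference), len(candidate))
    i = 0
    while i < n:
        if reference[i] == candidate[i]:
            i += 1
            continue
        start = i
        while i < n and reference[i] != candidate[i]:
            i += 1
        runs.append((start, reference[start:i], candidate[start:i]))
    if len(reference) != len(candidate):
        runs.append((n, reference[n:], candidate[n:]))
    return runs


def sha256_hex(data):
    """Digest recorded at build time for the known-good image."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(image, expected_hex):
    """Startup-style self-check: True only if the image still hashes to the
    recorded value. Any of the patches above flips this to False."""
    return hmac.compare_digest(sha256_hex(image), expected_hex)


if __name__ == "__main__":
    ref, tampered = build_sample_images()
    good = sha256_hex(ref)
    print("reference verifies:", verify_integrity(ref, good))
    print("tampered verifies: ", verify_integrity(tampered, good))
    for off, old, new in find_modified_runs(ref, tampered):
        print(f"  modified at 0x{off:05X}: {old.hex()} -> {new.hex()}")
```

Run directly, it reports the three runs at 0x0452C, 0x55AF6 and 0x8390C and shows the digest check failing for the tampered copy while passing for the reference. For a real product the recorded digest (of the on-disk image or at least its code section) belongs somewhere other than the same easily edited file, for example in a signed manifest, and the check itself should not be a single call that can be removed as easily as the ones the tutorial walks through.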
At last, but from all my heart: I love you Heavenly Father, I know you are with me all the time!!! God is love!

E-mail: johnny_aum@yahoo.com

---------------Sorry if my English is not perfect!------------------------------
-----cut here-------------------------------------------------------------------