This software is: Ghost DEMO (3.1d) General Hardware Orientated System Transfer

---------------------
1. First, unpack it:

TR ghost.exe        ;load ghost.exe in TR
getknl              ;get the kernel
                    ;wait a minute
mkexe ghost.exe     ;this will make file mem.exe

You can try to run MEM.EXE for a test.

---------------------
2. Second, crack it to bypass the 15 seconds delay

TR mem.exe
g                   ;let it go

When the screen displays 'wait 15 minutes', press Ctrl+D. After TR's screen appears, step a few times to see how it loops. It is very easy to find that Proc_199f is the delay:

PUSHF               ;3304:199F 9C
CLI                 ;3304:19A0 FA
MOV AL,00           ;3304:19A1 B000
OUT 43,AL           ;3304:19A3 E643
CALL 199E           ;3304:19A5 E8F6FF
IN AL,40            ;3304:19A8 E440
MOV BL,AL           ;3304:19AA 8AD8
CALL 199E           ;3304:19AC E8EFFF
IN AL,40            ;3304:19AF E440
MOV BH,AL           ;3304:19B1 8AF8
NOT BX              ;3304:19B3 F7D3
POPF                ;3304:19B5 9D
MOV AX,BX           ;3304:19B6 8BC3
RET                 ;3304:19B8 C3

It latches PIT channel 0 (OUT 43,AL with AL=0) and reads the 16-bit counter from port 40 into BL and BH, returning the inverted reading in AX; the caller compares successive readings until enough ticks have passed. Change it:

a 199f              ;assemble
MOV AX,SI           ;3304:199F 8BC6
DEC AX              ;3304:19A1 48
RET                 ;3304:19A2 C3

So what we should do is open MEM.EXE in a HEX editor and
search:    9c fa b0 00 e6 43   ;PUSHF / CLI / MOV AL,00 / OUT 43,AL
change to: 8b c6 48 c3

(Only the first four bytes are overwritten; the remaining E6 43 are never reached after the RET.)

---------------------
3. Crack the evaluation time limit.

TR mem.exe
g                   ;let it go

When the 'Connection type' window appears, press the TR hotkeys and TR's screen will appear. In TR:

logpro 1            ;log it
g

When Ghost ends, the file 'logpro.dat' will be created.

logpro              ;run this at the DOS prompt

This will read 'logpro.dat' and create 'logpro.txt'.

ren logpro.txt log1.txt   ;save it
date 10-22-98             ;make the date later
TR mem.exe
g

When the 'Connection type' window appears, press the TR hotkeys again and TR's screen will appear. In TR:

logpro 1            ;log it
g
logpro
ren logpro.txt log2.txt

By now we have two logs. log1.txt is good; log2.txt is timed out. Compare them:

log1.txt
......
CALL 0fdb                 ;40f5:04dd e8fb0a
CALL FAR 32c4:0638        ;40f5:0ff5 9a3806c432
RETF                      ;32c4:064a cb
CALL FAR 32c4:401d        ;40f5:10ac 9a1d40c432

log2.txt
......
CALL 0fdb                 ;40f5:04dd e8fb0a
CALL FAR 32c4:0638        ;40f5:0ff5 9a3806c432
RETF                      ;32c4:064a cb
CALL FAR 32c4:27e7        ;40f5:1054 9ae727c432

We can see that the first difference is in proc_fdb. We can imagine it must be:

CALL 0fdb                 ;call check_if_timeout
  CALL FAR 32c4:0638      ;call get_time
  RETF
  ...                     ;compare
  j?? @@
  CALL FAR 32c4:27e7      ;call error
@@:

Let's see what exactly it is:

TR mem.exe
g fdb               ;go directly to proc_fdb
....                ;some

When TR appears:

u $,105d>tem.txt

Then we get the following in 'tem.txt':

ENTER 001C,00               ;40F5:0FDB C81C0000
CMP [WORD 00B2],00          ;40F5:0FDF 833EB20000
JNE 0FF0                    ;40F5:0FE4 750A
CMP [WORD 00AC],00          ;40F5:0FE6 833EAC0000
JNE 0FF0                    ;40F5:0FEB 7503
JMP 10D8                    ;40F5:0FED E9E800
PUSH SS                     ;40F5:0FF0 16
LEA AX,[BP-04]              ;40F5:0FF1 8D46FC
PUSH AX                     ;40F5:0FF4 50
CALL FAR 32C4:0638          ;40F5:0FF5 9A3806C432
ADD SP,04                   ;40F5:0FFA 83C404
MOVSX EAX,[WORD BP-04]      ;40F5:0FFD 660FBF46FC
MOV [BP-10],EAX             ;40F5:1002 668946F0
MOVZX EAX,[BYTE BP-01]      ;40F5:1006 660FB646FF
MOV [BP-14],EAX             ;40F5:100B 668946EC
MOVZX EAX,[BYTE BP-02]      ;40F5:100F 660FB646FE
MOV [BP-18],EAX             ;40F5:1014 668946E8
MOV EAX,[BP-10]             ;40F5:1018 668B46F0
ADD EAX,FFFFF894            ;40F5:101C 660594F8FFFF
IMUL EAX,EAX,00002710       ;40F5:1022 6669C010270000
MOV EDX,[BP-14]             ;40F5:1029 668B56EC
IMUL EDX,EDX,64             ;40F5:102D 666BD264
ADD EAX,EDX                 ;40F5:1031 6603C2
ADD EAX,[BP-18]             ;40F5:1034 660346E8
MOV [BP-0C],EAX             ;40F5:1038 668946F4
MOV AX,7A18                 ;40F5:103C B8187A
MOV ES,AX                   ;40F5:103F 8EC0
MOV EAX,[ES:0A18]           ;40F5:1041 6626A1180A
CMP EAX,[BP-0C]             ;40F5:1046 663B46F4   <<<-----
JGE 105C                    ;40F5:104A 7D10
PUSH 01                     ;40F5:104C 6A01
PUSH 7A18                   ;40F5:104E 68187A
PUSH 0FFA                   ;40F5:1051 68FA0F
CALL FAR 32C4:27E7          ;40F5:1054 9AE727C432
ADD SP,06                   ;40F5:1059 83C406
MOV AX,7A18                 ;40F5:105C B8187A

This is just what we imagined! The far call at 0FF5 fills the 4-byte struct at [BP-04] with the current date: a word year at BP-04, a byte day at BP-02 and a byte month at BP-01 (this is the layout of Borland C's struct date, so the call is most likely getdate()). The code then packs it as (year - 1900) * 10000 + month * 100 + day (FFFFF894 is -1900, 2710 is 10000, 64 is 100), so 10-22-98 becomes 981022. The packed value is compared against a limit stored at 7A18:0A18: if the limit is greater than or equal to today (JGE), execution continues at 105C; otherwise the error routine at 32C4:27E7 is called. Do you know what we should do next?

a 1046
jmp 105c            ;eb 14 (105C - 1048 = 14)
g

It works! Then we should find a HEX editor to edit MEM.EXE:

search:    66 3b 46 f4 7d 10   ;CMP EAX,[BP-0C] / JGE 105C
change to: eb 14

(The JMP replaces the first two bytes of the CMP; the bytes 46 f4 7d 10 that follow are never executed.)

Track, Unpack, Crack, all done!

---------------------
4.
The original file 'ghost.exe' must be put in the same dir as MEM.EXE to run MEM.EXE, as the original 'ghost.exe' has an overlay. I think we can make MEM.EXE run without ghost.exe:

a. Make MEM.EXE as follows:
   mkexe                        ;no parameter needed
b. If MEM.EXE is larger than ghost.exe's main part, compress it:
   pklite mem.exe
   copy /b mem.exe+dummy        ;make the length fit
c. Get the overlay from ghost.exe.
d. Append it to mem.exe:
   copy /b mem.exe+overlay

If you have done it, please put it on ftp://ftp.nease.net/incoming/tr and tell me. Thank you!

--------------------------------------------------------------
One friend told me that:

Here, I want to tell you about my cracking of Ghost31d, because your cracking has some problems with 'Load Disk/Partition to Image'.

After MKEXE Ghost.exe, rename mem.exe to GGGGG.EXE

TR GGGGG.exe -#e=g.env
bp ip=5497
g
a cs:ip
cs:5497 jmp 550E
bp ip=1386
g
a cs:ip
cs:1386 jmp 13A1
g
q

Run the program GGGGG.EXE. Now you have the registered version.
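The byte-level work of steps 2, 3 and 4 collected into one script, as an added example (this is not code from the tutorial, from TR or from Ghost). It encodes the short jump that gives 'eb 14', applies the two search/replace patches to a copy of MEM.EXE, models the date test of proc_fdb, and splits the overlay off an MZ executable so it can be grafted onto MEM.EXE as step 4 proposes. The MZ header fields used (e_cblp, e_cp) are the standard ones; the 'pattern must be unique' rule, the sample images and the file names are this example's own assumptions.

```python
"""Added example for the Ghost 3.1d demo crack tutorial; not the tutorial's own code.
Only the search/replace byte patterns come from the tutorial, everything else is
this example's assumption."""
import struct


def short_jmp(at, target):
    """Encode 'jmp short target' for an instruction at offset 'at'. The 8-bit
    displacement is relative to the end of the 2-byte instruction, which is why
    'a 1046 / jmp 105c' assembles to EB 14."""
    disp = target - (at + 2)
    if not -128 <= disp <= 127:
        raise ValueError("target out of short-jump range")
    return b"\xeb" + struct.pack("<b", disp)


# Search/replace pairs from the tutorial. Only the first len(replacement) bytes of a
# match are overwritten; the rest of the matched bytes become unreachable.
PATCHES = {
    # PUSHF / CLI / MOV AL,00 / OUT 43,AL  ->  MOV AX,SI / DEC AX / RET
    "delay": (bytes.fromhex("9cfab000e643"), bytes.fromhex("8bc648c3")),
    # CMP EAX,[BP-0C] / JGE 105C  ->  JMP SHORT 105C, skipping the error call
    "expiry": (bytes.fromhex("663b46f47d10"), short_jmp(0x1046, 0x105C)),
}


def apply_patch(image, search, replacement):
    """Return a patched copy of 'image'. The pattern must occur exactly once: a hex
    editor's search silently takes the first hit, this refuses instead (assumption)."""
    first = image.find(search)
    if first < 0:
        raise ValueError("pattern not found")
    if image.find(search, first + 1) >= 0:
        raise ValueError("pattern is not unique")
    return image[:first] + replacement + image[first + len(replacement):]


def packed_date(year, month, day):
    """The value proc_fdb builds: (year - 1900) * 10000 + month * 100 + day."""
    return (year - 1900) * 10000 + month * 100 + day


def check_if_timeout(limit, year, month, day):
    """Model of proc_fdb's decision: CMP limit,now / JGE skip_error, so the error
    routine runs exactly when limit < now. Returns True if it would run."""
    return limit < packed_date(year, month, day)


def mz_load_module_size(image):
    """Size of the loadable part of an MZ executable: e_cp pages of 512 bytes, the
    last one holding e_cblp bytes (0 means a full page). Bytes after it are overlay."""
    magic, e_cblp, e_cp = struct.unpack_from("<2sHH", image, 0)
    if magic not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    size = e_cp * 512
    if e_cblp:
        size -= 512 - e_cblp
    return size


def split_overlay(image):
    """Return (main_part, overlay) of an MZ executable."""
    n = mz_load_module_size(image)
    return image[:n], image[n:]


def graft_overlay(host, overlay, overlay_offset):
    """Pad 'host' with zero bytes so the overlay keeps the file offset it had in the
    original, then append it. A host longer than that is the case where step 4b
    says to compress it first."""
    if len(host) > overlay_offset:
        raise ValueError("host is larger than the original main part; compress it")
    return host + b"\x00" * (overlay_offset - len(host)) + overlay


def build_standalone(mem_exe, ghost_exe):
    """Patch MEM.EXE and give it ghost.exe's overlay at the original offset."""
    patched = mem_exe
    for search, replacement in PATCHES.values():
        patched = apply_patch(patched, search, replacement)
    main_part, overlay = split_overlay(ghost_exe)
    return graft_overlay(patched, overlay, len(main_part))


def sample_mem_exe():
    """Constructed 64-byte stand-in for MEM.EXE: MZ header (1 page, 64 bytes used)
    followed by the two byte patterns the tutorial searches for."""
    header = b"MZ" + struct.pack("<HH", 64, 1) + b"\x00" * 26
    body = PATCHES["delay"][0] + b"\x90" * 10 + PATCHES["expiry"][0] + b"\x90" * 10
    return header + body


def sample_ghost_exe():
    """Constructed stand-in for ghost.exe: a 128-byte main part plus an overlay."""
    header = b"MZ" + struct.pack("<HH", 128, 1) + b"\x00" * 26
    return header + b"\x00" * 96 + b"OVERLAY-DATA"


if __name__ == "__main__":
    out = build_standalone(sample_mem_exe(), sample_ghost_exe())
    print(len(out), out[32:38].hex(), out[48:54].hex(), out[128:])
```

To use it on the real files, read MEM.EXE and ghost.exe with open(..., "rb") and pass the bytes to build_standalone(); it raises instead of writing anything if a pattern is missing or ambiguous, or if the patched MEM.EXE is already longer than ghost.exe's main part.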