Introduction to Windows Cracking
Introduction to Windows Cracking
A few words before beginning
Giving credits, where credit is due ! So, i'd like to give a really BIG thanks to ED!SON of United Cracking Force for his tutorial about Windows 95 cracking, without it i won't be here telling you how to crack a program under win 95.
Giving ALL the credits... all i learned about cracking is with the help of great tutorials : 5 Minutes 4 a Crack /NeverOne, Amateur Crackist Tutorial /Specular Vision, Cracking for Masses /FraVia, Old Red Cracker Tutorials /+ORC (A Must), The Ancient Art Of Cracking & Cracking 101 /Buckaroo Banzai, The Cracking Manual /Cyborg, The Uncle Joe CrackBook /Uncle Joe (heh, what did you expect ?). But also with 40 Hex Magazines, The Crypt Newsletters, Virus Laboratories And Distribution.
Note : a lot of the explaination i'll give you in Introduction parts are ripped from some tutorials upper, it's because i wanted to have something complete you can start with. Tnx again to those who wrot'em.
For this tutorial you'll need :
ACDSee32 V2.0 Beta
Soft-Ice 3.00
HexWorkShop
Introduction to Cracking
You might be wondering what type of programming skills you need to become a cracker. Knowing a higher level language such as Basic, Pascal, or C++ will help you somewhat in that you will have an understanding of what's involved in the process of writing a program and how certain aspects of a program function. If you don't have any programming skills, you have a long road ahead of you. But even if you can program in a high level language, in order to crack you have to know assembly... It really doesn't matter what language a program was written in in order to crack it, because all programs do the same thing. And that is issue commands to the microprocessor. And all programs when broken down to their simplest form are nothing more than a collection of 80XXX instructions and program specific data. This is the level of assembly language. In assembly you have total control of the system. This is also the level that the debugger operates at.
You don't have to become a master at assembly to crack a program, but it helps. You do need to learn some rudimentary principles, and you absolutely have to become familiar with the registers of the cpu and how the 8088 instruction set uses them. There is no way around this. How proficient you are at assembly will determine how good of a cracker you become. You can get by on learning a few basic instructions, how to use a debugger, and one or two simple techniques. This will allow you to remove a few shareware nag screens, and maybe you'll luck out and remove the copy protection from a game or two, but that's it.
You can then dynamically interact with the program and run it one line of code at a time, and see exactly what the program is doing in real time as each line of code is executed. You will also be able to re-assemble instructions (in memory only), edit the contents of memory locations, manipulate the cpu's registers, and see the effects your modifications have on the program as it's running. This is also where all your system crashes will occur... There is a lot of trial and error involved in cracking.
As you get better, you'll have to write programs that will implement your patches if you decide to distribute them. The patches themselves don't have to be written in assembly.
The sources code I included in this manual are extremely simple. They're written in assembly because that's the only language I know how to program in, but if you are already proficient in a higher level language, it should be trivial for you to duplicate it's methods in your preferred language.
Quick Introduction To Soft-Ice 3.0
Okay, okay, i already heard you : Hey exact, you've ripped the ED!SON introduction. Yes, i've taken it ;) Why should i do something if someone already did ? So for all of you that didn't have the chance to have that intro, i've a little remixed it, and here it is...
Cracking a Windows program is most often more simple than a program running in Dos. In Windows, it's hard to hide anything from anyone who really looks for information, as long as Windows own functions are used. The first (and often only) tool you need is Soft-Ice, a powerfull debugger from NuMega (http://www.numega.com). Some people find it hard to use, but i will tell you how to do efficient debugging with it.
To use Sice, you must load it before windows, to do that, just add the "Drive:\Path\WINICE.EXE" at the end of your "AUTOEXEC.BAT". Normally, the Sice Setup should have already done it. I advise you to make a multi-config in that way, you can load Sice only when you need it.
Example of multi-config :
;--- Config.sys
[menu]
menuitem SICE,Load Soft-Ice Debugger Behind Windows
menuitem NORM,Normal Mode
menudefault NORM,5
[SICE]
[NORM]
[common]
DEVICE=C:\WIN96\HIMEM.SYS
DOS=HIGH
DEVICE=C:\cd\drivers\MTMCDAI.SYS /D:MTMIDE01
FILES=40
;--- EOF Config.sys
;--- Autoexec.bat
@ECHO OFF
SET BLASTER=A220 I5 D1 H5 P330 T6
SET MIDI=SYNTH:1 MAP:E
SET PATH=C:\WIN96;C:\WIN96\COMMAND;C:\DOS;D:\NC
SET TEMP=C:\TEMP
SET SOUND=C:\VIBRA16
C:\VIBRA16\DIAGNOSE /S
C:\VIBRA16\MIXERSET /P /Q
PROMPT $p$g
goto %config%
:SICE
C:\Progra~1\SoftIc~1\WINICE.EXE
goto common
:NORM
goto common
:common
;--- EOF Autoexec.bat
In the config.sys the [menu] indicates that's a multiconfig, it will display the two menuitem and wait for the user to select. When selected, the part of the config file refering to it is runned and followed by the [common] one. In the autoexec.bat there's a %config% variable set to the user'selection and is used to select witch part of your bat you will execute.
So, udpate your system files if they need so, and reboot your machine. If you don't understand why these config files look like this, refer to the MS-DOS Help (Type HELP at the dos prompt).
Now that Sice is loaded into memory, press "CTRL-D" to to pop it up. Here is a little description of the windows you can see on Sice screen:
CPU Registers
Window "WR" En/Disable, "R", "Alt-R" Edit.
FPU Registers
Window "WF" En/Disable.
Locals Windows "WL" En/Disable, "Alt-L" Focus.
Watch Window "WW" En/Disable, "Alt-W" Focus.
Data Window "WD" En/Disable, "E", "Alt-D" to Edit.
Code Window "WC" En/Disable, "A" Edit, "Alt-C" Focus.
Command Window Type Commands and read output here.
Help Line Get summary help on what you are typing.
The register window contains the general purpose and flags registers of the cpu. You will notice that the general purpose registers contain hexadecimal values. These values are just what happened to be in there when you brought up the debugger. You will also notice that some of the flags are highlighted while some are not. The highlighted flags are the ones that are SET. While the ones that are not highlighted are CLEARED. Generally, the register are also highlighted when they change value. From this window you will be able to manipulate the contents of the cpu's registers. You will change the values of the registers while debugging a program in order to change the behavior of the running program. Say you come across a JNZ instruction (jump if not zero), that instruction makes the decision on whether or not to make the jump based on the state of the (Z)ero flag. You can modify the condition of the (Z)ero flag in order to alter the flow of the programs code. By the same token, you can modify the general purpose registers in the same manner. Say the AX register contains 0000, and the program bases it's actions on that value, modifying the AX register to contain a new value will also have the effect of modifing the flow of the code. After you become comfortable with using Sice you'll begin to appreciate just how powerful this window is, and you'll aslo discover soon enough just how totally it can screw your system if you fuck up.
The data window will display data as it exists in memory. From this window you can usually display, search, edit, fill, and clear entire ranges of memory. The two most common commands for this window are display and edit. The search command is also useful in cracking. Sice offers you 4 data windows, you can toggle from one to another using the "data" command. You can also change the type of data this window is displaying using the "format" command. You can scroll into the data window using ALT and arrows or PgUp/PgDn keys.
The code window is the window in which you will interact with the running program. This is the most complex window, and it is where the bulk of debugging occurs. The layout of the window is pretty simple, the group of 12 numbers with the colon in the middle of them to the far left of the window is the address:offset of that line of code. Each line of code in this window is an instruction that the program will issue to the microprocessor, and the parameters for that instruction. The registers that contain the address for the current instruction waiting to be executed are the CS:EIP registers (code segment and instruction pointer). This line is highlighted, if you havent it in the code window use the "." command to retrieve it. You will also notice a group of hex numbers to the right of the addresses, this group of numbers is the hexadecimal equivalent of the mnemonic instructions. The next group of words and numbers to the right of the hex numbers are the mnemonic instructions themselves. You can scroll into the code window using ALT and arrows or PgUp/PgDn keys.
For most examples, we'll only need to have the CPU Registers Window,
the Data and the code one. Disable others. I'm in 60 lines mode. So if
all windows are disabled to have the same screen as me do (comment are
preceded by a semi-colon) :
:lines 60 ; Set 60 lines mode
:color f a 4f 1f e ; Set psychedelic colors (Optional)
:wd 22 ; Enable Data Window 22 lines long
:wc 25 ; Enable Code Window 25 lines long
:wr ; Enable Register Window
:code on ; Display instruction bytes
This can seems you strange to have to type all these commands each time you'll start Sice. In fact, all these command can be done in the winice.dat file (in your sice directory). Let'see what is in mine:
;--- Example of Winice.dat
; General Variables
NMI=ON
SIWVIDRANGE=ON
LOWERCASE=OFF ; Disable lowercase
assembly
MOUSE=ON ; Enable mouse
NOLEDS=OFF ; Disable led
switching
NOPAGE=OFF
PENTIUM=ON ; Pentium Op-Codes
THREADP=ON ; Following Thread
Process
VERBOSE=ON
PHYSMB=16 ; Exact Memory Size
SYM=256 ; Memoy allocated to
symbols
HST=16 ; Memory allocated to
history
TRA=92 ; Memory allocated to
back trace buffer
; Startup sequence
INIT="lines 60;color f a 4f 1f e;wd 22;wc
22;wr;code on;x;"
; Function Keys
F5="^G;" ; Run (CTRL-D)
F8="^T;" ; Step into functions
(Trace)
F10="^P;" ; Step Over functions
(Procedure)
F11="^G @SS:ESP;" ; Step out of function
; Export Symbols
EXP=c:\win96\system\kernel32.dll
EXP=c:\win96\system\user32.dll
EXP=c:\win96\system\gdi32.dll
;--- EOF Winice.dat
Okay, i think, it speaks by itself. Just a little note for defining
function keys, all commands preceded by ^ are invisible, and all those
followed by a ; are executed (the ; indicates an ENTER). Dont forget
to load the Export Symbols !
Cracking ACDSee 32 V2.0 Beta
Loading ACDSee32.exe into Soft-Ice And Breaking At The Right Point. Run the Symbol Loader, do "File/Open Module" or you can also click on the first button on the left of the tool bar and browse until you can select the file ACDSee32.exe. Now, to start debugging you must to do "Module/Loads..." or click the "Load button" (next to the "Open" one). Perhaps Sice poped-up, saying Break Due To Load Module, or something like that, leave it by pressing "CTRL-D" or typing "X" followed by "ENTER". You should disable the "Break At WinMain Option" to dont pop-up Sice each time you load a module (the little lamp button).
OK, let's go. In ACDSee, click on "Tools/Register..." Fill up the boxes with what you want. (I've filled them with Name:"Out Rage Pirates" and Registration:"112233445566"). Generally programs must read the content of the boxes with one of these functions:
16-bit 32-bit
GetWindowText GetWindowTextA,
GetWindowTextW
GetDlgItemText GetDlgItemTextA,
GetDlgItemTextW
The last letter of the 32 functions tells if the function uses one-byte or double-byte strings. Double-byte code is RARE. So, now we gonna enter Sice pressing CTRL-D and set breakpoints on the getting content of edit boxes :
:bpx GetWindowText
:bpx GetWindowTexta
:bpx GetWindowTextw
:bpx GetDlgItemText
:bpx GetDlgItemTexta
:bpx GetDlgItemTextw
Oki, there's no need to set BPs (BreakPointS) 0 and 3 since we know it is a 32-bit application, but i've put them here to be exhaustive. If you encounter problems settings these breakpoints, make sure that the export symbols are loaded in Soft-Ice : edit the file winice.dat and check if the semi-colons are removed from the exp= that follows the "Example of export symbols that can be included for chicago" near the end of file. Generally, you only need to keep kernel32.dll, user32.dll, gdi32.dll. If you get an error message "No LDT", make sure you dont run any other DOS application in the background,
It's not sure that Sice will pop-up, and not all program are calling these Windows functions.
Continue the program ("CTRL-D"), and click the OK button. It worked, we're back to Sice ! press "CTRL-D" to continue the process, back to Sice again ! re-re-press "CTRL-D", no more Sice pop-up. Normal, there's only two textboxes... Click OK to get back to the registration window. And now, let's throw an eye into Sice, CTRL-D. There's comments for the two break points :
Break due to BPX USER32!GetDlgItemTextA (ET=4.70 seconds)
Break due to BPX USER32!GetDlgItemTextA (ET=269.77 microseconds)
It's BP 04 let's delete other BPs :
:bl ; BPs list
00) BPX USER!GetWindowText
01) BPX USER32!GetWindowTexta
02) BPX USER32!CharNextExW
03) BPX USER!GetDlgItemText
04) BPX USER32!GetDlgItemTextA
05) BPX USER32!AppendMenuW
:bc 0 1 2 3 5 ; Clear BPs #0, 1, 2, 3 and 5.
We'll do it again. Press "CTRL-D" to leave Soft-Ice, and click the OK button. Magic, we're back in it... Let's do a little focus : where are we, and what's the hell now ? We are at the start of the "Get Dialog Item Text A" function, and we are going to find where it is called. Since we know that when we do a far call to something the next logical instruction address is stored on the stack, we gonna set a BP on that address and execute the program until we reach it. G command will continue the program at the current CS:EIP, and set a temporary BP to the address indexed (@) in SS:ESP. There's a function key that automatically do it, normally, it's F11.
:G @SS:ESP
Finding Where The Registation Code Is Checked
Ok, we are back into Sice at the instruction following the call to DlgItemTextA. We gonna take a look on what's happenning before and after. Use CTRL-UP and CTRL-DOWN to move into the code window. If you dont have the code window on your screen you can make it appears by typing WC (WC 20 will set the code windows to be 20 lines long). You should see something like following (i've added blank lines and comments for clarity and future explainations) :
; Get The Name Into Buffer (ESP+8)
0040367B 8D442418 LEA EAX, [ESP + 18] ; Buffer(For Name) Address
0040367F 6A1E PUSH 0000001E ; Max String Size
00403681 8BB42408010000 MOV ESI, [ESP + 00000108]
00403688 50 PUSH EAX ; Buffer Address
00403689 6A6B PUSH 0000006B ; Control ID
0040368B 8B3D94DA4900 MOV EDI,[USER32!GetDlgItemTextA]
00403691 56 PUSH ESI ; Dialog Handle
00403692 FFD7 CALL EDI ; Call GetDlgItemTextA
; Get The Registration Code Into Buffer (ESP+38)
>00403694 8D442438 LEA EAX, [ESP + 38] ; Buffer(Registration) Addy
00403698 68C8000000 PUSH 000000C8 ; Max String Size
0040369D 50 PUSH EAX ; Buffer Address
0040369E 6882000000 PUSH 00000082 ; Control ID
004036A3 56 PUSH ESI ; Dialog Handle
004036A4 FFD7 CALL EDI ; Call GetDlgItemTextA
; Registration Checking
>004036A6 8D442438 LEA EAX, [ESP + 38] ; Registration Buffer
004036AA 8D4C2418 LEA ECX, [ESP + 18] ; Name Buffer
004036AE 50 PUSH EAX ; Save Datas
004036AF 51 PUSH ECX
!004036B0 E80BF9FFFF CALL 00402FC0 ; Registration Check
004036B5 83C408 ADD ESP, 00000008 ; Free Stack
004036B8 85C0 TEST EAX, EAX
004036BA 7E6E JLE 0040372A ; EAX=0 Means Bad Reg...
; Do Something, sure... ;)
004036BC 8D442438 LEA EAX, [ESP + 38]
004036C0 8D4C2418 LEA ECX, [ESP + 18]
004036C4 50 PUSH EAX
004036C5 51 PUSH ECX
004036C6 E895FAFFFF CALL 00403160
004036CB 83C408 ADD ESP, 00000008
004036CE 833D44F0480000 CMP DWORD PTR [0048F044], 00000000
004036D5 740B JE 004036E2
004036D7 A144F04800 MOV EAX, [0048F044]
004036DC 8BC8 MOV ECX, EAX
004036DE 8B18 MOV EBX, [EAX]
004036E0 FF13 CALL DWORD PTR [EBX]
004036E2 833D40F0480000 CMP DWORD PTR [0048F040], 00000000
004036E9 740C JE 004036F7
004036EB A140F04800 MOV EAX, [0048F040]
004036F0 8BC8 MOV ECX, EAX
004036F2 8B18 MOV EBX, [EAX]
004036F4 FF5314 CALL [EBX+14]
; Close Registration Windows, And pops : "Thanks Registering"
004036F7 6A01 PUSH 00000001
004036F9 56 PUSH ESI
004036FA FF15F4DA4900 CALL [USER32!EndDialog]
00403700 6A00 PUSH 00000000
00403702 6820324000 PUSH 00403220
00403707 56 PUSH ESI
00403708 FF15F8DA4900 CALL [USER32!GetParent]
0040370E 50 PUSH EAX
0040370F 68E4000000 PUSH 000000E4
00403714 A148F04800 MOV EAX, [0048F048]
00403719 50 PUSH EAX
0040371A FF1544DB4900 CALL [USER32!DialogBoxParamA]
00403720 B801000000 MOV EAX, 00000001
00403725 E92EFFFFFF JMP 00403658
; Pops up a window saying : "Your name and registration code do not match."
0040372A 6A00 PUSH 00000000
0040372C A104F34800 MOV EAX, [0048F304]
00403731 50 PUSH EAX
00403732 68ACF34800 PUSH 0048F3AC
00403737 56 PUSH ESI
00403738 FF15E4DA4900 CALL [USER32!MessageBoxA]
0040373E 6882000000 PUSH 00000082
00403743 56 PUSH ESI
00403744 FF15F0DA4900 CALL [USER32!GetDlgItem]
0040374A 50 PUSH EAX
0040374B FF1548DB4900 CALL [USER32!SetFocus]
00403751 B801000000 MOV EAX, 00000001
00403756 E9FDFEFFFF JMP 00403658
Let's do a some analysis on what we are seeing. We are at 0157:00403694 (Your segment address may be different, it depends on what you load, update my values with yours). The previous instruction is the call to the GetDlgItmeTextA. Again, you can scroll in the code windows with "CTRL-UP", "CTRL-PGUP", "CTRL-DOWN" and "CTRL-PGDOWN".
You can also make the Focus to the code window by pressing "Alt-C" and use the UP, DOWN, PGUP, PGDOWN to scroll it.
In C, the call to the GetDlgItemTextA should look like this :
int GetWindowText (int windowhandle, char *buffer, int maxlen);
So the push eax is the buffer address, let's have a look :
:d esp+18 ; You can also use "db esp+18" for byte display
We've got it, it's our name ! We saw that in few intructions, there will be second call to the GetDlgItemTextA, the CALL EDI at 0157:004036A4. We dont want Sice to break, so we will disable it :
:bd 4 ; Disable BP 4
After that second call, there's another one followed by a test on the eax value... humm suspicious, is there any check inside that routine ? That's what we gonna determine fastly. We gonna trace the code stepping over function calls. Press P (Procedure trace) then ENTER (normally it's F10 key). Press it several times.
After you've reached 0157:004036A6 (the second call) our registration code appears in the data window (if it is big enought, else you can scroll it down using Alt-DOWN) our predictions were right ;). You are now reaching the TEST AX,AX intruction (0157:004036BA), then there's a branch to another routine (0157:0040372A), the program will follow it and soon you will get a message saying that your registration code is wrong... (0157:00403738).
So now we are sure that the call before the test was done to check the data we've enterred, and that the branch choose the direction to the Registration Not Match message. What if we change the direction the program took?
Let's go, enable BP 4.
:be 4 ; Enable BP 4
Leave Sice (CTRL-D), click on OK to get back to the registration window, and click on OK again to pop-up into Sice. Press CTRL-D another time to go to the second GetDlgItemTextA call and press F11 to go out of that function call. Now step to the branch (F10 until you reach 0157:004036BA). And change the zero flag value to disable it:
:r fl z ; Toggle Zero Register FLag
Then leave the proggy to himself (CTRL-D). We've done it ! The beautifull message appears : thanks for supporting our products, etc, etc...
Hu Oh, Hey, what's that stupid program ? If i click on the little eye (the about button in the toolbar), it's telling me it is not registered !!!? Fucking damn thing, we gonna gotcha !
Oki, let's think two seconds... what's the matter ? Well everything seems like if ACDSee checks the name and the registration at every times it shows them. So, to avoid this problem, we've got to give him the answer he wait each times he call the registration checker. First of all, we must verify our affirmations, we must know if the routine wich is called by the about button is effectively the piece of code into this call. Go into Soft-Ice using the BP we've set on the GetDlgItemTexta (go to the registration window and press enter), and press F11. Now, we're going to put another BP into the call.
:bpx 0157:00402FC0 ; Change the address in regard to yours
Now we gonna try, leave Soft-Ice (it will pop-up two times because BP 4 is still enabled, we're not interrested into these breaks), close the registration window by clicking cancel and finally click on the about button... Yep! back in Sice, we were right !!! So everything we've got to do now is to send back a satisfying answer to the calling code...
Patching ACDSee
Actually in your code window, you should have something like the following piece of code. All we've got to do is to leave this routine with EAX different from 0...
; Check Name Lenght
00402FC0 56 PUSH ESI
00402FC1 8B742408 MOV ESI, [ESP + 08]
00402FC5 56 PUSH ESI
00402FC6 E835000000 CALL 00403000 ; check name length (1st)
00402FCB 83C404 ADD ESP, 00000004
00402FCE 85C0 TEST EAX, EAX
00402FD0 7504 JNE 00402FD6 ; branch is followed
00402FD2 33C0 XOR EAX, EAX ; Set EAX to 0 (BAD!)
00402FD4 5E POP ESI
00402FD5 C3 RET ; Exit 1
; Check Registration Code
00402FD6 8B44240C MOV EAX, [ESP + 0C]
00402FDA 50 PUSH EAX
00402FDB 56 PUSH ESI
00402FDC 6848F34800 PUSH 0048F348 ; "-294378973"
00402FE1 E86AE70100 CALL 00421750 ; The key is herein (2nd)
00402FE6 83C40C ADD ESP, 0000000C
00402FE9 83F801 CMP EAX, 00000001
00402FEC 1BC0 SBB EAX, EAX
00402FEE 5E POP ESI
00402FEF 40 INC EAX
00402FF0 C3 RET ; Exit 2
So what we gonna do is erase the three instructions that works on EAX with our own code. Dont forget to change the address in regard to your.
Erasing the branch will assure us that only our code will be followed.
There's thousand of way to modify this code, i choosed the following :
:a 0157:00402FCE ; Assemble
0157:00402FCE mov eax,1
0157:00402FD3 nop
0157:00402FD3 ; Press escape to stop assembling
:bc 0 ; Clear BP on 0157:00402FC0
And now let's check our work ! Press CTRL-D, welldone, the thanks for registering message appears... Okay, now click on the about button... (suspens) !!!YES!!! we've registered it.
Oki let's do our work, now we've only got to make the patch... What we need to know is where are these instructions in the ACDSee32.exe file. I've use HexWorkShop for win95 and found them making a search for 85C0750433C0 (the instructions Opcodes, if Sice doesnt show the type "CODE ON") the one interesting us are at offset 23CE. Now we must make a little proggy to replace these bytes with our code. Here it is :
;--- ORP-A32B.ASM
Title Patch For ACDSee 32 2.0 Beta
.Model Huge
.386
.Stack 100h
.Code
mov ax,cs
mov ds,ax
mov es,ax
mov ax,3d02h
mov dx,offset cs:fname ; DX=*FileName
int 21h ; DOS/FileOpen
jc errorlbl ; Jump On Errors
mov word ptr [offset cs:fname],ax ; BX=Handle
mov bx,ax
mov ax,4200h
xor cx,cx ; Segment
mov dx,23ceh ; Offset
int 21h ; DOS/FileSeekSet
jc errorlbl ; Error !
mov ax,4000h
mov bx,word ptr [offset fname] ; BX=Handle
mov cx,6 ; Lenght
mov dx,offset patch ; Buffer
int 21h ; DOS/WriteFile
jc errorlbl
mov ax,3e00h
mov bx,word ptr [offset fname] ; BX=Handle
int 21h ; DOS/CloseFile
jc errorlbl
mov dx,offset cs:text2
jmp getout
errorlbl:
mov dx,offset cs:text1 ; Print
getout: mov ah,9
int 21h
mov ah,4ch ; Get Out Of Here !
int 21h
patch db 0B8H,001H,000H,000H,000H,090H ; MOV EAX,00000001 - NOP
fname db 'ACDSEE32.EXE',0
text1 db 0ah,0dh,'Error Handling File'
text2 db 0ah,0dh,'Patch By Exact /oRP',0ah,0dh,'$'
end;--- EOF ORP-A32B.ASM
You can compile it with tasm 3.1 and tlink 5.1 (they can be found on my home page) in that manner:
TASM /m9 /n /q orp-a32b
TLINK /3 /x orp-a32b
I think there is not so much comment to add at the source, anyway if you have any problems understanding what happening in there, you must find a book about programming (you can also try to get Helppc).
Final Note
Ok, this is the End...
A really BIG thanks is going to ACP of UCF for sending me W32DASM !
Have Fun With This Stuff !
eXact /oRP
aka sice_boy
