View Full Version : Poker-Winner problem


swordie
November 27th, 2003, 09:50
Hi.. I have just downloaded a program called "I Haven't Read The FAQ" from www.i.havent.read.the.faq.com. This program has 2 protections.. a time limit and a functionality limit. I have been trying to crack this prog for 3 days now. I tried the MessageBoxA breakpoint with SoftICE but could not figure out the call to the MessageBoxA routine. After being disappointed I changed my PC's time to 01/01/2010 to see if I can do anything when the trial limit is over.. I am not able to do it here too.. a messagebox will appear saying thanks for trying.. blablabla..
in win32dasm you have the strings:
1. holdem winner registered version
2. thanks for trying...
My question is: where should I find a place in the code where I will add a call method to the first string above (registered),
and how should I write that call?
By the way, I have a problem with Hiew too.. it loads the prog but without being able to goto or do anything else.
thanks

swordie
November 27th, 2003, 10:28
Also I tried the APIs GetSystemTime, GetLocalTime and others..

MaRKuS-DJM
November 27th, 2003, 11:34
Quote:
[Originally Posted by swordie]Also I tried the APIs GetSystemTime, GetLocalTime and others..



System Locate 32...

:0040351C 68ECF24200 push 0042F2EC

* Possible StringData Ref from Data Obj ->"System Locate 32"
|
:00403521 68D8F24200 push 0042F2D8
:00403526 8D8C24A0050000 lea ecx, dword ptr [esp+000005A0]
:0040352D E8CEDAFFFF call 00401000
:00403532 8D8C2490050000 lea ecx, dword ptr [esp+00000590]
:00403539 C78424B807000000000000 mov dword ptr [esp+000007B8], 00000000
:00403544 E867E1FFFF call 004016B0
:00403549 84C0 test al, al
:0040354B 7413 je 00403560 <<< to JMP
:0040354D 6A00 push 00000000
:0040354F 6A00 push 00000000

* Possible Reference to Dialog:
|
:00403551 686CF24200 push 0042F26C
:00403556 E817EE0100 call 00422372
:0040355B E9AF010000 jmp 0040370F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040354B(C)
|
:00403560 8D8C2490050000 lea ecx, dword ptr [esp+00000590]
:00403567 E8F4E1FFFF call 00401760
:0040356C 83F816 cmp eax, 00000016
:0040356F 7542 jne 004035B3 <<< to JMP
:00403571 A154FC4200 mov eax, dword ptr [0042FC54]
:00403576 89442404 mov dword ptr [esp+04], eax
:0040357A 8D4C2404 lea ecx, dword ptr [esp+04]



functionality limit:

:0040BCFD 6A30 push 00000030

* Reference To: USER32.MessageBeep, Ord:01BDh
|
:0040BCFF FF1580734200 Call dword ptr [00427380]
:0040BD05 E909030000 jmp 0040C013

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040BB75(C)
|
:0040BD0A 6683FB04 cmp bx, 0004
:0040BD0E 0F85DD020000 jne 0040BFF1 <<< NOP
:0040BD14 8BCE mov ecx, esi
:0040BD16 E872370100 call 0041F48D
:0040BD1B 8B8674050000 mov eax, dword ptr [esi+00000574]
:0040BD21 6A00 push 00000000
:0040BD23 668B8820DD0000 mov cx, word ptr [eax+0000DD20]
:0040BD2A 51 push ecx

swordie
November 27th, 2003, 16:06
OK, I am sorry for not reading the FAQ.. secondly, thank you.. it is clear now

MaRKuS-DJM
November 27th, 2003, 16:37
Quote:
[Originally Posted by swordie]OK, I am sorry for not reading the FAQ.. secondly, thank you.. it is clear now



Oh, there's one more problem... the title of the window... just overwrite the trial strings with spaces in hex.

swordie
November 27th, 2003, 18:45
I think there is another problem here.. the time limit is done well.. but the functionality one causes the prog to crash after you choose the first card.
I have a question here.. how can I trace back a code?
For example, if I have this offset 00405654 push -----, how can I know the caller to this line?
Newbie Qs, I know.
thanks

Aimless
November 28th, 2003, 01:19
Kid, you really need to read the SoftICE tutorials. You're loading your gun, going to war, and do not know how to reload in case your bullets are over.

My hunch is:

1. Keep cracking aside for some time.
2. Learn SoftICE, IDA and W32Dasm (you can learn OllyDbg and WinDbg if you are adventurous)
3. Then start cracking.

Too deep too soon will leave you frustrated. Resist the temptation to dive straight in.

BTW, it takes only a week or so to understand all the tools.

Have Phun

Aimless
November 28th, 2003, 01:23
Oh yes, almost forgot:

1. ADDR <your_app_name_as_seen_in_softice>
2. BPM 00405654 X
3. Run
4. When breakpoint occurs, type STACK or open the stack window using WS
5. You will see your caller

Alternatively:

6. Press the F11 key; it will take you to the caller

OR:

7. Press the F12 key and finish what you were doing and return back to the caller

So you see, I routinely read SoftICE tutorials.

Have Phun