//**cracking tut by alpine**// //*****and******// //**the immortal descendants**// #3 05.1999

Greetings

Today I'm dealing with a program protected with a nag screen and a time trial. I'm not going to explain the basic things, so this is not a beginner tut. But if you have read my first tutorial, you (beginner) should be able to follow my ideas.

We need:
  softice
  winspect.exe                          // included as smu.zip with the crackers notes
  pc_offset.zip by iczelion or wdasm    // to convert the addresses to file offsets and get the opcodes
  ws_ftp pro                            // our target, can be downloaded at www.ipswitch.com

Let's fetz! (German slang for "let's begin")

After installing our target and starting it for the first time we get a nag screen. Click on "continue" and enjoy the program. Quit it and restart: we won't get the nag anymore. Okay, we know that it has a time-trial protection, so set your system time forward (more than 30 days). Now start our target again; surprise, surprise, a nag is telling us that our target has expired.

Start winspect and get the handle of the nag window. Set a message breakpoint on it in softice: bmsg <handle> wm_destroy. Now press "Buy later". You will be kicked back to softice. Use F12 to return to the main exe. You will find yourself a few lines below DialogBoxIndirectA or DialogBoxParamA (I can't remember which :-). Now press F10 till you've passed the ret. You should find yourself...

  :0041191D 68234E0000    push 00004E23
  :00411922 8B4508        mov eax, dword ptr [ebp+08]
  :00411925 50            push eax
  :00411926 8B450C        mov eax, dword ptr [ebp+0C]
  :00411929 50            push eax
  :0041192A E84BF6FFFF    call 00410F7A
  :0041192F 83C410        add esp, 00000010      <--...here
  :00411932 8B45A0        mov eax, dword ptr [ebp-60]
  :00411935 50            push eax

So we know that the call at 0041192A triggered our nag screen (note the add esp,10 right after it: the caller cleans up the four pushed arguments, which matters later when we remove the call). We also know that after pressing "buy later" the program quits. Let's find out which instruction triggers the ExitProcess (quits the program). Trace further on till you reach the following jump...
  :00423D42 83C410        add esp, 00000010
  :00423D45 33C0          xor eax, eax
  :00423D47 E971070000    jmp 004244BD           <--...here
  :00423D4C 837DE400      cmp dword ptr [ebp-1C], 00000000
  :00423D50 0F8538000000  jne 00423D8E

When you execute the jump in softice you get an invalid address, and pressing F10 three more times calls ExitProcess. The next instruction, the cmp at 00423D4C, is part of the routine which starts our program. I know this because I traced through the program when it wasn't expired. So the only thing we have to do is nop the jump out: the five bytes E9 71 07 00 00 become 90 90 90 90 90. You could also change the jump to jmp 00423D4C (E9 00 00 00 00), which has the same effect, since either way execution falls through to the cmp.

Did it? Ok, rerun your program, you get the nag; now press "buy later". Instead of quitting, the program runs fine, although it is expired.

The last thing we are going to do is crack the nag. Do you still remember the call we came out of after breakpointing with bmsg? It was the call to 00410F7A, and its address was 0041192A. Get the opcodes (E8 4B F6 FF FF, five bytes) and nop them out (90 90 90 90 90). The stack stays balanced, because the add esp,10 after the call still removes the pushed arguments. Keep in mind that the addresses above are virtual addresses as softice shows them: convert them to file offsets with pc_offset or wdasm before patching with a hex editor, and check that the bytes at that offset really are the opcodes from the listing before you overwrite them, or you are patching a different build. Another program has been reversed.

alpine
alpine@gmx.at

greetings to the immortal descendants and to all i know.
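As an added example (not part of alpine's tutorial, and not the tool pc_offset itself), here is a Python script that does the two patches above by virtual address: it reads the PE section table to convert each softice address into a file offset, which is the job pc_offset or wdasm does for you, and overwrites the opcodes only if the bytes on disk are exactly the ones from the disassembly. The two addresses and their opcodes are the ones from the listings above; everything else is an assumption: the minimal PE32 image built by build_test_image is constructed for demonstration and is not the ws_ftp pro binary, and the file names in the usage note are made up.

```python
"""Patch the two instructions from the tutorial by virtual address.

Added example, not from the original tutorial. Converts softice virtual
addresses to file offsets from the PE section table and overwrites the
opcodes, refusing to patch if the bytes on disk differ from the ones in
the disassembly (which would mean a different build of the target).
"""
import struct

# (virtual address, opcodes seen in the disassembly, replacement)
PATCHES = [
    (0x00423D47, bytes.fromhex("E971070000"), b"\x90" * 5),  # jmp 004244BD -> nop: no ExitProcess
    (0x0041192A, bytes.fromhex("E84BF6FFFF"), b"\x90" * 5),  # call 00410F7A -> nop: no nag
]


def pe_sections(data):
    """Return (image_base, [(name, va, vsize, rawptr, rawsize), ...]) of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), va, vsize, rawptr, rawsize))
    return image_base, sections


def va_to_file_offset(data, va):
    """Map a virtual address (as softice shows it) to an offset in the file on disk."""
    image_base, sections = pe_sections(data)
    rva = va - image_base
    for name, sva, vsize, rawptr, rawsize in sections:
        if sva <= rva < sva + max(vsize, rawsize):
            off = rva - sva
            if off >= rawsize:
                raise ValueError(f"{va:#010x} lies in {name} but is not backed by file data")
            return rawptr + off
    raise ValueError(f"{va:#010x} is not inside any section")


def apply_patches(data, patches=PATCHES):
    """Return a patched copy; every original opcode must match or nothing is changed."""
    out = bytearray(data)
    for va, expected, new in patches:
        if len(expected) != len(new):
            raise ValueError("replacement must be the same length as the original")
        off = va_to_file_offset(out, va)
        found = bytes(out[off:off + len(expected)])
        if found != expected:
            raise ValueError(f"bytes at {va:#010x} (file offset {off:#x}) are {found.hex()}, "
                             f"expected {expected.hex()}; different version of the target?")
        out[off:off + len(new)] = new
    return bytes(out)


def patch_file(src, dst):
    """Read src, patch it, and write the result to dst so the original stays untouched."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(apply_patches(data))


def build_test_image(image_base=0x400000, text_va=0x1000, text_raw=0x400, text_size=0x24000):
    """Constructed stand-in for the target: a minimal PE32 with one .text section and
    the two instructions from the tutorial placed at their virtual addresses."""
    hdr = bytearray(text_raw)
    hdr[:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    opt_size = 224  # size of a PE32 optional header
    # Machine=i386, 1 section, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)            # Magic: PE32
    struct.pack_into("<I", hdr, opt + 28, image_base)  # ImageBase
    # section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<8sIIII", hdr, opt + opt_size, b".text", text_size, text_va, text_size, text_raw)
    img = hdr + bytearray(text_size)
    for va, expected, _ in PATCHES:
        off = va_to_file_offset(img, va)
        img[off:off + len(expected)] = expected
    return bytes(img)


if __name__ == "__main__":
    image = build_test_image()
    for va, _, _ in PATCHES:
        print(f"{va:#010x} -> file offset {va_to_file_offset(image, va):#x}")
    patched = apply_patches(image)
    print("changed", sum(a != b for a, b in zip(image, patched)), "bytes")
```

On the real target you would call patch_file("ws_ftp.exe", "ws_ftp.patched.exe") (file names assumed). The byte check before writing is the part worth keeping: the addresses in this tut belong to one build, and a second run of the script on an already patched file, or on another version, stops with an error instead of nopping the wrong five bytes.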