**************MEXELITE98      TUTORIAL**************

bulll [mex98]
url: n/a
Target: Cabrio v2.5
Request: snipes 'c4n'
Protection: Time limit, Nag Screen
Tools: Softice v3.0 or later, Hexworks Hex Editor, W32dasm (<-- by far the best no matter what you hear :)


OK, here ya go.  You must excuse my poor writing abilities, I am not a usual tutorial writer;
that job is normally left to Vizion[mex98], but here goes.  I assume that you already have some knowledge of
general cracking, because this is not a "teach you how to crack" tute but more just a "how to crack
this proggie".

Ok.  First you need to install the proggie and run it a few times just to see what's going on.  Well,
we get this nasty "you have blah blah days left", and 30 days just isn't enough time for us to "try
before we buy", now is it?  So fire up your w32dasm or whatever you use and let's get this baby opened
up.  Now check your string references and also your functions (imports and exports)... Well...
really nothing interesting in the string refs... hmmm...

Let's go ahead and turn our clock forward at least 30 days.  I usually go more.  Now we get the usual
"expired", and if we turn the clock back to the normal time that just doesn't fix it either.  So now it's
time to get our good ole sice to take a look at it.  When you looked in w32dasm at your functions you should
have seen several "dialog" functions.  Just set a bpx on some of those (the winner is 'dialogbox').
When sice first breaks you will have to press F12 so that you get back to the function that called it.
When sice breaks there, you should see something like this:


:0003.7674 8C161C18               mov [181C], ss
:0003.7678 FF362A1A               push word ptr [1A2A]
:0003.767C FF7608                 push word ptr [bp+08]
:0003.767F FF7606                 push word ptr [bp+06]
:0003.7682 FF36F819               push word ptr [19F8]
:0003.7686 FF76FE                 push word ptr [bp-02]
:0003.7689 FF76FC                 push word ptr [bp-04]
:0003.768C 9A01350000             call USER.DIALOGBOX       <--- This is where you will land
:0003.7691 40                     inc ax
:0003.7692 740F                   je 76A3
:0003.7694 FF76FE                 push word ptr [bp-02]
:0003.7697 FF76FC                 push word ptr [bp-04]
:0003.769A 9AAA760000             call KERNEL.FREEPROCINSTANCE
:0003.769F 33C0                   xor ax, ax
:0003.76A1 C9                     leave
:0003.76A2 CB                     retf

But you say... how did we get here????  Well, scroll up and you will find a conditional
jump at .7651, but that's no good for us... so...????

:0003.764F 0BD0                   or dx, ax
:0003.7651 745B                   je 76AE  <--- useless
:0003.7653 8B460A                 mov ax, [bp+0A]

We have to use a bit of zen... we know that our days are calculated, and if we pass our
30-day trial limit then our proggie will be useless.  Also... if we are not registered we will
get that nag screen.  So... we have to look through the code and find our "sweet" spot:

:0003.7172 8BD8                   mov bx, ax
:0003.7174 8C46FE                 mov [bp-02], es
:0003.7177 268B470A               mov ax, es:[bx+0A]
:0003.717B 8946F6                 mov [bp-0A], ax
:0003.717E 268B470E               mov ax, es:[bx+0E]
:0003.7182 8946F4                 mov [bp-0C], ax
:0003.7185 8D46E2                 lea ax, [bp-1E]
:0003.7188 16                     push ss
:0003.7189 50                     push ax
:0003.718A 9ABC24D66A             call 0001.24BC
:0003.718F 83C404                 add sp, 0004
:0003.7192 8EC2                   mov es, dx
:0003.7194 8BD8                   mov bx, ax
:0003.7196 8C46FE                 mov [bp-02], es
:0003.7199 268B7F0A               mov di, es:[bx+0A]
:0003.719D 268B470E               mov ax, es:[bx+0E]
:0003.71A1 8946F2                 mov [bp-0E], ax
:0003.71A4 837EE800               cmp word ptr [bp-18], 0000   <-- How sweet it is!!!!
:0003.71A8 7557                   jne 7201                     <-- Bad jump ewww!!!!  (this is our spot to werk on)
:0003.71AA 8B46FA                 mov ax, [bp-06]
:0003.71AD 2B46F6                 sub ax, [bp-0A]
:0003.71B0 69C06D01               imul ax, 016D
:0003.71B4 2B46F4                 sub ax, [bp-0C]
:0003.71B7 0346F8                 add ax, [bp-08]
:0003.71BA 3B4606                 cmp ax, [bp+06]
:0003.71BD 7D42                   jge 7201                     <--- if we have gone over our time limit, jump
:0003.71BF 2B7EFA                 sub di, [bp-06]
:0003.71C2 F7DF                   neg di
:0003.71C4 69C76D01               imul ax, di, 016D
:0003.71C8 2B46F2                 sub ax, [bp-0E]
:0003.71CB 0346F8                 add ax, [bp-08]
:0003.71CE 7831                   js 7201
:0003.71D0 8B460A                 mov ax, [bp+0A]
:0003.71D3 0B4608                 or ax, [bp+08]
:0003.71D6 7462                   je 723A                      <-- Very sweet!!
:0003.71D8 8B46F6                 mov ax, [bp-0A]
:0003.71DB 2B46FA                 sub ax, [bp-06]
:0003.71DE 69C06D01               imul ax, 016D
:0003.71E2 2B46F8                 sub ax, [bp-08]
:0003.71E5 0346F4                 add ax, [bp-0C]
:0003.71E8 034606                 add ax, [bp+06]
:0003.71EB 99                     cwd
:0003.71EC 52                     push dx
:0003.71ED 50                     push ax
:0003.71EE FF760C                 push word ptr [bp+0C]
:0003.71F1 FF760A                 push word ptr [bp+0A]
:0003.71F4 FF7608                 push word ptr [bp+08]
:0003.71F7 9A36761472             call 0003.7636
:0003.71FC 83C40A                 add sp, 000A
:0003.71FF EB39                   jmp 723A


Well, this snippet of code is found by scrolling up a bit from our initial sice break.  This is
interesting to us as well.  There are a lot of checks going on here: should we display the nag or not, or
should we display the "time over" nag.  Well, what we will do is change it so that it will never show
a nag and never ever expire, so that we can really evaluate this proggie :)))

So we see the compare at 71A4 and, just below it at 71A8, an evil jump.  So let's fix it.

In w32dasm find the file offset of the code... it is found at offset 0001C134.  So fire up your hex editor
and go to that offset.  Now all we have to do is change our bytes and we'll be set.

So for the crack:

:0003.71A8 7557        <-- change this
:0003.71AA 8B46FA      <-- and this to........

                  ----------------------------
                        THIS

:0003.71A8 E98F        <--
:0003.71AA 006800      <-- Fixed bytes :))))


Notice that we had to pad our remaining bytes 46FA with 6800 (push 00) so that everything would work all right :))
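Before trusting any patch, it pays to decode the jumps yourself rather than reading the targets off a comment. The snippet below is an added example (not part of the original tute): it decodes the short (rel8) and near (E9 rel16) relative jumps from the listings above and checks that the targets match what W32dasm printed, including the patched E9 8F 00 at 71A8.

```python
# Added example (not from the original tutorial): decode 16-bit x86 relative
# jumps from the bytes in the listing and compute where they land.
SHORT_JUMPS = {0x74: "je", 0x75: "jne", 0x78: "js", 0x7D: "jge", 0xEB: "jmp"}

def jump_target(addr, code):
    """Return (mnemonic, target) for the relative jump whose first opcode
    byte sits at code-segment offset `addr`.  Targets are relative to the
    end of the instruction and wrap at 16 bits, as in a 16-bit segment."""
    op = code[0]
    if op in SHORT_JUMPS:                       # two-byte form: opcode, rel8
        rel = code[1] - 0x100 if code[1] & 0x80 else code[1]   # sign-extend
        return SHORT_JUMPS[op], (addr + 2 + rel) & 0xFFFF
    if op == 0xE9:                              # three-byte form: E9, rel16
        rel = int.from_bytes(code[1:3], "little", signed=True)
        return "jmp", (addr + 3 + rel) & 0xFFFF
    raise ValueError(f"not a relative jump opcode: {op:02X}")

# Offsets and opcode bytes copied from the W32dasm listing in the tutorial.
LISTING = [
    (0x7651, bytes.fromhex("745B")),   # je 76AE  (the "useless" one)
    (0x7692, bytes.fromhex("740F")),   # je 76A3  (after DIALOGBOX)
    (0x71A8, bytes.fromhex("7557")),   # jne 7201 (the "bad" jump)
    (0x71BD, bytes.fromhex("7D42")),   # jge 7201 (over the time limit)
    (0x71CE, bytes.fromhex("7831")),   # js 7201
    (0x71FF, bytes.fromhex("EB39")),   # jmp 723A
]

# The five patched bytes at 71A8 from the tutorial: E9 8F 00 68 00.
PATCHED = bytes.fromhex("E98F006800")

def decode_listing():
    """Decode every jump in LISTING as (addr, mnemonic, target)."""
    return [(addr,) + jump_target(addr, b) for addr, b in LISTING]

def decode_patch():
    """Decode the first instruction of the patched bytes at 71A8."""
    return jump_target(0x71A8, PATCHED)

if __name__ == "__main__":
    for addr, mnem, target in decode_listing():
        print(f"{addr:04X}: {mnem} {target:04X}")
    print("patched 71A8:", decode_patch())
```

The two bytes after the near jump (68 00) are never reached because the jmp is unconditional, which is why the padding only has to keep the byte count at five.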


Now you just have to rename your .bak to .exe and you will have a cracked proggie that you can evaluate
for as long as you like.  Now isn't that better???


In the crack that I made... I changed the "Evaluation" in the about box to "cracked"... just for amusement :))
I hope this helps you on your journey to crack any and everything... Have fun



bulll[mex98]  A NEW BREED
Greets to all members of mexelite and all visitors of #cracking4newbies
