HOW TO PATCH Advanced Space Hunter 2.5

Tutorial by UmE

Introduction: it's time for another time trial program!!! You'll see in this tutorial how simple cracking an application with W32Dasm can be, and what crackers mean by "5 minutes cracking"!!! :)

Necessary tools: W32Dasm version 8.9 or better.

Program description: Advanced Space Hunter 2.5, ASH.exe, 745.472 bytes.

PARENTAL ADVISORY: this tutorial is cracking oriented!!!

Step 1: when you run the program a nag screen appears with some information about the author and three buttons: "Register" shows you a form for on-line registration, "Insert Key" lets you insert the registration number and "Ok" lets you continue to use the program. If you have used the program for more than 30 days, after pushing the "Ok" button a message box appears with the following text:

"Your trial period is expired, please register"

I prefer to patch the time trial limit... if you would rather find the correct serial number, this tutorial is not for you! :) Let's proceed...

Step 2: open W32Dasm and disassemble the program. Go to the "Refs" menu and click on "String Data Reference". Here you can analyze all the strings that are referenced in the program. Search for the "Your trial period is expired..." string; when you have found it, double-click on it and you will land on the piece of code where the string is referenced. You can see:

:0048E408 2B82AC030000   sub eax, dword ptr [edx+000003AC]
:0048E40E 83F81E         cmp eax, 0000001E                  <- Note 1
:0048E411 7E1D           jle 0048E430                       <- Note 2

* Possible StringData Ref from Code Obj ->"Your trial period is expired. "
                                        ->"Please register."
|
:0048E413 B878E44800     mov eax, 0048E478
:0048E418 E8431AFBFF     call 0043FE60
:0048E41D A174014900     mov eax, dword ptr [00490174]
:0048E422 8B00           mov eax, dword ptr [eax]

I can believe that it is so simple. Let's see.....

Note 1: compare eax (it contains the number of days you've used the program) with 1Eh (30 in decimal!).

Note 2: jump if eax is less than 30 (continue unregistered). Just change the conditional jump jle... into an unconditional jump jmp and the program will work forever.

Let's kill now the initial nag screen.

Step 3: in W32Dasm go to the "Debug" menu and click on "Load Process...": the program will be loaded in memory. Now you see three windows: the first is the same window as before, where you can see the program's code (the entry point is highlighted in light blue). The second, with the caption "EIP: 0048E2C0 is in Module: ASH.exe", is a window where you can see and set the values of the various registers and flags. The third (the most important) is a window where you can see the program's code and where the instruction currently being executed is highlighted in dark blue. In this window push the "Auto Step Over F6" button and W32Dasm will start to trace the code line by line. Let it trace until the initial nag screen appears. Now you can notice that W32Dasm has stopped the tracing.... look at which instruction it has stopped on and you'll see:

call ASH.0042F2E4

This means that the program calls a function in the ASH module (ASH.exe) at the address 0042F2E4. Just nop this call and the nag screen is killed. Very easy.... isn't it?

Ok, this tutorial is at the end. As you've seen it is very easy and I think it will be very useful for newbies.

Greetings to Volatility and all the Immortal Descendants.

Contact me at: ume15@hotmail.com

UmE
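From the defensive side, the two edits the tutorial describes (a changed conditional branch at 0048E411 and a NOP'd call) are exactly what a per-window integrity check over the code section catches, and it also tells you where the change is rather than only that the file hash differs. The Python below is an added example and not part of the tutorial or of ASH.exe; the only bytes taken from the page are the instruction bytes of the listing at 0048E408..0048E421. The window size, the base address, the function names and the "tampered" copy (the byte at the jle's offset flipped to an arbitrary value, not any real patch) are constructed for the demonstration.

```python
"""Locate a patched instruction window by comparing per-window hashes of a
code region against a trusted baseline.

Added example (not the tutorial's code). CODE_REGION is transcribed from
the W32Dasm listing on the page; everything else is constructed.
"""
import hashlib
from typing import Dict, List

BASE_ADDRESS = 0x0048E408  # address of CODE_REGION[0] in the listing
WINDOW = 8                 # bytes per hash window (constructed choice)

# Instruction bytes as shown in the W32Dasm listing (21 bytes total).
CODE_REGION = bytes.fromhex(
    "2B82AC030000"   # :0048E408 sub eax, dword ptr [edx+000003AC]
    "83F81E"         # :0048E40E cmp eax, 0000001E
    "7E1D"           # :0048E411 jle 0048E430
    "B878E44800"     # :0048E413 mov eax, 0048E478
    "E8431AFBFF"     # :0048E418 call 0043FE60
)


def window_hashes(code: bytes, window: int = WINDOW) -> Dict[int, str]:
    """Return {region_offset: sha256_hex} for each window-sized chunk.

    The baseline is computed once from the trusted build and stored
    separately from the binary (otherwise a patcher would just update it).
    """
    return {
        off: hashlib.sha256(code[off:off + window]).hexdigest()
        for off in range(0, len(code), window)
    }


def find_tampered_windows(code: bytes, baseline: Dict[int, str],
                          window: int = WINDOW) -> List[int]:
    """Offsets (relative to the region start) whose hash differs from baseline.

    A window that is missing from `code` (region truncated) is also reported.
    """
    current = window_hashes(code, window)
    return sorted(off for off in baseline if current.get(off) != baseline[off])


def tampered_addresses(code: bytes, baseline: Dict[int, str],
                       base: int = BASE_ADDRESS,
                       window: int = WINDOW) -> List[int]:
    """Same as find_tampered_windows, but as virtual addresses for a listing."""
    return [base + off for off in find_tampered_windows(code, baseline, window)]


# Constructed tampered copy: the byte at the conditional jump's offset
# (0048E411 - 0048E408 == 9) is replaced by an arbitrary different value.
JLE_OFFSET = 0x0048E411 - BASE_ADDRESS
_tmp = bytearray(CODE_REGION)
_tmp[JLE_OFFSET] ^= 0xFF
TAMPERED = bytes(_tmp)

if __name__ == "__main__":
    baseline = window_hashes(CODE_REGION)
    print("clean copy  :", tampered_addresses(CODE_REGION, baseline))
    print("patched copy:", [hex(a) for a in tampered_addresses(TAMPERED, baseline)])
```

With an 8-byte window the changed branch at 0048E411 is reported as the window starting at 0048E410, which is the granularity a defender pays for with a smaller baseline; a 1-byte window would name the exact instruction but store one digest per byte. The same routine applied over the whole code section catches the NOP'd call in Step 3 as well, since any change to the call's five bytes alters its window's digest.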