HOW TO PATCH Advanced Space Hunter 2.5 

Tutorial by UmE

Introduction: it's time for another time-trial program!!! In this tutorial you'll see how 
simple cracking an application with W32Dasm can be, and what crackers mean by "5 minutes
cracking"!!! :)

Necessary tools: W32Dasm version 8.9 or better.

Program description: Advanced Space Hunter 2.5, ASH.exe, 745.472 bytes.

PARENTAL ADVISORY: this tutorial is cracking oriented!!!

Step 1: when you run the program a nag screen appears with some information about the 
author and three buttons: "Register" shows you a form for on-line registration, "Insert Key" 
lets you enter the registration number and "Ok" lets you continue using the program. If you 
have used the program for more than 30 days, after pushing the "Ok" button a message box 
appears with the following text:

"Your trial period is expired, please register"

I prefer to patch the time-trial limit...if you would rather find the correct serial number, 
this tutorial is not for you! :)
Let's proceed...

Step 2: open W32Dasm and disassemble the program. Go to the "Refs" menu and click on 
"String Data Reference". Here you can analyze all the strings that are referenced in the 
program. Search for the "Your trial period is expired..." string; when you have found it, 
double-click on it and you will land on the piece of code where the string is referenced. You 
will see:

:0048E408 2B82AC030000            	sub eax, dword ptr [edx+000003AC]
:0048E40E 83F81E                  	cmp eax, 0000001E	Note 1
:0048E411 7E1D                    	jle 0048E430	Note 2

* Possible StringData Ref from Code Obj ->"Your trial period is expired. "
                                        ->"Please register."
                                  |
:0048E413 B878E44800              	mov eax, 0048E478
:0048E418 E8431AFBFF              	call 0043FE60
:0048E41D A174014900              	mov eax, dword ptr [00490174]
:0048E422 8B00                    	mov eax, dword ptr [eax]

I can't believe it is so simple. Let's see.....

Note 1: compare eax (it contains the number of days you've used the program) with 1Eh (30 in 
decimal!).
Note 2: jump if eax is less than 30 (continue unregistered).
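Here is a way to double-check the arithmetic behind the listing above. It is an added example written for this page, not part of UmE's tutorial or of ASH.exe: a small Python decoder covering only the handful of opcodes that appear in the snippet (it is not a general x86 disassembler). It recomputes every branch target from the raw bytes the way the CPU does, a short conditional jump adds its signed 8-bit displacement to the address of the next instruction and a near call adds a signed 32-bit one, which is how you confirm that the jle really lands at 0048E430 and the call at 0043FE60 before trusting any listing. The LISTING tuples are copied from the tutorial; the jle_taken helper is an added illustration of the jle condition (signed less-than-or-equal, so a value of exactly 30 still takes the branch and only day 31 reaches the message box).

```python
import struct

# Copied from the W32Dasm listing in the tutorial: (address, hex bytes, W32Dasm text)
LISTING = [
    (0x0048E408, "2B82AC030000", "sub eax, dword ptr [edx+000003AC]"),
    (0x0048E40E, "83F81E",       "cmp eax, 0000001E"),
    (0x0048E411, "7E1D",         "jle 0048E430"),
    (0x0048E413, "B878E44800",   "mov eax, 0048E478"),
    (0x0048E418, "E8431AFBFF",   "call 0043FE60"),
    (0x0048E41D, "A174014900",   "mov eax, dword ptr [00490174]"),
    (0x0048E422, "8B00",         "mov eax, dword ptr [eax]"),
]

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]   # /digit of opcode 83
JCC_REL8 = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}


def decode(addr, code):
    """Decode one instruction from the opcode subset used in the listing (toy decoder).
    Returns (mnemonic, operand text in W32Dasm style, instruction length)."""
    op = code[0]
    if op in JCC_REL8:                                   # Jcc rel8: target = next_ip + rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        target = (addr + 2 + rel) & 0xFFFFFFFF
        return JCC_REL8[op], f"{target:08X}", 2
    if op == 0xE8:                                       # call rel32: target = next_ip + rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        target = (addr + 5 + rel) & 0xFFFFFFFF
        return "call", f"{target:08X}", 5
    if 0xB8 <= op <= 0xBF:                               # mov r32, imm32
        imm = struct.unpack_from("<I", code, 1)[0]
        return "mov", f"{REG32[op - 0xB8]}, {imm:08X}", 5
    if op == 0xA1:                                       # mov eax, [moffs32]
        moffs = struct.unpack_from("<I", code, 1)[0]
        return "mov", f"eax, dword ptr [{moffs:08X}]", 5
    if op == 0x83:                                       # group1 r/m32, imm8 (sign-extended)
        modrm = code[1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod == 3:
            imm8 = struct.unpack_from("<b", code, 2)[0]
            return GROUP1[reg], f"{REG32[rm]}, {imm8 & 0xFFFFFFFF:08X}", 3
    if op in (0x2B, 0x8B):                               # sub/mov r32, r/m32
        mnem = "sub" if op == 0x2B else "mov"
        modrm = code[1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod == 0 and rm not in (4, 5):                # [reg], no displacement
            return mnem, f"{REG32[reg]}, dword ptr [{REG32[rm]}]", 2
        if mod == 2 and rm != 4:                         # [reg+disp32]
            disp = struct.unpack_from("<i", code, 2)[0]
            return mnem, f"{REG32[reg]}, dword ptr [{REG32[rm]}+{disp:08X}]", 6
    raise ValueError(f"unsupported encoding {code.hex().upper()} at {addr:08X}")


def check_listing(listing):
    """Re-decode every line from its bytes and compare with the disassembler's text.
    Returns a list of (address, listed text, recomputed text) for any disagreement."""
    mismatches = []
    for addr, hexbytes, text in listing:
        code = bytes.fromhex(hexbytes)
        mnem, operands, length = decode(addr, code)
        rebuilt = f"{mnem} {operands}"
        if length != len(code) or rebuilt != text:
            mismatches.append((addr, text, rebuilt))
    return mismatches


def jle_taken(eax):
    """Result of 'cmp eax, 1E / jle': the branch is taken when eax <= 30 as a signed value."""
    signed = eax - 0x100000000 if eax & 0x80000000 else eax
    return signed <= 30


if __name__ == "__main__":
    for addr, hexbytes, text in LISTING:
        mnem, operands, _ = decode(addr, bytes.fromhex(hexbytes))
        print(f"{addr:08X}  {hexbytes:<14} {mnem} {operands}")
    print("mismatches:", check_listing(LISTING))
    print("day 30 continues:", jle_taken(30), " day 31 continues:", jle_taken(31))
```

Run as-is it re-decodes all seven lines and reports no mismatches: the 0x1D displacement from 0048E413 gives 0048E430, and the call's displacement FFFB1A43 is negative, which is why a call near the end of the image can point back to 0043FE60. The same idea, comparing a known-good listing against the bytes actually present, is how file-integrity checks notice when a branch in a shipped binary no longer matches what the vendor built.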

Just change the conditional jump jle... into an unconditional jump jmp and the program will work 
forever.
Now let's kill the initial nag screen.

Step 3: in W32Dasm go to the "Debug" menu and click on "Load Process...": the program will be 
loaded in memory. Now you see three windows: the first is the same window as before, where you 
can see the program's code (the entry point is highlighted in light blue). The second, with 
the caption "EIP: 0048E2C0 is in Module: ASH.exe", is a window where you can see and set the 
values of the various registers and flags. The third (the most important) is a window where you 
can see the program's code and where the instruction currently being executed is highlighted 
in dark blue. In this window push the "Auto Step Over F6" button and W32Dasm will start to 
trace the code line by line. Let it trace until the initial nag screen appears. Now you will 
notice that W32Dasm has stopped tracing....look at which instruction it has stopped on and 
you'll see:

call ASH.0042F2E4

This means that the program calls a function in the ASH module (ASH.exe) at address 
0042F2E4. Just nop this call and the nag screen is killed.
Very easy....isn't it?

Ok, this tutorial is at an end. As you've seen it is very easy and I think it will be very 
useful for newbies.

Greetings to Volatility and all the Immortal Descendants.

Contact me at: ume15@hotmail.com

UmE