Target: Firehand Lightning 2.1.3
Tools: SICE Symbol Loader, W32Dasm, Hex-Editor
Level: 2 (2 only because of the crashes!)
Protection: Nag/Timeout + some evaluation/unregistered texts :)
Crack type: Patch
URL: www.firehand.com

Background: I only picked this program coz its name was very c00l :) guess it's some sorta picture viewer.. Since there's no enter name/serial boxes where to enter our regcode, we shall simply patch the program to think it's registered.. i dunno then if it really is coz i'm an incredibly lazy tester.. (well.. u at #c4n know I'm a lazy bastard, so not lazy tester but Lazy Bastard)

Let's kick asz (make sure you made the backups!!! i woulda been lost without them)

When you launch the program you see the annoying nag popping up.. blah, let's get rid of it. BPX DialogBoxParamA and relaunch the program, *BREAK*.. let's see.. SICE is at 4210D4, let's use W32Dasm to get a better picture (BD* and exit SICE):

    :004210D3 57                      push edi
    * Reference To: USER32.DialogBoxParamA, Ord:0093h
    |
    :004210D4 FF1588724400            Call dword ptr [00447288]   <-- call the nag

mmm.. a simple thing, nop it out (5 x 90h).. ok launch the program again.. wtf? gpf? the program crashed.. oh damned.. *sigh*.. i hate these ones.. restore the original .exe.. and let's go to Symbol Loader.

Ok, here's where Symbol Loader comes useful: open the .exe and translate it. When in SICE, press F10 to get into the main program and type G 4210D4, you're in the above place.. now execute the call (step over it -> F10).. now look at the values in the registers.. write them down or something. Patch the nag again, reopen the patched .exe with Symbol Loader and translate again.. goto 4210D4 again.. look at the registers again, do they differ? Yup. I remember a person once telling me on IRC that the only thing you have to watch is that ESP is restored correctly.. and that's exactly what we have to do (if you let ESP remain as it is in the patched .exe the program will crash coz it'll return from the call to a wrong place..)

Do the following patch:

    FF1588724400    (the nag caller after DialogBoxParamA)

change it to (might differ on your comp):

    BC64EE6A00      (this one restores ESP like it has to be after the nag is displayed..)
    40              (inc eax to be 1)

so it'll look like BC64EE6A0040. Notice that BC64EE6A00 might differ on your comp depending on the correct ESP value: trace with Symbol Loader over the call (with the original .exe) and see the ESP value after it, and modify the opcode to suit your comp. Save and exit and execute the program, does it crash anymore? nah.. right thing we did :)

Now at this point i had re-run the program so many times (over 30) that I could see the "Evaluation period has expired. Please register" text.. we dun wanna see it, do we? nope.. haha.. here comes the best part ;)) Yeah well.. i was lazy and because i should already be sleeping coz i gotta wake up early tomorrow morning i decided not to hunt for the timeout compare and decided to go for the funny way: "Evaluation period has expired. Please register!".. i open the .exe with Hiew and search for the string (Evaluation). The first string I come to seems to be the right one, I edit it a bit and save and exit.. yah! looks nice ;) enter whatever u want but don't enter more chars than there originally are!

Now for the last parts, the stupid evaluation text.. and the unregistered text in the about box. Take the about box unregistered first.. search for "unregistered" in W32Dasm and come across this one:

    :0040136D FFD5                    call ebp
    :0040136F 8B8424CC020000          mov eax, dword ptr [esp+000002CC]
    :00401376 85C0                    test eax, eax                <-- you can only wonder..
    :00401378 7408                    je 00401382                  <-- lamers away
    :0040137A 803800                  cmp byte ptr [eax], 00       <-- compare "you suck ass" or "you kick ass!"
    :0040137D 7403                    je 00401382                  <-- not regged, jump lamer
    :0040137F 50                      push eax
    :00401380 EB05                    jmp 00401387                 <-- take this jump to "registered owner"
    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:00401378(C), :0040137D(C)
    |
    * Possible StringData Ref from Data Obj ->""

Thought i was gonna make it easy by patching the je's but not.. crashes crashes.. fackit.. ok, looks like we gotta fix this one too. Symbol Loader helps a lot but i'll show you the short way i did it, like this:

    :00401376 85C0                    test eax, eax
    :00401378 7408                    je 00401382
    :0040137A 803800                  cmp byte ptr [eax], 00
    :0040137D 7403                    je 00401382

changes to:

    :00401376 40                      inc eax
    :00401377 90                      nop
    :00401378 7408                    je 00401382
    :0040137A 90                      nop
    :0040137B 90                      nop
    :0040137C 90                      nop
    :0040137D 7403                    je 00401382

eax is set for the "passed flag" and the comparing (that btw crashes this procedure) is nopped out.. look at the about box now, what do you see? REGISTEREDOWNER.. looks nice :)

Now the last thing.. you see the "evaluation edition" text at the top of the window? yup, easily done: just search for it in Hiew e.g. and replace it with the text of your choice :)

Final notes: I think I never patched a program as much as I did now.. but it looks like it works. I'm a Lazy Bastard nevertheless so don't count on it :) also i never dealt with crashing problems before but i'm glad i could overcome them in this tute, i was a little surprised myself that I got this thing to work.
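As an added illustration (this is not part of the original tute and not Firehand's code): a tiny C decoder for just the handful of x86 opcodes that appear in the two listings above (the nag call at 4210D4 and the about-box check at 401376). It checks the one mechanical property behind most of the crashes described: a replacement has to be exactly as long as the bytes it overwrites, otherwise every instruction after it is read out of alignment. It also computes the je/jmp targets so they can be compared against the W32Dasm addresses. The byte arrays are copied from the listings; the `nop_attempt` array is my reconstruction of what the file holds after writing 5 x 90h over the 6-byte `FF1588724400`. Two background facts used in the comments are not on the page: DialogBoxParamA is a stdcall API with five dword arguments, so it pops 20 bytes of stack itself when it returns, which is why skipping the call leaves ESP wrong, and why the hard-coded `mov esp, 006AEE64` value is specific to one machine and build.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian dword at p (x86 immediates and displacements are stored this way). */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Target of a 2-byte rel8 branch (je / jmp short) at addr: next instruction plus signed offset. */
uint32_t rel8_target(uint32_t addr, uint8_t rel)
{
    return addr + 2 + (uint32_t)(int32_t)(int8_t)rel;
}

/* Decode one instruction from the opcode subset used in the listings. Returns its length in
   bytes, or 0 if the bytes are not in the subset; the mnemonic is written to out (may be NULL). */
size_t decode_one(const uint8_t *p, size_t avail, uint32_t addr, char *out, size_t outsz)
{
    char buf[64];
    size_t len;
    if (avail == 0) return 0;
    switch (p[0]) {
    case 0x90: len = 1; strcpy(buf, "nop"); break;
    case 0x40: len = 1; strcpy(buf, "inc eax"); break;
    case 0x50: len = 1; strcpy(buf, "push eax"); break;
    case 0x57: len = 1; strcpy(buf, "push edi"); break;
    case 0xBC:                                   /* mov esp, imm32 (5 bytes) */
        if (avail < 5) return 0;
        len = 5; snprintf(buf, sizeof buf, "mov esp, %08X", (unsigned)rd32(p + 1)); break;
    case 0x74: case 0xEB:                        /* je rel8 / jmp short rel8 (2 bytes) */
        if (avail < 2) return 0;
        len = 2; snprintf(buf, sizeof buf, "%s %08X", p[0] == 0x74 ? "je" : "jmp",
                          (unsigned)rel8_target(addr, p[1])); break;
    case 0x85:                                   /* test eax, eax (modrm C0) */
        if (avail < 2 || p[1] != 0xC0) return 0;
        len = 2; strcpy(buf, "test eax, eax"); break;
    case 0x80:                                   /* cmp byte ptr [eax], imm8 (modrm 38) */
        if (avail < 3 || p[1] != 0x38) return 0;
        len = 3; snprintf(buf, sizeof buf, "cmp byte ptr [eax], %02X", p[2]); break;
    case 0x8B:                                   /* mov eax, [esp+disp32] (modrm 84, sib 24) */
        if (avail < 7 || p[1] != 0x84 || p[2] != 0x24) return 0;
        len = 7; snprintf(buf, sizeof buf, "mov eax, dword ptr [esp+%08X]", (unsigned)rd32(p + 3)); break;
    case 0xFF:                                   /* call ebp (FF D5) or call dword ptr [disp32] (FF 15) */
        if (avail >= 2 && p[1] == 0xD5) { len = 2; strcpy(buf, "call ebp"); }
        else if (avail >= 6 && p[1] == 0x15) { len = 6; snprintf(buf, sizeof buf, "call dword ptr [%08X]", (unsigned)rd32(p + 2)); }
        else return 0;
        break;
    default: return 0;
    }
    if (out) snprintf(out, outsz, "%s", buf);
    return len;
}

/* Walk a byte run; returns the instruction count, or -1 when an undecodable byte is hit,
   which is what a length-mismatched patch produces (the stream goes out of sync). */
int disassemble(const uint8_t *code, size_t n, uint32_t base, int verbose)
{
    size_t off = 0; int count = 0; char txt[64];
    while (off < n) {
        size_t l = decode_one(code + off, n - off, base + (uint32_t)off, txt, sizeof txt);
        if (l == 0) return -1;
        if (verbose) printf(":%08X  %s\n", (unsigned)(base + off), txt);
        off += l; count++;
    }
    return count;
}

/* The check to do before writing anything: same byte length, and both sides decode cleanly. */
int patch_is_length_safe(const uint8_t *orig, size_t olen, const uint8_t *patch, size_t plen, uint32_t addr)
{
    return olen == plen && disassemble(orig, olen, addr, 0) > 0 && disassemble(patch, plen, addr, 0) > 0;
}

/* Bytes from the listings above (page data), plus one reconstructed array. */
static const uint8_t orig_nag[]    = {0xFF,0x15,0x88,0x72,0x44,0x00};            /* call dword ptr [00447288]   */
static const uint8_t patch_nag[]   = {0xBC,0x64,0xEE,0x6A,0x00,0x40};            /* mov esp, 006AEE64 ; inc eax */
static const uint8_t nop_attempt[] = {0x90,0x90,0x90,0x90,0x90,0x00};            /* reconstructed: 5 NOPs + leftover 00 */
static const uint8_t about_orig[]  = {0x85,0xC0,0x74,0x08,0x80,0x38,0x00,0x74,0x03};
static const uint8_t about_patch[] = {0x40,0x90,0x74,0x08,0x90,0x90,0x90,0x74,0x03};

int main(void)
{
    printf("nag call, original:\n");  disassemble(orig_nag, sizeof orig_nag, 0x4210D4, 1);
    printf("nag call, patched:\n");   disassemble(patch_nag, sizeof patch_nag, 0x4210D4, 1);
    printf("5 NOPs over a 6-byte call -> %d (stray byte)\n", disassemble(nop_attempt, sizeof nop_attempt, 0x4210D4, 1));
    printf("about box, original:\n"); disassemble(about_orig, sizeof about_orig, 0x401376, 1);
    printf("about box, patched:\n");  disassemble(about_patch, sizeof about_patch, 0x401376, 1);
    printf("length-safe: nag=%d about=%d\n",
           patch_is_length_safe(orig_nag, 6, patch_nag, 6, 0x4210D4),
           patch_is_length_safe(about_orig, 9, about_patch, 9, 0x401376));
    return 0;
}
```

Both patches the tute ends up with pass the length check (6 bytes for 6, 9 bytes for 9), and the branch targets come out as 00401382 and 00401387 exactly as W32Dasm shows them. The decoder only covers the opcodes on this page; anything else returns 0 and is reported as a desync, which is the conservative answer when auditing a binary patch.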
-C_DKnight
reach me at c_dknight@iobox.com

Greetings: (this part seems to be growing every tute and i'm sure there are still ppl left to be added)
AB4DS, r!SC, Dead-Mike, NrOC, Warezpup, Hutch, [yAtEs], [E_BLiss], [LaZaRuS], Doufas, SeKt0r, nchanta, Icecream, |Xmen|, LordOfLA, F0dder, Predator, aCiDHaC, ACiD BuRN, X-Calibre, DnNuke, noos, nu, Thesmurf, defiler, Sinn0r, ^tCM^, Norika, cTT, Weazel, MisterE, Dawai, RevX, Maybird, BlackBird, FireWorx, N|Te, SheeP14o, extasy_, KaOsAuS, _zoltan, Torn@do, ByteBurn, Miscreant, croc, Br4t, [ViKiNg], Phrekie, =Metal=, B|aze, Moredhel, Seffren, Dafoe, Speedsta, Rad|cal, [Daze], VisionZ, KaKTuZ, Stilgreen, Kwazy Wabbit
plus all my friends at #cdrinfo, #cracking4newbies and other chans..