-{ How To Reverse }-
bY fuzzyCaT

Target...: GraphCalc 2.11
Tools....: Win32Dasm, Hiew, eXeScope and Brain (4000 CC is better :P)!

So our target is GRAPHCALC. I don't feel like loading a file monitor or a registry monitor, so let's go directly to Win32Dasm.

Ok, make 2 copies of GrphCalc.exe [Win32Dasm]: one GrphCalc.crk.exe [for HIEW] and the other GrphCalc.bak [SAFE].

Run GraphCalc and try to register it. Hmmm, looks like a bug to me, what do you think? Let's give a hand to the programmer and correct it :P

Load GrphCalc.exe into Win32Dasm, go to the String Reference window and look for that string. Found it? Cool! Double-click on it. Double-click again: looks like we ended at the same spot, so it probably doesn't have another check.

So you got to this piece of code:

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0046DADB(C)     <-- ? what do you think? (C)=Conditional [Jne,Je,Jz,etc]
  |
  :0046DC15 6A10                    push 00000010

  * Possible StringData Ref from Data Obj ->"Unregistered Version of GraphCalc"
                                    |
  :0046DC17 68502A4C00              push 004C2A50

  * Possible StringData Ref from Data Obj ->"Invalid Registration Code"   <-- The String
                                    |
  :0046DC1C 68742A4C00              push 004C2A74
  :0046DC21 8B8D74FFFFFF            mov ecx, dword ptr [ebp+FFFFFF74]
  :0046DC27 E88A3C0200              call 004918B6

Did you see the Conditional shit? Open the GOTO CODE LOCATION window and input "46DADB". Yee, we reached a JE, in other words a Jump If Equal after a compare:

  :0046DAD9 85C0                    test eax, eax
  :0046DADB 0F8434010000            je 0046DC15                      <-- Looks like the bug!!! :P
  :0046DAE1 C60584534C0001          mov byte ptr [004C5384], 01

Ok, run Hiew, load GrphCalc.crk.exe, press F4 for DECODE mode, press F5 and enter "46DADB", now press F3 then F2 and change the JE to JNE, press ENTER, ESC, now F9 to update.

Run it, looks ok. Try to register it, hmm cool, it accepted!! Exit, enter again, damn! Didn't stay registered. Ok, we'll be back to this soon!

GraphCalc says that you can only use it for 30 days, after that.... But let's try to put the PC clock up 1 year more... Run GraphCalc and ..? Nothing!!
It doesn't check if you're using it for 1 day or 1000 years! But it still doesn't stay registered... Damn!

Ok, let's go to the AboutBox. Any important information there? . . . . Yes! The text "GraphCalc is a shareware....". Remember, when u register it this disappears, right?

Ok, back to Win32Dasm, look for that string....... Nothing!! But what is the inverse of that? Hmmmm.... Find the "Registered To:" string.

So u arrived here:

  * Possible StringData Ref from Data Obj -> "Registered To: "
  :00456999 68F4034C00              push 004C03F4
  . . .

Ok, go up a little, see anything familiar? Maybe a conditional jump? Yeah! This:

  :00456989 A084534C00              mov al, byte ptr [004C5384]   <- Hmmm ?!
  :0045698E 85C0                    test eax,eax                  <- Very familiar and interesting!!
  :00456990 744A                    je 004569DC                   <- Yeah!!!!! BOOMMM!!! [Label1]
  . . .

Got the offset from [Label1]? Run Hiew, F4 "Decode", F5 "56990", F3 change 74 -> 75, F9, boom!

Run it, cool!!!! Registered to you!!! But there's still a prob: the register button isn't disabled and it should be!! This is where eXeScope comes up. Open GraphCalc with it, look for that menu, and now just check GRAYED and DISABLED! Oki! Done!!!

TIP: the menu is the first!

Easy eh? Easy prog, don't u think? A little cheating, but who cares? It works, doesn't it? ;)

Now if u want to make a patch and make the menu disabled at the same time, u'll have to use your brain, because if it is DISABLED u can't register it and so it'll show "Registered To: " only!

TIP: graphcalc.ini, it auto fills what's missing!!!

Cya!!!

A newbie tut written by ONE!! :P

Greetz:
iNNU3NDo :: Duelist :: Northpole :: hmemcpy :: Ac|FuSiO :: R!SC :: PROF.X
tKC :: PinguTM :: DarkShadow :: LaZaRuS :: SiR_DawG :: cokine :: CiA[File] :)
fuzzyCaT [ey it's me!! :)] :: All other CiA members :: #C.i.A & #CRACKiNG4NEWBiES
CiA :: EVC :: CORE :: Phrozen Crew :: eMINENCE :: MiB :: DREAD :: CLASS :: RAZOR

fuzzyCaT [fuzzyCaT@Gmx.net] [www.fuzzyCaT.tsx.org]
Crackers In Action 2000

(* is wrong *)