How to crack Nero 4.0.9.1 with Softice
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by yoda

Welcome to my first cracking tutorial. I'm a newbie (I started cracking about 3 months ago), but I hope I can still teach you something. Don't blame me for any faults in this tut or my bad English :)...

Let's CRACK !!!

First install Nero 4.0.9.1 (downloadable at www.ahead.de, I think :). Then run it. Something like this should appear:

  ----------------------------------------------
  | blah                                   ? X |
  ----------------------------------------------
  | blah, blah, ...                            |
  |                                            |
  | Name:       ______________________________ |
  | Company:    ______________________________ |
  | Serial No.: ______________________________ |
  |      ________     ________     ________    |
  |      | Demo |     |  OK  |     | EXIT |    |
  ----------------------------------------------

Let's try to skip this shit >:). Enter your name, company and a serial number (I prefer 1223, because something like 12345 you will find very often in RAM). What's that, the OK button is deactivated :(.

Press Ctrl+D so Softice pops up. Normally we should set a breakpoint (with bpx) on the Windows API "enablewindow", but let's use getwindowtexta: type in "bpx getwindowtexta", press Enter and then F5. We'll be back in the proggy. Now add a 3 in the serial edit box; Softice pops up. Press F5 until we are back in the proggy (to test how many getwindowtext's there are). OK, the proggy does 3 getwindowtext's: one for the name, one for the company and one for the serial.

Now let's erase the last "3" in the serial edit box. Softice pops up. Press F5 2 times to get to the last getwindowtext, then press F12 to go to the call of this getwindowtext. Trace (F10) down some ret's until you reach something like this:

  :00435122 E8BF190B00    call 004E6AE6
  :00435127 85C0          test eax, eax
  :00435129 7503          jne 0043512E        <- the first conditional jump
  :0043512B 50            push eax
  :0043512C EB34          jmp 00435162
  ...

Trace to the conditional jump, which wants to jump.
Maybe we don't want it to :), so type in "r fl z" to toggle the zero flag, disable your breakpoint ("bd*") and press F5 to go back to the proggy. WoW, the OK button is active, so let's press it. The proggy runs fine, but let's try to restart it. Nero tells you that your serial number is invalid (very smart). Click on the OK button and you will see the old box that wants you to enter a valid serial :(.

Let's try something different! Close Nero and set a breakpoint on the Windows API (API = Application Programming Interface) messagebox, because the first nag looks like a messagebox. Type in (in Softice) "bpx messageboxa" (the a is for 32 bit - Win 9x/2000/NT). Now start Nero again. It'll break, so press F12 to get to the caller. The messagebox will now appear. That's not bad; just click on OK and you'll be here:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:004F0B18 6804010000    push 00000104
:004F0B1D 50            push eax
:004F0B1E 6A00          push 00000000
:004F0B20 8DBDECFEFFFF  lea edi, dword ptr [ebp+FFFFFEEC]

* Reference To: KERNEL32.GetModuleFileNameA, Ord:0124h
|
:004F0B26 FF1504845100  Call dword ptr [00518404]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F0B10(U)
|
:004F0B2C 53            push ebx
:004F0B2D 57            push edi
:004F0B2E FF7508        push [ebp+08]
:004F0B31 FF75F4        push [ebp-0C]

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:004F0B34 FF1584855100  Call dword ptr [00518584]
:004F0B3A 85F6          test esi, esi       <- you are here
:004F0B3C 8BF8          mov edi, eax
:004F0B3E 7405          je 004F0B45
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

We must find a jump which jumps over this messagebox, but you'll see nothing like that above this messagebox call :(. Hmmm... Let's go to the caller's caller :), so press F12 and look whether you find a conditional jump over the call.
If there is one, set a breakpoint on this conditional jump (with a double click in Softice) and rerun the proggy. When it breaks on the jump, take it (e.g. "r fl z"), press F5 and look whether the messagebox appears. If it appears, try the next caller's caller. The third caller's caller is the good one:

  :0043519D 7E0E          jle 004351AD        <- jump we must force
  :0043519F 6AFF          push FFFFFFFF

  * Possible Reference to String Resource ID=00048: "Writing Wave file"
  |
  :004351A1 6A30          push 00000030

  * Possible Reference to String Resource ID=61265: "This serial number...
  |
  :004351A3 6851EF0000    push 0000EF51
  :004351A8 E8F4B90B00    call 004F0BA1       <- calls the first nag

  * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
  |:00435195(C), :0043519D(C)
  |
  :004351AD 8BCF          mov ecx, edi
  :004351AF E895A90100    call 0044FB49

Force the jump (jle) and the messagebox telling us that we entered an invalid serial won't pop up. But what's that, again the bitchy box (where one can enter name, company and serial) appears :(. Before we do something against this, clear your breakpoints ("bc*") and change the jle to a jmp with any hex editor (file: Nero.exe, offset: 3519D, patch: EB). Now the first nag won't appear on startup of Nero.

Close Nero, set a breakpoint on showwindow ("bpx showwindow") in Softice and run Nero. When Softice breaks on the bitchy box, try to find a conditional jump which jumps over this call. Try also the callers' callers. ...

Solution: After the break press F12 3 times, then the bitchy box will appear. Click on Exit and Softice pops up again; press F12 2 times and you'll see:

  :00483BBD E85672FFFF    call 0047AE18
  :00483BC2 E8F415FBFF    call 004351BB       <- calls bitchy box
  :00483BC7 85C0          test eax, eax       <- you are here
  :00483BC9 0F84D6020000  je 00483EA5         <- closes Nero
  :00483BCF 8B86C0000000  mov eax, dword ptr [esi+000000C0]
  :00483BD5 8D8EC0000000  lea ecx, dword ptr [esi+000000C0]

Now we are able to kill the box :).
Just nop the call at 00483BC2 and the jump at 00483BC9 with a hex editor. (The file offsets are the same numbers without the leading 4: memory address 483BC2 = file offset 83BC2.) Now Nero should run without any nags :) - Done.

I hope I could explain it all a bit understandably.

GreetZ go out to all crackers on this planet !!! Thx tKC for your great tut collections. I've read them all.

Feel free to mail me: yoda_f2f@gmx.net (Don't ask me where to find any cracking tools, please.)

Internet sites where to find tools:
  www.crackstore.com
  protools.cjb.net
  www.warez.com (search for the program you are looking for)

CU (for what will we use this one, no? :)
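Editor's note with an added example (C code written for this page; it is not part of yoda's tutorial and not Nero's code): every patch above succeeds because nothing in the program ever re-checks its own bytes. The defensive counterpart is a code-integrity check: a build step hashes the final code region and embeds the digest, and at run time the program hashes the same region again and treats a mismatch as tampering. The sample bytes below are the opcodes from the 0043519D listing above, standing in for a protected code region; the function names and the FNV-1a choice are assumptions of this example, not anything the tutorial or Nero uses.

```c
/*
 * Added example, not from the tutorial: a run-time code-integrity check
 * that catches the single-byte patches described above (7E -> EB on a
 * jle, or NOPing a call and a je). Names are hypothetical.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 32-bit FNV-1a. Each step h = (h ^ b) * prime is a bijection on 32-bit
 * values (XOR is invertible, multiplying by an odd constant is invertible
 * mod 2^32), so two inputs that differ in even one byte always yield
 * different digests. That is enough to detect an accidental or naive
 * one-byte patch; it is not collision resistant against a deliberate
 * multi-byte forgery, for which a real build would embed SHA-256 or a MAC.
 * FNV-1a is used here only to keep the example dependency-free. */
uint32_t fnv1a32(const unsigned char *data, size_t len)
{
    uint32_t h = 0x811C9DC5u;            /* FNV offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x01000193u;                /* FNV prime */
    }
    return h;
}

/* Returns 1 when the code bytes still hash to the digest embedded at build time. */
int code_is_intact(const unsigned char *code, size_t len, uint32_t expected)
{
    return fnv1a32(code, len) == expected;
}

/* Constructed sample: the opcode bytes of the listing at 0043519D in the
 * tutorial above, used as a stand-in for a protected code region. */
static const unsigned char PRISTINE_CODE[] = {
    0x7E, 0x0E,                         /* jle  004351AD */
    0x6A, 0xFF,                         /* push FFFFFFFF */
    0x6A, 0x30,                         /* push 00000030 */
    0x68, 0x51, 0xEF, 0x00, 0x00,       /* push 0000EF51 */
    0xE8, 0xF4, 0xB9, 0x0B, 0x00,       /* call 004F0BA1 */
    0x8B, 0xCF,                         /* mov  ecx, edi */
    0xE8, 0x95, 0xA9, 0x01, 0x00        /* call 0044FB49 */
};

/* Applies the tutorial's patch (jle -> jmp) to a copy of the region and
 * checks that the pristine copy passes while the patched copy fails.
 * Returns 1 when the check behaves that way, 0 otherwise. */
int patch_is_detected(void)
{
    /* In a real build this reference digest is computed by the build step
     * over the final bytes and stored as a constant in the binary. Here it
     * is computed from the pristine sample so the example is self-contained. */
    uint32_t reference = fnv1a32(PRISTINE_CODE, sizeof PRISTINE_CODE);

    unsigned char patched[sizeof PRISTINE_CODE];
    memcpy(patched, PRISTINE_CODE, sizeof patched);
    patched[0] = 0xEB;                   /* jle (7E) -> jmp (EB) */

    int pristine_ok = code_is_intact(PRISTINE_CODE, sizeof PRISTINE_CODE, reference);
    int patched_ok  = code_is_intact(patched, sizeof patched, reference);
    return pristine_ok && !patched_ok;
}

int main(void)
{
    printf("pristine digest: %08X\n",
           fnv1a32(PRISTINE_CODE, sizeof PRISTINE_CODE));
    printf("single-byte patch detected: %s\n",
           patch_is_detected() ? "yes" : "no");
    return 0;
}
```

The check only helps if the program does something meaningful when it fails (refuses to start, disables a feature) and if the check itself is not a single `test eax, eax` / `je` that the same hex-editor session can NOP out; in practice vendors spread several such checks through the code and verify a signature rather than a plain hash, so the stored reference cannot simply be recomputed after patching.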