                    ╔────────────────────────────╗
                    │  How to Crack Winflash 4.0 │
                    │             by             │
                    │         WaxWeazle          │
                    ╚────────────────────────────╝

Contents:
 - Intro
 - Target
 - Things u need
 - Crack target
 - Let's start
 - Future

╔════════════════════════════════════════════════════════════════════════╗
║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ Intro: ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║
╚════════════════════════════════════════════════════════════════════════╝

Before we start with this shit, I wanna say that this is my first public
tutorial. I will try to explain as good as possible! And don't blame me for
the bad English:) And BTW, for viewing this file use MS's best tool ever
made: EDIT.COM:)

╔════════════════════════════════════════════════════════════════════════╗
║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ Target: ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║
╚════════════════════════════════════════════════════════════════════════╝

Because this program is very easy 2 crack, this tutorial is only useful for
newbies! If u are a real +Cracker u won't get shit out of this! BTW, there
are a lot of different ways to crack this program! This is just one way! But
I think this way is the fastest and the easiest!
╔════════════════════════════════════════════════════════════════════════╗
║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ Things u need: ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║
╚════════════════════════════════════════════════════════════════════════╝

The following things are required for this tutorial. If u don't have these
things.... get them:)

 - W32Dasm 8.9
 - Hiew 5.8x
 - WinFlash 4.0
 - Some ASM knowledge
 - Ur brains:)

╔════════════════════════════════════════════════════════════════════════╗
║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ Crack target: ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║
╚════════════════════════════════════════════════════════════════════════╝

The program we will crack is called WinFlash (32-bit) 4.0! See below for a
little description of the program:

"WinFlash was written to help you learn any material that can be
represented in textual, graphical or audio formats. You can use it to easily
and quickly create a text-only deck for a fast topic review. WinFlash is
useful in both scholastic and professional learning situations. In the
corporate setting, WinFlash is an excellent tool for producing training
materials for employees."

╔════════════════════════════════════════════════════════════════════════╗
║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ Let's start: ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║
╚════════════════════════════════════════════════════════════════════════╝

The first thing we do is run WinFlash; a nice shareware reminder will pop
up. After pressing 'Continue Unregistered->' u arrive in the main screen.
In the menubar u see something about registering, but this is not important
to us, because in this case hard-cracking is faster! If we don't use a
serial to crack this sucker, what method shall we use then? Simple... if u
look at the top of the window u see something like this:

  "WinFlash32 v 4.0 - 1 day and 1 uses in your 60-day/30-use evaluation"

Hmm... let me think:) If we register the program there is a big chance that
this message is 'removed'. Am I right or am I right?
So we gonna use this weakness in the program to get this sucker fully
regged! Open W32DASM 8.9 and load WINFLS95.EXE (get urselves a nice cup of
Martini!). Wait.... and wait.... and finally W32DASM 8.9 is ready
disassembling the file:) Now u can see the 'source' of WinFlash. We don't
need this at the moment, so click on Refs (an item in tha menu-bar) and go
to 'String data references'. At this moment a new window will pop up with
all kinds of strings. Now we can search for a string. What are we searching
for??? Simple... remember the weakness in tha program? Search for ' Day
and'. Found it??? Take a look at this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004441EF(C)                                          <--- Note(1)
|
:00444268 833D88DC450000          cmp dword ptr [0045DC88], 00000000
:0044426F 0F8501020000            jne 00444476
:00444275 833D18D8450000          cmp dword ptr [0045D818], 00000000
:0044427C 0F85F4010000            jne 00444476
:00444282 B8B4F34500              mov eax, 0045F3B4

* Possible StringData Ref from Code Obj ->" - "
|
:00444287 B9C8474400              mov ecx, 004447C8
:0044428C 8B55F4                  mov edx, dword ptr [ebp-0C]
:0044428F E8D0F4FBFF              call 00403764
:00444294 8D95E8FDFFFF            lea edx, dword ptr [ebp+FFFFFDE8]
:0044429A A1A0D64500              mov eax, dword ptr [0045D6A0]
:0044429F E8B0E8FBFF              call 00402B54
:004442A4 8D95E8FDFFFF            lea edx, dword ptr [ebp+FFFFFDE8]
:004442AA B8B8F34500              mov eax, 0045F3B8
:004442AF E810F4FBFF              call 004036C4
:004442B4 833DA0D6450001          cmp dword ptr [0045D6A0], 00000001
:004442BB 7522                    jne 004442DF
:004442BD FF35B4F34500            push dword ptr [0045F3B4]
:004442C3 FF35B8F34500            push dword ptr [0045F3B8]

* Possible StringData Ref from Code Obj ->" Day And "     <--- This is tha string!
|
:004442C9 68D4474400              push 004447D4
:004442CE B8B4F34500              mov eax, 0045F3B4
:004442D3 BA03000000              mov edx, 00000003
:004442D8 E8FBF4FBFF              call 004037D8
:004442DD EB20                    jmp 004442FF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004442BB(C)
|
:004442DF FF35B4F34500            push dword ptr [0045F3B4]
:004442E5 FF35B8F34500            push dword ptr [0045F3B8]

* Possible StringData Ref from Code Obj ->" Days And "
|
:004442EB 68E8474400              push 004447E8
:004442F0 B8B4F34500              mov eax, 0045F3B4
:004442F5 BA03000000              mov edx, 00000003
:004442FA E8D9F4FBFF              call 004037D8

Note(1) = At location :004441EF there is a (C)onditional jump, as u can
see. Let's go to that location!

:00444194 55                      push ebp
:00444195 8BEC                    mov ebp, esp
:00444197 81C4E8FDFFFF            add esp, FFFFFDE8
:0044419D 53                      push ebx
:0044419E 56                      push esi
:0044419F 57                      push edi
:004441A0 33C9                    xor ecx, ecx
:004441A2 898DE8FEFFFF            mov dword ptr [ebp+FFFFFEE8], ecx
:004441A8 894DF8                  mov dword ptr [ebp-08], ecx
:004441AB 894DF4                  mov dword ptr [ebp-0C], ecx
:004441AE 894DF0                  mov dword ptr [ebp-10], ecx
:004441B1 8945FC                  mov dword ptr [ebp-04], eax
:004441B4 BEACF34500              mov esi, 0045F3AC
:004441B9 33C0                    xor eax, eax
:004441BB 55                      push ebp
:004441BC 685F474400              push 0044475F
:004441C1 64FF30                  push dword ptr fs:[eax]
:004441C4 648920                  mov dword ptr fs:[eax], esp
:004441C7 C605BCF3450000          mov byte ptr [0045F3BC], 00
:004441CE 8D45F4                  lea eax, dword ptr [ebp-0C]

* Possible StringData Ref from Code Obj ->"WinFlash32 v4.0"
|
:004441D1 BA78474400              mov edx, 00444778
:004441D6 E85DF4FBFF              call 00403638
:004441DB 8D45F0                  lea eax, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"WinFlash32 PRO v4.0"
|
:004441DE BA90474400              mov edx, 00444790
:004441E3 E850F4FBFF              call 00403638
:004441E8 833D8CDC450001          cmp dword ptr [0045DC8C], 00000001   <--- Note(3)
:004441EF 7577                    jne 00444268                         <--- Note(2)
:004441F1 833DCCE8450000          cmp dword ptr [0045E8CC], 00000000
:004441F8 7537                    jne 00444231
:004441FA FF75F4                  push [ebp-0C]

* Possible StringData Ref from Code Obj ->" - Registered To "
|
:004441FD 68AC474400              push 004447AC
:00444202 8D85E8FEFFFF            lea eax, dword ptr [ebp+FFFFFEE8]
:00444208 BA94DD4500              mov edx, 0045DD94
:0044420D B901010000              mov ecx, 00000101
:00444212 E8E9F4FBFF              call 00403700
:00444217 FFB5E8FEFFFF            push dword ptr [ebp+FFFFFEE8]
:0044421D B8B4F34500              mov eax, 0045F3B4
:00444222 BA03000000              mov edx, 00000003
:00444227 E8ACF5FBFF              call 004037D8
:0044422C E95E030000              jmp 0044458F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004441F8(C)
|
:00444231 FF75F0                  push [ebp-10]

* Possible StringData Ref from Code Obj ->" - Registered To "
|
:00444234 68AC474400              push 004447AC
:00444239 8D85E8FEFFFF            lea eax, dword ptr [ebp+FFFFFEE8]
:0044423F BA94DD4500              mov edx, 0045DD94
:00444244 B901010000              mov ecx, 00000101
:00444249 E8B2F4FBFF              call 00403700
:0044424E FFB5E8FEFFFF            push dword ptr [ebp+FFFFFEE8]
:00444254 B8B4F34500              mov eax, 0045F3B4
:00444259 BA03000000              mov edx, 00000003
:0044425E E875F5FBFF              call 004037D8
:00444263 E927030000              jmp 0044458F

Note(2) = Here's the jump to tha shareware message!
Note(3) = If [0045DC8C] = 1 then the program is regged, else it will jump
          to our shareware message!

Bingo!!! The program is keeping a flag at memory location 0045DC8C:

  0 = Shareware
  1 = Regged

To crack this sucker we have to find tha location where the flag is SET!
This is easy! Search for '0045DC8C'. U get a lot of CMP 0045DC8C, ????
but remember, we are searching for the flag SET! For that the program
uses a MOV, so if u see something like this:

  MOV dword ptr [0045DC8C], eax

ur hot! Below is some source:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0043640E(C), :0043641B(C)
|
:00436522 33C0                    xor eax, eax
:00436524 A38CDC4500              mov dword ptr [0045DC8C], eax        <--- Note(4)
:00436529 6854DB4500              push 0045DB54
:0043652E 6A19                    push 00000019
:00436530 6890DC4500              push 0045DC90
:00436535 68A8704300              push 004370A8

Note(4) = At last we got the FLAG setter!
So let's change it to:

  MOV dword ptr [0045DC8C], 1      <--- 1 = regged

For those guys who don't know how to do this:

 1) Debug the program in W32DASM.
 2) Search for a button called 'Goto address' and push it!
 3) Enter 00436524.
 4) Bam.. ur back! Now press the 'Patch Code' button.
 5) U see something like this:

   Eip:               Current instruction at eip:
   -----------------  ---------------------------------
   | Eip: 00436524 |  | mov dword ptr [0045DC8C], eax |
   -----------------  ---------------------------------

   Enter below new instruction:
   ---------------------------------------------------
   |                                                 |
   ---------------------------------------------------

Now we are ready to patch the sucker!

   Eip:               Current instruction at eip:
   -----------------  ---------------------------------
   | Eip: 00436524 |  | mov dword ptr [0045DC8C], eax |
   -----------------  ---------------------------------

   Enter below new instruction:                       Tha new code
   ---------------------------------------------------
   | MOV [0045DC8C],1                                | <--------------
   ---------------------------------------------------

And press enter! Now press the 'Apply' button. If ur smart u write the new
code down on a piece of paper, it might be handy:) Got it? It's something
like this: C7058CDC450001000000! Now press Bill's cross of the current
window. Confirm with yes. And now run tha program. No nag screens will
appear and the program is running regged!

Mission Accomplished??? No! We have to patch the file for ever! So close
the program and ur back in W32DASM. Goto location 00436524 and write down
the hex code (A38CDC4500). Exit W32DASM (save it first!) and use Hiew or
any other good editor on WINFLS95.EXE. Search for A3 8C DC 45 00. Found
it??? This is at offset &H35924. Now u can change it to
C7 05 8C DC 45 00 01 00 00 00.... Save it! And u cracked this sucker!
(Remember: always make a backup first!)

I hope u learned something, cya!
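The whole protection rests on one dword at 0045DC8C, so a single store decides registered or not. The Python below is an added example, not part of this tutorial or of WinFlash: it decodes the two encodings quoted above (the A3 store of eax and the C7 05 store of an immediate) and shows the kind of integrity check a vendor could ship to detect the changed bytes at the quoted offset. The image is a constructed NOP-filled dummy buffer, not WINFLS95.EXE.

```python
import hashlib

# Constructed dummy image, not the real WINFLS95.EXE: only the byte patterns and
# the file offset quoted in the tutorial are placed into a NOP-filled buffer.
FLAG_STORE_OFFSET = 0x35924                        # offset quoted in the text
ORIGINAL = bytes.fromhex("A38CDC4500")             # mov dword ptr [0045DC8C], eax
PATCHED = bytes.fromhex("C7058CDC450001000000")    # mov dword ptr [0045DC8C], 1
NEXT_INSN = bytes.fromhex("6854DB4500")            # push 0045DB54 at 00436529


def decode_flag_store(code):
    """Decode the two x86 forms that write a 32-bit flag at an absolute address.
    Returns (mnemonic, length) or None for anything else."""
    if code[:1] == b"\xA3" and len(code) >= 5:        # A3 moffs32: mov [moffs32], eax
        addr = int.from_bytes(code[1:5], "little")
        return f"mov dword ptr [{addr:08X}], eax", 5
    if code[:2] == b"\xC7\x05" and len(code) >= 10:   # C7 /0, mod=00 rm=101: [disp32], imm32
        addr = int.from_bytes(code[2:6], "little")
        imm = int.from_bytes(code[6:10], "little")
        return f"mov dword ptr [{addr:08X}], {imm:08X}", 10
    return None


def build_image(patched=False):
    """NOP-filled buffer with the quoted instructions at the quoted offset."""
    image = bytearray(b"\x90" * (FLAG_STORE_OFFSET + 0x100))
    site = FLAG_STORE_OFFSET
    image[site:site + 5] = ORIGINAL
    image[site + 5:site + 10] = NEXT_INSN
    if patched:
        image[site:site + 10] = PATCHED     # the bytes the tutorial writes with Hiew
    return bytes(image)


def check_flag_store(image, offset=FLAG_STORE_OFFSET):
    """Integrity check a vendor could run at startup or in a release pipeline:
    the store and the instruction after it must still be the known-good bytes."""
    site = image[offset:offset + 10]
    if site == ORIGINAL + NEXT_INSN:
        return "intact"
    if site == PATCHED:
        return "patched"
    return "modified"


def code_digest(image, offset=FLAG_STORE_OFFSET, length=16):
    """SHA-256 of the code window; comparing with a stored digest catches any change."""
    return hashlib.sha256(image[offset:offset + length]).hexdigest()
```

Pattern matching only catches the one patch it knows about; the digest comparison is what a shipped check should rely on.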
╔════════════════════════════════════════════════════════════════════════╗
║▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ Future: ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒║
╚════════════════════════════════════════════════════════════════════════╝

I think I will write a new tutorial soon, only if I have enough time! I am
a very busy man, ya know! And after all I am a cracker and not an essay
writer:) I think the next tut is about serial 'fishing', so watch our site!

Logging out.....

WaxWeazle