Cracking for Newbies  - by Dahood
                

Target: Easy GIF Animator Version 1.02

Tools used: W32dasm
            Hview
            ProcDump32

Protection:
1. Nag screen with a countdown (number of times you have opened the program)


NOTE: This tutorial is not totally for newbies, so I expect that you know
1. how to use W32dasm
2. how to use Hview (change, search, etc...)
3. Assembly



Disassemble the program

Right, it's packed, and I'm not going to go into details, I hate packed programs.
When you tried to disassemble it you saw
UPX0 and UPX1. Open it in Hview and at the top it says UPX 1.20,
OK, so now we know what it is packed with.
For most packed programs I use ProcDump:
open ProcDump and click on Unpack, pick a file, pick UPX....
Anyway, unpack it and save the unpacked file under a different name like Easy.exe.

Check the properties of both files and see if they differ,
then try to disassemble the unpacked file. OK, good...


Now the unpacked file works.
Disassemble it and look at the strings... not good.
OK,
let's hit Ctrl-L and then Load.
Click on Step Over and trace; see what calls the nag and see which call calls our real program.
We know that there should be a jne or je around (after) the nag: when you click Evaluate you enter, otherwise
you leave...

Let's start now that we have some information.

She starts to load at the

*************Program Entry Point*********************
:004A751C    55                     push ebp
Keep stepping over... at

:004A7593    FF92D8000000           call dword ptr [edx+000000D8]

the nag screen pops up, so we know this is the call.
Now if you click Evaluate nothing happens; now step over slowly.

When you get to

:004A75BD    E8B27CFAFF             call 0044F274
our program pops up

Write all this information down on paper, so after you have collected everything
you can just look at it.
Now we know what calls the nag and what calls our program.

One last thing: you are probably wondering what the

:004A759C    7424                   je 004A75C2
is. Well, it jumps to the instruction right after the call which calls our
program, so it's the exit jump. If you don't believe me ;) open your unpacked
file in Hview and change it to jne. Now what happens when you click
Evaluate.....

:004A7593    FF92D8000000           call dword ptr [edx+000000D8]
:004A7599    83F802                 cmp  eax,00000002
:004A759C    7424                   je 004A75C2

Now all you have to do is get rid of call dword ptr [edx+000000D8]. Don't NOP it:
that changes the code and sometimes it screws up the program.
Make it jmp to the next line, so every time you start your program it reads straight down
like there was nothing there.

So it should look like this:

:004A7593    E90100000000           jmp  004A7599

The file offset is 000A6B99, just in case you forgot.
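Looking at the same patch from the other side, here is an added example (not part of this tutorial) that diffs the unpacked dump against the modified copy, reports the changed bytes and decodes the inserted jmp, so you can see it lands exactly on the cmp at 004A7599 rather than in the middle of an instruction. The sample bytes are constructed from the listing above, and BASE_VA and the instruction-start table are assumptions for this snippet only.

```python
# Added example (not from the tutorial): diff the unpacked dump against a
# modified copy and decode any unconditional jmp the patch introduced.
# Sample bytes are constructed from the listing above; BASE_VA and the
# instruction-start table are assumptions for this snippet only.
BASE_VA = 0x004A7593          # VA of the first sample byte (from the listing)
INSTR_STARTS = {0x004A7593,   # call dword ptr [edx+000000D8]
                0x004A7599,   # cmp  eax,00000002
                0x004A759C}   # je   004A75C2
# Constructed sample: bytes at 004A7593..004A759D before and after the patch.
ORIGINAL = bytes.fromhex("FF92D8000000" "83F802" "7424")
PATCHED = bytes.fromhex("E90100000000" "83F802" "7424")

def diff_ranges(a, b):
    """Return (offset, length) runs where a and b differ byte-for-byte."""
    if len(a) != len(b):
        raise ValueError("images differ in size; not an in-place patch")
    runs, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(a) - start))
    return runs

def decode_jmp(buf, off):
    """Target VA if buf[off:] starts with jmp rel8 (EB) or rel32 (E9), else None."""
    op = buf[off]
    if op == 0xEB:
        return BASE_VA + off + 2 + int.from_bytes(buf[off + 1:off + 2], "little", signed=True)
    if op == 0xE9:
        return BASE_VA + off + 5 + int.from_bytes(buf[off + 1:off + 5], "little", signed=True)
    return None

def find_patches(orig, new):
    """Describe each modified run; a jmp landing off an instruction boundary is suspect."""
    report = []
    for off, ln in diff_ranges(orig, new):   # unchanged bytes inside an instruction split a run
        target = decode_jmp(new, off)
        report.append({"va": BASE_VA + off,
                       "was": orig[off:off + ln].hex().upper(),
                       "now": new[off:off + ln].hex().upper(),
                       "jmp_target": target,
                       "on_boundary": (target in INSTR_STARTS) if target is not None else None})
    return report
```

Note that the fourth byte (00) is the same before and after, so the byte diff reports a three-byte run even though the whole six-byte instruction was overwritten.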

lol, the hardest part: you can't move the date forward to check if you really killed it, so
you still have your original packed file, right? Good... now open it and close it till it says
expired, then open the unpacked file that you modified.

I hope I didn't confuse you, and if you have any questions or comments
my ICQ# is 69518421 or you can e-mail me at webcrawler28@hotmail.com

I would like to say thanks to all the crackers, too many to list, for helping me and also for their
tutorials.
Also a big thanks to krobar's site: http://zor.org/krobar/