Cracking for Newbies - by Dahood

Target: Easy GIF Animator Version 1.02
Tools used: W32dasm, Hview, ProcDump32
Protection: 1. Nag screen, countdown (number of times you opened the program)

NOTE: This tutorial is not totally for newbies, so I expect that you know
1. how to use W32dasm
2. how to use Hview (change, search, etc...)
3. Assembly

Disassemble the program

Right, it's packed, and I'm not going to go into details; I hate packed programs. When you tried to disassemble it you saw UPX0 and UPX1. Open it in Hview and at the top it says UPX 1.20, so we know what it is packed with. For most packed programs I use ProcDump: open ProcDump, click on Unpack, pick a file, pick UPX... anyway, unpack it and save the unpacked file under a different name like Easy.exe. Check the properties of both files and see if they differ, then try to disassemble the unpacked file. OK, good... Now the unpacked file works.

Disassemble it and look at the strings... not good. OK, let's hit Ctrl-L and hit Load. Click on Step Over and trace; see what calls the nag and what call calls our real program. We know that there should be a jne or je around (after) it: when you click Evaluate you enter the program, otherwise you leave... Let's start.

Now that we have some information: she starts to load at the

*************Program Entry Point*********************
:004A751C 55 push ebp

Keep stepping over... At

:004A7593 FF92D8000000 call dword ptr [edx+000000D8]

the nag screen pops up, so we know this is the call. Now if you click Evaluate nothing happens. Now step over slowly; when you get to

:004A75BD E8B27CFAFF call 0044F274

our program pops up. Write all this information down on paper, so after you collect everything you can just look at it. Now we know what calls the nag and what calls our program.

One last thing: you are probably wondering what the

:004A759C 7424 je 004A75C2

is. Well, it jumps to the call which is right after the call which calls our program, so it's the exit jmp. If you don't believe me ;) open your unpacked file in Hview and change it to jne. Now what happens when you click Evaluate.....

:004A7593 FF92D8000000 call dword ptr [edx+000000D8]
:004A7599 83F802 cmp eax,00000002
:004A759C 7424 je 004A75C2

Now all you have to do is get rid of call dword ptr [edx+000000D8]. Don't NOP it: that changes the code and sometimes it messes up the program. Make it jmp to the next line, so every time you start your program it reads straight down like there was nothing there. So it should look like this:

:004A7593 E90100000000 jmp 004A7599

The offset is 000A6B99, just in case you forgot, lol.

The hardest part: you can't change the date forward to check if you really killed it. So you still have your original packed file, right? Good... Now open it and close it till it says expired, then open your unpacked file that you modified.

I hope I didn't confuse you, and if you have any questions or comments my ICQ# is 69518421 or you can e-mail me at webcrawler28@hotmail.com.

I would like to say thanks to all the crackers, too many to list, for helping me and also for their tutorials. Also a big thanks to Krobar's site: http://zor.org/krobar/